Hi, yesterday I noticed that JavaScript errors sometimes show up on my webpage. When I went to the source code, I found that one of the .js files was totally replaced with a ton of porn links.

I checked the FTP for this file, but there was just the old JavaScript file without any changes. Yet when I went back to check the source code via the browser, there was indeed the original .js again.

Today I visited my webpage again and the problem repeated.

  • first visit showed me a ton of porn pages
  • cached .js file was hacked
  • but after clearing the browser cache the JS goes back to the original

I checked all files on my FTP against my offline version, but all files are without any change.

In the last few years I was attacked by XSS a few times, but in every case it was easy to diagnose and fix. But now I have spent 12h and didn't find the infection.

Do you have any idea how to find it?

A: 

An XSS attack does not need to change files on the server side; it uses a specially formatted query link, which your code then renders to the webpage because it does not check inputs correctly.

You just need to escape or check your inputs. Search for "how to prevent xss".

Preventing Cross Site Scripting Attacks

František Žiačik
not very helpful, but thanks.
Dobiatowski
+1  A: 

Hey,

Most likely they've found an exploit inserting XSS data in your DB and / or CMS files, which then is displayed when you go to a specific page.

You seem to be using Quick CMS and it might contain some flaw somewhere; however, if you've developed any custom functions yourself, this might be where the problem is.

When you insert data into a DB, always use the MySQL escape function, and when you output the data from the DB onto the page, use the PHP htmlentities() function. This will protect you from XSS attacks.

samuelf
Thx, but the problem is that the page runs on a flat file DB instead of MySQL. I checked this too and didn't find any injections. I deleted from the server all JS files which were sometimes showing as infected and guess what... after reloading the page those files showed in the browser cache as infected again, but physically there wasn't any of them on the FTP. The rewrite engine is turned off here. I'm confused. Now I removed all JavaScript references from <head>, and for now the problem disappeared, but still it's not solved.
Dobiatowski
Are you on a shared server? Maybe the server itself is compromised and they do this manually?
samuelf
Yes, and I'm thinking about that, but how can I check that?
Dobiatowski
Well, you state that the files haven't been changed on the server, so that is not the problem if that's the case. In general you can't really check if the server is the problem when you don't have root access to it. There is something really strange with your problem. It doesn't really make sense that none of your files has been changed and the JS is still edited; something must be changed for an XSS attack to take place.
samuelf