views:

384

answers:

2

my friend's website got hacked somehow. The index.php page got inserted an extra line of javascript, which redirect the page to another website. The index.php is just a text file not managed by any CMS. he has changed all ftp/ssh user password. Somehow this is still happening.

Any hint on what might be the cause?

A: 

The website in question has a vulnerability, which keeps getting exploited. Your friend should check the access logs at the time of index.php's modification time, and find which scripts are vulnerable, and fix them.

CyberShadow
A: 

It's pretty hard to sure that the server is no longer compromised.... So unless you re-install there is no certainty that the hack was removed (The absence ob evidence is not evidence of absence).

What type of server is ? If linux I would recommend creating a statically linked lsof on another machine and then run to see if you find a suspect process that might be replacing the file from time to time ...

webclimber