Almost all websites on my domain were infected again. I don't know how is it possible.
Infected files are:
FS JavaScript Popup Date Selector
root/index.php
login.php
content.htm
Also other index.php files and htm, html files are infected.
Infecting code starts and ends with commented "a9a007" and is written in two very long lines of encrypted script.
It is placed in various places, but mostly corrupts files.
INFECTION!!!
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
Re: INFECTION!!!
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
Re: INFECTION!!!
Tata wrote: I don't know how is it possible.
It's hard to say. However, it might be useful to find it out. Maybe you have some success finding out more about this particular infection by googling for parts of the injected scripts. Searching for "infection a9a007" only brought up this: http://www.webhostingtalk.com/showthrea ... &p=8841808.
Tata wrote: Infected files are:
[...]
root/index.php
[...]
Has the file been writable by the webserver? If not, the attack probably had happened via FTP.
Ah, I've just seen the link you've posted. Can you please send me the code by email in a textual format (save as .txt and zip it, or so)?
Christoph M. Becker – Plugins for CMSimple_XH
Re: INFECTION!!!
Well, I have quickly analysed the code, and it is a typical IFRAME insertion attack. The IFRAME's src attribute points to a PHP script, which seems to redirect to different sites/scripts depending on whatever (the USER_AGENT seems to play a role at least). So what actually may happen if someone visits an infected site is not clear. In the worst case they might try to exploit a vulnerability of the browser or a browser plugin.
Further googling brought up not much more info. The only thing was an entry on http://sitecheck.sucuri.net/results/ber ... ncescan.nl, which lists basically identical malware, and http://ninjafirewall.com/malware/index. ... 3-06-18.01 which is a close variation.
Christoph M. Becker – Plugins for CMSimple_XH
Re: INFECTION!!!
I can ask my ISP to restore the whole domain from the server backup. I made no changes a couple of days back, so there is a chance to have everything fine. Now I found that all infected files have the same date of last change - 17/09/2013 14:00 - 14:50. So this was the attack time. Anyway, I load the entire domain to my MAC and will clean all files. Will see what happens tomorrow.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
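A defender-side check built from the details in this thread (the "a9a007" marker and the shared modification time), added here as an example and not code posted by anyone in the thread. It lists web files containing the marker with the line numbers involved and, going one step beyond the thread, lists unmarked files changed within the same time range; the file extensions, function names and sample tree are assumptions constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

MARKER = b"a9a007"  # marker string reported in the thread
WEB_EXT = (".php", ".htm", ".html", ".js")  # assumption: file types to inspect

def walk(root):
    for d, _dirs, names in os.walk(root):
        for n in names:
            yield os.path.join(d, n)

def marker_lines(path):
    """Return 1-based line numbers on which the marker appears."""
    with open(path, "rb") as fh:
        return [n for n, line in enumerate(fh, 1) if MARKER in line]

def scan(root):
    """Map path -> (marker line numbers, mtime) for every flagged web file."""
    flagged = {}
    for path in walk(root):
        if path.lower().endswith(WEB_EXT):
            lines = marker_lines(path)
            if lines:
                flagged[path] = (lines, os.path.getmtime(path))
    return flagged

def changed_in_window(root, flagged):
    """Unflagged files (any type) modified inside the flagged files' mtime range."""
    times = [mtime for _lines, mtime in flagged.values()]
    return sorted(p for p in walk(root) if p not in flagged
                  and times and min(times) <= os.path.getmtime(p) <= max(times))

def demo():
    """Constructed sample tree: two marked files, one clean, one unmarked but touched."""
    root = tempfile.mkdtemp()
    attack = 1379426400  # constructed timestamp standing in for the attack window
    samples = {
        "index.php": (b"<?php echo 1; ?>\nx a9a007 x\nPAYLOAD\nx a9a007 x\n", attack),
        "content.htm": (b"<p>hi</p>\na9a007\nPAYLOAD\na9a007\n", attack + 600),
        "login.php": (b"<?php // clean ?>\n", attack - 86400),
        "notes.txt": (b"unmarked, changed in window\n", attack + 300),
    }
    for name, (body, mtime) in samples.items():
        path = os.path.join(root, name)
        Path(path).write_bytes(body)
        os.utime(path, (mtime, mtime))
    flagged = scan(root)
    return root, flagged, changed_in_window(root, flagged)
```

Run `scan()` on a downloaded copy of the site rather than on the live server, and compare the flagged files against a known-good backup before putting anything back.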
Re: INFECTION!!!
mariashina wrote: scripts are often thought as a virus.
Well, I would say VIRUSES ARE SCRIPTS. Anyway, if such script - which doesn't belong to your CMS - occurs in it, it is always that somebody tries to make something on/by/due/with your website that is sure out of your intention.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.