tibberous, posted November 17, 2009:

I have a couple of websites that have had malware code added to them. In general, the code is either an iframe, an externally linked javascript file, or an eval( base64_decode( 'u65r...')). I thought about just using regex, but I was wondering if there is already a program to remove it.

Link to comment https://forums.phpfreaks.com/topic/181874-code-injected-into-website-is-there-a-program-to-remove-it/

Daniel0, posted November 17, 2009:

If it's in the files on the filesystem, the easiest thing would probably be to recursively grep the directory where your files are. Then go fix the hole, of course.

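
Added example, not part of the thread or any poster's code: a recursive grep in the spirit of the suggestion above, covering the three injection styles named in the first post (iframe, externally linked script, `eval( base64_decode(`). The function names, file extensions, sample files and the `cdn.example.org` allowlist entry are assumptions made for illustration; GNU grep is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Detection only: nothing is modified.

# Recursive, case-insensitive ERE search limited to web file types.
# -o prints only the matched text, so long base64 blobs are not dumped.
rgrep() {
    grep -rnoEi --include='*.php' --include='*.htm' --include='*.html' \
        --include='*.js' "$@"
}

# scan_injected DIR [ALLOWED_HOSTS_ERE] -> "file:line:match" per hit
scan_injected() {
    dir=$1
    allow=${2:-}
    # Style 1: eval( base64_decode( ... with optional whitespace
    rgrep -e 'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' \
        "$dir" || true
    # Styles 2 and 3: iframe/script with an absolute or protocol-relative
    # src. The match stops at the host so it can be checked against the
    # allowlist of hosts the site is known to load from.
    rgrep -e '<(iframe|script)[^>]*[[:space:]]src=["'\'']?(https?:)?//[^"'\''/[:space:]>]+' \
        "$dir" | {
        if [ -n "$allow" ]; then grep -vEi "//($allow)\$"; else cat; fi
    } || true
}

# Constructed sample files: clean page, obfuscated PHP, and an injected
# iframe sharing one line with a legitimate, allowlisted script.
make_samples() {
    printf '%s\n' '<?php echo "hello"; ?>' > "$1/clean.php"
    printf '%s\n' "<?php eval( base64_decode( 'Y29uc3RydWN0ZWQ=' )); ?>" > "$1/infected.php"
    printf '%s\n' '<script src="//cdn.example.org/lib.js"></script><iframe src="http://injected.example/in.php" width="1" height="1"></iframe>' > "$1/index.html"
}

demo=$(mktemp -d)
make_samples "$demo"
scan_injected "$demo" 'cdn\.example\.org'
rm -rf "$demo"
```

Because matches are reported per tag rather than per line, an injected iframe appended to a line that also holds a legitimate script is still listed. Every hit needs a manual look before anything is deleted, and the hole that let the code in still has to be fixed.
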
keldorn, posted November 18, 2009:

Are you using shared hosting? I've been hearing a lot about this, injected code on websites. It all seems to be originating from shared hosting.

waynew, posted November 18, 2009:

> Are you using shared hosting? I've been hearing about this a lot, there seems to be quite a bit of injected code on websites. It all seems to be originating from shared hosting. I guess because on shared, it's too easy to hack the server. So really the security hole might not be yours. It could be 1. Someone has an insecure script 2. Someone registered as a customer to hack the server. #2 is the most frightening even for people who run shared hosting. You don't know if the customers you're getting have malicious intentions. I could buy hosting most places $4.99 a month, upload c99.php and see what happens. It's really that easy. Hence I don't trust shared hosting. I would use a VPS or dedicated.

VPS and dedicated servers cost a fuckton that your regular webmaster isn't willing to shell out for.

keldorn, posted November 18, 2009:

> VPS and dedicated servers cost a fuckton that your regular webmaster isn't willing to shell out for.

You can get a VPS for around $30 - 60 a month, how is that a ton? If you're not making enough, then you should reconsider a new employment or cancel that case of beer and large pizza.

Daniel0, posted November 18, 2009:

I pay around £25 every third month for my VPS. I have 40 GB disk space and 384 MB memory (768 MB burst). If you can't afford that there are probably some things you should reconsider in your economy.

Actually, I have up to 4 GB burst memory because they've configured it incorrectly. I'm not complaining though.

waynew, posted November 18, 2009:

As a student - I'm not willing to pay $30-60 a month.

tibberous (Author), posted November 20, 2009:

It's a dedi. I think what happened is that a guy that used to do work for the company got a virus that stole his FTP passwords. I ended up just restoring the sites from some old backups.

keldorn, posted November 20, 2009:

> It's a dedi. I think what happened is that a guy that used to do work for the company got a virus that stole his FTP passwords. I ended up just restoring the sites from some old backups.

That sounds scary, maybe that offers some more insight into this problem. It might not be related to shared hosting, it could be a virus that steals FTP passwords. That would seem likely, as the passwords are probably not encrypted in any way. I've been hearing, though, that when you remove this malicious code from your pages, it will reappear later on, indicating there might be a cron reinserting the code, or a trojan doing it. If you remove it, and it just keeps reappearing, with no indication where the cron is, you would have to nuke (reformat) the hard drive to get rid of it, unfortunately.

mrMarcus, posted November 22, 2009:

> cancel that case of beer and large pizza.

whoa, slow down a second. let's not make any rash decisions here. priorities, man.

sKunKbad, posted November 23, 2009:

The solution:

1) Never store passwords on your computer
2) Always use an encrypted connection instead of plain FTP

This has nothing to do with the host. This is a virus that is on a computer or network of somebody that has either:

1) Stored the password on their computer
2) Used plain FTP

Happened to me a couple months ago. Ended up being a virus on my mom's computer that is on my network. My computer had no virus, and was up to date with security. Didn't matter though, because the virus on her computer stole the FTP login by looking at the network traffic.

Daniel0, posted November 23, 2009:

> 1) Never store passwords on your computer
> 2) Always use an encrypted connection instead of plain FTP

3) Use public key authentication.

keldorn, posted November 23, 2009:

What's the difference between

1. FTP over SSL implicit
2. FTP over SSL explicit

Are these as safe as SFTP? Is the password at any time going over in the clear with the SSL ones? I can't use SFTP because the FTP program I paid for (smartFTP) requires me to pay more money for that option. (Great way to treat your customer btw. Like how often do I buy software to begin with to have me pay for that extra option.. err)

Daniel0, posted November 23, 2009:

> I can't use SFTP because the FTP program I paid for (smartFTP) requires me to pay more money for that option. (Great way to treat your customer btw. Like how often do I buy software to begin with. It's like an insult, I may as well have just pirated it.)

Then ditch it and get something else. WinSCP is open source and supports it.

sKunKbad, posted November 25, 2009:

I'm using FileZilla, which is free, with FTPeS and have had no problems since abandoning plain FTP. I don't store passwords in FileZilla anymore either. What I've found is that the way I can connect depends on the host more than anything. I have a few accounts on Inmotion hosting and mddhosting, and both accept FTPeS connections. I have a customer with Godaddy, and they don't allow a secure connection for his account, even though they say they do. Whatever the situation, make sure to go with the most secure connection (and a good host).

I haven't used public key authentication. Don't know how either. Guess I'll have to look it up.