
Code injected into website - is there a program to remove it?



I have a couple of websites that have had malware code added to them. In general, the code is either an iframe, an externally linked JavaScript file, or an eval( base64_decode( 'u65r...')).

 

I thought about just using regex, but I was wondering if there is already a program to remove it.
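A detection-only sketch of the regex approach mentioned above, covering the three patterns the post lists. This is an added example, not part of the original thread; the allowlisted hosts and the sample page are constructed assumptions.

```python
import re
from pathlib import Path

# Hosts the site legitimately embeds from (assumption: edit for your own site).
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}

# Patterns named in the post: PHP eval(base64_decode(...)), iframes, external scripts.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)
EXTERNAL_TAG = re.compile(
    r"<(iframe|script)\b[^>]*?\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)

def scan_text(text):
    """Return (line_no, rule, detail) for every suspicious construct in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if EVAL_B64.search(line):
            findings.append((no, "eval-base64", line.strip()[:60]))
        for tag, host in EXTERNAL_TAG.findall(line):
            host = host.lower().split(":")[0]  # drop any port
            if host not in ALLOWED_HOSTS:
                findings.append((no, "external-" + tag.lower(), host))
    return findings

def scan_tree(root, exts=(".php", ".html", ".htm", ".js", ".inc")):
    """Scan every matching file under root; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample page (not taken from the thread).
SAMPLE = """<html><body>
<script src="https://cdn.example.com/site.js"></script>
<?php eval( base64_decode( 'u65r...' ) ); ?>
<iframe src="http://injected.invalid/x" width="1" height="1"></iframe>
<script src="//injected.invalid/a.js"></script>
</body></html>"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
```

The scanner only reports locations; it does not rewrite files, so each hit can be reviewed or compared against a known-good backup before anything is changed.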

Are you using shared hosting? I've been hearing about this a lot, there seems to be quite a bit of injected code on websites. It all seems to be originating from shared hosting. I guess because on shared, it's too easy to hack the server. So really the security hole might not be yours. It could be 1. Someone has an insecure script  2. Someone registered as a customer to hack the server.

 

#2 is the most frightening, even for people who run shared hosting. You don't know if the customers you're getting have malicious intentions. I could buy hosting most places for $4.99 a month, upload c99.php and see what happens.

It's really that easy. Hence I don't trust shared hosting. I would use a VPS or dedicated.

 

 

 

 

VPS and dedicated servers cost a fuckton that your regular webmaster isn't willing to shell out for.

 

 


 

You can get a VPS for around $30 - 60 a month, how is that a ton? If you're not making enough, then you should reconsider a new employment or cancel that case of beer and large pizza.  :P

 

I pay around £25 every third month for my VPS. I have 40 GB disk space and 384 MB memory (768 MB burst). If you can't afford that there are probably some things you should reconsider in your economy. Actually, I have up to 4 GB burst memory because they've configured it incorrectly. I'm not complaining though.

It's a dedi.

 

I think what happened is that a guy that used to do work for the company got a virus that stole his FTP passwords. I ended up just restoring the sites from some old backups.

 

That sounds scary, maybe that offers some more insight into this problem. It might not be related to shared hosting, it could be a virus that steals FTP passwords. That would seem likely, as the passwords are probably not encrypted in any way. I've been hearing though that when you remove this malicious code from your pages, it will reappear later on, indicating there might be a cron reinserting the code, or a trojan doing it. If you remove it, and it just keeps reappearing, with no indication where the cron is, you would have to nuke (reformat) the hard drive to get rid of it unfortunately. :-[

The solution:

 

1) Never store passwords on your computer

2) Always use an encrypted connection instead of plain FTP

 

This has nothing to do with the host. This is a virus that is on a computer or network of somebody that has either:

 

1) Stored the password on their computer

2) Used plain FTP

 

Happened to me a couple months ago. Ended up being a virus on my mom's computer that is on my network. My computer had no virus, and was up to date with security. Didn't matter though, because the virus on her computer stole the FTP login by looking at the network traffic.

 

 

What's the difference between

 

1. FTP over SSL implicit

2. FTP Over SSL explicit

 

Are these as safe as SFTP? Is the password at any time going over in the clear with the SSL ones?

 

I can't use SFTP because the FTP program I paid for (SmartFTP) requires me to pay more money for that option. (Great way to treat your customer btw  >:(  Like how often do I buy software to begin with to have me pay for that extra option.. err)

I can't use SFTP because the FTP program I paid for (SmartFTP) requires me to pay more money for that option. (Great way to treat your customer btw  >:(  Like how often do I buy software to begin with. It's like an insult, I may as well have just pirated it. )

 

Then ditch it and get something else. WinSCP is open source and supports it.

I'm using FileZilla, which is free, with FTPeS and have had no problems since abandoning plain FTP. I don't store passwords in FileZilla anymore either. What I've found is that the way I can connect depends on the host more than anything. I have a few accounts on Inmotion hosting and mddhosting, and both accept FTPeS connections. I have a customer with Godaddy, and they don't allow a secure connection for his account, even though they say they do. Whatever the situation, make sure to go with the most secure connection (and a good host).

 

I haven't used public key authentication. Don't know how either. Guess I'll have to look it up.
