Code injected into website - is there a program to remove it?

[tibberous]

I have a couple website that have had malware code added to them. In general, the code is either an iframe, an externally linked javascript file, or an eval( base64_decode( 'u65r...')).

 

I thought about just using regex, but I was wondering if there is already a program to remove it.

[Daniel0]

If it's in the files on the filesystem, the easiest thing would probably be to recursively grep the directory where your files are. Then go fix the hole of course.

[keldorn]

Are you using shared hosting?  I've been hearing about this a lot, of injected code on websites. It all seems be originating from shared hosting.

 

[waynewex]

Are you using shared hosting?  I've been hearing about this a lot, there seems be quite bit of injected code on websites. It all seems be originating from shared hosting. I guess becuase on shared, its too easy to hack the server. So really the security hole might not be yours. It could be 1. Someone has a insecure script  2. Someone registered as a customer to hack the server.

 

#2 is the most frieghting even for people who run shared hosting. You dont know if the customers your getting has malicious intentions. I could buy hosting most places $4.99 a month, upload c99.php and see what happens.

Its really that easy. Hence I dont trust shared hosting. I would use a VPS or dedicated.

 

 

 

 

VPS and dedicated servers cost a fuckton that your regular webmaster isn't willing to shell out for.

[keldorn]

 

 

VPS and dedicated servers cost a fuckton that your regular webmaster isn't willing to shell out for.

 

You can get a vps for around $30 - 60 a month , how is that a ton?  If you not making enough, then you should reconider a new employment or cancel that case of beer and large pizza. 

 

[Daniel0]

I pay around £25 every third month for my VPS. I have 40 GB disk space and 384 MB memory (768 MB burst). If you can't afford that there are probably some things you should reconsider in your economy. Actually, I have up to 4 GB burst memory because they've configured it incorrectly. I'm not complaining though.

[waynewex]

As a student - I'm not willing to pay $30-60 a month.

[tibberous]

It's a dedi.

 

I think what happened i that a guy that used to do work for the company got a virus that stole his FTP passwords. I ended up just restoring the sites from some old backups.

[keldorn]

It's a dedi.

 

I think what happened i that a guy that used to do work for the company got a virus that stole his FTP passwords. I ended up just restoring the sites from some old backups.

 

That sounds scary, maby that offers some more insight into this problem. It might not be related to shared hosting, it could be a virus that steals ftp passwords. That would seem likely, as the passwords are probably not encrypted in any way.  I've hearing though that this malicious code when you remove it from your pages, it will repear later on, indicating there might be cron reinserting the code, or a trojan doing it. If you remove it, and just keeps repearing, with no indication where the cron is you would have to nuke (reformat) the harddrive to get rid of it unfortunately.

[mrMarcus]

cancel that case of beer and large pizza.

whoa, slow down a second.  let's not make any rash decisions here.  priorities, man.

[sKunKbad]

The solution:

 

1) Never store passwords on your computer

2) Always use an encrypted connection instead of plain FTP

 

This has nothing to do with the host. This is a virus that is on a computer or network of somebody that has either:

 

1) Stored the password on their computer

2) Used plain FTP

 

Happened to me a couple months ago. Ended up being a virus on my mom's computer that is on my network. My computer had no virus, and was up to date with security. Didn't matter though, because the virus on her computer stole the FTP login by looking at the network traffic.

 

 

[Daniel0]

1) Never store passwords on your computer

2) Always use an encrypted connection instead of plain FTP

 

3) Use public key authentication.

[keldorn]

Whats the difference between

 

1. FTP over SSL implicit

2. FTP Over SSL explicit

 

Are these safe as SFTP? Is the password at any time going over in the clear with the ssl ones?

 

I can't use SFTP becuase the FTP Program I paid for (smartFTP) require me to pay more money for that option. (Great way to treat your customer btw    Like how often  do I buy software to begin with to have me pay for that extra option.. err)

[Daniel0]

I can't use SFTP becuase the FTP Program I paid for (smartFTP) require me to pay more money for that option. (Great way to treat your customer btw    Like how often  do I buy software to begin with. Its like insult, I may as well just pirated it. )

 

Then ditch it and get something else. WinSCP is open source and supports it.

[sKunKbad]

I'm using FileZilla, which is free, with FTPeS and have had no problems since abandoning plain FTP. I don't store passwords in FileZilla anymore either. What I've found is that the way I can connect depends on the host more than anything. I have a few accounts on Inmotion hosting and mddhosting, and both accept FTPeS connections. I have a customer with Godaddy, and they don't allow a secure connection for his account, even though they say they do. Whatever the situation, make sure to go with the most secure connection (and a good host).

 

I haven't used public key authentication. Don't know how either. Guess I'll have to look it up.