Malware attack

    Not sure if this is the correct forum section, but:
    My site was hacked into at around 0520 this morning and all of the HTML files were infected with the following malware:

    detected: Trojan program Trojan-Downloader.HTML.Agent.mu
    URL: gogo2me.net/.go/check.html
    It is a hidden IFRAME that redirects users to some dodgy sites (above).
    Luckily I was quite quick and the site was not trawled and marked as bad by Google etc.

    I have cleaned the whole site and re-loaded files where necessary.
    I have updated and strengthened my server password.
    All file access codes are 644 or higher - I think.
    Does anyone here have experience of this, especially about where the malicious script might be lurking? Or was it just a brute force attack on the server that got somebody user access rights?
    My event logs don't show any evidence of access.

    I hesitate to ask on the forum but - is there anything I need to check for corruption within my ACTv9 directories?

    Any experienced guidance would be appreciated.
    http://www.bowstock.co.uk

    #2
    Does anyone here have experience of this, especially about where the malicious script might be lurking?
    This type of attack tends to place code within an iframe on HTML pages (as you have surmised). The solution is to refresh the website (as you have done), but it is advisable to check that the files in the preview folder do not contain the code, i.e. that the attack has come from the server and not from your PC.



      #3
      Who hosts your site, and is it a shared/VPS/dedicated server? Contacting your host ASAP is the best advice you'll get.



        #4
        I have contacted Webfusion and am waiting to hear back - I am on a shared server.

        My P_html files seem to be OK - It's quite easy to spot the rogue ones as they are about 100k too big.
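The two checks suggested in the replies above, put into one script: post #2 (search the tree, preview copy included, for the injected tag) and post #4 (infected files are noticeably larger than the clean ones). This is an added example, not code from the thread or from the shop software. The sample pages, the padding, the placeholder host name bad-host.invalid and all function names are my own assumptions; the iframe only copies the shape described in the thread (hidden, zero size, pointing off-site).

```python
import re
import tempfile
from pathlib import Path

# Constructed sample pages standing in for a shared-host public_html tree.
# The iframe mimics the hidden, zero-size, off-site tag described in the
# thread; bad-host.invalid is a placeholder, not a real address.
CLEAN_PAGE = "<html><body><h1>Catalogue</h1><p>Welcome to the shop.</p></body></html>\n"
INJECTED_TAG = (
    '<iframe src="http://bad-host.invalid/.go/check.html" width="0" height="0" '
    'style="visibility:hidden"></iframe>\n'
)
# Padding so the infected copy is clearly larger, as the thread's files were.
PADDING = "<!-- " + "A" * 2000 + " -->\n"

# An iframe whose width or height is 0, or which is styled invisible.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?(?:\bwidth\s*=\s*[\"']?0\b|\bheight\s*=\s*[\"']?0\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>",
    re.IGNORECASE,
)
SRC_ATTR = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def find_hidden_iframes(html):
    """Return the src of each iframe sized or styled so a visitor cannot see it."""
    hits = []
    for tag in HIDDEN_IFRAME.finditer(html):
        src = SRC_ATTR.search(tag.group(0))
        hits.append(src.group(1) if src else "(no src)")
    return hits


def scan_site(root, reference=None, size_slack=1024):
    """Walk root and return {relative_path: [reasons]} for suspect HTML files.

    reference maps relative path -> byte size taken from a known-clean copy
    (the 'about 100k too big' check from the thread); size_slack is how many
    bytes of growth are tolerated before a file is flagged.
    """
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in (".html", ".htm"):
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        srcs = find_hidden_iframes(path.read_text(errors="replace"))
        if srcs:
            reasons.append("hidden iframe -> " + ", ".join(srcs))
        if reference is not None and rel in reference:
            grown = path.stat().st_size - reference[rel]
            if grown > size_slack:
                reasons.append(f"{grown} bytes larger than clean copy")
        if reasons:
            findings[rel] = reasons
    return findings


def demo():
    """Build a throwaway sample site (constructed data), scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        (site / "acatalog").mkdir(parents=True)
        (site / "index.html").write_text(CLEAN_PAGE)
        (site / "acatalog" / "Catalogue.html").write_text(CLEAN_PAGE + PADDING + INJECTED_TAG)
        # Sizes of the clean local copy, as a manifest keyed by relative path.
        reference = {"index.html": len(CLEAN_PAGE), "acatalog/Catalogue.html": len(CLEAN_PAGE)}
        return scan_site(site, reference)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel)
        for reason in reasons:
            print("   ", reason)
```

Run it against a download of the live site and against the local preview copy; if the preview copy is clean and only the server copy is flagged, the write happened on the server side, which is the distinction post #2 is drawing.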



          #5
          Update

          Webfusion tech support inform me that their server FTP code was compromised and some older passwords were taken. There may be a duff .htaccess file somewhere as well...

          It's now fixed - they say - but I am annoyed that they didn't contact me with a warning about this instead of waiting for me to get blitzed.

          I suppose I got lax with my password procedure - it was about a year old. I'll be changing it every two weeks now until I get lazy again.

          Thanks for the help anyway



            #6
            Time to change hosts. When you are looking, look for one with a good security record.

            May I suggest locking your computer in a block of concrete too?



              #7
              Just checking folder permissions on the server - out of interest should the acatalog folder be 777 or can it be set at a better level of protection? It is inside public_html which is 755.



                #8
                Needs to be 755 or 777 depending on the host's setup, IIRC.

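An added audit for the permission question in #7 and #8, not from the thread or from the shop software. It walks a tree and flags anything looser than 755 for directories and 644 for files, world-writable (777) entries in particular: on a shared server, world-writable means every other account on the box can write there, not just the web server. The allow_writable list, the 775 fallback for a directory the store genuinely must write to, and the sample layout are assumptions for the example; what your host actually needs is something to confirm with them.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed targets for a shared-host layout: directories 755, files 644.
DIR_MODE = 0o755
FILE_MODE = 0o644


def audit_permissions(root, allow_writable=()):
    """Return [(relative_path, current_mode, recommended_mode)] for every entry
    that carries permission bits beyond the target mode.

    allow_writable lists relative paths the site software must write to
    (assumed here, e.g. 'acatalog'); those are allowed group write (775/664),
    never world write.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue
        rel = path.relative_to(root).as_posix()
        mode = stat.S_IMODE(path.stat().st_mode)
        target = DIR_MODE if path.is_dir() else FILE_MODE
        if rel in allow_writable:
            target |= stat.S_IWGRP  # group may write; the world still may not
        if mode & ~target:  # any bit set that the target does not allow
            findings.append((rel, mode, target))
    return findings


def apply_recommended(root, findings):
    """chmod each flagged entry to its recommended mode."""
    for rel, _current, target in findings:
        os.chmod(Path(root) / rel, target)


def demo():
    """Build a constructed sample tree with loose modes, audit, fix, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        (site / "acatalog").mkdir(parents=True)
        (site / "index.html").write_text("<html></html>\n")
        (site / "acatalog" / "Catalogue.html").write_text("<html></html>\n")
        (site / ".htaccess").write_text("Options -Indexes\n")
        os.chmod(site / "acatalog", 0o777)                   # the 777 from the thread
        os.chmod(site / "acatalog" / "Catalogue.html", 0o666)  # world-writable file
        os.chmod(site / "index.html", 0o644)
        os.chmod(site / ".htaccess", 0o644)
        before = audit_permissions(site, allow_writable=("acatalog",))
        apply_recommended(site, before)
        after = audit_permissions(site, allow_writable=("acatalog",))
        return before, after


if __name__ == "__main__":
    before, after = demo()
    for rel, mode, target in before:
        print(f"{rel}: {oct(mode)} -> recommend {oct(target)}")
    print("remaining after fix:", after)
```

The audit only reports bits looser than the target, so a file already at 600 or a directory at 700 is not flagged. Running it over a downloaded copy of the site is pointless, since FTP clients do not preserve server modes; it has to run on the server itself (SSH, or a host control panel that exposes modes) to show the real picture.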



                  #9
                  Thanks Rich.

                  Just as a matter of interest: every time I came out of my FTP client it came up with "file still being edited". When I checked, it was the .htaccess file. Would it be possible for a third party to hang on to editing rights by keeping this file open constantly, or am I being paranoid? I managed to close it anyway after checking there were no unwanted links inserted.



                    #10
                    Why not edit the file on your PC and upload after changing it rather than changing it online?
