A few sites I run recently got hit by a malware attack, help!

Posted: Tue Feb 09, 2010 5:15 am
by AshSmith2
I run a collection of sites at work, and two of them got hit pretty bad with a malware attack. I managed to clean the sites yesterday but I'm making it a priority to prevent this from happening again.

The step I have taken is simply changing my FTP details, as the passwords used to be words; now they are uppercase, lowercase and numbers, pure gibberish!

Any tips on securing my two (LARGE e-commerce) sites, both of which are in PHP... one is Joomla, and the other is Actinic (awful system, awful)?

Google denied access to one of the two sites, causing us to lose around £800 (approx. $1,240 USD) in sales on Monday. I DO NOT want this to happen again.

Any advice would be fantastic.


The files that got attacked were:
all .js files - had 6 document.write calls which embedded two scripts, one from recentfeed.com and the other from elperiodic.canal-si.com
some deep .php files - the line that got placed would run the eval() function with base64_decode(). From what I believe, these files are the source of the attack. The script would inject a line of HTML (embedding the elperiodic.canal-si.com script) right before the <body> tag on all my pages.
pretty much every plain .html page (most of which are used for blocking access to directories - Joomla's system, not my doing!) - all had the <script> with the src of elperiodic.canal-si.com


Need any more information, feel free to ask, I may have forgotten something - I'd like to keep the sites that got attacked a secret... for security reasons ;)
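
A way to sweep a web root for the three symptoms listed in the post above, added here as an example (it is not part of the original post or anyone's code from the thread). It flags `eval()` fed by `base64_decode()` in any scanned file, and any `<script src>` pointing at a host outside an allowlist, whether in markup or inside a `document.write` string. The sample files, URL paths and the allowlisted host `www.example-shop.test` are constructed; only the two domain names come from the post.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# eval() fed by base64_decode(), optionally through wrapper calls
EVAL_B64 = re.compile(r"eval\s*\(\s*(?:@?\w+\s*\(\s*)*base64_decode\s*\(", re.I)
# src of a <script> tag, in markup or inside a document.write string
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*\\?[\"']?([^\"'\\\s>]+)", re.I)
EXTENSIONS = {".php", ".js", ".html", ".htm"}

def scan_text(text, allowed_hosts):
    """Return (line_number, reason) findings for one file's text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if EVAL_B64.search(line):
            findings.append((n, "eval(base64_decode(...))"))
        for src in SCRIPT_SRC.findall(line):
            host = urlparse(src).hostname  # None for relative (local) paths
            if host and host.lower() not in allowed_hosts:
                findings.append((n, "external script from " + host.lower()))
    return findings

def scan_tree(root, allowed_hosts):
    """Walk root and return {relative_path: findings} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"), allowed_hosts)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Scan a constructed sample tree; every file body here is made up."""
    samples = {
        "index.html": '<html>\n<script src="http://elperiodic.canal-si.com/x.js"></script>\n<body></body></html>',
        "js/menu.js": 'document.write("<script src=\\"http://recentfeed.com/a.js\\"><\\/script>");',
        "lib/deep.php": "<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "clean.html": '<script src="js/menu.js"></script>',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(root, allowed_hosts={"www.example-shop.test"})

if __name__ == "__main__":
    print(demo())
```

A hit only marks a file for review; comparing the tree against a known-good backup or the vendor's original package is what confirms which lines were injected.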

Re: A few sites I run recently got hit by a malware attack, help!

Posted: Tue Feb 09, 2010 5:39 am
by aravona
Recently had a similar issue - php files / js files got a section of malicious code placed on the end of the code right before the </body> tag. All we could do was go through the files and remove the code manually (well, mass back-ups were easier but some of our back-ups aren't easy to get hold of).

Looked like gibberish - but it's creating elements, and uses a lot of special characters. Cleared up most of the sites though still finding it here and there - Kaspersky picks the code up as a trojan and blocks it but only on local machines. If I had my way I'd have my own server and have anti-virus software I trust on it; ideal worlds don't exist, however. Though the code we had didn't have the sites on it but sounds just as nasty as yours.

Re: A few sites I run recently got hit by a malware attack, help!

Posted: Tue Feb 09, 2010 5:49 am
by AshSmith2
Yeah, what I've been able to pick up from people is that the site's scripts that run will install malware on your PC without you knowing... and when you visit another site it then infects that site!

You think anti-virus/spyware for the server is a possible solution? If it costs the same (or less) per year than what we lost on Monday then that's a damn sight better than losing half of our sales and infecting people's computers!

Re: A few sites I run recently got hit by a malware attack, help!

Posted: Thu Feb 11, 2010 6:36 am
by kaisellgren
No anti-x software will solve the problem. The root problem needs to be fixed. Unfortunately, security is a complex area. Changing something like the FTP password is the most common and obvious thing to do, but other options include changing passwords of any services running on the site. This may not fix the problem. It might be a vulnerability in Joomla, and I wouldn't be too surprised if it were. Be sure to keep all software up-to-date.