Virus Infected My Server

11 replies
Hello,

Some weird php file found its way onto my server and corrupted all my html files by adding a line of

script src="some dodgy site/somefile.php"

to each html file.

I deleted the offending php file and manually went over all the corrupted files and removed the <script> line.

This was two days ago. This morning I check my server - the html files are corrupted again... but no php file.

With no source corrupting php program to delete, I again manually deleted all the corrupted code from my html files but this time I also changed my account password.

Will changing my account/server/ftp password prevent the virus from coming back if it's not lurking somewhere on my server? Is there anything else I can do to stop my files from becoming corrupted?

I ran an anti-virus scan on my computer... it found/took care of some stuff in the cookies folder but nothing else.

I appreciate any input. Thanks in advance.

Gil-Ad
#infected #server #virus
  • Profile picture of the author HomeBizNizz
    Yeah, some one has most likely got in
    with FTP access and did this.

    How long is your username/password...?
    I have mine at 20 characters to be sure.
    My username was 7 letters and password was 7 letters then I was hacked.

    Go here to make strong passwords: www.goodpassword.com
    {{ DiscussionBoard.errors[1421002].message }}
  • Profile picture of the author ghyphena
    11 characters, including uppercase, lowercase and numbers. Not a dictionary word. :-S

    Gil-Ad
    Signature

    Gil-Ad Schwartz

    {{ DiscussionBoard.errors[1421018].message }}
  • Profile picture of the author windtalker
    Did you scan your server? They also could have got into your server by a exploit within a script you are using.
    Signature

    WarriorJ

    {{ DiscussionBoard.errors[1421109].message }}
  • Profile picture of the author ghyphena
    Thanks. Sorry to sound so technically incompetent... but how do I do that? I went over all the php files and I'm more or less sure they're meant to be there. The only thing I installed from an external source is Wordpress, and I'd like to think that that's safe...

    Gil-Ad
    Signature

    Gil-Ad Schwartz

    {{ DiscussionBoard.errors[1421118].message }}
  • Profile picture of the author TristanPerry
    It's probably an exploited script; if you run Wordpress, definitely look into the links provided above.

    Also if your host offers managed services, then you can ask them to look into why this may be happening too.
    Signature
    Plagiarism Guard - Protect Against Content Theft
    {{ DiscussionBoard.errors[1421151].message }}
  • Profile picture of the author ghyphena
    Thanks! It looks like this might be it.

    As Columbo would say: just one thing...

    This is also happening on another server of mine that doesn't have WP on it. Could it have transferred from one to the other via my computer? I have been uploading stuff to both?

    Gil-Ad
    Signature

    Gil-Ad Schwartz

    {{ DiscussionBoard.errors[1421184].message }}
    • Profile picture of the author chaos69
      It shouldn't have done - at least not from my experience, since it is a wordpress exploit. However, not sure why the other site would also have that behaviour. If you remove the code from that site and don't reupload anything does it change by itself? Is that site hosted on the same server?

      Is it possible you uploaded something to the wrong site?

      I would be more than happy to have a look at the other site for you, but only if you have SSH access to the site; Sorry, i dont work with FTP

      [this would be giving me the login information for your site though].
      Signature
      Best Ways To Make Money Online

      Eight bytes walk into a bar. The bartender asks, “Can I get you anything?”
      “Yeah,” reply the bytes. “Make us a double.”
      {{ DiscussionBoard.errors[1421197].message }}
  • Profile picture of the author ghyphena
    OK, as a result of my Googlings, I have now made several discoveries:

    1. This inflection of mine is called a Gumblar
    2. They lurk in php files of their own or as parasites on other php files, as well as in corrupted .htaccess files (as in the case of my non-WP-hosting server - mystery solved).

    Here's what it looks like in htaccess:

    options all
    RewriteEngine on
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule chinchins /cgi-bin/index.pl [L]

    3. WordPress is also susceptible. Especially when your username is "admin" and your password is also "admin".
    4. The person who developed them deserves to be shot.

    I've repaired the corrupted .htaccess file on server 2 and completely removed WP from server 1... Now I will set about re-installing it.

    BTW, I used Fantastico to install WP - do you think that could be part of the problem?

    Thanks so much for all your help, is much appreciated!

    Gil-Ad
    Signature

    Gil-Ad Schwartz

    {{ DiscussionBoard.errors[1421203].message }}
    • Profile picture of the author chaos69
      I dont think Fantastico is to blame itself; it should be no different than installing wordpress manually.

      However, admin:admin is always going to be a bad idea... i'm sure we've all done that though - "ahh, i'll change it later...."

      Glad you got it fixed though.
      Signature
      Best Ways To Make Money Online

      Eight bytes walk into a bar. The bartender asks, “Can I get you anything?”
      “Yeah,” reply the bytes. “Make us a double.”
      {{ DiscussionBoard.errors[1421223].message }}
  • Profile picture of the author HomeComputerGames
    Did you check your FTP logs to make sure no one has your log in information?
    You may also be able to search your weblogs and error logs for the point of entry. There should be some sort of tell tale signs.
    Signature

    yes, I am....

    {{ DiscussionBoard.errors[1423401].message }}

Trending Topics