My site shows a trojan horse when i try to connect to it???

Portal Home > Knowledgebase > Articles Database > My site shows a trojan horse when i try to connect to it???

Posted by Beatplexity, 12-24-2009, 09:03 AM
http://i47.tinypic.com/2qdy1bb.jpg this has only happened during the last day, does anyone know how i could go about fixing it???
Posted by david510, 12-24-2009, 09:13 AM
There should be code injection in your web files. You can check for them in the files. Check for the pattern as follows.
Posted by gregm11, 12-24-2009, 11:55 AM
You probably have been attacked by an injection. You first need to change all FTP passwords and then clean the pages with the code and check your database as well. Then you need to find out the reason, which is probably caused by old code or insecure code. There is a lot of information out there on SQL injections.
Posted by Ramprage, 12-24-2009, 12:23 PM
View your page source for any javascript or iframe code added. You should also scan your computer, apply all patches and change your ftp password.
Posted by Beatplexity, 12-25-2009, 02:38 AM
thanks for the responses people i have change all ftp passwords, cpanel password and root password, im having my server monitoring team restore a previous backup of index.php ill get them to check the databases etc coz i have no idea, hopefully they will be able to find out what caused this :/
Posted by bizness, 12-25-2009, 09:14 PM
are you using joomla by chance ?
Posted by hostultimo, 12-26-2009, 01:27 AM
of you are using any cms or blo files which require cnstant updates that is where the injection could have come from. Dont just change the index.ph file...change all o them. You may also need to resubmit your website to google for them to clear the warning from your pge globally
Posted by Beatplexity, 12-26-2009, 03:26 AM
nah im using a custom cms, ive had my server monitoring company look at it and they have told me the following I scanned the server for hacks with RKHunter and it did not detect any signs of hacks, trojans, rootkits, malicious processes, etc. I cleared out the tmp directories to make sure nothing is hiding in there. the site still shows a trojan horse when i try to connect though
Posted by madaboutlinux, 12-26-2009, 04:00 AM
RkHunter and Chkrootkit cannot detect the injected code in your website files. Such code is mostly injected using Ftp so clearing /tmp won't make any difference. You need to check all your files thoroughly to make sure there is no code OR some encrypted strings. They should definitely be there and you need to remove those and resubmit your website to Google. </td></tr></table><hr /><table><tr><td>Posted by <strong>Beatplexity</strong>, <u>12-26-2009, 05:06 AM</u></td></tr><tr><td>i dont know how to check the files, i have no knowledge of servers nor the website code. is anyone able to help me solve this <<removed>> Last edited by bear; 12-26-2009 at 09:36 AM. </td></tr></table><hr /><table><tr><td>Posted by <strong>hostultimo</strong>, <u>12-26-2009, 05:10 AM</u></td></tr><tr><td>OMG....who made the custom cms for you??? They will obviously be able to notice any changes in the code at a glance. Try them first, if they dont want to do it I will take a look at the code for free but your best bet is either the person who designed the cms or your management company </td></tr></table><hr /><table><tr><td>Posted by <strong>madaboutlinux</strong>, <u>12-26-2009, 05:11 AM</u></td></tr><tr><td>Isn't your hosting company assisting you in this issue? As they are the one who can investigate the issue better and faster as they have the root access to the server. </td></tr></table><hr /><table><tr><td>Posted by <strong>Beatplexity</strong>, <u>12-26-2009, 05:15 AM</u></td></tr><tr><td>the company who made the cms will charge me a small forture to do this and it being Boxing day in the UK i have no chance of getting them to look at it. My server company will not look at this as im on an unmanaged plan my server monitoring company are looking into now, but they arent usually that good at fixing these kind of things :/ </td></tr></table><hr /><table><tr><td>Posted by <strong>bear</strong>, <u>12-26-2009, 09:46 AM</u></td></tr><tr><td>Your index page has this at the bottom: There's a lot more of it. Chances are this is the attacker's code, so that's where to start. Have them look in the FTP logs for the domain to see if there were any affected index pages uploaded recently. </td></tr></table><hr /><table><tr><td>Posted by <strong>Beatplexity</strong>, <u>12-26-2009, 12:39 PM</u></td></tr><tr><td>ive just had a look, and it doesnt seem to be there anymore, maybe they have deleted it already the trojan horse still appears to be showing up when i connect though. </td></tr></table><hr /><table><tr><td>Posted by <strong>bear</strong>, <u>12-26-2009, 12:43 PM</u></td></tr><tr><td>Still there. If you're not seeing it in the raw code on the page, then it's being added when the page is called. All the way at the bottom, after the closing html tag. </td></tr></table><hr /><table><tr><td>Posted by <strong>Beatplexity</strong>, <u>12-26-2009, 12:50 PM</u></td></tr><tr><td>ah god how do i go about fixing this, i dont think my server company will get it fixed, i reported it 24th dec </td></tr></table><hr /><table><tr><td>Posted by <strong>bear</strong>, <u>12-26-2009, 01:10 PM</u></td></tr><tr><td>It sounds like you're anxious to fix it, and can't do so for yourself, so you should consider hiring someone, if you can afford that. You can't ask for offers here, but you can post in the employment offers section: http://www.webhostingtalk.com/forumdisplay.php?f=33 I'm sure there's someone there that can fix this for you. Best of luck. </td></tr></table><hr /><table><tr><td>Posted by <strong>khunj</strong>, <u>12-26-2009, 02:56 PM</u></td></tr><tr><td>Your directory indexes are viewable, even your .htaccess Before you get hacked even more, I would advise you to add those lines to your .htaccess : </td></tr></table><hr /> <br /><br /> </blockquote> <form method="post" action="knowledgebase.php?action=displayarticle&id=7981&useful=vote"> <input type="hidden" name="token" value="5f06783e1f23aa9caa7ad6ed2003716b1bf2e428" /> <p> <strong>Was this answer helpful?</strong> <select name="vote"><option value="yes">Yes</option><option value="no">No</option></select> <input type="submit" value="Vote" class="btn" /> </p> </form> <p><img src="images/addtofavouritesicon.gif" align="absmiddle" alt="Add to Favourites" /> <a href="#" onClick="addBookmark();return false">Add to Favourites</a>    <img src="images/print.gif" align="absmiddle" alt="Print this Article" /> <a href="#" onclick="window.print();return false">Print this Article</a></p> <div class="kbalsoread">Also Read</div> <div class="kbarticle"> <img src="images/article.gif" align="middle" alt="" /> <strong><a href="knowledgebase.php?action=displayarticle&id=6718">Windows Reseller with HELM</a></strong> <span class="kbviews">(Views: 634)</span> </div> <div class="kbarticle"> <img src="images/article.gif" align="middle" alt="" /> <strong><a href="knowledgebase.php?action=displayarticle&id=6967">Reseller Web hosting</a></strong> <span class="kbviews">(Views: 843)</span> </div> <div class="kbarticle"> <img src="images/article.gif" align="middle" alt="" /> <strong><a href="knowledgebase.php?action=displayarticle&id=6435">Acquiring a Managed Hosting Provider</a></strong> <span class="kbviews">(Views: 657)</span> </div> <div class="kbarticle"> <img src="images/article.gif" align="middle" alt="" /> <strong><a href="knowledgebase.php?action=displayarticle&id=6666">Traceroot from my PC - how?</a></strong> <span class="kbviews">(Views: 645)</span> </div> <div class="kbarticle"> <img src="images/article.gif" align="middle" alt="" /> <strong><a href="knowledgebase.php?action=displayarticle&id=6950">In need of advice</a></strong> <span class="kbviews">(Views: 660)</span> </div> <br /> <div align="right"><form method="post" action="/knowledgebase.php?action=displayarticle&id=7981" name="languagefrm" id="languagefrm"> <input type="hidden" name="token" value="5f06783e1f23aa9caa7ad6ed2003716b1bf2e428" /><strong>Language:</strong> <select name="language" onchange="languagefrm.submit()"><option>Arabic</option><option>Azerbaijani</option><option>Catalan</option><option>Croatian</option><option>Czech</option><option>Danish</option><option>Dutch</option><option selected="selected">English</option><option>Farsi</option><option>French</option><option>German</option><option>Hungarian</option><option>Italian</option><option>Norwegian</option><option>Portuguese-br</option><option>Portuguese-pt</option><option>Russian</option><option>Spanish</option><option>Swedish</option><option>Turkish</option><option>Ukranian</option></select></form></div><br /> </div> </div> </div> <div class="logoz"></div>  </div> <div class="footer"> <div class="wrapper"> <div class="sitemap"> <h2>Our Services</h2> <ul> <li><a href="domainchecker.php">Domain Registration</a></li> <li><a href="sharedhosting.php">EU Shared Hosting</a></li> <li><a href="usasharedhosting.php">US Shared Hosting</a></li> <li><a href="vpshosting.php">EU OpenVZ VPS Hosting</a></li> <li><a href="usaopenvzvpshosting.php">US OpenVZ VPS Hosting</a></li> <li><a href="usavpshosting.php">US Xen VPS Hosting</a></li>   </ul>  </div> <div class="sitemap"> <h2>Client Menu</h2> <ul> <li><a href="clientarea.php">My Account</a></li> <li><a href="supporttickets.php">Support Tickets</a></li> <li><a href="submitticket.php">Submit a Ticket</a></li> <li><a href="pwreset.php">Forgot password?</a></li> </ul>  </div> <div class="sitemap"> <h2>Legal</h2> <ul> <li><a href="terms.php">Terms of Service</a></li> <li><a href="privacy.php">Privacy Policy</a></li>  <li><a href="contact.php">Contact Us</a></li> </ul>  </div> <div class="testimonial"> <h2>+1 512-782-9732</h2> <h3>Find any answers<br />you need...</h3> <br> <br> <li><img src="images/logo1.png" alt="PCI Secure" align="absmiddle" /> <li><img src="images/logo2.png" alt="Verefied by VISA" align="absmiddle" /> <li><img src="images/logo3.png" alt="MasterCard SecureCode" align="absmiddle" />  <br><br> </div> <div class="clear"></div> <div class="clear"></div> <div class="copyright"> <div class="copylink"><a href="terms.php">Terms of Service</a> | <a href="privacy.php">Privacy Policy</a> | <a href="knowledgebase.php">FAQs</a> | <a href="affiliates.php">Affiliates</a> | <a href="mailto:braginhost@gmail.com">Email</a></div> <div class="copylink1">Copyright © 2015 BraginHos / CHS Gateway inc. - All Rights Reserved.</div> <div class="clear"></div> <div class="copylink1">Our address: CHS GATEWAY INC c/o Regus Offices, 2598 E. Sunrise Blvd Ste 2104, Fort Lauderdale, Florida 33304, contact phone number: (+1) 512-782-9732, email: support@chsgatewayinc.com</div> <div class="clear"></div>  </div>  </div>  </div>  <script type="text/javascript"> var Tawk_API=Tawk_API||{}, Tawk_LoadStart=new Date(); (function(){ var s1=document.createElement("script"),s0=document.getElementsByTagName("script")[0]; s1.async=true; s1.src='https://embed.tawk.to/5ac0c2324b401e45400e3e83/default'; s1.charset='UTF-8'; s1.setAttribute('crossorigin','*'); s0.parentNode.insertBefore(s1,s0); })(); </script>  </body> </html>