My site shows a trojan horse when i try to connect to it???
Posted by Beatplexity, 12-24-2009, 09:03 AM |
http://i47.tinypic.com/2qdy1bb.jpg
This has only happened during the last day; does anyone know how I could go about fixing it???
|
Posted by david510, 12-24-2009, 09:13 AM |
There should be code injection in your web files. You can check for them in the files. Check for the pattern as follows.
|
Posted by gregm11, 12-24-2009, 11:55 AM |
You probably have been attacked by an injection. You first need to change all FTP passwords and then clean the pages with the code and check your database as well. Then you need to find out the reason, which is probably caused by old code or insecure code. There is a lot of information out there on SQL injections.
|
Posted by Ramprage, 12-24-2009, 12:23 PM |
View your page source for any javascript or iframe code added. You should also scan your computer, apply all patches and change your ftp password.
|
Posted by Beatplexity, 12-25-2009, 02:38 AM |
Thanks for the responses, people.
I have changed all FTP passwords, cPanel password and root password. I'm having my server monitoring team restore a previous backup of index.php.
I'll get them to check the databases etc. coz I have no idea; hopefully they will be able to find out what caused this :/
|
Posted by bizness, 12-25-2009, 09:14 PM |
Are you using Joomla by chance?
|
Posted by hostultimo, 12-26-2009, 01:27 AM |
If you are using any CMS or blog files which require constant updates, that is where the injection could have come from. Don't just change the index.php file...change all of them. You may also need to resubmit your website to Google for them to clear the warning from your page globally.
|
Posted by Beatplexity, 12-26-2009, 03:26 AM |
Nah, I'm using a custom CMS. I've had my server monitoring company look at it and they have told me the following:
I scanned the server for hacks with RKHunter and it did not detect any signs of hacks, trojans, rootkits, malicious processes, etc.
I cleared out the tmp directories to make sure nothing is hiding in there.
The site still shows a trojan horse when I try to connect though.
|
Posted by madaboutlinux, 12-26-2009, 04:00 AM |
RkHunter and Chkrootkit cannot detect the injected code in your website files. Such code is mostly injected using FTP, so clearing /tmp won't make any difference. You need to check all your files thoroughly to make sure there is no
|
Posted by Beatplexity, 12-26-2009, 05:06 AM |
I don't know how to check the files; I have no knowledge of servers nor the website code.
Is anyone able to help me solve this <>
Last edited by bear; 12-26-2009 at 09:36 AM.
|
Posted by hostultimo, 12-26-2009, 05:10 AM |
OMG....who made the custom CMS for you??? They will obviously be able to notice any changes in the code at a glance.
Try them first; if they don't want to do it I will take a look at the code for free, but your best bet is either the person who designed the CMS or your management company.
|
Posted by madaboutlinux, 12-26-2009, 05:11 AM |
Isn't your hosting company assisting you in this issue? As they are the one who can investigate the issue better and faster as they have the root access to the server.
|
Posted by Beatplexity, 12-26-2009, 05:15 AM |
The company who made the CMS will charge me a small fortune to do this, and it being Boxing Day in the UK I have no chance of getting them to look at it.
My server company will not look at this as I'm on an unmanaged plan.
My server monitoring company are looking into it now, but they aren't usually that good at fixing these kinds of things :/
|
Posted by bear, 12-26-2009, 09:46 AM |
Your index page has this at the bottom:
There's a lot more of it. Chances are this is the attacker's code, so that's where to start. Have them look in the FTP logs for the domain to see if there were any affected index pages uploaded recently.
|
Posted by Beatplexity, 12-26-2009, 12:39 PM |
I've just had a look, and it doesn't seem to be there anymore; maybe they have deleted it already.
The trojan horse still appears to be showing up when I connect though.
|
Posted by bear, 12-26-2009, 12:43 PM |
Still there. If you're not seeing it in the raw code on the page, then it's being added when the page is called. All the way at the bottom, after the closing html tag.
|
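The file check the replies above describe (script or iframe markup added to pages, including after the closing html tag), as an added example that is not part of any poster's message. The patterns, file extensions and sample pages are assumptions constructed for illustration.

```python
import os
import re
import tempfile

CLOSE_HTML = re.compile(r"</html\s*>", re.I)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
# Attributes that make a frame invisible: 0/1 pixel size or hidden via CSS.
HIDDEN = re.compile(r"(?:width|height)\s*=\s*[\"']?[01](?:px)?[\"'\s>]"
                    r"|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
WEB_EXT = (".php", ".html", ".htm", ".js", ".tpl")  # assumed extensions


def findings(text):
    """Return (kind, snippet) pairs for markup typical of an injected page."""
    out = []
    closes = list(CLOSE_HTML.finditer(text))
    if closes:
        tail = text[closes[-1].end():].strip()
        if tail:  # nothing legitimate follows the closing html tag
            out.append(("after-closing-html", tail[:80]))
    for m in IFRAME.finditer(text):
        if HIDDEN.search(m.group(0)):
            out.append(("hidden-iframe", m.group(0)[:80]))
    return out


def scan_tree(root):
    """Walk a document root and collect findings per web file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXT):
                path = os.path.join(dirpath, name)
                with open(path, errors="replace") as fh:
                    hits = findings(fh.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report


def demo():
    # Constructed sample pages; example.invalid is a placeholder host.
    clean = "<html><body>Hello</body></html>\n"
    bad = clean + '<iframe src="http://example.invalid/x" width=1 height=1></iframe>'
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("about.html", clean), ("index.php", bad)):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan_tree(root)
```

Running `findings()` on the body the web server returns as well as on the file on disk separates a modified file from markup that is appended when the page is called.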
Posted by Beatplexity, 12-26-2009, 12:50 PM |
Ah god, how do I go about fixing this? I don't think my server company will get it fixed; I reported it 24th Dec.
|
Posted by bear, 12-26-2009, 01:10 PM |
It sounds like you're anxious to fix it, and can't do so for yourself, so you should consider hiring someone, if you can afford that. You can't ask for offers here, but you can post in the employment offers section:
http://www.webhostingtalk.com/forumdisplay.php?f=33
I'm sure there's someone there that can fix this for you.
Best of luck.
|
Posted by khunj, 12-26-2009, 02:56 PM |
Your directory indexes are viewable, even your .htaccess.
Before you get hacked even more, I would advise you to add those lines to your .htaccess:
|