Re: website with suspected injection code
I've seen this more often than most probably have. Most of the time, a person logged in via ftp, downloaded a bunch of files, then probably ran a program that does a mass insert of the malicious code to the files, then uploaded them again to the website. The other common way is a script with a vulnerability installed on the site. I've seen this in a lot of WordPress third party plugins/themes. It allows the hacker to upload a malicious script that basically gives them file access via the browser.
Usually the cause of the problem is a keylogger/spyware installed on the computer of a person that had ftp access to the site. I always recommend that the client do a full virus scan of their computer with a good, up-to-date virus scanner and, after fixing the problem, change the ftp password.
You can normally find the files that are compromised by looking at the file dates. The file dates of the files that were compromised should all have the same date and almost same time stamp. Sometimes htm/html extensions are the ones they got, sometimes php or js extensions, sometimes all of them.
Usually the same code is injected in all the files, and it's normally at the very end of the file. For a few files, it's not too hard to remove, but if you have hundreds of files, it gets rather monotonous, and if you have a search and replace program installed on your computer, you should be able to use it to remove all the code similarly to how the hacker put it in.
Another way is if your host has a backup; many do backups daily. Some retain more than one backup. If they have a backup older than the date the site was compromised, they may restore the files for you.
Of course, if you have your own backup also, you may use that to overwrite the infected files.
Some hosting control panels have a virus scanner in them. It's great for finding malicious files and also sometimes finds files that have been injected with malicious code. It may give a delete and/or quarantine option for files it finds, but, I just like it for finding them quickly so I know what files to investigate.
Your host may also give you access to ftp logs. These are great for a few reasons. They allow you to see what files were downloaded/uploaded and the IP address of the hacker (which is often just a proxy/infected computer/infected server and not very meaningful), but you should also see the IP address of the legitimate user that last logged in before the hacker, to give you a clue to whose computer may be infected. I've seen the hacker log in anywhere from a few days to a few weeks after the legit user logged in.
Chris
LotsMoreHosting.com
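Added example (not from the post above or from LotsMoreHosting): a Python script that applies the post's two tells, files whose modification times cluster on the same date and time, and an identical block sitting at the very end of each of them, to a constructed sample tree, then strips the shared tail while keeping a copy of every file it touches. The marker string, file names and the 120-second window are assumptions.

```python
import os, tempfile, time
from pathlib import Path
# Constructed stand-in for the code the post says gets appended to the very end of each hit file.
INJECTED_TAIL = "<!-- constructed-injection-marker -->\n"
# Constructed sample site, name -> (content, age in days): three files edited in one run.
SAMPLE = {
    "about.html": ("<p>About</p>\n", 90),
    "lib.php": ("<?php echo 1; ?>\n", 90),
    "index.html": ("<p>Home</p>\n" + INJECTED_TAIL, 3),
    "main.js": ("var a=1;\n" + INJECTED_TAIL, 3),
    "x.php": ("<?php ?>\n" + INJECTED_TAIL, 3),
}

def build_sample_site():
    root = Path(tempfile.mkdtemp(prefix="site_"))
    for name, (body, age) in SAMPLE.items():
        (root / name).write_text(body)
        os.utime(root / name, (time.time() - age * 86400,) * 2)
    return root

def mtime_clusters(root, window=120):
    # Sort by mtime and cut wherever the gap exceeds `window`; a mass edit leaves one tight cluster.
    files = sorted((p for p in Path(root).rglob("*") if p.is_file()), key=lambda p: p.stat().st_mtime)
    clusters = []
    for p in files:
        if clusters and p.stat().st_mtime - clusters[-1][-1].stat().st_mtime <= window:
            clusters[-1].append(p)
        else:
            clusters.append([p])
    return clusters  # oldest first, so clusters[-1] is the most recent batch of changes

def common_tail(paths):
    # Common trailing lines of all the files (whole lines only, so a shared partial line is ignored).
    lines = [p.read_text(errors="replace").splitlines(keepends=True) for p in paths]
    tail = lines[0]
    for ls in lines[1:]:
        n = 0
        while n < min(len(tail), len(ls)) and tail[-1 - n] == ls[-1 - n]:
            n += 1
        tail = tail[len(tail) - n:]
    return "".join(tail)

def strip_tail(paths, tail):
    # Keep a copy beside each file, then cut the shared tail; returns how many files were cleaned.
    cleaned = 0
    for p in paths:
        text = p.read_text(errors="replace")
        if tail and text.endswith(tail):
            p.with_name(p.name + ".pre-clean").write_text(text)
            p.write_text(text[: -len(tail)])
            cleaned += 1
    return cleaned
```

Run the clustering before stripping, since the `.pre-clean` copies land in the same tree and would otherwise join the newest cluster.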