Overview
When you visit an infected site, your PC may become infected. The infected PC may be compromised with spyware that sends your FTP access information to the attacker. Your username and password are then used to hack your sites by embedding a script in your web files. Your site then becomes a malware site and spreads the malware further. It may even be blacklisted by Google and other sites.
Symptoms
Your web pages are slow to load, possibly while the malicious code communicates with its master.
When you visit the site, your computer starts frantic disk activity and the browser locks up.
A bar at the top of the page prompts you to download a Microsoft Add-on.
If your PC is compromised it may display the following symptoms:
Your computer has generally slowed down.
You experience browser hijacking, possibly "search engine" redirection.
Other websites that you manage start to get infected.
How the hacking script looks (in asp files)
<script language=javascript><!--
document.write(unescape('%3CscAw
----- some detail has been removed -----
CKizgpt%3E').replace(/UbF|ubC|PT|eB|zg|CK|AwM|Sz|s1R|Tf1/g,""));
--></script>
How the hacking script looks (in html and js files)
</head>
<script language=javascript><!--
document.write('<script src=http:/
----some detail has been removed ----
mage.php ><script>'); --></script> <body>
How the hacking script looks (in php files)
<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST
----- some detail has been removed -----
lkojfghx2(); ?>
Cause
Malware may infect your computer when you visit an infected site. The infection is some kind of spyware which extracts FTP information from your browser, probably the URL and username. The attackers then crack the password using brute force.
A malicious login over FTP then rewrites many of your website files. (Please ask our support to check your FTP logs and align the times with your file dates and times.)
Resolution
1. Keeping a strong password is crucial and is the first step in protecting your website. Use a password with upper-case and lower-case letters, numbers and symbols or characters. The longer the password the better. Change your password every 3 months at minimum.
2. Meticulously clean out all traces of the malware from your website by
reloading pages or editing out the hack code. Check hidden directories
for infected files.
3. Use a good virus scanner and keep it up to date. Also keep a trojan
scanner on your computer. Maintaining a clean PC is good practice as
one of the most popular iFrame Hacks comes from an infected PC.
4. Backing up your website is a must. You should always have a current copy of your website on your computer. Keep the files on your PC, a USB key or an external hard drive; it can save you from a major headache.
5. File permission security. Many scripts these days require you to set full permissions (777 permissions on files and/or folders). This is NOT safe in any way and we highly recommend you do not do that. Full permission (777) allows all users to have full access to that folder and file. To remedy this, always use read/execute (755 or 644 permissions). Your script should still operate without any issues at all.
6. Keep your software/scripts up to date. You should ALWAYS check your software or script provider for updates, patches or new versions. When software is released, not only are there new features but security is always tightened and bugs are also fixed. Making sure your script is up to date is critical in maintaining a safe website.
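The checks from steps 2 and 5 can be scripted. The following is an added example, not part of the original article: it walks a web root (hidden directories included), flags files that match patterns modelled on the three injected snippets shown above, flags world-writable permissions, and reports modification times so they can be compared with the FTP logs. The function names and signature labels are assumptions, and real variants of the injected code will differ, so treat every hit as a lead for manual review.

```python
import os, re, stat, sys, time

# Patterns modelled on the three injected snippets quoted in this article.
# Assumption: variants will differ, so a hit is a lead for manual review.
SIGNATURES = {
    "unescape-write": re.compile(rb"document\.write\(\s*unescape\(\s*['\"]%3C", re.I),
    "script-write": re.compile(rb"document\.write\(\s*['\"]<script\s+src\s*=\s*http", re.I),
    "php-stub": re.compile(
        rb"<\?php\s+if\s*\(\s*!\s*function_exists\(\s*['\"]tmp_\w+['\"]\s*\)\s*\)"
        rb"\s*\{\s*if\s*\(\s*isset\(\s*\$_POST", re.I),
}
WEB_EXTENSIONS = (".asp", ".html", ".htm", ".js", ".php")


def check_path(path):
    """Return the list of findings for one file or directory."""
    findings = []
    if os.stat(path).st_mode & stat.S_IWOTH:  # e.g. 777 or 666
        findings.append("world-writable")
    if os.path.isfile(path) and path.lower().endswith(WEB_EXTENSIONS):
        with open(path, "rb") as fh:
            data = fh.read()
        findings += [name for name, rx in SIGNATURES.items() if rx.search(data)]
    return findings


def scan_tree(root):
    """Walk root (hidden directories included); map path -> findings and mtime."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow links out of the web root
            findings = check_path(path)
            if findings:
                mtime = time.strftime("%Y-%m-%d %H:%M:%S",
                                      time.localtime(os.path.getmtime(path)))
                report[path] = {"findings": findings, "mtime": mtime}
    return report


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, info in sorted(scan_tree(root).items()):
        print(info["mtime"], ",".join(info["findings"]), path)
```

Run it against a local copy of the site or on the server itself; files whose modification times cluster around a suspicious FTP login deserve the closest look.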
Summary
1) Reset all FTP passwords regularly.
2) Keep your anti-virus updated and always scan your computer for viruses and malware.
3) Don't save FTP passwords in your FTP clients.
4) Use secure FTP (we published an article about secure FTP here