DotDragnet
Author Topic: Webpage Injections [RESOLVED - hopefully]  (Read 405 times)
Haze
« on: January 05, 2012, 11:24:43 AM »

Hi all,

A personal friend got in touch today to say that his website has malware associated with it. He now takes charge of editing his site, and all I could find that looked odd was a link to
Quote
http:// bs. serving - tracking . com /? campaignid = 135324812&type=tracking
. I am Googling info on it at the moment, but just wanted to mention it.
« Last Edit: January 06, 2012, 12:31:33 AM by Haze » Logged
Dom
« Reply #1 on: January 05, 2012, 03:29:59 PM »

Was it a WordPress site, perchance? I've had the same thing happen to me (although with a different link) and it turned out to be a compromised WordPress theme. I had to completely uninstall the theme and use a new one.
Logged

rutty
« Reply #2 on: January 05, 2012, 05:22:52 PM »

What Dom says - happened to me too (my own stupid fault for downloading from a free themes site).

Look in the theme for some BASE64 code that's obfuscating something malicious. My links to malware popped in and out and it was VERY hard to pin down what the hell was going on.
Logged

sarahA
« Reply #3 on: January 05, 2012, 07:18:00 PM »

Most injected malware these days is via base64-encoded PHP or JavaScript. Sometimes it's also set to only show you once and then if you return you don't see it, making it harder to pinpoint.
Logged

Haze
« Reply #4 on: January 05, 2012, 09:45:36 PM »

Wasn't a WP site, seems his site was the only one affected on the server, I am told. There were 6 or 7 files affected. Just had to edit and remove the code, and generate a new password for him.
Logged
Dom
« Reply #5 on: January 06, 2012, 10:17:40 AM »

I removed the offending code from my WordPress theme when I found it (and yep, it was some BASE64-encoded nasty that was doing it) but I found that even then, whoever it was managed to put the code back in afterwards.

It might not be a WP site, and might only affect one of your sites, but I'd be a little concerned about how they did it in the first place, or else simply taking the offending code out might not stop them from being able to put it back again. With me, I had to completely remove the theme, and the database amendments, and use something else.

Just some food for thought. :)
Logged

sarahA
« Reply #6 on: January 06, 2012, 12:32:05 PM »

If it's on an 'open' shared server (i.e. not running PHPsuExec), then they can get in via any site on the server and edit your files. So your site could be as secure as possible, but it's relying on your server neighbours that's the frustrating part.
Logged
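
One way to carry out the search suggested in the replies above (looking through a site's files for BASE64-encoded PHP or JavaScript), as an added example that is not from any poster in this thread: a Python scanner that flags quoted base64 literals sitting next to decoder calls such as `eval` or `base64_decode` and decodes them to show any hidden URL. The sample file contents and the host `tracker.example.invalid` are constructed placeholders.

```python
import base64
import re
from pathlib import Path

# Functions that injected PHP/JavaScript typically wraps around an encoded payload.
DECODER_CALL = re.compile(r"\b(eval|assert|base64_decode|gzinflate|str_rot13|atob)\s*\(", re.I)
# A quoted literal of 40 or more base64 characters.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")
URL = re.compile(rb'''https?://[^\s'"<>)]+''')
SCANNED_SUFFIXES = {".php", ".inc", ".js", ".html", ".htm"}

def scan_text(text):
    """Return one finding per suspicious base64 literal in a file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        calls = sorted({m.group(1).lower() for m in DECODER_CALL.finditer(line)})
        for match in B64_LITERAL.finditer(line):
            blob = match.group(1)
            try:
                decoded = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            except ValueError:  # not valid base64 after all
                continue
            urls = [u.decode("ascii", "replace") for u in URL.findall(decoded)]
            # Report only literals that sit next to a decoder call or hide a URL,
            # so ordinary embedded data is not flagged.
            if calls or urls:
                findings.append({"line": lineno, "calls": calls, "urls": urls})
    return findings

def scan_tree(root):
    """Scan every web-served source file under root; map path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: a theme footer with an encoded script tag pointing at a
# placeholder host. The payload is built here so the example runs offline.
_payload = base64.b64encode(
    b'echo \'<script src="http://tracker.example.invalid/?id=1"></script>\';').decode()
SAMPLE_INFECTED = f"<?php get_footer();\neval(base64_decode('{_payload}'));\n?>"
SAMPLE_CLEAN = "<?php get_footer(); ?>"

if __name__ == "__main__":
    print(scan_text(SAMPLE_INFECTED))
```

A hit shows where injected code sits, not how it was written there; as the thread notes, it can reappear until the way in is closed.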
