Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 06-20-2009, 01:42 AM   #1
Ecchi22
IFrame Virus/Trojan experiences & question.. Please share yours

A few months ago, I had to deal with this problem..

Some weird piece of code affected almost all my sites on a shared hosting, but it happened on my dedicated too.

Somehow it injects code in .html and .php pages, usually ones with "index" and "home" names. Some antiviruses detect them, some don't, but Google stamps a "warning" on your site which, you have to admit, is pretty bad and decreases the traffic a lot (in my case, 6 times less traffic).

I tried to clean this code and update almost every CMS software I had on my host, but the problem was still occurring.
Contacted hosting support too, and they told me to change all my passwords (cPanel & FTP accounts). I've done that and everything seemed to be fine. Forgot to mention that I spent lots of time using Google Webmaster Tools to request a review after the cleanup.

Yesterday, I noticed this code being injected again. I cleaned it up, but I'm getting a bit worried now, so I'd like to stop it once forever (ok, at least for some time).

In order to isolate my side in this problem, I worked 2 months on a newly installed Linux machine with all new passwords for the host, but some sites still got infected.

What's your experience with this and similar thingies? Is it a hosting issue or something else? Any prevention tips?
Last edited by Ecchi22; 06-20-2009 at 01:43 AM..
Old 06-20-2009, 02:08 AM   #2
klinton
Clean your PC, trust me... !

I had the same situation

It gets your FTP pass and then reuploads infected files
Old 06-20-2009, 02:45 AM   #3
k0nr4d
I've had a few clients have a problem like this. It's a computer virus that sniffs out ftp info and either sends it off to another machine which in turn injects this code onto index.html/index.php files, or it causes your own machine to ftp in.

Run a virus scanner, change all your FTP passwords afterwards
Old 06-20-2009, 03:11 AM   #4
Ecchi22
Thanks for your answers.. I might have left over some FTP accounts, going to change their passwords too.

Anyway I'll recheck my own security too. Thanks!
Old 06-20-2009, 04:21 AM   #5
redwhiteandblue
Quote:
Originally Posted by klinton View Post
Clean your PC, trust me... !

I had the same situation

it gets your ftp pass and then reupload infected files

Yep, I'm pretty sure I had the same. It was happening on two different servers even after changing the passwords but after I scanned my PC with Kaspersky a couple of times it stopped.
Old 06-20-2009, 09:49 PM   #6
bigalownz
Change your FTP passwords ASAP and then change them every week or so
Old 06-20-2009, 10:13 PM   #7
Robo
...and if you want to resolve the problem for some time, chmod your index.html or index.php to 444 (no writing possible, not even for the owner).
When you update your index files you'll need to delete them first (or chmod again), but any virus will also have no way to get to the index files.
If your site is updated automatically, it can be a problem.
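A defender-side audit for the two points raised in this thread (code injected into index/home .html and .php pages, and the chmod 444 suggestion), given as an added example that is not from any poster. The hidden-iframe heuristic, the function names `audit` and `demo`, and the sample pages are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Heuristic (assumption, not from the thread): injected iframes are hidden from
# visitors, so flag 0/1-pixel dimensions or CSS that hides the element.
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(
    r"""(?:width|height)\s*=\s*["']?[01](?:px)?["'\s>]"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)
TARGET = re.compile(r"^(index|home).*\.(html?|php)$", re.I)

def audit(webroot):
    """Return one finding per index*/home* page found under webroot."""
    findings = []
    for folder, _dirs, files in os.walk(webroot):
        for name in sorted(files):
            if not TARGET.match(name):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                tags = IFRAME.findall(fh.read())
            mode = stat.S_IMODE(os.stat(path).st_mode)
            findings.append({
                "path": path,
                "hidden_iframes": [t for t in tags if HIDDEN.search(t)],
                "writable": bool(mode & 0o222),  # False after chmod 444
            })
    return findings

def demo():
    """Audit a constructed two-page webroot (sample data, built in a temp dir)."""
    root = tempfile.mkdtemp()
    pages = {  # file name -> (constructed content, mode)
        "index.html": ('<iframe src="/player" width="640" height="360"></iframe>', 0o444),
        "home.php": ('<?php echo "hi"; ?><iframe src="http://example.invalid/x" '
                     'width=1 height=1 style="visibility:hidden"></iframe>', 0o644),
    }
    for name, (content, mode) in pages.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return {os.path.basename(f["path"]): f for f in audit(root)}

if __name__ == "__main__":
    for name, f in demo().items():
        print(name, len(f["hidden_iframes"]), "hidden; writable:", f["writable"])
```

The `writable` flag only reports mode bits; the file's owner can change them back, so the audit is worth rerunning on a schedule.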
Old 06-20-2009, 10:37 PM   #8
harvey
I posted the solution here, check it out. We cleaned 3 PCs and everybody that asked for help could clean it with no problem and the fucking thing never got back. Lots of steps, but well, you gotta do it