Chinese hacker hacked my website

Hello,

Recently a Chinese hacker hacked my website and placed some malicious scripts in some of the files. He also messed up my website homepage. It shows some hacking images with Chinese writing.

Then I took a backup of my website to my computer and scanned all the website files with Avast software. But Avast does not track any malicious script files.

Can you please help me with how I can clean my website files using Avast?

Please let me know if you need any further details from me.

Thanks in advance

Is your website online now?

Check it here >> https://sitecheck.sucuri.net/

Post link to scan result

You may also upload and scan your website code here >> www.virustotal.com

Post link to scan result

I have scanned it in sucuri and it shows “Unable to scan your site. Timeout reached”
https://sitecheck.sucuri.net/results/https/www.gradecalculator.tech

and virustotal shows all well.
https://www.virustotal.com/gui/url/02a9c97d15c3644c9ad2edafab1b6d24ba91f32cbaf9454972d3eba8bc46c8f5/detection

Yes my website is live: https://www.gradecalculator.tech

I have restored my old backup after the hack.

I have scanned it in sucuri and it shows "Unable to scan your site. Timeout reached" https://sitecheck.sucuri.net/results/https/www.gradecalculator.tech
You may ask Sucuri why ... there is a chat

If you need website protection, Sucuri is the one to ask https://sucuri.net/

and virustotal shows all well. https://www.virustotal.com/gui/url/02a9c97d15c3644c9ad2edafab1b6d24ba91f32cbaf9454972d3eba8bc46c8f5/detection
Did you just scan the URL? That is just a URL blacklist check.

You have to upload the HTML code as a file and scan it to see if it contains anything malicious.

Ok let me check.
Thanks for your advice and support.

I have uploaded my website files and folders to VirusTotal, and after the scan they gave me more than 50 files with malicious script.
Thanks to the support team for solving my issue.
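
The thread's fix was to scan the site's files rather than its URL. Where a known-good backup exists, as it did here, comparing file hashes between that backup and the copy taken after the defacement narrows down which files to inspect or upload. This is an added example, not code from the thread; the directory layout and file contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result

def diff_trees(clean_root, suspect_root):
    """Compare a known-good backup with the copy taken after the defacement."""
    clean, suspect = manifest(clean_root), manifest(suspect_root)
    common = clean.keys() & suspect.keys()
    return {
        "added": sorted(set(suspect) - set(clean)),      # files the backup never had
        "removed": sorted(set(clean) - set(suspect)),    # files deleted from the site
        "modified": sorted(p for p in common if clean[p] != suspect[p]),
    }

def build_sample():
    """Create two small constructed trees (not the poster's real files)."""
    base = tempfile.mkdtemp()
    trees = {
        "clean": {"index.html": b"<h1>Grade calculator</h1>", "js/app.js": b"calc();"},
        "suspect": {"index.html": b"<h1>defaced</h1>", "js/app.js": b"calc();",
                    "js/x.php": b"<?php /* unknown file */ ?>"},
    }
    for tree, files in trees.items():
        for rel, data in files.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
    return os.path.join(base, "clean"), os.path.join(base, "suspect")

if __name__ == "__main__":
    for kind, paths in diff_trees(*build_sample()).items():
        print(kind, paths)
```

Every path reported as added or modified is a candidate for file-level scanning; unchanged files match the backup byte for byte.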

Some major configuration errors found, some scans fail for the web address you mention.

Here you have some improvement recommendations based on linting:
https://webhint.io/scanner/6621268d-f132-4637-9424-2ccc0900c31c

Here is a file viewer scan for where your site is redirecting to:
https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Z313e2IuW15zLmZdfXRoLmd9YHB1YmxbXmA%3D~enc

Retirable jQuery libraries:

bootstrap 3.4.1.min Found in -https://grweb.ics.forth.gr/public/assets/js/bootstrap-3.4.1.min.js
Vulnerability info:
High 28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331
jquery 3.2.1.min Found in -https://grweb.ics.forth.gr/public/assets/js/jquery-3.2.1.min.js
Vulnerability info:
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution
Medium Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

Javascript SRC →

error → TypeError: Cannot read property ‘style’ of null
/public/:108

Javascript 11 (external 5, inline 6)
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes

consent.cookiebot.com/uc.js
INLINE: function onSubmit(token) { $( “#w-form” ).submit(); } func
295 bytes

INLINE: checkNonCookieResponse(); function checkNonCookieResponse() {
934 bytes

grweb.ics.forth.gr/public/assets/js/jquery-3.2.1.min.js
grweb.ics.forth.gr/public/assets/js/bootstrap-3.4.1.min.js
INLINE: document.getElementById(“currentYear”).innerHTML = new Date().getFullYear()
84 bytes

grweb.ics.forth.gr/public/assets/js/animate.js
INLINE: $(document).ready(function() { $(“#domain”).focus(); //add
495 bytes

www.google.com/recaptcha/api.js?hl=el&render=onload
INLINE: onload();
9 bytes

ONCLICK: /* a.onclick = */ Cookiebot.renew()
35 bytes

ONCLICK: /* a.onclick = */ Cookiebot.renew()
35 bytes

Re: Externally Linked Host Hosting Provider Country
-eregpublic.eett.gr Hellenic Telecommunications and Post Commision Greece
-www.ics.forth.gr Foundation of Research and Technology Hellas Greece

Somehow you have to take this up with the hosting party.
Your domain is now pointing to a hosting party with a domain address on IP 185.201.11.156
that is hosted in Cyprus by person: Hostinger NOC
address: Hostinger International Ltd.
address: 61 Lordou Vyronos
address: Lumiel Building, 4th floor
address: 6023
address: Larnaca
address: CYPRUS

Does all this ring a bell?

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)