David R hit the nail right on the end! You're very good at this haha, but I’m sure you already know that.
I emailed the host first thing when I found out that this had happened, telling them everything and this was the response. I was stunned to get a reply, I’ve had issues before and waited weeks for a response. Prompt isn’t their forte.
I actually got a response!
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.
I suggest the following clean-up procedure for both your accounts:
- Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages as those are popular targets too.
- Remove any “rogue” files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.
- Check all .htaccess files, as hackers like to load redirects into them.
- Change all passwords for that end user account: the cPanel password, the FTP password, and any FTP sub-accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!
This coupled with our server-side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.
Thanks,
So I grabbed my guts and tried to log into the host server, so I could see the files. I was quite nervous that the trojan would start to download as soon as I signed in; the pop-up warnings from Avast and AdAware were a sight to see. I went on real quickly, searched for any of the files that he had recommended, and did not see any. There were no files added, BUT my files were altered and the JavaScript was injected. I went in and edited the index.php & index.html and found the HUGE long injections. The one on index.php was loaded with links and all this crazy stuff; I deleted it and reloaded it. The index.html was all crazy with foreign letter and number combos of a JavaScript. I deleted that and re-uploaded it. I then went and looked on the site, and I no longer received any notifications on Avast or AdAware and it looks perfectly normal. I am still looking through all of my pages and making sure nothing has been added. I will then change my passwords, and clear out my computer, run Avast again, just to be safe.
I’ve always been kinda paranoid/better safe than sorry with everything, so I was shocked to say the least that this has happened. But it was a relief to know that this wasn’t at my end, and more so the host's end.
Thank you everyone for your help, you're really awesome! I appreciate David showing me exactly where the problem was when he uploaded the picture. That was a big help for me.
Now that the pop-ups are all clear, is it safe to say the website has been taken care of?
Also, I just noticed this as I was typing this message. I went on my log-in page for the host, and the exact same pop-up is there! hxxp://cpanel2.page14.com and on hxxp://www.gensap.com - my host's site.
I emailed the host and told them this, but is this a problem caused by my computer or is it at their end? I’m not too sure.
Thanks everyone!
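The host's reply lists three things to look for by hand: JavaScript injected into index pages, redirects planted in .htaccess files, and rogue PHP scripts uploaded into the account. The script below is an added example (not from this thread, the host, or any product) that runs those same three checks over a local copy of the account's files, so the pass the poster did page by page can be repeated after every clean-up. The sample site it builds, the hostname in the redirect, and the detection heuristics are all constructed for the demo; on a real account you would point scan_webroot() at the downloaded web root and review every hit before deleting anything.

```python
"""Scan a copy of a web root for the three artefact types the host's
clean-up advice describes.  Added example: files, hostnames and
heuristics below are constructed for the demo, not taken from the thread."""
import os
import re
import tempfile
from dataclasses import dataclass

# Injected script indicators: obfuscation primitives called directly inside a
# <script> tag, long runs of URL or hex escapes, or a hidden 0-size iframe.
INJECTED_JS = re.compile(
    r"<script[^>]*>\s*(?:eval|unescape|document\.write|String\.fromCharCode)\s*\("
    r"|(?:%[0-9a-fA-F]{2}){10,}"
    r"|(?:\\x[0-9a-fA-F]{2}){10,}"
    r"|<iframe[^>]+(?:width|height)=[\"']?0",
    re.IGNORECASE,
)
# .htaccess directives that send visitors to an absolute external URL.
HTACCESS_REDIRECT = re.compile(
    r"^\s*(?:Redirect(?:Match|Permanent)?|RewriteRule)\b.*https?://",
    re.IGNORECASE | re.MULTILINE,
)
# Page names the host singled out as popular injection targets.
INDEX_NAMES = {"index.php", "index.html", "index.htm", "default.aspx", "default.cfm"}
# Directories that should never contain server-side scripts (assumption for the demo).
STATIC_DIRS = {"images", "img", "uploads", "css", "js"}


@dataclass
class Finding:
    path: str
    kind: str
    detail: str


def scan_webroot(root):
    """Walk `root` and return a sorted list of Finding objects."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        top_dir = os.path.relpath(dirpath, root).split(os.sep)[0]
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name.lower() in INDEX_NAMES:
                match = INJECTED_JS.search(text)
                if match:
                    findings.append(Finding(path, "injected-script", match.group(0)[:60]))
            elif name == ".htaccess":
                for match in HTACCESS_REDIRECT.finditer(text):
                    findings.append(Finding(path, "htaccess-redirect", match.group(0).strip()))
            elif name.lower().endswith((".php", ".phtml")) and top_dir in STATIC_DIRS:
                findings.append(Finding(path, "rogue-php", "server-side script in a static directory"))
    return sorted(findings, key=lambda f: (f.kind, f.path))


# Constructed sample site: one clean page plus one of each artefact type.
SAMPLE_FILES = {
    "index.html": "<html><body><h1>Welcome</h1>\n"
                  "<script>eval(unescape('%3c%69%66%72%61%6d%65%20%73%72%63'))</script>"
                  "</body></html>",
    "about.html": "<html><body><p>clean page</p></body></html>",
    ".htaccess": "RewriteEngine On\n"
                 "RewriteCond %{HTTP_REFERER} search\n"
                 "RewriteRule ^(.*)$ http://unknown-host.example/land [R,L]\n",
    "images/x.php": "<?php /* constructed placeholder for an uploaded rogue script */ ?>",
    "js/app.js": "console.log('legitimate site script');",
}


def build_sample_site():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Build the sample site and scan it; returns the findings list."""
    return scan_webroot(build_sample_site())


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.kind:18} {finding.path}  {finding.detail}")
```

The heuristics are deliberately narrow (obfuscation calls, long escape runs, hidden iframes, external redirects, scripts where only static files belong) so that a clean page such as about.html produces no hit; anything the scanner flags still needs a human to open the file, as the poster did, before it is removed or restored from a known-good copy.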