system
July 26, 2009, 8:28pm
1
I have had this virus malware hitting my site. We have cleaned all files and changed the FTP password as well as wrapped it and it keeps affecting the site? How do we get rid of it??? JS:Obfuscated-CU [Trj]
trojan
It seems to be only showing warnings in google/chrome & safari??
system
July 26, 2009, 8:49pm
2
What address is this trojan infecting?
system
July 26, 2009, 8:52pm
3
I had to take down the site until we figure out what is going on so it does not affect any of my customers.
system
July 26, 2009, 8:55pm
4
You should look at your HTML script, find the javascript trojan, and remove it.
system
July 26, 2009, 8:56pm
5
Just a side note:
Please modify the address to make it inactive (i.e. change http to hXXp) to prevent others from potentially becoming infected.
You could also have a look at this:
Actually, cleaning the file is not going to resolve why you got hacked; it will only clean the file (well, avast doesn’t clean the file, it just alerts to it; you have to find and strip out the injected code) and not the cause. You need to contact your host, see below.
– HACKED SITES - This is commonly down to old content management software being vulnerable, see this example of a HOSTs response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.
I suggest the following clean up procedure for both your accounts:
Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages as those are popular targets too.
Remove any “rogue” files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.
Check all .htaccess files, as hackers like to load re-directs into them.
Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!
This coupled with our server side changes should prevent any resurfacing of the hackers’ efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.
Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security .
Hi n2shoes33,
Can you give the site’s address as htXp://wXw.etc…
Then we can have a look what the Web Page Security Report over the last 90 days reported,
in most cases they will give the malicious script there as well,
polonus
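The file checks from the host's clean-up procedure quoted above (injected script in index/default pages, redirects in .htaccess files), as an added Python example that is not part of the thread and is not avast's or the host's code. The pattern names and heuristics are assumptions chosen for illustration, and the sample page and .htaccess content are constructed.

```python
import os
import re
import sys
# Heuristic markers of injected script (assumed for this example; not avast's signatures).
PAGE_PATTERNS = {
    "eval-of-decoded-string": re.compile(r"eval\s*\(\s*(unescape|atob|String\.fromCharCode)", re.I),
    "write-of-decoded-string": re.compile(r"document\.write\s*\(\s*(unescape|String\.fromCharCode)", re.I),
    "hidden-iframe": re.compile(r"<iframe[^>]*(width\s*=\s*[\"']?[01]\b|height\s*=\s*[\"']?[01]\b|display\s*:\s*none)", re.I),
    "long-escaped-blob": re.compile(r"(%[0-9a-f]{2}){40,}", re.I),
}
# .htaccess directives that send visitors to another host; legitimate ones need manual review.
HTACCESS_PATTERNS = {
    "external-rewrite": re.compile(r"^\s*RewriteRule\s+\S+\s+https?://", re.I | re.M),
    "external-redirect": re.compile(r"^\s*Redirect(Match)?\s+.*https?://", re.I | re.M),
    "external-errordocument": re.compile(r"^\s*ErrorDocument\s+\d{3}\s+https?://", re.I | re.M),
}
# Index/default pages named in the clean-up procedure.
PAGE_NAMES = re.compile(r"^(index|default)\.(html?|php|aspx?|cfm)$", re.I)

# Constructed samples (harmless; example.invalid never resolves).
SAMPLE_PAGE = ('<html><body>Shop<script>document.write(unescape("%3Cb%3Ex%3C/b%3E"))</script>'
               '<iframe src="http://example.invalid/" width="1" height="1"></iframe></body></html>')
SAMPLE_HTACCESS = "RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/ [R=302,L]\n"

def scan_text(text, patterns):
    """Return the sorted names of all patterns found in text."""
    return sorted(name for name, rx in patterns.items() if rx.search(text))

def scan_tree(root):
    """Walk root and return {path: [pattern names]} for suspicious pages and .htaccess files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == ".htaccess":
                patterns = HTACCESS_PATTERNS
            elif PAGE_NAMES.match(name):
                patterns = PAGE_PATTERNS
            else:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read(), patterns)
            if hits:
                findings[path] = hits
    return findings

if __name__ == "__main__":
    for path, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, ", ".join(hits))
```

Run it against a downloaded copy of the web root; a hit is a prompt to inspect the file by hand and compare it with a clean backup, not a verdict.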
DavidR
July 26, 2009, 9:00pm
7
system
July 26, 2009, 9:06pm
8
Will I be able to update any old data base code without having to rebuild the entire site?
DavidR
July 26, 2009, 10:26pm
9
Your problem really isn’t just replacing the old database, uploading your clean back-up copy of the site (you do have one don’t you), but closing the vulnerability or the hack could be back. For that you will most certainly have to talk to your host. So you will need to pay particular attention to the Hacked Sites quote above.