I was messing around with meta tags (specifically adding og:image tags for Facebook) and looky what I found at the bottom of my index page!
<font style="overflow: auto; position: absolute; height: 0pt; width: 0pt">
xxx teen porn <a href="http://www.freepornwatch.n../" title="freepornwatch">freepornwatch</a> online
cute teen <a href="http://www.freesexwatch.n../" title="freesexwatch">freesexwatch</a> now!
home porn <a href="http://www.xvideoshd.n../" title="xvideoshd">xvideoshd</a> hard sex.
Sabian asian porn <a href="http://www.pornmovietube.n../" title="pornmovietube">pornmovietube</a> hook.
german sex <a href="http://www.xxxpornwatch.n../" title="xxxpornwatch">xxxpornwatch</a> blades porn.
porn tube <a href="http://www.foryouporn.c../" title="foryouporn">foryouporn</a> youtube sex.
youporn <a href="http://www.hardsexporn.o../" title="hardsexporn">hardsexporn</a> hard sex.
</font>
Obviously, I destroyed the links to post here but I want to know how someone could inject this code into my index page below the last </html> tag?
http://towtalk.net ... Hosted by Zarconia.net! |
via ftp when connecting to your site if your computer is infected, also check other index files you might find more lol |
Agreed. This sort of stuff usually comes from your own computer or others you may have allowed to work on your site.
Check your computer for malware. This is a good product. http://www.malwarebytes.org/
If you have allowed access to your server by others that assisted you, inform them to do the same.
Than change all your server passwords. Especially FTP as this is most often what is used.
https://www.deanbassett.com |
Hmmm. Only 2 people have been given ftp access. No telling how long it's been there. http://towtalk.net ... Hosted by Zarconia.net! |
Agreed. This sort of stuff usually comes from your own computer or others you may have allowed to work on your site.
Check your computer for malware. This is a good product. http://www.malwarebytes.org/
If you have allowed access to your server by others that assisted you, inform them to do the same.
Than change all your server passwords. Especially FTP as this is most often what is used.
I've been using malwarebytes for a couple years now...... It is a good product. I didn't find it anywhere else on my server so I'm going to write it off as a random event and not waste time trying to identify how it got there. All the extraneous FTP accounts have been deleted or changed. Thanks guys...
http://towtalk.net ... Hosted by Zarconia.net! |
If it was only in that one file you're lucky... normally when they hit you it's stuck at the bottom of TONS of files on your site. You might want to check some of the other indexs and the .htaccess files. BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
I checked all the index.whatevers and checked the htaccess as well as random other files and am finding nothing. I have to do it manually. Does someone know a program I can use to check the contents of each file automatically on my VPS?
You know, I wonder if this happened the other day when HFW went down? I couldn't access anything for about an hour, not even their root site. Was like they were being attacked.
http://towtalk.net ... Hosted by Zarconia.net! |
Log in using ssh and type this from the public_html directory:
grep -H -r "freesexwatch" *
You can replace "freesexwatch" with anything you want to search for. It will list all the files that contain it.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
http://towtalk.net ... Hosted by Zarconia.net! |
Yup, like I said, you da man!
Ran your little snippet in SSH, took 10 minutes to complete, came back clean. No further infection.
Gonna add this to my 'site fixes and upgrades' text file.
http://towtalk.net ... Hosted by Zarconia.net! |
bne3li 8 Oct 2012 ·
post is hidden (
show post
)
|
