This is part II of how to combat the pesky JS injections that are appearing on websites all over the Internet like mushrooms after rain.
I am pretty confident that the JS injections initially get into your site through an FTP connection from a trojan-infected PC. Your server login details are sent to the hackers, who use them to access the server later, even after you have removed the injection. The files will keep reappearing until you do something about it.
To get rid of them once and for all, first remove the virus from your PC (AVG currently gives the best results).
Then proceed to change your FTP password.
Next, remove the malicious JS code, either manually, by restoring a backup, or by using the code remover script.
You may also consider changing your FTP server (mine was pure-ftpd and I changed it to proftpd), since I am not sure whether it was a security problem with the FTP server or the stolen password that let the hackers back in.
Finding and banning hacker IPs
To go a step further, we want to block access from all IPs the hackers were using to upload files to your server.
Here is an example of using the following command to find FTP uploading activity (confirmed to work with pure-ftpd):
cat /var/log/messages | grep your_ftp_username | grep -v your_ipaddresses | grep uploaded
This lists the connections to your site that uploaded files. Do you see any unknown IPs there? Those are the hacker's.
Let's extract them into a ban_list file:
cat /var/log/messages | grep your_ftp_username | grep -v your_ipaddresses | grep uploaded | awk '{print $6}' | cut -d "@" -f2 | cut -d ")" -f1 | sort -u >>ban_list
Assuming you are using apf, you can now edit /etc/apf/deny_hosts.rules and add all these IPs. Be careful not to enter your own IP, or you will lock yourself out of your site.
This effectively shut down the injections on my server, but I am keeping an eye on it to see what happens next.
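The grep/awk/cut pipeline above does the job for one log format, but it is easy to mis-cut a field or forget to exclude your own address. The script below is an added example (not part of the original post) that does the same extraction in Python: it picks out "uploaded" notices for one FTP account, drops your own addresses, counts uploads per remote IP, and renders deny_hosts.rules lines while refusing to emit an address you marked as your own. It also handles the xferlog layout that a commenter pastes below, where the direction flag "i" marks an upload. The log lines, IPs, hostname and usernames are constructed samples; the exact pure-ftpd notice wording is assumed from the format the article's grep targets.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of pure-ftpd notices as they land in /var/log/messages.
# The IPs are documentation ranges, not real addresses; "mag" is the FTP
# account being investigated, "192.0.2.55" is assumed to be your own address.
SYSLOG_SAMPLE = """\
Apr  6 11:58:37 web1 pure-ftpd: (mag@203.0.113.7) [NOTICE] /home/mag/www/editor_template.js uploaded  (2345 bytes, 12.3KB/sec)
Apr  6 11:58:40 web1 pure-ftpd: (mag@198.51.100.20) [NOTICE] /home/mag/www/about.js downloaded  (1024 bytes, 8.0KB/sec)
Apr  6 11:59:13 web1 pure-ftpd: (mag@203.0.113.7) [NOTICE] /home/mag/www/about.js uploaded  (1100 bytes, 9.1KB/sec)
Apr  6 11:59:18 web1 pure-ftpd: (mag@192.0.2.55) [NOTICE] /home/mag/www/anchor.js uploaded  (900 bytes, 7.7KB/sec)
Apr  6 12:01:00 web1 pure-ftpd: (other@203.0.113.7) [NOTICE] /home/other/x.js uploaded  (10 bytes, 1.0KB/sec)
Apr  6 12:02:00 web1 sshd[1234]: Accepted password for mag from 192.0.2.55 port 5000 ssh2
"""

# Constructed sample in xferlog format: field 7 is the remote IP, field 12 the
# direction flag (i = incoming/upload, o = outgoing), field 14 the username.
XFERLOG_SAMPLE = """\
Tue Apr 06 11:58:37 2010 1 203.0.113.7 24738 /editor_template.js b _ i r mag ftp 1 * c
Tue Apr 06 11:58:40 2010 0 198.51.100.20 2054 /about.js b _ o r mag ftp 1 * c
Tue Apr 06 11:59:18 2010 0 192.0.2.55 1029 /anchor.js b _ i r mag ftp 1 * c
"""

# Matches the "(user@ip) [NOTICE] /path uploaded" notice; assumed format.
PUREFTPD_RE = re.compile(
    r"pure-ftpd: \((?P<user>[^@]+)@(?P<ip>[^)]+)\) \[NOTICE\] (?P<path>\S+) uploaded"
)


def uploads_from_syslog(text):
    """Yield (user, ip, path) for every pure-ftpd 'uploaded' notice."""
    for line in text.splitlines():
        m = PUREFTPD_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("path")


def uploads_from_xferlog(text):
    """Yield (user, ip, path) for every incoming transfer in xferlog format."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 18 and f[11] == "i":
            yield f[13], f[6], f[8]


def upload_counts(events, username, own_ips):
    """Count uploads per remote IP for one account, skipping your own addresses."""
    allowed = {ipaddress.ip_address(a) for a in own_ips}
    counts = Counter()
    for user, ip, _path in events:
        if user != username:
            continue
        if ipaddress.ip_address(ip) in allowed:
            continue
        counts[ip] += 1
    return counts


def apf_deny_rules(counts, own_ips):
    """Render deny_hosts.rules lines; raise rather than ever ban an own address."""
    allowed = {ipaddress.ip_address(a) for a in own_ips}
    lines = []
    for ip in sorted(counts, key=ipaddress.ip_address):
        if ipaddress.ip_address(ip) in allowed:
            raise ValueError(f"refusing to ban own address {ip}")
        lines.append(f"# {counts[ip]} upload(s) via compromised FTP account")
        lines.append(ip)
    return lines


if __name__ == "__main__":
    own = ["192.0.2.55"]  # your own address(es); assumed value
    syslog_counts = upload_counts(uploads_from_syslog(SYSLOG_SAMPLE), "mag", own)
    xfer_counts = upload_counts(uploads_from_xferlog(XFERLOG_SAMPLE), "mag", own)
    print("\n".join(apf_deny_rules(syslog_counts, own)))
    print("\n".join(apf_deny_rules(xfer_counts, own)))
```

Run it against a real file by replacing the sample strings with the contents of /var/log/messages or your xferlog; review the printed lines before appending them to /etc/apf/deny_hosts.rules, since any address that uploaded through the stolen account shows up here, including a legitimate one you forgot to list in own_ips.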
Suggested reading:
- How to remove the pesky JS injection virus from your WordPress blog
- How to do a full WordPress backup and restore
- How to move WordPress site to new server with zero downtime
Posted in: WordPress
6 Comments
Hello, I am having the same problem with my page. Can someone help me get this script? Already have a lot of people complaining that they can enter the site and I'm losing customers ... what can I do?
The page of script is:
http://cursoyes.com.br/2010/unidades.asp?estado=RJ&unidade=107
scan ALL directories for /_notes/ which contain xml files
Thanks, that is a very useful removal guide. I have been working with online security for long time now, and still don't understand how some people can surf the web, download stuff and not even get anti-virus protection. Removing a virus once it's IN your system is a real pain...
Hi Vladimir,
When I click the code remover script link
http://possible.in/products-security-updates.php,
I'm getting a Threat Blocked message from AVG.
2 days ago my blog was hacked and it started redirecting to some other sites.
But i had the updated wp version.
After googling, the only solution i was able to find was to re-install wp.
I have downloaded and replaced wp.
But i lost 4images, forums, another wp blog installed inside the root of wp blog with buddypress :(
Hi there, I got the same virus, but not on a WordPress blog, on a regular website. I would like to use the command to check for IP addresses and after that block them, but I don't know how to run the command on my website. Could you give me some tips? thx!
I confirm your assumptions Vladimir. Here is part of my FTP log from yesterday:
Tue Apr 06 11:58:37 2010 1 62.93.166.242 24738 /editor_template.js b _ i r mag ftp 1 * c
Tue Apr 06 11:58:40 2010 0 69.41.173.111 2054 /about.js b _ o r mag ftp 1 * c
Tue Apr 06 11:59:13 2010 0 88.208.244.116 3891 /about.js b _ i r mag ftp 1 * c
Tue Apr 06 11:59:18 2010 0 65.82.182.195 1029 /anchor.js b _ o r mag ftp 1 * c
Tue Apr 06 11:59:23 2010 0 74.3.223.163 2997 /anchor.js b _ i r mag ftp 1 * c
Tue Apr 06 11:59:30 2010 0 217.13.215.186 14515 /charmap.js b _ o r mag ftp 1 * c
Tue Apr 06 11:59:35 2010 1 62.75.218.192 16483 /charmap.js b _ i r mag ftp 1 * c
Tue Apr 06 11:59:39 2010 0 75.127.102.249 11017 /color_picker.js b _ o r mag ftp 1 * c
Tue Apr 06 11:59:44 2010 0 78.129.157.110 12985 /color_picker.js b _ i r mag ftp 1 * c
Tue Apr 06 11:59:47 2010 0 216.245.221.82 6254 /image.js b _ o r mag ftp 1 * c