virus/trojan attaching itself to site

arathra

Perch
I have a client who has half a dozen sites on his account. A couple of weeks ago the sites were hacked and a small piece of script code attached itself to every index page (default.asp) and also every javascript file.

I changed the FTP password and didn't reveal this to anyone and also cleaned the files.

Now it's back!

I'm 99% certain it's a problem originating with his computer as it's only his sites which are hacked and none of my other customers (therefore I don't believe it's a virus on my computers).

Has anyone else had this problem? Is there a simple way to lock down the site and prevent this happening again?

And is there an easy way to clean the sites without having to go through them again, page by page?
 
Yes, it is probably his computer that is doing it. We have seen it and can see it is attaching itself from the client's FTP side :(

Microsoft Security Essentials is a good free AV system, I'd recommend him using it!
 
Send me the domain and file types affected on a PM and I can do a search and replace on it.
 
Make sure also that your client has updated all of his Adobe products: Flash, Acrobat Reader, etc. There are published weaknesses in various versions of those products that enable a hacker to remotely gather passwords. There are lots of good, free antivirus apps. Stephen mentioned one, check out Avast and AVG also. And, have him scan for malware with something like Malwarebytes.

The infiltration could be coming from cross-site scripting weaknesses in the CMS or dynamic coding files on his site. I had a recent hack that looks to have been a brute force password crack. And don't leave any files on a Linux host set to 777 unless you absolutely must do so... In a shared hosting system it is possible for scripts running in one site's space to write to another site if the exact file name & path are known or can be guessed.

Tim
 
Thanks for those ideas; I've sent the malware link to him and changed the ftp passwords so only I know them but it's still infecting files!
 
Thanks for those ideas; I've sent the malware link to him and changed the ftp passwords so only I know them but it's still infecting files!

Sounds like it is coming via a SQL injection or insecure uploader on the web side then.

Edit: checked it out and not seeing same thing, not seeing injection since cleanup done last time.
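Added example, not written by any poster in this thread: a Python script that walks a local copy of a site, finds every default.asp and .js file carrying the injected snippet, optionally strips it after saving the infected copy for analysis, and lists world-writable files (the 777 problem mentioned above). It assumes the injection is one fixed byte string repeated in each file; the marker value and the function names are constructed for illustration.

```python
import shutil
import stat
from pathlib import Path

def is_target(path: Path) -> bool:
    """Files the thread reports as modified: default.asp index pages and .js files."""
    return path.name.lower() == "default.asp" or path.suffix.lower() == ".js"

def scan_site(root, marker: bytes, clean: bool = False) -> dict:
    """Report (and optionally strip) the injected marker in a local site copy.

    Also lists files with the 'others' write bit set (as in mode 777 or 666);
    that check is only meaningful on POSIX hosts.
    """
    report = {"infected": [], "cleaned": [], "world_writable": []}
    # sorted() materialises the listing, so backups created below are not revisited.
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix == ".infected":
            continue
        rel = path.relative_to(root).as_posix()
        if path.stat().st_mode & stat.S_IWOTH:
            report["world_writable"].append(rel)
        if not is_target(path):
            continue
        data = path.read_bytes()
        if marker not in data:
            continue
        report["infected"].append(rel)
        if clean:
            # Keep the infected copy for later analysis before rewriting.
            shutil.copy2(path, path.with_name(path.name + ".infected"))
            path.write_bytes(data.replace(marker, b""))
            report["cleaned"].append(rel)
    return report

if __name__ == "__main__":
    import tempfile
    # Constructed sample: the real snippet must be copied from an infected file.
    MARKER = b'<script src="http://injected.example/x.js"></script>'
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "default.asp").write_bytes(b"<html>home</html>" + MARKER)
        Path(tmp, "menu.js").write_bytes(b"var open = 1;" + MARKER)
        print(scan_site(tmp, MARKER, clean=True))
```

Run it first with clean=False to see what would change, and keep the .infected copies out of whatever gets uploaded back to the host.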
 