# Solved: Trojan Attack on my Website



## pranabgohain (Jun 12, 2007)

Hi,

I have this website *www.prayagzone.com* hosted with a company here in India.

For the last 3-4 days, some visitors have been complaining of a trojan attack. The browser slows down and eventually there is an alert that there has been a virus attack.
(Screenshots below). This happens not to everyone though.



It tries to redirect to something called http://e.pepato.org.



I wrote to their Technical Team and they say it's some plugin problem. However, it is a plain HTML site and there are no unnecessary files on my FTP either.

Are your servers infected? How can I sort this?

Please help.

Cheers!

Pranab.


----------



## pranabgohain (Jun 12, 2007)

"Bump!"


----------



## ~Candy~ (Jan 27, 2001)

Please do not use the report option to request help. You have only just posted this today, and since this isn't live tech support... you will need to have some patience.


----------



## pranabgohain (Jun 12, 2007)

Oops. Really sorry.

My anxiety got the better of my patience this time.

Thanks a lot


----------



## pranabgohain (Jun 12, 2007)

"Bump!"


----------



## ~Candy~ (Jan 27, 2001)

I've moved this to web development.


----------



## Fyzbo (Feb 6, 2002)

I can't find anything on your website that would cause this. I expect your hosting company may be right and your visitors are infected with spyware.


----------



## tomdkat (May 6, 2006)

Fyzbo said:


> I can't find anything on your website that would cause this. I expect your hosting company may be right and your visitors are infected with spyware.


I disagree!!! *** RED ALERT, RED ALERT ***

Fyzbo, if you look at the HTML source, it looks clean BUT if you scroll PAST the closing HTML tag, you will see some questionable looking JavaScript code. I believe his site has probably been hijacked. I will not post the JavaScript here since I don't trust it.

pranabgohain, check with your hosting provider to see if any IPs have been logged uploading files to your site other than IPs of computers authorized to do so.

Good luck!

Peace...


----------



## Fyzbo (Feb 6, 2002)

Good catch, I completely missed it. Thanks for correcting me.


----------



## tomdkat (May 6, 2006)

I almost missed it as well but I was "bothered" by the fact there was apparently empty space after the closing HTML tag. I don't know how that JavaScript would be invoked but then again, I'm not the hacker. 

Peace...


----------



## pranabgohain (Jun 12, 2007)

Hi Fyzbo & Tomdkat,

Thanks a ton for your advice.

I will check up with the hosting co. immediately if there are records of any IPs that may have been uploading codes etc...

Tomdkat, in the meanwhile, is the code you're talking about by any chance the Google Analytics or Statcounter.com code we have inserted for tracking traffic? I shall get it checked with our designer too.

Thanks again (please keep this open till I get back to you in a day or 2 with the required information).

Pranab.


----------



## tomdkat (May 6, 2006)

pranabgohain said:


> Tomdkat, in the meanwhile, is the code you're talking about by any chance the Google Analytics or Statcounter.com code we have inserted for tracking traffic? I shall get it checked with our designer too.


I don't think so because:

- The JavaScript code is OUTSIDE of the HTML block, which means someone is trying to "hide" it.
- The JavaScript code is basically "machine readable" garbage, which means it's obfuscated enough to prevent humans from making sense of it yet the browser can understand it just fine. This is another attempt to "hide" what it's actually doing.

If possible, send your web designer a link to this thread.

Peace...

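A simple check for the symptom tomdkat describes, as an added example that is not code from the thread: scan an HTML page for markup that appears after the closing `</html>` tag and flag any tags or common obfuscation signals found there. The sample pages, the placeholder script body and the obfuscation patterns are constructed assumptions.

```python
import re

# Constructed sample page: clean markup, then an injected <script> after </html>,
# the pattern described in the thread. The script body is a harmless placeholder.
INJECTED_PAGE = """<html><head><title>Home</title></head>
<body><p>Welcome</p></body></html>


<script>eval(unescape('%70%6c%61%63%65%68%6f%6c%64%65%72'))</script>
"""

CLEAN_PAGE = "<html><body><p>Welcome</p></body></html>\n\n"

CLOSING_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
TAG = re.compile(r"<\s*([a-zA-Z][\w-]*)")
# Rough obfuscation signals: eval/unescape and long runs of %XX or \xXX escapes.
OBFUSCATION = re.compile(r"\beval\b|\bunescape\b|(?:%[0-9a-fA-F]{2}){8,}|(?:\\x[0-9a-fA-F]{2}){8,}")

def scan_trailing_content(html: str) -> dict:
    """Report what follows the final </html> tag.

    has_closing_tag: False if no </html> was found (trailing content cannot be judged)
    trailing_tags:   tag names found after </html>; anything here is suspicious
    obfuscated:      True if the trailing text matches the obfuscation patterns
    suspicious:      True if any tag or obfuscation signal appears after </html>
    """
    matches = list(CLOSING_HTML.finditer(html))
    if not matches:
        return {"has_closing_tag": False, "trailing_tags": [],
                "obfuscated": False, "suspicious": False}
    trailing = html[matches[-1].end():]
    tags = [m.group(1).lower() for m in TAG.finditer(trailing)]
    obf = bool(OBFUSCATION.search(trailing))
    return {"has_closing_tag": True, "trailing_tags": tags,
            "obfuscated": obf, "suspicious": bool(tags) or obf}

def scan_file(path: str) -> dict:
    """Run the check on a saved copy of a page (e.g. one downloaded over FTP)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_trailing_content(fh.read())

if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_trailing_content(page))
```

Whitespace after `</html>` is normal and is not flagged; any tag there is worth a manual look even if the obfuscation patterns do not match.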

----------



## pranabgohain (Jun 12, 2007)

Wow!

I am amazed how you all in the forums can do what even Techies in big corporates can't.

Give me a day's time. I shall meet the designer and show him all the posts 

Cheers!

Pranab.


----------



## tomdkat (May 6, 2006)

Well, you've got many more eyes, minds, perspectives, and experiences potentially looking at your problem. 

Good luck!

Peace...


----------



## pranabgohain (Jun 12, 2007)

Hey,

I showed the posts to our designer. There was indeed a weird code.

We have removed it, and it seems to be working just fine now.

While I check how the code got there, THANKS A ZILLION TIMES! You guys here simply rock.

Keep up the great work.

Cheers!

Pranab.


----------



## Sequal7 (Apr 15, 2001)

Most likely a cross-site scripting attack on your server. Tighten up the permissions on the root folder of your server (remove write access to the folder).

http://www.cert.org/advisories/CA-2000-02.html


----------



## pranabgohain (Jun 12, 2007)

Thanks mate. This is Greek to me, but will definitely be handy for our Designer & Hosting Company.



Cheers!

Pranab.


----------



## tomdkat (May 6, 2006)

Sequal7 said:


> Most likely a cross-site scripting attack on your server. Tighten up the permissions on the root folder of your server (remove write access to the folder).
> 
> http://www.cert.org/advisories/CA-2000-02.html


Yep, I agree with this. Since this has happened once already, I monitor the site and server for a repeat attack closely. I would "lock down" the site, as described above, and keep a close eye on things.

Peace...


----------



## pranabgohain (Jun 12, 2007)

Tomdkat,

When you say 'monitor the site', I assume you are referring to your site techguy.org? And that you recommend we do the same?

Cheers!


----------



## tomdkat (May 6, 2006)

No, I mean monitor YOUR site more closely. Since your site was attacked once already, you should keep a close eye on it in the event they try to attack it again. 

Peace...


----------



## pranabgohain (Jun 12, 2007)

Gotcha!

THANKS once again!

Cheers!


----------



## ~Candy~ (Jan 27, 2001)

You can mark the thread solved using the THREAD TOOLS drop down menu.


----------



## MMJ (Oct 15, 2006)

Joe Hewitt, the creator of firebug, has a similar JavaScript injection/hack on his site. A bit ironic.

Careful when you click on the link.


----------



## woof (Feb 18, 2008)

Hi

Googled this issue and found this thread.
We've had a similar problem - some of our sites have been compromised with this bit of JS code as mentioned.

But looking at the logs it was an FTP login - not a hack.
We've seen multiple logins from an IP 58.65.238.59 (Hong Kong based) that logged in - found various index and home.htm files, downloaded them and then re-uploaded them.

How it happened is a bit of a mystery - but a possible infection source may have been an MSN Messenger virus that went through the office - a week or so before. The MSN virus prompted users by a message from a trusted friend - asking them if this was a photo of them - and a link - which prompted an exe download.

It then resent the message to everyone in your address book!

I'd be interested to hear any other feedback/info.

cheers

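To act on tomdkat's earlier advice to check which IPs uploaded files, and the download-then-re-upload pattern woof found in the logs, an added example that is not code from the thread: it parses FTP log lines in a simplified, constructed layout and flags sessions from addresses outside an allowlist, or sessions that fetch a page and overwrite the same file shortly afterwards. The log format, the IPs and the allowlist are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed log lines in a simplified "timestamp ip user action path" layout,
# not the format of any particular FTP server. Both IPs are documentation ranges.
FTP_LOG = """\
2007-06-10T02:14:03 203.0.113.7 siteadmin LOGIN -
2007-06-10T02:14:30 203.0.113.7 siteadmin STOR /public_html/contact.htm
2007-06-11T23:41:10 198.51.100.23 siteadmin LOGIN -
2007-06-11T23:41:12 198.51.100.23 siteadmin RETR /public_html/index.htm
2007-06-11T23:41:15 198.51.100.23 siteadmin STOR /public_html/index.htm
2007-06-11T23:41:19 198.51.100.23 siteadmin RETR /public_html/home.htm
2007-06-11T23:41:22 198.51.100.23 siteadmin STOR /public_html/home.htm
"""

# Addresses the site owner expects uploads from (e.g. the designer's office). Assumed.
AUTHORIZED_IPS = {"203.0.113.7"}

def parse_log(text):
    """Turn the constructed log layout into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, action, path = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "action": action, "path": path})
    return events

def find_suspicious_sessions(events, authorized_ips, max_gap_seconds=300):
    """Flag unauthorized IPs, and RETR followed by STOR of the same file
    (download, modify, re-upload) within max_gap_seconds, per source IP."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        rewritten, last_retr = [], {}
        for ev in evs:
            if ev["action"] == "RETR":
                last_retr[ev["path"]] = ev["ts"]
            elif ev["action"] == "STOR" and ev["path"] in last_retr:
                gap = (ev["ts"] - last_retr[ev["path"]]).total_seconds()
                if gap <= max_gap_seconds:
                    rewritten.append(ev["path"])
        if ip not in authorized_ips or rewritten:
            findings.append({"ip": ip, "authorized": ip in authorized_ips,
                             "rewritten_files": rewritten})
    return findings
```

A session that only appears because of the allowlist (no rewrite) still deserves a look, since an attacker who stole the designer's credentials may also be using the designer's network; the RETR/STOR pairing is the stronger signal.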

----------



## tomdkat (May 6, 2006)

Thanks for the additional info! 

Peace...


----------



## nv1234 (Aug 27, 2008)

Since you are still talking about it, I had exactly the same problem and (surprise, surprise) it appears that the infection was coming from the same IP address as the one you mention. I do not use or have any instant messenger applications and I am extremely careful (paranoid?) with email attachments - in my case the site was hijacked just out of the blue (maybe the password/session was hijacked during an upload or was simply cracked by brute force).

I solved it (or so it seems so far) by changing the password. If you want to take a look at the symptoms and the discussion that followed, check out the thread "My website is attacked(?)", opened up around the 28th of August.


----------

