Removing Malware from a server

cadkins23

This is a question I have for one of my clients that I'm working with. If you'd prefer not to answer since it's for a client that's ok...

The issue is when you go to his website Google warns that it is an attack site. When I look at Google further it tells me nothing within 90 days, but then it also says it found something a day ago or something...

I've looked at several sites that are supposed to scan for Malware and found a bunch of files. In fact he has like 3 or 4 directories filled with hundreds of what looks like auto generated file names.. For instance instead of toolkit.html I see 200 spelling variations with numbers and mostly underscores.. like t_00_lkit.html (for example)

I want to make it so they don't come back but the problem is figuring out how they came. If a directory is 755 and someone knows the name of the directory, can they just put whatever they want in it? I didn't imagine so, but I do know that file permissions are just that, permissions..

The webmaster said he changed the password for the first time and that it may have been a competitor since they've been growing. Regardless of who or why, I want to make it so this doesn't happen again. Also it would be nice to know how it happened so I can protect myself from future attacks of this sort.

Some of the files were pointing to an ip address followed by go.php,.. In fact .htaccess was redirecting everyone to that file on another server. I removed those, but I'm not sure how this happened other than the person having the FTP login information.

Can anyone chime in and give me a quick lesson on this? 🙂 I removed the files and as I said he just changed his FTP login info for the first time. I'm not sure if that's how it happened, but no one deserves to have Google warning visitors that it's an attack site. Of course I don't blame Google, I blame the person who did this. I already requested google to review the site, but meanwhile does anyone know anything else I should check? Any scripts exist that will spider the site and notify my of malware?

Thanks in advance!

cadkins23

I'm willing to work for the answer.. Perhaps there is an existing post that I overlooked? If I overlooked a similar post I apologize. I didn't see anything anywhere other than explaining to remove the occurrences and have Google review the site. My question is how did it get there and how can I stop it from happeing 🙂 Thanks

NogDog

Part of the problem here is that you don't currently know the attack vector. If you're on a shared host and it's not very well configured, it could be possible for someone else on that server to copy files to your directories if they can guess/discover their names, or it could be someone else on the server had their site hacked and then the hacker also attacked your site from the first one.

Another possibility is that they guessed/discovered your FTP or login credentials. This could be done by someone sniffing packets (especially if you're logging in over a plain http connection instead of https).

Some application/script you're running could have a security hole in it (blog, image library, etc.), especially if you have not kept up to date with the latest updates for each.

Anyway, make sure you use strong passwords for your login and FTP accounts, change them often (for some arbitrary value of "often"), update all your 3rd-party apps to the latest stable version, and read Essential PHP Security by Chris Shiflett. for everything you need to worry about with your own apps.

PS: Keep complete backups of your site's files and data, so any time you discover it's been compromised, you can go to a back-up from before that point and replace all the file with known good versions (hopefully!).

cadkins23

I just wanted to say thanks. You said a lot and it all makes sense. I'll take your advice! Thanks again!

Ashley_Sheridan

Also, make sure you have up-to-date patches for any extra software you're using on the server, including those for things like blogging software, and cms's.

Try to check your code to ensure it's not vulnerable to some sort of SQL injection attack, as this could quite easily be the cause of your problem too.

The log files for the server should give you a bit more information that can help as well.

searain

My client's site was attacked too and google sounded the alarm, but it was iframe codes injected to redirect visits to some other sites. And it was due to his ftp password was stolen.

I spent hours with the hosting company and google antimalware team on its forum, but we got it solved within hours. (Goolge removed the alarm flag within hours after we fixed the codes.)

1) ask your host company to check the server log. they usually can spot it immediately, if it is a ftp issue, the server log can tell. there will be ftp log in and out, and ftp download and upload, many times records in a minute time period. These kind attacks usually not done manually but by a software.

2) go to google Malware & hacked sites forum

http://www.google.com/support/forum/p/Webmasters/label?lid=2fe2a8ee8e37c08e&hl=en

posted your questions there, you could get answer from support staff very quickly. sometimes, their response is within minutes. (maybe you want keep your site's name of the thread title, google search will find your thread, you don't want your site name show up with the malware, but you need to give the site in the content to ask them check it out for you)

You are not their paid customer, they don't have to help you so you need to ask smart question and respond to their threads with helpful right on spot information, then you would get your answer very quickly from them.

3) change the ftp password, don't save the password in the ftp client, and use secure ftp instead of just ftp.

4) google search the same attack when you have more info from your host or google forum, it could be ftp or it could be security holes in the 3rd party system you installed but ignored to keep them up to date.