
Possible Duplicate:
My server's been hacked EMERGENCY

I have a critical virus infection on one of my websites.

There is an additional script found added at the footer of a few web pages. The pages are HTML pages, and all of his index.php files have a curl script added automatically which causes some malicious code to be downloaded onto the systems of people who view the website. The script is so dangerous that it immediately destroys the accessing person's system if there is no antivirus. The developer working on this website himself has had his system formatted 5 times in the last 6 days.

The condition has become more critical because the script keeps coming back after being deleted from the infected files. Now we are in the worst condition: it has spread to all 8-10 websites the developer has been working on for the last 6 months. BTW: we are using open source frameworks for developing these websites; mainly we used Magento, CakePHP, and WordPress.

IF YOU CAN HELP OUT ON THIS SUBJECT, PLEASE PROVIDE ANY OF YOUR PREVIOUS EXPERIENCE OR KNOWLEDGE TO HANDLE SUCH SITUATION.

All suggestions are appreciated.

P.S. If you guys need I can post the malicious script here which is added in my html and php files.

Edit: Are there any programming solutions to remove the added malicious code from the website??

Saurabh
  • "I can post the malicious script here" - No Thanks! – Mitch Wheat Feb 04 '12 at 06:24
  • Do it as soon as possible, or else Google will also blacklist your website –  Feb 04 '12 at 06:29
  • And you have to remove that script manually from the bottom of every web page –  Feb 04 '12 at 06:30
  • I would suggest removing the affected system from the network, performing a post-mortem on the affected system to determine how the infection occurred, and then formatting, reinstalling and restoring from a known good backup. – Crippledsmurf Feb 04 '12 at 06:32
  • You might want to review your WordPress plugins and build version. It is often the weak point, if only because there are well known exploits and so many people are running it that there are lots of kiddie scripts targeting WP – Ben D Feb 04 '12 at 06:37
  • In addition to cleaning up the mess consider the process you want to follow for a post-mortem. (http://serverfault.com/questions/107334/how-to-do-a-post-mortem-of-a-server-hack) – voretaq7 Feb 04 '12 at 07:56
  • "The script is that much dangerous that it immediately destroys the accessing person system if there is no antivirus. The developer working on this website himself got 5 times system formatted in last 6 days." - Install an antivirus solution on your developer's computer! – Izac Feb 04 '12 at 10:18

1 Answer

5

Delete everything, reinstall the developer's own computer, then reinstall your servers from the OS level up and restore from a clean backup. That's all there is to it, really. At this point don't even bother trying to remove just the virus, you've clearly found that to be beyond your abilities; just wipe everything clean and start from a known-good state.

bdonlan