If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


Trojan Attack on a Simple PHP Website

Started by SASASoftware, Mar 14, 2023, 12:08 AM


SASASoftware (Topic starter)

Dear colleagues,

I need your assistance in comprehending this situation: There is a shared hosting with a basic php website running on it. This website allows registered users to add their personal information, which gets stored in the database and displayed on the relevant pages. The database is clean, however, the site's owner was alarmed when NOD32 detected a Trojan. Upon thorough inspection, it was revealed that an iframe appeared in all pages' code, which was accessed from JS files. Furthermore, a tainted function was appended at the end of these JS files, ultimately displaying the iframe.

Despite removing all contaminated JS files and modifying passwords (admin panel and FTP), the attack recurred in a few weeks.

Two questions arise:
1. How can we identify the culprit?
2. How did the contamination infiltrate the JS files?


debbiec12323

Their passwords were altered, but they made sure to remember the updated login credentials.

There exist three potential causes for this issue:
1) A vulnerability present in php scripts (or access permissions) that enables server manipulation. (unlikely)
2) A weakness in the hosting that permits interference with neighboring accounts. (moderately possible)
3) Infiltration by someone with admin privileges to the site. (most probable)

It is the responsibility of the resource administrator to identify and rectify the specific vulnerability.

As a reminder, it's crucial to be mindful of internet security measures, including the importance of regularly altering your passwords and guarding sensitive information.

benivolent

This is akin to a virus that travels through FTP and appends itself to specific files. Simply changing your passwords will not suffice; it must be apprehended first. This virus, residing solely in my memory, managed to evade detection by popular antivirus software like Avast, Comodo, Norton, and Nod32. Consider utilizing a casper probe, which was recently successful in aiding a friend.

Once caught, adjust your passwords and purge the website of the virus. As a best practice, avoid storing passwords within FTP programs, as software such as Total Commander and Filezilla are especially vulnerable.

necessary to prioritize site security and regularly monitor for any malicious activity. Installing reliable antivirus software and maintaining secure login credentials are simple yet vital steps towards safeguarding your website.

kathleenrivero

In 99% of instances, the FTP password was acquired through a Trojan on the device of either a developer, admin or other individual with site access. For investigation purposes, the FTP logs should be reviewed first and foremost. The remaining 1% of occurrences can be attributed to exploitable flaws within legacy software. Targeted hacking is a rare phenomenon.

Recently, an instance surfaced on a GoDaddy shared hosting account with a malfunctioning server. Despite blocking all site access and implementing virus protection measures, the provider refused access to FTP logs. According to Apache logs, there is no evidence of unauthorized entry via the admin panel, and all passwords have been changed while employing a clean copy of files. It is plausible that the issue is with the host itself.

It is vital to remain vigilant in safeguarding technology from cyber threats and raising awareness about safe practices for password creation and storage.

Jhoell

Sites created through various CMS are often targeted by hackers because of their simplicity, which makes them vulnerable to many threats over time. While developers may try to anticipate and eliminate potential vulnerabilities, new ones always seem to surface. Regularly updating your PHP version, CMS version, and plugins can reduce the risk of attacks.

The second common reason for site hacking is due to the installation of modules, themes, or unauthorized software from non-official sources. Restoring and revitalizing a site after a hack can be much more expensive than purchasing paid products, making it important to consider the benefit of downloading free components.

One of the easiest methods for hackers to gain access to administrative parts of CMS is through bruteforcing FTP account passwords or SSH access. To protect yourself, use complex combinations for logins and passwords and implement IP restrictions on website access. Special tools that protect against bruteforce tactics can also be used.

Negligence on the part of site owners is another factor that may lead to hacking, such as sending login credentials in screenshots or via email or chat messages. Changing login information and never sharing them with third parties is essential to protect your site.

Occasionally, viruses can be introduced into a site's files and database in rare ways. Hiring experienced professionals with a high rating can help avoid this situation and save your site in the long run.

Common signs of an infected site include increased server load, slow loading times, email queuing, warnings in webmaster tools, and the appearance of third-party files. Harmful scripts introduced by hackers could include performing spam and redirects, placing ad blocks, phishing pages, mining, and replacing or exploiting the site's content.

Various software products exist to scan sites for malicious code, perform site diagnostics, and identify viruses using antiviruses and site scanners. The AI-Bolit scanner is a commonly used tool for detecting infected files and searching for vulnerabilities. It regularly updates its database of virus signatures and supports all popular CMS and OS types.

To use AI-Bolit, download the scanner archive from the official site and unpack it in the root folder of your site. Running a scan through the command line produces a report on the viruses found, which can be used to clean your site.
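Alongside a signature scanner such as AI-Bolit, a baseline integrity check catches the exact pattern the topic starter describes: a function appended to the end of otherwise intact JS files. This is an added example, not part of the thread or of AI-Bolit; the marker list, file names and the appended sample are constructed.

```python
import hashlib, os, tempfile

# Strings typical of appended loaders (constructed list; extend for your site).
INJECTION_MARKERS = (b"<iframe", b"document.write", b"eval(", b"unescape(")

def fingerprint(data):
    """(sha256 hex, byte length) of a file's content."""
    return hashlib.sha256(data).hexdigest(), len(data)

def _walk(root, exts):
    # Yield (relative path, bytes) for every file under root with a wanted extension.
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    yield os.path.relpath(full, root), fh.read()

def build_baseline(root, exts=(".js", ".php", ".html")):
    """Fingerprint a known-clean tree; store the result off the server."""
    return {rel: fingerprint(data) for rel, data in _walk(root, exts)}

def classify(current, clean_fp):
    """'unchanged', 'appended' (clean bytes are still an exact prefix) or 'modified'."""
    clean_hash, clean_len = clean_fp
    if fingerprint(current) == clean_fp:
        return "unchanged", b""
    if len(current) > clean_len and hashlib.sha256(current[:clean_len]).hexdigest() == clean_hash:
        return "appended", current[clean_len:]
    return "modified", b""

def audit(root, baseline, exts=(".js", ".php", ".html")):
    """Compare the live tree with the baseline: {path: (kind, marker_found_in_new_bytes)}."""
    findings = {}
    for rel, data in _walk(root, exts):
        kind, tail = ("new", data) if rel not in baseline else classify(data, baseline[rel])
        if kind != "unchanged":
            findings[rel] = (kind, any(m in tail.lower() for m in INJECTION_MARKERS))
    return findings

def demo():
    """Constructed scenario: baseline a one-file site, then append a loader to its JS."""
    with tempfile.TemporaryDirectory() as root:
        js = os.path.join(root, "main.js")
        with open(js, "w") as fh:
            fh.write("function init(){console.log('ok');}\n")
        baseline = build_baseline(root)
        with open(js, "a") as fh:  # the kind of tail the thread describes
            fh.write("function z(){document.write('<iframe src=\"//example.invalid/\"></iframe>')}z();\n")
        return audit(root, baseline)
```

Because only hash and length are stored, the baseline itself reveals nothing about file contents, and an "appended" verdict with a marker hit tells you exactly which bytes to inspect.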

John

You should examine the server logs. Look for unusual access patterns or repeated attempts to access specific files. Often, attackers will have a pattern they follow. Pay attention to any IP addresses that don't seem familiar or have been used frequently. Tools like fail2ban can help you block suspicious IPs if you notice any trends.

Next, check for vulnerabilities in your PHP application. Outdated software is one of the most common entry points for attackers. Ensure that your PHP version, CMS, or any plugins you're using are up-to-date. Look for common vulnerabilities like SQL injection, XSS (cross-site scripting), or any misconfigurations in your server that might allow remote code execution.

Also, it's a good idea to conduct a security audit of your entire website. There are tools like WPScan (for WordPress) or commercial alternatives that can scan for vulnerabilities. If it's a custom-built site, consider hiring a security expert to manually assess your code.

Now about how the contamination infiltrated the JS files. One common way this happens is through vulnerabilities in user input handling. If your website allows users to input data without proper sanitization, an attacker may exploit that to inject malicious code. Make sure to validate and sanitize all user inputs rigorously. Use prepared statements for database access to protect against SQL injection as well.

If your hosting environment is not secure, that can also be a weak point. Shared hosting environments can be tricky because if one site gets compromised, others on the same server may be at risk too. Review the permissions of your directories and files. They should be as restrictive as possible. Disable directory browsing and prevent execution of scripts in the uploads folder.

Finally, consider utilizing a web application firewall (WAF) which can help detect and block malicious requests before they reach your server.

By analyzing logs, securing your application, and continuously monitoring for potential vulnerabilities, you should be on the right path to pinpoint the attacker and fortify your website against future intrusions.
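A concrete way to do the log review John describes, as an added example that is not from the thread: parse Apache combined-format lines and flag IPs that repeatedly fail the admin login, noting whether a non-error response followed the failures. The log lines, the /admin/login.php path and the IP addresses are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" log format, one named group per field we use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample (not real traffic): one ordinary visitor and one client
# that fails the admin login three times, then gets redirected (302).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2023:00:01:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2023:00:01:13 +0000] "GET /js/main.js HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Mar/2023:00:02:01 +0000] "POST /admin/login.php HTTP/1.1" 401 312 "-" "python-requests/2.28"
198.51.100.9 - - [14/Mar/2023:00:02:02 +0000] "POST /admin/login.php HTTP/1.1" 401 312 "-" "python-requests/2.28"
198.51.100.9 - - [14/Mar/2023:00:02:03 +0000] "POST /admin/login.php HTTP/1.1" 401 312 "-" "python-requests/2.28"
198.51.100.9 - - [14/Mar/2023:00:02:04 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "python-requests/2.28"
"""

def parse_line(line):
    """Fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def login_events(lines, login_path="/admin/login.php"):
    """Per-IP list of response codes for POSTs to the login page, in log order."""
    seq = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            seq[rec["ip"]].append(int(rec["status"]))
    return seq

def flag_login_abuse(lines, min_failures=3, login_path="/admin/login.php"):
    """IPs with >= min_failures consecutive 401/403s; notes if a non-error reply followed."""
    flagged = {}
    for ip, statuses in login_events(lines, login_path).items():
        longest = streak = 0
        success_after = False
        for st in statuses:
            if st in (401, 403):
                streak += 1
                longest = max(longest, streak)
            else:
                success_after = success_after or streak >= min_failures
                streak = 0
        if longest >= min_failures:
            flagged[ip] = {"failures": longest, "success_after": success_after}
    return flagged
```

An IP flagged with success_after set is the one to cross-check against FTP logs and the admin panel's own login records; the flagged list is also a reasonable input for a fail2ban-style block list.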

