Hi there,
I currently have a hosting account with several sites, some of which run on Drupal and others are built on a self-written CMS. However, during the holidays I noticed that some of the sites stopped working, and when I checked the index.php file, I discovered a piece of code that had been added to it.
Upon further investigation, I found that this code had been added to all .js files and index.php files across all of my sites. Although I removed the code, it kept reappearing in certain files. Unfortunately, I don't have SSH access to the server and only have access to DirectAdmin and FTP.
Can you please assist me in resolving this issue? Thank you.
A typical issue is the presence of a Trojan on your computer that steals your FTP passwords and modifies website code.
To resolve this problem, it's best to first change your FTP password via DirectAdmin and then contact your host's technical support team. They have the ability to either restore your site files from backup or use their own scripts to remove the Trojan. In fact, this is a common issue that they deal with on a daily basis.
There is a new type of malicious code that is being inserted with jQuery, which is a departure from the more typical iframe-based attacks.
To address this issue, it's important to secure your own devices and delete any emails containing access information as attackers often obtain this information through email phishing techniques. While this wave of infections was more prevalent a year ago, it's still important to take necessary precautions as software manufacturers now build antivirus protections into their CMS products.
To determine the cause of a website infection, access rights to the affected files must first be considered.
If the files are writable by everyone, the infection may have occurred through vulnerabilities in the CMS or site scripts, such as the well-known hole in phpMyAdmin. On the other hand, if they are not, it's possible that Trojans have infected the machine and passwords should be changed as a precautionary measure. Additionally, it may be necessary to search all PHP on the site for base64_decode and eval, which are often used in planted backdoors.
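A way to do that search when you only have FTP: download the whole site to a local folder and scan it. This is an added example, not code from the thread; it assumes the local copy is in a directory passed to scan_tree(), and demo() builds a constructed sample site (placeholder strings, not real malware) to show the output. It also flags an identical long line appearing in three or more files, which is what mass injection into every index.php and .js file looks like.

```python
import os
import re
import tempfile

SUSPICIOUS = [
    re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),   # decode-then-eval chain
    re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{80,}"),           # long inline base64 blob
    re.compile(r"\beval\s*\(\s*(atob|unescape|String\.fromCharCode)\s*\("),  # JavaScript equivalents
]
EXTENSIONS = {".php", ".phtml", ".inc", ".js"}

def scan_file(path):
    """Return [(line_number, pattern_index)] for every suspicious line in one file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            hits += [(lineno, i) for i, pat in enumerate(SUSPICIOUS) if pat.search(line)]
    return hits

def scan_tree(root):
    """Walk the downloaded site; return ({relpath: hits}, [long lines repeated in 3+ files])."""
    findings, seen_in = {}, {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            hits = scan_file(full)
            if hits:
                findings[rel] = hits
            # The same long line in many files is the hallmark of a mass injection.
            with open(full, encoding="utf-8", errors="replace") as fh:
                for line in {l.strip() for l in fh if len(l.strip()) > 60}:
                    seen_in.setdefault(line, set()).add(rel)
    repeated = [line for line, files in seen_in.items() if len(files) >= 3]
    return findings, repeated

def demo():
    """Constructed sample site (not real malware): three injected files and one clean one."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "js"))
    injected = 'eval(base64_decode("%s"));' % ("A" * 90)  # constructed placeholder payload
    files = {"index.php": "<?php\necho 'hello';\n" + injected, "js/app.js": "var a = 1;\n" + injected,
             "js/menu.js": "var b = 2;\n" + injected, "clean.php": "<?php\necho 'clean';\n"}
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return scan_tree(root)
```

Treat hits as leads, not verdicts: some legitimate minified libraries use eval, so compare any flagged file against a clean copy from the vendor before deleting it.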
While there are numerous types of viruses, we will focus on the most popular attacks against websites and web applications.
One of the most common vulnerabilities is an XSS (Cross-Site Scripting) attack, which allows a malicious script to collect user data, including usernames, passwords, and cookies, and then send that data to the attacker's server without the user's knowledge. Additionally, this type of attack can redirect users to unauthorized sites where they may unwittingly reveal personal information.
Another vulnerability is LFI (Local File Inclusion), which occurs due to incorrect web server configuration or errors in site code. Attackers can use LFI to execute remote code on a web server, modify files on the server, and gain access to confidential information.
SQL injection represents another type of attack, where attackers manipulate queries to access sensitive data, redirect users to viral sites, modify or destroy data, or even gain permanent unauthorized access to servers. High-profile data leaks have resulted from SQL injection attacks, and they remain a serious threat.
Finally, malware and malicious code pose different threats but often work together to compromise both devices and websites. Malicious code can be used to penetrate site vulnerabilities, while malware can infect users' devices through downloads. It's important to take precautions to protect both your site and devices from these types of attacks.
Since you mentioned that you don't have SSH access to the server and only have access to DirectAdmin and FTP, here are a few steps you can take:
1. Change all your passwords: Start by changing the passwords for your DirectAdmin control panel, FTP accounts, and any other accounts associated with your hosting.
2. Scan your local machine: Run a thorough scan of your local machine using an updated antivirus software to ensure it is not compromised. This will help prevent the issue from reoccurring even after cleaning up your websites.
3. Review file permissions: Check the permissions of your index.php files and .js files through the FTP client. Make sure they are set to read-only for all users except the owner. This will help prevent unauthorized modifications.
4. Update CMS and plugins: Ensure that your Drupal installation and any self-written CMS are running the latest versions. Also, update any installed themes and plugins, as outdated software can be vulnerable to attacks.
5. Scan for malware: Utilize any security features provided by your hosting provider, such as scanning for malware or vulnerabilities through DirectAdmin. This can help identify and remove any infected files or code.
6. Secure DirectAdmin: Check if there are any security features available in DirectAdmin, such as enabling additional layers of authentication or enabling IP blocking for suspicious activities.
7. Contact your hosting support: If you've followed the above steps and the issue persists, reach out to your hosting provider's support team. Describe the problem, provide them with the steps you've already taken, and ask for their assistance in investigating and resolving the issue.
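Because the code kept coming back after removal, it helps to keep a hash baseline of the cleaned site and re-download over FTP later to see exactly which files were touched again, which is also useful evidence to give hosting support. Added example, not code from the thread; it assumes two local folders (the site copy and a place for the manifest) and demo() constructs a tiny site, then simulates a re-infection.

```python
import hashlib
import json
import os
import tempfile

def hash_tree(root):
    """Map every file under root (path relative to root, with '/' separators) to its SHA-256."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests

def save_baseline(root, manifest_path):
    """Write the hash manifest of a known-clean copy; keep it outside the site tree."""
    with open(manifest_path, "w") as fh:
        json.dump(hash_tree(root), fh, indent=1, sort_keys=True)

def compare(root, manifest_path):
    """Return (modified, added, removed) relative paths of a fresh download versus the baseline."""
    with open(manifest_path) as fh:
        baseline = json.load(fh)
    current = hash_tree(root)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed

def demo():
    """Constructed site copy: baseline after cleanup, then one file changed and one dropped in."""
    root = tempfile.mkdtemp()
    manifest = os.path.join(tempfile.mkdtemp(), "baseline.json")
    os.makedirs(os.path.join(root, "js"))
    for rel, text in {"index.php": "<?php echo 'clean';\n", "js/app.js": "var a = 1;\n"}.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    save_baseline(root, manifest)
    with open(os.path.join(root, "js", "app.js"), "a") as fh:   # simulate re-injection
        fh.write("/* constructed stand-in for injected code */\n")
    with open(os.path.join(root, "cache.php"), "w") as fh:      # simulate a dropped file
        fh.write("<?php /* constructed new file */\n")
    return compare(root, manifest)
```

A file that changes again after every cleanup points at either a still-active backdoor in the modified set or a reused credential, which is exactly what steps 1 and 2 above are meant to rule out.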