Recently a case happened to me, a virus got caught - a script. infected all sites (did not work, were referred by referral), the script turned out to be very contagious. All sites hosted are also dead. How did he get there? I did not load anything into the roots of the sites.

Question: How can you protect yourself from such things?

  • Maybe you just carried out technical work on your hosting? Check the mail about it all alert. And if this was the script, then this is the maximum of JS, I think it is unlikely that the JS script is able to overwhelm the host. - FreeMast
  • Good such work to infect the site xD - Sharp - eyed
  • Hosting from ihc.ru The virus was strange in the <script> </ script> tag. Many different scrawl. - Nikita Aristarkhov
  • Here either the first point or the third. This, by the way, is not a scribble, but an encoded string loading a virus. - Sharp - eyed
  • I know, just this crap I killed 15 sites. And not only mine. - Nikita Aristarkhov

2 answers 2

Options:

  1. The virus got on your computer, stole saved passwords from FTP, after which an infection occurred. Solution: good antivirus.
  2. Leaky hosting, hacked it, infected you. Solution: do not use govnohostign for 3 pennies.
  3. Leaking a CMS that was hacked and infected. Solution: either update the system with the latest security fixes, or do not use. Here in general, that's all.

    Plus to @ Sharp- eyed and add on my own: faced with this problem several times. Helped change passwords + wrote a script that runs through all the files and "chopping off" tails.

    Added by

    <? $RD = dirname(__FILE__); function delVirus($dir) { $m = glob($dir.'/*.js'); $ml = sizeof($m); if($m) for($i = 0; $i < $ml; ++$i) { $t = file_get_contents($m[$i]); echo '['.$m[$i].']'; if($s = strpos($t, "var _0x5cb4")) { $t = substr($t, 0, $s); $t = file_put_contents($m[$i], $t); echo ' +'; } echo '<br>'; } if(!$handle = opendir($dir)) break; while(false !== ($file = readdir($handle))) { if($file != '.' && $file != '..' && is_dir($dir.'/'.$file)) { delVirus($dir.'/'.$file); } } } delVirus($RD); ?>

    This option removes from *.js everything that starts with var _0x5cb4 . If the virus got into php and starts from a different line, the script is easy to edit.

    • can't you share the script? And then manually delete everything more expensive. - Nikita Aristarkhov
    • Added in response. - ling
    • Sorry, but how to run a script for all subdirectories. - Nikita Aristarkhov
    • Download it to the root folder and open it in the browser. - ling
    • Understood) Big thanks - Nikita Aristarkhov