Cleaning sites that are infected via FTP

Infection of a website  via FTP, involves the injection of site code into an <iframe> through which the visitor of the webiste is redirected to another page called the 'attack site '. The website intends to install a malicious program on the visitors computer to access, gathering information and displaying unsolicited content. Site that have been hacked using this kind of attack can be observed when loading it in the web browser, where usually the browser displays a warning about content being potentially harmful or a warning displayed by the antivirus installed on computer when the program on the "attack site" is trying to access the computer.

Infection mechanism is as follows: From the workstation from which you access the site via FTP passwords are stolen by a trojan virus. The stolen data is used to log in via FTP, download files and injecting the malicious code, and then are uploaded back into the site. Infected files are usually the index.html or index.php file(s), but these changes can be made in the .js scripts where the target URL  is usually encoded, which later will be decoded at runtime.

The following steps are to correct the consequences of an attack via FTP to the site and prevent their reinfestation. To prevent reinfestation it is important to take the steps in this order:

1. Scan with an antivirus and disinfect the workstation(s) on which the infested website was accessed via FTP. For this use at least one good antivirus and antispyware product. If this is not done properly and completely,  the site will be infested again in a few hours of cleaning malicious code.

2. Change passwords for  the FTP accounts used to access the site. This can be done from the website control panel (cPanel, Plesk a.s.o). Not changing the passwords can lead to recurrence of the problem.

3. Check carefully and remove foreign code from the infected site. Check all files, index files are priority. Most often you will find the presence of an <iframe> at the beginning or end of the infected file(s).

Following these steps carefully ensures the solving of the problem. Increasing the security of the computers that are used to access your site via FTP will help avoiding such problems.

  • 110 Users Found This Useful
Was this answer helpful?

Related Articles

Free SSL certificate generation from cPanel

  You must first make sure that your site has our NS (or A record pointing to our server), and...

What is the SSL certificate (HTTPS)

Getting started with SSL (https :)SSL stands for Secure Sockets Layer. Is a standard / protocol...

How to make the transition from HTTP to HTTPS

Before you will start to make the transition from HTTP to HTTPS you have to be sure that you have...

Trimiterea emailurilor prin SMTP

Funcția mail() a fost dezactivată pe serverele Linux shared din motive de securitate, începând cu...

Acces SSH

Pentru a va putea conecta la SSH vom avea nevoie de: 1. Un program gen PuTTY (pentru Windows)....