Website still hacked with npanelsrv

[promurphy]

http://forums.x10hosting.com/free-h...-info-width-1-height-2-iframe.html#post580750

This is still happening to my site after I deleted all files I did not create myself and changed my password. I am concerned that there may be something on x10hosting's servers.

 

[descalzo]

Got a link to one of the pages?

 

[promurphy]

http://promurphy.com/index.shtml

 

[galaxyAbstractor]

Do a virusscan and a spybot scan. If you use dreamweaver, disable all plugins if you use any. You probably got a keylogger on your computer. Also, do you have any kind of PHP script on your site? If so, check them

 

[promurphy]

Unfortunately I've done all those things and I don't use any PHP. I only use one java script that I have used for 3 years now.

 

[Corey]

If someone had access to the server I can assure you they wouldn't bother putting an iframe link in your files This is a common exploit in JS and PHP. Please check both, also it is common for them to hide additional files, check all the folders, not just the ones you uploaded.

 

[promurphy]

I downloaded everything, including the email files to a folder on my computer, than scanned it with both MCAffee and Malwarebytes... found nothing odd. What should I do next?

 

[galaxyAbstractor]

I downloaded everything, including the email files to a folder on my computer, than scanned it with both MCAffee and Malwarebytes... found nothing odd. What should I do next?

antivirus-software wont find anything. You have to search trough all files for malicious code. A tip is searching for that domain in all script files.

Also this script might be able to find some malicious code: http://sourceforge.net/projects/phpantivirus/

 

[promurphy]

I did a windows search in the folder. No luck. I opened up every file in notepad and searched that way. No luck. I can't use the PHP Virus Scan because I'm on Windows.

 

[leafypiggy]

upload PHPvirusscan to your account on x10?

Install WAMP server?

You just need apache with a PHP config file...

 

[promurphy]

I'm sorry. I don't know what you mean.

I am beginning to think it is free hosting.

 

[descalzo]

What do you use server side includes for?

 

[promurphy]

Because I plan to use the same information elsewhere as I expand the site. Why do you care whether or not I use SSI?
Edit:
I'm sorry, I'm having a difficult time thinking this is something on my FTP space. Can an admin help me out here?

 

[Corey]

This is a common exploit, there is even a 41 page thread about it over on the cPanel forums.

Here are the most common ways reported:

1.) Vulnerable PHP Script (Poor Script, Out of date, etc...)
2.) One of your FTP accounts have been hacked, change all the passwords to each one.
3.) Poorly coded JS can also have the same effect as #1
4.) cPanel password hacked, change it.
5.) Host computer is infected

-Corey

 

[promurphy]

1. no PHP on my site

2. I changed my FTP password

3. I have js on my page that makes the pictures pop up. I'm struggling to see how this could be an issue

4. I changed my cpanel password

5. I did numerous scans on my two machines and am coming up with nothing.

 

[adamparkzer]

This may be a little far-fetched, but check your cron jobs to see if there's anything that may be adding that line of code to your pages on a periodic basis.

 

[promurphy]

I do not use cron jobs. This is a VERY simple website.

 

[adamparkzer]

I do not use cron jobs. This is a VERY simple website.

I understand that you don't use PHP or cron jobs, but it's possible that someone may have gained access to your account and added a cron job that alters your files on a periodic basis.

 

[Corey]

Well, I would be happy to move everything and just put a test index file to see what happens. This would mean your site would be down for the duration of the test.


-Corey

 

[promurphy]

Go for it. Can't do any more harm then what's already been done.
Edit:

I understand that you don't use PHP or cron jobs, but it's possible that someone may have gained access to your account and added a cron job that alters your files on a periodic basis.

Good thinking, I don't know how to check my cron jobs however.