Or we've also seen cases where it automatically looks at the FTP traffic and adds their malscripts (malicious javascript) to certain files as they're being uploaded. While we haven't been able to isolate the virus, we've found that people whose websites have been compromised are typically using a PC that's infected with something that sniffs the FTP traffic and obtains the username and password, then the cybercriminals (hackers, crackers, whatever) use their automated systems to continually re-infect your website. FTP sends username and password in plain text. Too often people think that FTP is a safe and secure protocol - it's not. What we have found is that it's not the hosting provider, it's not some vulnerability in the software (Drupal), it's not some hole in a plugin - it's the PC you're using to send the files up to the server. We scan them for vulnerabilities and find they are relatively secure. We have been seeing a lot of websites getting compromised. Someone please help as this is causing av of many legit users problem in visiting the sites. What are the possible files that can give rise to the code when the page is generated? How can an internal search be made on the drupal files - downloading and searching by windows search do not show the malicious code. The hosts say they have no other cgi, files etc that can cause this and apparently

Checking the web directory gives no suspicious file. This issue is reported in avast forums also ( do a google search on JS:Redirector-G ) The thing but in drupal apparently it still persists even after cleaning index files or freshly uploading js files. This is happening with new installation of latest 5x drupal as well as other pages/scripts.

For some pages/scripts cleaning the index files ( index.php, index.html) etc corrects \modules\img_assist\drupalimage\editor_plugin_src.js

Can anyone tell me how the page is generated and where this could be coming from?
It has been inserted between the end of the and the start of the tags \modules\img_assist\drupalimage\editor_plugin.js \modules\img_assist\img_assist_tinymce.js \modules\img_assist\img_assist_textarea.js These are some of the corrected files, I have checked that they are still uninfected: The problem is that the code is still showing up in the browser right after the tag and I need to find where this is in the code or database Once this has been fixed I'll upgrade but I need to find the problem first. If it is an FTP based attack that won’t prevent it happening again but at least I can identify the files and rectify it quickly now. I’ve removed the code and write protected the files in case it was a SQL injection attack. I have downloaded the site and run TextCrawler which identified 17 infected files I have been asked to support an old version of drupal 4.7.4 which has been infected with JS:Redirector-G This may not be drupal problem but ftp attack or sort of it

But need some urgent help to clean drupal or any module or utility in drupal I did not notice that at the bottom of each of your posts you say "Use NoScript, a limited user account and a virtual machine and be safe(r)!" Thanks for this advice. As version could not be changed I am repeat posting for drupal 5x ( and may be 6x also) Polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter) Do we have to reckon with an AVG/avast FP in this case? Response should be compressed with Brotli when Brotli compression is requested over HTTPS

But no security implications seen there.
Static resources should have a long cache value (31536000) and use the immutable directive: public, max-age=0 Please post English here, else use the forum section for your language.

Error here: hint #1: 'content-type' header media type value should be 'text/javascript', not 'application/javascript' If I turn NoScript off, Avast flags the threat "We've safely aborted connection to because it was infected with JS:Redirector-BMU. The subject of this thread was "Ebay Login - False Positive?" So is Avast posting a False Positive?

As an additional protection from java script redirect type malware do you recommend using a browser extension in Firefox like NoScript? If this malware, JS:Redirector-BMU, were real, would an extension like NoScript stop it? The reason I ask is that today with NoScript active, Avast does not flag a threat warning when I get to the Ebay login page. Quote -Various AV will return it as clean, but we see no best policies followed here