What is a malicious code attack?
Does the image to the right look unfortunately familiar?
If so, your website has most likely been the victim of a malicious attack.
Malicious attacks on your website usually happen when someone or something has compromised the HTML and other files on your website and inserted malicious code into them.
What does it do?
This malicious code (or malware) is primarily intended to execute whenever innocent visitors to your site open the page where it is situated. It can take the form of JavaScript, Java applets, browser plugins or other pushed content. When these scripts execute, the end result is usually to compromise the visitor's ("host") machine for other purposes, such as sending unsolicited spam email or further propagating a virus.
What to look for
The first time most people learn of any attack against their website is when they see a message like the image above. By this point the malicious code has already been doing what it was designed to do: running on unsuspecting visitors' browsers as they view your website. Lists such as Google's Safe Browsing blacklist are regularly updated with compromised sites so that other innocent visitors are warned before the malicious code executes.
You can, however, spot the malicious code before this point. If your normally fast-loading home page suddenly takes a long time to open, it could be because some other code is trying to execute at that point. If one of your most commonly accessed pages, e.g. your index.html page, changes slightly or shows a new modified date on the server that does not correspond to any edit you made, the file may have been compromised. If the source code of your home pages has changed and contains some unexpected code, those pages may have been compromised.
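As an added illustration of the checks just described (this script is not part of the original article), here is a small Python scanner that compares the current site files against hashes recorded when the site was known to be clean, and then flags script or iframe tags in any changed file that load from a host you do not expect, as well as iframes styled to be invisible. The file contents, the hostnames and the allowlist are constructed sample values.

```python
import hashlib
import re
from urllib.parse import urlparse

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def changed_files(baseline: dict, current: dict) -> list:
    """Names of files whose hash no longer matches the recorded baseline
    (files with no baseline entry are reported too, since they are new)."""
    return sorted(name for name, content in current.items()
                  if baseline.get(name) != sha256_hex(content))

# <script>/<iframe> tags carrying a src attribute, and iframes styled to be invisible.
SRC_RE = re.compile(r'<(script|iframe)\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
HIDDEN_RE = re.compile(
    r'<iframe\b[^>]*(width\s*=\s*["\']?0\b|height\s*=\s*["\']?0\b|display\s*:\s*none)', re.I)

def suspicious_tags(html: str, allowed_hosts: set) -> list:
    """Flag script/iframe tags loading from hosts outside the allowlist
    (relative, same-origin paths are not flagged) and hidden iframes."""
    findings = []
    for tag, src in SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:
            findings.append(f"{tag.lower()} loads from unexpected host: {host}")
    if HIDDEN_RE.search(html):
        findings.append("hidden iframe present")
    return findings

# Constructed sample: a clean index.html, and the same page with an injected hidden iframe.
CLEAN_INDEX = b'<html><body><script src="js/site.js"></script><p>Hello</p></body></html>'
INFECTED_INDEX = CLEAN_INDEX.replace(
    b"</body>",
    b'<iframe src="http://malware.invalid/x" width="0" height="0"></iframe></body>')
ALLOWED_HOSTS = {"www.example.com"}  # hosts your pages legitimately load content from (sample)
BASELINE = {"index.html": sha256_hex(CLEAN_INDEX), "about.html": sha256_hex(b"<p>About</p>")}
CURRENT = {"index.html": INFECTED_INDEX, "about.html": b"<p>About</p>"}

def scan(baseline: dict, current: dict, allowed_hosts: set) -> dict:
    """For each file that differs from the baseline, list what looks injected."""
    return {name: suspicious_tags(current[name].decode("utf-8", "replace"), allowed_hosts)
            for name in changed_files(baseline, current)}

if __name__ == "__main__":
    for name, findings in scan(BASELINE, CURRENT, ALLOWED_HOSTS).items():
        print(f"{name} changed since baseline: {findings or ['no obvious injection found']}")
```

In real use the baseline hashes should be computed from a clean backup and kept off the web server, so an attacker who can edit the pages cannot also edit the record you compare them against.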
How can this happen?
Malicious code can appear on your site in three main ways: 1) it is uploaded by FTP from your own compromised machine; 2) your FTP details for the server have been compromised and the amended file(s) have been uploaded from elsewhere; or 3) (less commonly) a scripting language on the website, e.g. PHP, has been compromised and used to dynamically change the content of the pages in your hosting area.
What can you do?
First, you must reset all FTP and server access details. This ensures that any compromised credentials are immediately invalid.
Secondly, you must identify and remove the malicious code from the website, which can sometimes mean deleting everything from your hosting area. This prevents any further visitors from falling victim to the code.
Thirdly, you must recheck and rescan your local machine(s) to ensure there is no virus or other malware on them that could be involved in either uploading the amended files or compromising your FTP details. (Some viruses/trojans have as their primary purpose scanning the local machine for stored FTP details, which they send to a drone server on the internet, which in turn passes the details on to hackers and other malicious code writers.)
[Edit: Recommend that you run the anti-virus and anti-malware scans after rebooting the computer into SAFE MODE – thanks Chris]
How to avoid it
Make sure you have an excellent FTP and server access password policy in place, and change your passwords regularly.
It always amazes us how many people have very basic passwords and never, ever change them.
Make sure that your local machine(s) have the most up-to-date anti-virus and firewall software installed, and run regular (weekly or even daily) scans on your machines to ensure they are fully protected.
What to do next
Once you are happy that you have resolved the issue and neutralised the malicious code, you can approach the Safe Browsing blacklist sites and submit a reconsideration request for your website at:
http://www.stopbadware.org/home/reviewinfo
For ecommerce merchants the above image acts as an instant "closed door" to potential customers, which can severely affect business. Prevention is by far the best method; however, if this does happen to you, follow the steps above and you should be able to minimise the damage caused and hopefully protect yourself against any future attack.
I would suggest that the anti-virus and anti-malware programs should be run in Windows under the SAFE mode rather than in the normal mode.
Chris,
Thanks for this additional, very valid, useful piece of information. We shall amend the article and add in your recommendation.