Malware attack on multiple websites

[alberts]

Malware attack on multiple websites

I develop and keep track of a few websites that are hosted on various providers. Recently, two of my websites, hosted by different companies got hit by malware. Since the hosts don't want to help out in tracing the attacker and I don't have root access to the machines I know very little about the origin of the attack. It's a code injection attack inserting some javascript code into your .html files and index files. The code starts with an html comment and "0f2490". If you see something like that in your files delete it and look through all of them. The easiest way to do that is to grep for "0f2490". You can use the following command in linux to search through all your files for that string.

find . -type f -exec grep -inH "0f2490" {} \;

If anyone has any information regarding this type of attack, it would be muchly appreciated. The malware seems to be pretty new. Upon notifying one of the hosting providers, I was told that the site was scanned and it is malware-free, which of course was not the case. Microsoft only has noticed it on 08/08/2013, so 4 days ago. Of course I take all the precautions when developing, all my passwords are strong. My development machine is only used for development, and a full scan is ran each night. So i hope the breach was not due to my shortcomings.

If you have any information please post it here on Hacker News. Thank you.

[yogo]

Is the site hosted on a shared hosting plan? I've seen similar attacks to this on GoDaddy and HostGator where all evidence seems to suggest that it was either via ftp access or compromised cpanel. Cpanel was definitely compromised on hostgator several weeks ago.

[t0]

It's almost always the result of password guessing. The code injection happens after they get in and isn't really relevant to the attack.

[gesman]

How do you scan for malware? What kind of hosting platform and CMS you use?