Malware undeletes files I have already deleted from the server

[midwest32]

I'm at a loss here and have called host company and they say everything is fine on their end. Basically deal with it myself. My client uses a cart called effortlesse, all I realty get is FTP access nothing more and the only things that I have done were design changes to the site.

I feel like this issue runs deeper that I can help with. Also a weird thing is a log file for the day before this all happened is locked and I can't get into it.

I don't know if I am giving I guys enough here but anything would be great.

 

[Jack]

Hello and welcome to malwaretips.com,
1.Did you asked the Security team of the hosting company to run a scan of site?
2.Usually when malware in injected into a site, is commonly the result of a compromised password due to a virus-infected PC.
Most likely a users password was stolen via a password scraper or keylogger that resides on their local PC or network. So no matter how many changes we make to the password as soon as they type it into FTP or Cpanel its immediately sent off to this script that then injects the files.
Trojan Zeus/Zbot is the most common vector of attack, so I strongly suggest that your client and all those who have a FTP accounts to scan their computer for malware with the following tools:
Malwarebytes Anti-Malware : http://www.malwarebytes.org/products/malwarebytes_free/
HitmanPro : http://www.surfright.nl/en/hitmanpro/
Emsisoft Emergency Kit : http://www.emsisoft.com/en/software/eek/
If you suspect that your computer or your client is infected, then we can run additional scans.


3.Change the passwords for all users and all accounts (for example, FTP access, administrator account, content management system authoring accounts).Do not use old passwords, generate new ones.
Check your users: It's possible that the hacker created one or more new accounts

4.What's the URL of the site,can you disclose it , so I can take a look at the source code of the site?


5.Run a scan of the website with the following tools:
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://siteinspector.comodo.com/

 

[midwest32]

Thanks Jack,

I appreciate the feed back.

1. They said that they did run some sort of scan and they didn't find any infection in there system.

2. I checked my Mac and found a couple of Trojans which I cleaned up. I'll have my client scan for any virus' as well.

3. They have to go through this company to change the FTP password but it has been a couple days since they asked to have it changed, so I will make sure to have then check back in on the status of that.

4. It is studio1220.com I have cleaned it up but more than likely has been infected again.

I used sucuri and for the moment it is malware free.

 

[Jack]

Hello midwest,
The site seems to be clean (including the JS) however please keep in mind that these attacks usually are due to poor security on users computer.....Tell your client to install and run a scan wit the 3 tools that I have recommended in my previous post. Also he needs to properly secure its computer so that this won't happen again.

 

[midwest32]

Will do, thank you so much, I will keep u posted on the status of the site.