When I opened a ticket I was told:
I am sorry to hear of this trouble! Unfortunately, performing a forensic
analysis of how this happened in your case, or conducting a full security
audit or repair of your sites/code is beyond the scope of the support
that I can provide. That said, I am happy to point you in the right
Embedded code/malware is becoming a more and more common method that
spammers use to try to promote their sites or distribute their malware.
The fact you've noticed this on your pages is likely a sign that your
site has been compromised in one or more ways.
Note that simply replacing the damaged code with old code from before the
attack is rarely effective, as this alone will not address the attack
vector that was used to damage your site. Unless you find, and fix, the
vulnerability that allowed this to happen in the first place, you will
remain susceptible to continued defacement of your site.
Here's some information you can use to help to identify what may have
happened and how to rectify it and possibly prevent it from happening
The two most common entry points for a compromised website are
(1) vulnerable, typically out-of-date web scripts (blogs, forums, CMS,
etc.) or (2) a compromised FTP/SSH user password.
1) All web scripts you have installed under your domain should always be
kept up-to-date with the most recent version available from the vendors'
website, as these often contain security patches for known issues. Older
versions of well-known and popular web software (including WordPress,
phpBB, PHPNuke, PostNuke, etc.) are known to have vulnerabilities that
can allow injection and execution of arbitrary code. Also make sure not
to store 'archive' versions of old software in an open web directory --
if you intend to keep these they should be stored under your FTP user's
home directory, not under a domain directory. Finally, some plugins for
popular software (such as Expose for Joomla) have been found to introduce
similar vulnerabilities. It's a good idea to search the internet for
information about a plugin and ensure it doesn't have any known issues
After updating your software, it is imperative that you go through all
files under all directories for the user which has been compromised and
ensure that any files which have been written to / modified have been
removed. It is common for 'hackers' that exploit web scripts to upload
innocuously-named scripts which they can use to further compromise the
site more easily, even after the initial vulnerability is closed --
including scripts to send spam mail or execute arbitrary shell commands
under your account via a simple web page interface.
A helpful tip for finding files of this nature is to look for files or
directories that have timestamps that occurred since you last modified
your site, or that occurred around the time that the 'hack' took place;
still it is best to examine all files as even a single missed file can
allow the site to be re-compromised.
2) A bit less frequently, an FTP password can be compromised and used to
modify files. The most important part of securing your account in this
case is to change your FTP user's password via the (USERS > MANAGE
USERS) -> "Edit" area of the control panel. Passwords should not contain
dictionary words and should be a string of at least 8 mixed-case alpha
characters, numbers, and symbols. The best option for selecting a new
password is to use our "Pick a password for me" feature. Check that box
near the bottom of the page then click on the "Save Changes" button. The
system will generate a very strong random password for this account. It
will be displayed on the next page.
It is recommended to always use Secure FTP (SFTP) or SSH rather than
regular FTP, which sends passwords over the internet in plaintext. You
should not use any passwords that you've used with other services, and
ideally you should never use the same password for email, control panel,
and FTP/SSH. Finally, you should always ensure that you've got up-to-date
virus/malware screening on your computer to ensure that it is not
Follow these links for more information on Strong Passwords...
Though this alone will not fix the problem, you may be able to recover
your old files using the "Restore" option under the "Actions" column for
your domains on the "Manage Domains" section of the panel (but if you do
this, realize that the backups may contain bad code as well, so this is
not a fix in and of itself).
For database restores, go to (GOODIES > MANAGE MYSQL) in the control
panel and click on the "Restore DB" button across from a specific
You might also want to check out this article in our Wiki for more
information about how to deal with a hacked site...
I have submitted your account for a scan for known vulnerabilities, and
malicious code, that may provide more account-specific information. It
could take several hours for the scan to complete, depending upon the
number of accounts awaiting the scan, but the scanner will write you with
a report of what it finds. If you do not receive such a report within 24
hours, please let us know so we can make sure the scan properly completes
and you receive the results.
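
The timestamp check that the support reply recommends, written out as an added example (not part of the original ticket or the host's tooling). It assumes a Unix host with Python 3; the function names and the cutoff (your last legitimate change to the site) are illustrative. It also compares ctime, because whoever wrote a file can reset its mtime.

```python
import os
import sys
import time


def changed_since(root, cutoff_epoch):
    """Return (path, mtime, ctime) for every file or directory under root
    whose content (mtime) or inode (ctime) changed after cutoff_epoch."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report a symlink itself, not its target
            except OSError:
                continue  # removed or unreadable while scanning
            # mtime can be set by the file's owner, ctime cannot, so an
            # entry counts as changed if either is newer than the cutoff.
            if max(st.st_mtime, st.st_ctime) > cutoff_epoch:
                hits.append((path, st.st_mtime, st.st_ctime))
    # Most recently touched first.
    return sorted(hits, key=lambda h: max(h[1], h[2]), reverse=True)


def backdated(hits, cutoff_epoch):
    """Entries whose mtime predates the cutoff although ctime is newer:
    a metadata change (chmod, rename) or a reset timestamp. Review these too."""
    return [h for h in hits if h[1] <= cutoff_epoch < h[2]]


if __name__ == "__main__":
    # Usage: script.py <site directory> <days since last legitimate change>
    root, days = sys.argv[1], float(sys.argv[2])
    cutoff = time.time() - days * 86400
    hits = changed_since(root, cutoff)
    flagged = {h[0] for h in backdated(hits, cutoff)}
    for path, mtime, ctime in hits:
        mark = "BACKDATED" if path in flagged else "changed"
        print(f"{mark:9}  mtime={time.ctime(mtime)}  ctime={time.ctime(ctime)}  {path}")
```

As the reply itself says, a clean result here does not replace examining all files; the listing only orders the review.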