Over the past few weeks, many website owners have been dealing with malware that inserts code into certain files so that visitors are automatically redirected to another website. c3284d is one such malware network: it inserts malicious code into certain files on your website, redirecting your users to another website, usually with “stats.php” in the URL. The worst thing about this malware is that it updates the redirect URL every few hours, seemingly automatically.
Examples of the code can be found here; it tends to infect index, header and .htaccess files. To fix this problem, you first need to clean every infected file by deleting the offending code. Once complete, you can scan your website with the Sucuri Website Scanner, which will tell you if you’re in the clear. Click re-scan after the first try to make sure you aren’t getting cached results.
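To find which files need cleaning, the sketch below walks a webroot and flags lines in index, header and .htaccess files that contain either of the two strings this article names. It is an added example, not code from Sucuri or any other tool; it assumes the injected code contains the literal string "c3284d" or a "stats.php" URL, and the sample site it builds is constructed with harmless placeholders.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Indicators taken from the article: the network name and the redirect path.
# Assumption: the injected code contains one of these literal strings.
INDICATORS = re.compile(rb"c3284d|stats\.php", re.IGNORECASE)

def is_target(name):
    """File types the article says get infected: index, header and .htaccess."""
    lower = name.lower()
    return lower == ".htaccess" or lower.startswith(("index", "header"))

def scan_webroot(root):
    """Return (path, line_no, mtime_utc, snippet) for every indicator hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in filter(is_target, files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    lines = fh.read().splitlines()
                mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            for no, line in enumerate(lines, 1):
                if INDICATORS.search(line):
                    snippet = line.strip()[:80].decode("utf-8", "replace")
                    hits.append((path, no, mtime, snippet))
    return hits

def build_sample_site(root):
    """Constructed sample tree: one clean header, two files with placeholders."""
    samples = {
        "index.php": b"<?php\n// MARKER-c3284d (constructed placeholder)\nget_header();\n",
        "wp-content/themes/demo/header.php": b"<?php wp_head(); ?>\n",
        ".htaccess": b"RewriteEngine On\n# placeholder: http://example.invalid/stats.php\n",
        "readme.txt": b"mentions stats.php but is not a targeted file type\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for path, no, mtime, snippet in scan_webroot(site):
            print(f"{mtime:%Y-%m-%d %H:%M}Z {os.path.relpath(path, site)}:{no}: {snippet}")
```

A hit is a lead to inspect by hand, since a legitimate file can also mention stats.php. The modification time shown for each hit helps confirm whether the code reappears after cleaning.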
Once you’ve verified your site is clean, do the following:
- Log in to your hosting cPanel and reset the FTP passwords for every affected website.
- Scan your computers for malware and viruses, particularly the ones you use to access the FTP of your website. Spybot doesn’t seem to find the problem. Microsoft Security Essentials finds it with a full scan but not a quick scan, and its real-time protection seems to let it through. Malwarebytes should also find it.
Just to be sure, don’t log in to your site for 24 hours. If Sucuri still reports that your site is clean after this time, your problem was most likely caused by FTP passwords being stolen by malware on your system. The malware seems to change/add code every 8 hours or so. This issue probably occurred because you were logging into your FTP accounts using “Plain FTP”, and many FTP clients, including the very popular FileZilla, store these passwords in plain text. Make sure to use the SFTP protocol in the future, as the passwords are then stored more securely.
Other courses of action you can take if this doesn’t work:
- As a temporary measure, you can hold back this infection by inserting a comment line at the top of the header file, similar to /* wp_head(); wp_head(); */. This tricks the malware into inserting its code into a comment, where it should have no effect on the website. The call will differ between content management systems: look immediately below where the offending code keeps appearing, and put that in the comment line instead of wp_head().
- Contact your hosting provider, as this may be an issue on their end.
- Change your cPanel password.
- Change your website administrator account’s password.
- Check your SQL User database for users with administrator permissions, and delete these additional users.
- Create a new user for your SQL database, and delete the previous user. (Warning: be sure to update these details in the CMS config file).
- Update your .htaccess protection; Hackrepair.com provides a good list of known bad bots.
This sort of malware, known as malvertising, has become more common in recent years, and this one in particular is plaguing many website owners. Try to stay vigilant, and let us know if any of this information helped.