Author Topic: Chinese hacker hacked my website  (Read 1700 times)


Offline johnpatel

  • Newbie
  • Posts: 4
    • DF Notepad Online
Chinese hacker hacked my website
« on: May 20, 2020, 01:01:17 PM »
Hello,

Recently a Chinese hacker hacked my website and placed some malicious scripts in some of the files. Also, he messed up my website homepage. It shows some hacking images with Chinese text.

Then I took a backup of my website to my computer and scanned all the website files with Avast. But Avast does not detect any malicious script files.

Can you please help me with how I can clean my website files using Avast?

Please let me know if you need any further details from me.

Thanks in advance

Offline Pondus

  • Probably Bot
  • Posts: 37546
  • Not an avast user
Re: Chinese hacker hacked my website
« Reply #1 on: May 20, 2020, 01:14:21 PM »
Is your website online now?

Check it here  >>  https://sitecheck.sucuri.net/

Post link to scan result


You may also upload and scan your website code here  >>  www.virustotal.com

Post link to scan result



« Last Edit: May 20, 2020, 01:18:17 PM by Pondus »

Offline johnpatel

  • Newbie
  • Posts: 4
    • DF Notepad Online
Re: Chinese hacker hacked my website
« Reply #2 on: May 20, 2020, 01:47:30 PM »
I have scanned it in Sucuri and it shows "Unable to scan your site. Timeout reached"
https://sitecheck.sucuri.net/results/https/www.gradecalculator.tech

and VirusTotal shows all well.
https://www.virustotal.com/gui/url/02a9c97d15c3644c9ad2edafab1b6d24ba91f32cbaf9454972d3eba8bc46c8f5/detection

Yes my website is live: https://www.gradecalculator.tech

I have restored my old backup after the hack.

Offline Pondus

  • Probably Bot
  • Posts: 37546
  • Not an avast user
Re: Chinese hacker hacked my website
« Reply #3 on: May 20, 2020, 02:09:45 PM »
Quote
I have scanned it in Sucuri and it shows "Unable to scan your site. Timeout reached"
https://sitecheck.sucuri.net/results/https/www.gradecalculator.tech
You may ask Sucuri why ... there is a chat

If you need website protection, Sucuri is the one to ask  https://sucuri.net/


Quote
and VirusTotal shows all well.
https://www.virustotal.com/gui/url/02a9c97d15c3644c9ad2edafab1b6d24ba91f32cbaf9454972d3eba8bc46c8f5/detection
Did you just scan the URL? That is just a URL blacklist check.

You have to upload the HTML code as a file and scan it to see if it contains anything malicious.


« Last Edit: May 22, 2020, 01:47:14 PM by Pondus »
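Pondus's point above is that checking a URL only consults blacklists; the files themselves have to be examined. The script below is an added example, not code from this thread, from Avast, Sucuri or VirusTotal: it takes the older clean backup johnpatel mentions and the compromised copy, lists files that were added, removed or modified (by SHA-256), and then greps the changed files for a constructed list of generic injection indicators (PHP eval-of-decoded-string chains, document.write(unescape(...)), zero-size iframes, long base64 blobs). The sample trees, file names and indicator patterns are constructed for illustration; a hit means "open this file and look", not a verdict.

```python
"""Offline triage of a hacked site: diff the compromised copy against a clean backup.

Added example, not code from the forum thread or from Avast/VirusTotal/Sucuri.
Assumptions: a known-good backup directory and a copy of the compromised files
are both on the local machine; paths and indicator patterns are constructed.
"""
import hashlib
import os
import re
import tempfile

# Generic indicators of injected web-shell / drive-by code (constructed list).
INDICATORS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\("),
    re.compile(rb"document\.write\s*\(\s*unescape\s*\("),
    re.compile(rb"<iframe[^>]+(width|height)\s*=\s*[\"']?0[\"']?", re.I),
    re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"),  # long base64 blob
]
TEXT_EXT = {".php", ".html", ".htm", ".js", ".txt", ".css"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map each path relative to root to its SHA-256 digest."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def diff_trees(clean_root, hacked_root):
    clean, hacked = hash_tree(clean_root), hash_tree(hacked_root)
    return {
        "added": sorted(set(hacked) - set(clean)),
        "removed": sorted(set(clean) - set(hacked)),
        "modified": sorted(p for p in set(clean) & set(hacked) if clean[p] != hacked[p]),
    }


def scan_indicators(root, paths):
    """Return {relpath: [indicator indexes]} for text files matching any pattern."""
    hits = {}
    for rel in paths:
        is_text = os.path.splitext(rel)[1].lower() in TEXT_EXT or os.path.basename(rel) == ".htaccess"
        if not is_text:
            continue
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        matched = [i for i, pat in enumerate(INDICATORS) if pat.search(data)]
        if matched:
            hits[rel] = matched
    return hits


def triage(clean_root, hacked_root):
    """Diff the trees, then scan only what changed (added + modified) for indicators."""
    result = diff_trees(clean_root, hacked_root)
    result["suspicious"] = scan_indicators(hacked_root, result["added"] + result["modified"])
    return result


def build_sample():
    """Constructed sample trees: a clean backup and a tampered copy of it."""
    base = tempfile.mkdtemp(prefix="site-triage-")
    clean, hacked = os.path.join(base, "clean"), os.path.join(base, "hacked")
    files_clean = {
        "index.php": b"<?php echo 'hello'; ?>\n",
        "assets/app.js": b"console.log('ok');\n",
        "about.html": b"<html><body>About</body></html>\n",
    }
    files_hacked = dict(files_clean)
    files_hacked["index.php"] = files_clean["index.php"] + b"<?php eval(base64_decode('QUFB')); ?>\n"
    files_hacked["assets/x.php"] = b"<?php eval(gzinflate(base64_decode('x'))); ?>\n"
    files_hacked["about.html"] = files_clean["about.html"].replace(
        b"</body>", b"<iframe src=\"http://example.invalid\" width=0 height=0></iframe></body>")
    for root, files in ((clean, files_clean), (hacked, files_hacked)):
        for rel, data in files.items():
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
    return clean, hacked


if __name__ == "__main__":
    c, h = build_sample()
    r = triage(c, h)
    for key in ("added", "removed", "modified"):
        print(key, r[key])
    for rel, idx in r["suspicious"].items():
        print("SUSPICIOUS", rel, "indicators", idx)
```

Run it against real directories with `triage("/path/to/clean-backup", "/path/to/hacked-copy")`. Scanning only the changed files keeps the noise down; the unchanged files are by definition identical to the backup you trust, and "added" files in upload or cache directories are where dropped web shells usually end up.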

Offline johnpatel

  • Newbie
  • Posts: 4
    • DF Notepad Online
Re: Chinese hacker hacked my website
« Reply #4 on: May 20, 2020, 02:16:56 PM »
Ok let me check.
Thanks for your advice and support.

Offline johnpatel

  • Newbie
  • Posts: 4
    • DF Notepad Online
Re: Chinese hacker hacked my website
« Reply #5 on: May 20, 2020, 02:32:39 PM »
I have uploaded my website files and folders to VirusTotal and after the scan they gave me more than 50 files with malicious scripts.
Thanks, support team, for solving my issue.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33913
  • malware fighter
Re: Chinese hacker hacked my website
« Reply #6 on: May 20, 2020, 11:27:53 PM »
Some major configuration errors were found; some scans fail for the web address you mention.

Here you have some improvement recommendations based on linting:
https://webhint.io/scanner/6621268d-f132-4637-9424-2ccc0900c31c

Here is a file-viewer scan of where your site is redirecting to:
https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Z313e2IuW15zLmZdfXRoLmd9YHB1YmxbXmA%3D~enc

Retirable jQuery libraries:
Quote
bootstrap   3.4.1.min   Found in -https://grweb.ics.forth.gr/public/assets/js/bootstrap-3.4.1.min.js
Vulnerability info:
High   28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331
jquery   3.2.1.min   Found in -https://grweb.ics.forth.gr/public/assets/js/jquery-3.2.1.min.js
Vulnerability info:
Low   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Medium   Regex in its jQuery.htmlPrefilter sometimes may introduce XSS

Javascript SRC ->
Quote
error -> TypeError: Cannot read property 'style' of null
 /public/:108

Javascript 11   (external 5, inline 6)
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes

consent.cookiebot.com/uc.js
INLINE: function onSubmit(token) { $( "#w-form" ).submit(); } func
295 bytes

INLINE: checkNonCookieResponse(); function checkNonCookieResponse() {
934 bytes

grweb.ics.forth.gr/public/assets/js/jquery-3.2.1.min.js
grweb.ics.forth.gr/public/assets/js/bootstrap-3.4.1.min.js
INLINE: document.getElementById("currentYear").innerHTML = new Date().getFullYear()
84 bytes

grweb.ics.forth.gr/public/assets/js/animate.js
INLINE: $(document).ready(function() { $("#domain").focus(); //add
495 bytes

www.google.com/recaptcha/api.js?hl=el&render=onload
INLINE: onload();
9 bytes

ONCLICK: /* a.onclick = */ Cookiebot.renew()
35 bytes

ONCLICK: /* a.onclick = */ Cookiebot.renew()
35 bytes

Re: Externally Linked Host   Hosting Provider   Country
    -eregpublic.eett.gr   Hellenic Telecommunications and Post Commission   Greece
    -www.ics.forth.gr   Foundation of Research and Technology Hellas   Greece

Somehow you have to take this up with the hosting party.
Your domain is now pointing to a hosting party with a domain address on IP 185.201.11.156
that is hosted in Cyprus by person: Hostinger NOC
address: Hostinger International Ltd.
address: 61 Lordou Vyronos
address: Lumiel Building, 4th floor
address: 6023
address: Larnaca
address: CYPRUS

Does all this ring a bell?

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!