Yesterday I noticed that JavaScript errors sometimes show up on my webpage.
When I went to the source code, I found that one of the .js files was totally replaced with a ton of porn links.
I checked the FTP for this file, but there was just the old JavaScript file without any changes.
Yet when I went back to check the source code via the browser, the original .js was indeed there again.
Today I visited my webpage again and the problem repeated.
- the first visit showed me a ton of porn pages
- the cached .js file was hacked
- but after clearing the browser cache the js goes back to the original
I checked all files on my FTP against my offline version, but all files are without any change.
In the last few years I was attacked by XSS a few times, but in every case it was easy to diagnose and fix. But now I have spent 12h and didn't find the infection.
Do you have any idea how to find it?
Most likely they’ve found an exploit inserting XSS data in your DB and/or CMS files, which then is displayed when you go to a specific page.
You seem to be using Quick CMS and it might contain some flaw somewhere; however, if you’ve developed any custom functions yourself, this might be where the problem is.
When you insert data into a DB, always use the MySQL escape function, and when you output the data from the DB onto the page, use the PHP htmlentities() function; this will protect you from XSS attacks.
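
The two steps from the answer above, shown as an added example that is not part of the original thread: the value is kept out of the SQL text on the way in (which guards the query), and it is encoded with htmlentities() at the point where it is written into HTML (which is the step that stops stored markup from running in the browser). It uses a PDO prepared statement against an in-memory SQLite database in place of the MySQL escape function so that it runs without a server; the comments table, the helper names and the sample input are constructed for illustration.

```php
<?php
// Added example: store untrusted input safely, encode it on output.
// Assumptions: the "comments" table and helper names are hypothetical;
// in-memory SQLite stands in for MySQL so the script runs without a server.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
    return $db;
}

// Input side: a bound parameter keeps the value out of the SQL text,
// which is the job the escape function does for hand-built queries.
function save_comment(PDO $db, string $author, string $body): void {
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// Output side: encode at the moment the value is written into HTML.
// ENT_QUOTES converts both quote characters, so the result is also
// safe inside a quoted attribute value.
function h(string $value): string {
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_comments(PDO $db): string {
    $html = "<ul>\n";
    foreach ($db->query('SELECT author, body FROM comments ORDER BY id') as $row) {
        $html .= '  <li title="' . h($row['author']) . '">' . h($row['body']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample input: a quote that would break a hand-built query,
// and markup that would run in the visitor's browser if echoed unencoded.
$db = open_db();
save_comment($db, "O'Brien", 'nice page');
save_comment($db, 'x" onmouseover="alert(1)', '<script src="//example.invalid/a.js"></script>');

echo render_comments($db);
```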