MyBB Community Forums

Full Version: BIG FORUM HACKED!!! HELP
miekiemoes Wrote: Sherlock, please take your sites offline ASAP!!!!! Not sure why you have not done this already. This is irresponsible if your sites are infected and download malicious content and you keep them online - everyone who clicks the link gets infected as well. Add a .htaccess so no one can temporarily visit them as long as they are infected.
The link you posted here to your forum/site also downloaded this file.exe to my desktop (luckily I've watched it in a VMware)

Mods, or Sherlock, can you edit your first link to your site, so no-one can click the link?

Thanks.

Thanks for that. But the real malicious code is only placed on the forum site.
But he has placed this secretly beneath every site:
snipped.
Please tell me why has he placed this.
And he has placed it very down at the bottom thinking I won't see it.
You can see 80 sites of mine at:
http://www.unblock24.com
There is a list there. Anyway, go to "page source" if you use Firefox and you can see the code at the bottom.
What does it do?
For the ones who already clicked above link.. :(

It installs a backdoor trojan which downloads more malicious content to your system.
It also installed a service called "msupdate" - which holds the file C:\WINDOWS\system32\mssrv32.exe
You won't be able to delete the file from Windows normal mode, since it's hooked under svchost.exe, but you can delete it from Windows Safe mode since the service is not loaded then. So delete the mssrev32.exe file.
Then, go to start > run and type: sc delete msupdate

Sherlock, remove all iframes from your index pages.
Sherlock, please do not post active links to your sites... we don't want anyone to get infected here. Thanks.
I'll take a look at it asap.
This is the exploit you're dealing with:
http://www.malwaredomainlist.com/mdl.php...ststat.net
Above link is safe to click :)

So, as I said in my previous post - put a .htaccess to all your sites so no one can visit them.
Then from a clean computer, change all your passwords (since they are known).
Then remove all these iframes below from every site/page which is infected.

Then clean your infected computer (see my above post)
miekiemoes Wrote:This is the exploit you're dealing with:
http://www.malwaredomainlist.com/mdl.php...ststat.net
Above link is safe to click :)

So, as I said in my previous post - put a .htaccess to all your sites so no one can visit them.
Then from a clean computer, change all your passwords (since they are known).
Then remove all these iframes below from every site/page which is infected.

Then clean your infected computer (see my above post)

Should I remove the iframes from the same computer or a clean one?
And how do I remove the iframe from the forum? Even when I uploaded a clean index.php, it still shows the iframe in the page source and did not change!
Check your theme files as well to see if the code is placed there.
Basically, check all your files for this insertion and check your database for a post where this code may be inserted as well.
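
The file check described in the post above, as an added example that is not part of the original thread. The injected code was snipped from the thread, so the patterns here (an iframe that points off-site and/or is hidden), the `own_hosts` parameter, the suffix list and the sample hostnames are all assumptions.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Assumption: the thread snipped the injected code, so this looks for the
# general shape discussed: an <iframe> that is off-site and/or hidden.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*["']?[01](?:px)?["'\s>]"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)
SCAN_SUFFIXES = {".php", ".html", ".htm", ".tpl", ".inc", ".js"}


def suspicious_iframes(text, own_hosts):
    """Return (line_no, tag, reason) for every iframe needing manual review."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        try:
            host = (urlparse(src.group(1)).hostname or "").lower() if src else ""
        except ValueError:  # malformed URL: treat as off-site so it gets reviewed
            host = "(unparseable)"
        flags = {"external": bool(host) and host not in own_hosts,
                 "hidden": bool(HIDDEN_RE.search(tag))}
        if any(flags.values()):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, tag, "+".join(k for k, v in flags.items() if v)))
    return findings


def scan_tree(root, own_hosts):
    """Walk a web root (themes included) and map each flagged file to its hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = suspicious_iframes(path.read_text(errors="replace"), own_hosts)
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    # Constructed sample page, not the code from the thread.
    sample = ('<html><body>forum</body></html>\n'
              '<iframe src="http://stats.example.invalid/in.php" width="0" height="0"></iframe>\n')
    for line_no, tag, reason in suspicious_iframes(sample, {"www.example.org"}):
        print(f"line {line_no}: {reason}: {tag}")
```

`suspicious_iframes` takes plain text, so it can also be run over template or post content exported from the database, which the post says to check as well.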
miekiemoes Wrote:Check your theme files as well to see if the code is placed there.
Basically, check all your files for this insertion and check your database for a post where this code may be inserted as well.

Ok, my wonderful host fixed everything. And my other sites look fixed too.
Please just take a look if everything is fine now?
Secondly, I have upgraded the forum. What can and must be done to prevent this from happening again?
Thanks
I see a folder "OpenSSL" in C:
What does it do!!! ??
Good to hear you solved it. :)

Quote:What can and must be done to prevent this from happening again
Always make sure you run the latest forum software - so whenever there's a new update available, update asap! Subscribe to the mailing list here: http://www.mybboard.net/mailing-list
Then you'll get notified about new releases/updates.
And don't forget to change all your passwords. :)
Quote:I see a folder "OpenSSL" in C:
What does it do!!! ??
http://www.openssl.org/
What about this:
http://www.openssl.org/news/secadv_20040317.txt
This might be the way he is getting my info. I never installed a software with that name.
Cheers