jefferis
03-15-2011, 05:37 PM
Hi folks, I went onto our site and found a folder at our web root (1 level above our vB install) called "undeniable" which was 777 in permissions. When I looked in there, I found a lot of pages that put header spam advertizing content on the forum pages, but it used existing pages with renamed urls (So, IOW, the ad pages don't show up in our forum itself but only by accessing this rogue folder).
A sample page might be named zachary-walker-argus.html
And I cannot find any links in the pages that go outbound to any particular ad site, but there is content added to the page in the comment and post areas like:
<title>"Argus cam lock || electronic ballast argus diagram"</title>
<div class="art-sheet-bl">One under-20 he had forced with frank, and after that she had to raise her impression then, argus cam lock.
Macarthur had the correspondent of eating over a preferred japan.
These unusual problems require have the claim including current.
Real samples are less strategic to hinge absence if they are organic the pinfall would be dragged and the club would be subjected.
Same accounts debating of the medicaid didn as mo healthnet was mastered as a communication.
North american spots is such a new life that the time has to engulf more than well a haven to drive estimates to crack up.
<li><p>argus firearms</p><p>brinkley argus online paper</p><p>brighton argus michigan</p><a href="http://www.OURWEBSITE/2011/01/sti-month-january-2011/" >STi of the Month – January 2011</a></li>
</div>
<div class='wpsc_categories wpsc_category_grid'><p>argus bean digital camera reviews</p><p>bayliner capri 1802 cuddy 1990 argus</p><p>argus observer classifieds</p>
I was wondering if anyone knows has seen something like this before, what kind of plugin breach might allow this, or how to tell where the hack came from, or how to protect against it.
Our webroot has a wordpress install but the pages in the undeniable folder had links to both WP and vB post pages....
Many thanks in advance.
A sample page might be named zachary-walker-argus.html
And I cannot find any links in the pages that go outbound to any particular ad site, but there is content added to the page in the comment and post areas like:
<title>"Argus cam lock || electronic ballast argus diagram"</title>
<div class="art-sheet-bl">One under-20 he had forced with frank, and after that she had to raise her impression then, argus cam lock.
Macarthur had the correspondent of eating over a preferred japan.
These unusual problems require have the claim including current.
Real samples are less strategic to hinge absence if they are organic the pinfall would be dragged and the club would be subjected.
Same accounts debating of the medicaid didn as mo healthnet was mastered as a communication.
North american spots is such a new life that the time has to engulf more than well a haven to drive estimates to crack up.
<li><p>argus firearms</p><p>brinkley argus online paper</p><p>brighton argus michigan</p><a href="http://www.OURWEBSITE/2011/01/sti-month-january-2011/" >STi of the Month – January 2011</a></li>
</div>
<div class='wpsc_categories wpsc_category_grid'><p>argus bean digital camera reviews</p><p>bayliner capri 1802 cuddy 1990 argus</p><p>argus observer classifieds</p>
I was wondering if anyone knows has seen something like this before, what kind of plugin breach might allow this, or how to tell where the hack came from, or how to protect against it.
Our webroot has a wordpress install but the pages in the undeniable folder had links to both WP and vB post pages....
Many thanks in advance.