John Lester
05-23-2013, 10:11 AM
According to google's webmaster tools there is a suspected instance of hacking on my site.
Dear site owner or webmaster of http://www.braintalkcommunities.org/,
We are writing to let you know that we believe some of your website's pages may be hacked. Specifically, we think that JavaScript has been injected into your site by a third party and may be used to redirect users to malicious sites. You should check your source code for any unfamiliar JavaScript and in particular any files containing "counter.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px" width="10" height="10". The malicious code may be placed in HTML, JavaScript or PHP files so it's important to be thorough in your search.
The following are example URLs from your site where we found such content:
http://www.braintalkcommunities.org/BTC_disclaimer_rev.html
In addition, it's also possible your server configuration files (such as Apache's .htaccess) have been compromised. As a result of this, your site may be cloaking and showing the malicious content only in certain situations.
We encourage you to investigate this matter in order to protect your visitors. If your site was compromised, it's important to not only remove the malicious (and usually hidden) content from your pages, but also to identify and fix the vulnerability. A good first step may be to contact your web host's technical support for assistance. It's also important to make sure that your website's software is up-to-date with the latest security updates and patches.
More information about cleaning your site can be found at:
http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634 (http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634)
Sincerely, Google Search Quality Team
So I visited the page in question (disclaimer url above) and received a "connection reset" message (it did not redirect at all). I attempted to download the file via ftp but it kept refreshing the request without downloading it. I also tried to dl the file via cpanel's file manager with the same result (continued refreshing of the request).
To be safe I did the following:
Deleted the page in question via cpanel's file manager (couldn't do it via ftp ... kept refreshing the request)
Removed all references to the page in question (it had 1 link in my footer in all of my styles ... no other reference to it anywhere on the site)
Searched all templates via the acp for "counter" and "counter.php" and "style="visibility: hidden" found 0
Searched the db via phpmyadmin for "style="visibility: hidden" found 0
Searched the db via phpmyadmin for "counter.php" found 0
Checked my access logs and error logs and found nothing relating to "counter.php" or the page in question. NOTE: I did find a few references to the old version of that page that hasn't been on the server in a couple of years.
Checked .htaccess files and found nothing pointing to "content.php". Verified online .htaccess files with offline copies (matched exactly).
Downloaded clean 4.1.12 pl 3 from vbulletin.com.
Uploaded new clean 4.1.12 pl 3 over writing existing files
Ran "suspect file version" and came back with expected results (I have a couple dozen non vb pages) and 1 unexpected but apparently normal result (index.php does not contain expected content ... or whatever sorry I have since left my acp and don't recall the exact message), I say this is normal because I compared the new fresh clean file with the backup offline file I have on my pc and they are identical expect for the date.My question is this, should I do anything else to ensure that I don't have any malicious JS on my site?
I'm not worried about not having the disclaimer, it was outdated and I am working on the new version as it stands. I will most likely make it a php page vs html (for the headers n footers :D ).
Dear site owner or webmaster of http://www.braintalkcommunities.org/,
We are writing to let you know that we believe some of your website's pages may be hacked. Specifically, we think that JavaScript has been injected into your site by a third party and may be used to redirect users to malicious sites. You should check your source code for any unfamiliar JavaScript and in particular any files containing "counter.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px" width="10" height="10". The malicious code may be placed in HTML, JavaScript or PHP files so it's important to be thorough in your search.
The following are example URLs from your site where we found such content:
http://www.braintalkcommunities.org/BTC_disclaimer_rev.html
In addition, it's also possible your server configuration files (such as Apache's .htaccess) have been compromised. As a result of this, your site may be cloaking and showing the malicious content only in certain situations.
We encourage you to investigate this matter in order to protect your visitors. If your site was compromised, it's important to not only remove the malicious (and usually hidden) content from your pages, but also to identify and fix the vulnerability. A good first step may be to contact your web host's technical support for assistance. It's also important to make sure that your website's software is up-to-date with the latest security updates and patches.
More information about cleaning your site can be found at:
http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634 (http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634)
Sincerely, Google Search Quality Team
So I visited the page in question (disclaimer url above) and received a "connection reset" message (it did not redirect at all). I attempted to download the file via ftp but it kept refreshing the request without downloading it. I also tried to dl the file via cpanel's file manager with the same result (continued refreshing of the request).
To be safe I did the following:
Deleted the page in question via cpanel's file manager (couldn't do it via ftp ... kept refreshing the request)
Removed all references to the page in question (it had 1 link in my footer in all of my styles ... no other reference to it anywhere on the site)
Searched all templates via the acp for "counter" and "counter.php" and "style="visibility: hidden" found 0
Searched the db via phpmyadmin for "style="visibility: hidden" found 0
Searched the db via phpmyadmin for "counter.php" found 0
Checked my access logs and error logs and found nothing relating to "counter.php" or the page in question. NOTE: I did find a few references to the old version of that page that hasn't been on the server in a couple of years.
Checked .htaccess files and found nothing pointing to "content.php". Verified online .htaccess files with offline copies (matched exactly).
Downloaded clean 4.1.12 pl 3 from vbulletin.com.
Uploaded new clean 4.1.12 pl 3 over writing existing files
Ran "suspect file version" and came back with expected results (I have a couple dozen non vb pages) and 1 unexpected but apparently normal result (index.php does not contain expected content ... or whatever sorry I have since left my acp and don't recall the exact message), I say this is normal because I compared the new fresh clean file with the backup offline file I have on my pc and they are identical expect for the date.My question is this, should I do anything else to ensure that I don't have any malicious JS on my site?
I'm not worried about not having the disclaimer, it was outdated and I am working on the new version as it stands. I will most likely make it a php page vs html (for the headers n footers :D ).