ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Urgent: Site down, possible malware

November 02, 2012 3:04pm

  • #1 / Nov 02, 2012 3:04pm

    koko.pelli

    176 posts

    Hi All,

    If you could help I would be very grateful. A client site has gone down and it looks like it could be a malware issue. When I go to the site in Safari it says Warning: Visiting this site may harm your computer.

    The URL is http://www.thejudge.co.uk

    When I go with Chrome, I get the front page but with no stylesheet applied, and all internal pages are 404.

    When I log in to the control panel, I get a message stating the index.php file has changed and whether I would like to accept changes.

    Would really appreciate any advice you can give.

    Thanks in advance

  • #2 / Nov 02, 2012 3:40pm

    koko.pelli

    176 posts

    Edit* I have got the site back up, it seems they added some files to the root, and changed the .htaccess file to try to redirect to http://onlinepartsupply.com

    Removed that and reconfigured the htaccess and the site is back up, but still not sure whether any other files were harmed.

  • #3 / Nov 04, 2012 11:42am

    koko.pelli

    176 posts

    I am still getting the malware warning, is there anything specific I can do to find out why that is caused?

  • #4 / Nov 05, 2012 8:56am

    Ian Ebden

    312 posts

    Hi. Sorry to hear about your attack. Happened to me once a while back and it’s not much fun. Chances are it was probably just a file-based attack, so your database should still be clean. I’d check it against a backup though all the same (you do take backups right?).

    First protocol is to change all your passwords – especially your FTP. Secondly, I’d look at changing host. Sounds dramatic, but if you’re on shared hosting there is obviously a weak point somewhere there that could be exploited again very soon. These attacks tend to recur once they’ve found you.

    Next, I’d check through all your directories looking for newly created files – especially .htaccess ones.

    Lastly, I’d strongly consider moving your entire system folder above the public webroot and renaming your admin.php. Pretty easy to do and practically eliminates such attacks from happening again:

    http://ellislab.com/expressionengine/user-guide/installation/best_practices.html

    Hope that helps.
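
    Added example (not from Ian's post or from ExpressionEngine): shell helpers for the directory sweep he describes, listing every .htaccess under the webroot, listing files modified in the last few days, and flagging Redirect/RewriteRule lines that send visitors to a host other than the site's own. Assumes a Linux/Unix host with find and grep; the webroot path and the site's hostname are arguments you supply.

```shell
#!/usr/bin/env bash
# Added example, not part of the thread. Triage helpers for a file-based
# compromise of the kind described above (dropped files plus a rewritten
# .htaccess that redirects visitors off-site).

# Every .htaccess below the given webroot; attackers often plant extra ones.
list_htaccess() {
    find "$1" -name .htaccess -type f 2>/dev/null
}

# Files modified within the last N days (default 7); newly dropped files
# and freshly edited index.php / .htaccess show up here.
recently_modified() {
    local root=$1 days=${2:-7}
    find "$root" -type f -mtime -"$days" 2>/dev/null
}

# Redirect / RedirectMatch / RedirectPermanent / RewriteRule lines whose
# target is an absolute http(s) URL on a host other than own_host
# (www.own_host is treated as the same site). Output: "lineno:text".
suspicious_redirects() {
    local file=$1 own_host=$2
    grep -inE '^[[:space:]]*(Redirect(Match|Permanent)?|RewriteRule)[[:space:]]' "$file" \
      | grep -iE 'https?://' \
      | grep -ivF -e "://$own_host" -e "://www.$own_host" || true
}

# Number of such lines; 0 means nothing off-site was found in that file.
count_suspicious_redirects() {
    suspicious_redirects "$1" "$2" | grep -c . || true
}

# Usage (uncomment to run against a real site):
#   for f in $(list_htaccess /var/www/site); do
#       echo "== $f"; suspicious_redirects "$f" example.org
#   done
```

    Treat every hit as something to review by hand; a legitimate redirect to a CDN or a sister domain will also be listed, and a clean result does not prove the other dropped files are gone.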

  • #5 / Nov 05, 2012 2:57pm

    Shane Eckert

    7174 posts

    Hey there koko.pelli,

    Ian is right on with his suggestions. It’s most certainly an infected file.

    Taking the security precaution is also a really great idea. Refreshing all your files would be good.

    Can you tell us where you are now? How are things going?

    Cheers,
