Nasty, Hidden Virus on Simple Machines

Flavious:
We had a slightly outdated version of 1.something that got infected with a virus called the Blackhole Exploit. We removed it, upgraded the software to 2, and are continually running malware/virus scanners on our server. It keeps coming up clean. We even tried getting different brands of virus scanners and they come up clean.

However, some users are continually telling me their virus software is going off when visiting the site. Today I had a visitor tell me he plugged in a brand new computer, visited a couple of sites fine, hit ours and the virus software went off and crashed his browser; eventually it chewed his hard drive until the machine would no longer run at all.

I'm at a loss here. Not sure what to look for or where. But my server host is now suggesting I go through *every single possible line of code* in the website (literally millions and millions of lines) to look for something out of the ordinary. Since I don't spend a lot of time looking at Simple Machines code, I'm not sure I would notice what is out of the ordinary...

Any advice? Ideas? Suggestions?

ziycon:
First off, I would suggest trying to restore a clean backup that you know is not infected. If that's not possible, I would suggest backing up the web root directory and database, then clear all the files from the SMF root directory and then upload a fresh version of the SMF files and see if that solves it.

Edit: An afterthought: if you're on shared hosting, it could be another hosting account on the server that is infected. I recently saw a very nasty installer virus take hold of a shared hosting environment; it affected multiple hosting accounts until properly removed.

Illori:
Have you changed your passwords? I would suggest that and upload fresh files to override what you have currently. Also, I would ask your host if they know how this happened; it may be a server-side issue.

Flavious:
I did change all the passwords.

I did not do a fresh install - I upgraded from the 1.x to the latest 2.x. Then I customized the interface, so I suppose if I do a fresh install, all that will be lost?

Is it possible it's in the database? If so, how in the heck does one check for that?

Did I mention this is a VERY active forum, and I cannot lose the posts that are up there now.

I am on a dedicated server.

Illori:
If you upload fresh files you will not lose your members/threads etc.; they are in the database, but you would lose your mods to the code, which can be reapplied.

I don't know if a virus can be in the database, but I doubt it is possible.
