Sorry ... most of you will probably consider this a REAL stupid question ... but ... here goes anyway. First off ... I am an admitted total idiot when it comes to most of this stuff.
Anyway ... I had taken an FTP copy/backup of my entire website as a "just in case" copy.
When my anti-virus was doing its scan ... it found 2 instances of the RSTBackdoor Virus in the forum installation. I KNOW it did not get there from ANYTHING I installed from SMF ... because I have unzipped copies of everything also on my computer ... and NOTHING was found in any of them. Just wanted to make that clear ... just in case someone thought I was accusing SMF :)
So ... is the only way those files could get into the SMF installation by someone somehow hacking their way onto the site & uploading those files??? If so ... would it likely have been through the front door (becoming a member of the forum & then hacking???) ... or would it likely have been through an "attack" on the web server????
They say the threat risk of this virus is very Low ... but I want to get it off my site anyway. I have read the Removal info a number of times ... but my cognitive dysfunction seems to be getting in the way of me being able to understand/comprehend totally all that I am reading.
As I understand it ... I can just delete the 2 files without worry of it interfering with the operation of SMF. Does anyone know if that is a correct understanding??? Does anyone know if there are further steps I should be taking???
Oh yeah ... IF they came through the front door (by coming onto the forum) I am pretty sure I know when that happened. At the time .... I would have been running with 1.0.7. I am now using RC3. If that info matters.
Any input or feedback would be greatly appreciated.
Thanks for your time & patience
Peter
What are the filenames and what directory are they in?
OOOPS ... sorry. I meant to include those .....
The infected files are .....
{mywebsite}\forum\12.php is infected with PHP.RSTBackdoor
and
{mywebsite}\forum\attachments\82_2_php9bc09ee4e0eb91840f7c5207e1d84852 is infected with PHP.RSTBackdoor
Sorry about that ...
Peter
The second was attached; the first, I've no idea how it got there. It could have been uploaded by another script or something.
Thanks for the response ... your efforts to help are appreciated.
In your opinion ... do you think I can just delete those 2 files and not worry about it affecting the operation of the SMF software????
Do you know if the PHP.RSTBackdoor virus would have "changed" any other files that I should be aware of ???
Thanks again for your efforts to help me.
Peter
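
Added example, not part of the thread and not SMF's own code: one way to audit an FTP backup like the one described above is to compare it against the unzipped clean SMF package, then list PHP files the package does not ship and attachment files that contain PHP. The directory layout, function names and sample files are constructed assumptions.

```python
import os
import tempfile

# Byte sequences that mark PHP code inside a file (matched case-insensitively).
PHP_MARKERS = (b"<?php", b"<?=")

def relative_files(root):
    """Return the set of file paths under root, relative to root."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return found

def audit_backup(backup_root, pristine_root, attachments_dir="attachments"):
    """Flag files in the backup that the clean package does not contain."""
    extra = relative_files(backup_root) - relative_files(pristine_root)
    report = {"unexpected_php": [], "php_in_attachments": []}
    for rel in sorted(extra):
        with open(os.path.join(backup_root, rel), "rb") as fh:
            head = fh.read(65536).lower()
        has_php = any(marker in head for marker in PHP_MARKERS)
        if rel.split(os.sep)[0] == attachments_dir:
            # Uploaded attachments are expected to be extra; only PHP content is suspect.
            if has_php:
                report["php_in_attachments"].append(rel)
        elif rel.lower().endswith(".php"):
            report["unexpected_php"].append(rel)
    return report

def build_sample():
    """Constructed sample trees; file names and contents are placeholders."""
    base = tempfile.mkdtemp()
    layout = {
        "pristine/index.php": b"<?php // forum entry point",
        "backup/index.php": b"<?php // forum entry point",
        "backup/12.php": b"<?php // constructed stand-in for the flagged file",
        "backup/attachments/1_photo_jpg0000": b"\xff\xd8\xff\xe0 constructed image bytes",
        "backup/attachments/82_2_php0000": b"<?php // constructed stand-in",
    }
    for rel, data in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return os.path.join(base, "backup"), os.path.join(base, "pristine")

if __name__ == "__main__":
    print(audit_backup(*build_sample()))
```

A listed file is a candidate for review, not proof of compromise: mods and themes installed after the clean package was unzipped also show up as extras.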