Simple Machines Community Forum

SMF Support => SMF 1.1.x Support => Topic started by: yankeedoodle02 - September 08, 2011, 01:41:03 PM

Title: scripting issues, malicious site warning
Post by: yankeedoodle02 - September 08, 2011, 01:41:03 PM
hi all

I'm new here, so be nice  :)

in the last couple of days, the forum that I own has been infected with some sort of malicious virus or scripting. when a user visits the site, the web browser warns them that the site is dangerous and should not be visited. for this reason, we have put the forum into maintenance mode while we try and solve the problem.

I'm no expert in these matters, and have no way of knowing how to fix the problem. My partner has changed the permissions and also the password, to prevent a brute force attack.

Can anyone make any suggestions? I have no idea how to even access the scripting for the site, let alone what to look for and how to change it

I hope someone has some patience to humour me

thanks
Title: Re: scripting issues, malicious site warning
Post by: Illori - September 08, 2011, 01:47:13 PM
what version of smf are you running? what file is causing the warning?
Title: Re: scripting issues, malicious site warning
Post by: yankeedoodle02 - September 08, 2011, 02:09:32 PM
running 1.1.14

I have no idea what the file is, how it got in, or even where to find it  :(
Title: Re: scripting issues, malicious site warning
Post by: Illori - September 08, 2011, 02:10:46 PM
can you post a link to your forum?
Title: Re: scripting issues, malicious site warning
Post by: yankeedoodle02 - September 08, 2011, 02:16:13 PM
sure, the site is

www.banditforum.co.uk
Title: Re: scripting issues, malicious site warning
Post by: Illori - September 08, 2011, 02:19:06 PM
you would have to take it up with google

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.banditforum.co.uk/forum/
Title: Re: scripting issues, malicious site warning
Post by: yankeedoodle02 - September 08, 2011, 02:20:46 PM
thanks I have done this by installing some DNS coding to the site. waiting for a reply from them at the moment
Title: Re: scripting issues, malicious site warning
Post by: Illori - September 08, 2011, 02:22:10 PM
also check your files to make sure none have been modified without your knowledge. that warning showed in firefox but not in opera, so not all users would get the warning.
Title: Re: scripting issues, malicious site warning
Post by: yankeedoodle02 - September 08, 2011, 02:24:43 PM
thanks. I've had the warning in firefox but not in IE. google also states that the site has not hosted any malware in the last 90 days. would this suggest that the site is in a stable enough state to allow users to continue using it?
Title: Re: scripting issues, malicious site warning
Post by: Illori - September 08, 2011, 02:25:35 PM
that I can't say without checking all the files and the posts etc.
Title: Re: scripting issues, malicious site warning
Post by: yankeedoodle02 - September 08, 2011, 02:32:10 PM
thanks. namesco host our server

I have checked through the files, and 2 directories listed as being recently modified I can't access.

When I try to view the directory it says "System error 13: Permission denied"
Title: Re: scripting issues, malicious site warning
Post by: Illori - September 08, 2011, 02:34:35 PM
ask your host to look into why.
Title: Re: scripting issues, malicious site warning
Post by: Omniverse - September 08, 2011, 02:44:40 PM
I would look at these 2 threads, betting it's the same attack.

http://www.simplemachines.org/community/index.php?topic=451702.0
http://www.simplemachines.org/community/index.php?topic=451581.0

Title: Re: scripting issues, malicious site warning
Post by: Illori - September 08, 2011, 02:46:40 PM
I don't think so on this one, I don't get any messages from my anti-virus software like I have before on that other site.
Title: Re: scripting issues, malicious site warning
Post by: Illori - September 08, 2011, 02:56:50 PM
also who is your host?
Title: Re: scripting issues, malicious site warning
Post by: yankeedoodle02 - September 08, 2011, 03:03:26 PM
our server is with namesco. I think they are our host?
Title: Re: scripting issues, malicious site warning
Post by: Illori - September 08, 2011, 03:05:25 PM
they look like a decent host, not oversold. has your host replied with any information about how this could have happened?
Title: Re: scripting issues, malicious site warning
Post by: yankeedoodle02 - September 08, 2011, 03:08:14 PM
yes, their reply was as follows:

Thank you for your enquiry,

You will need to ensure the scripts are cleaned of all malicious code and update the software to the latest stable release to ensure all known security holes are patched.

I would also suggest a developer manually check the code for any security holes for maximum security.


they also recommended we changed the permissions for more secure ones, which we have done.
Title: Re: scripting issues, malicious site warning
Post by: Illori - September 08, 2011, 03:14:47 PM
sounds like a host that does not track these things, I would suggest you find a host that would track these things, without it if you did have a security breach from within smf we would have a harder time finding out what happened.
Title: Re: scripting issues, malicious site warning
Post by: yankeedoodle02 - September 08, 2011, 03:52:47 PM
thanks for your advice

I've just looked at the ftp index for the site.

when I click on the directories that I couldn't open within the server, this ftp index tells me that these directories do not exist, despite being right there in front of my eyes  :-\
Title: Re: scripting issues, malicious site warning
Post by: Illori - September 08, 2011, 03:54:15 PM
have your host check your file/folder ownership
Title: Re: scripting issues, malicious site warning
Post by: yankeedoodle02 - September 12, 2011, 03:40:56 PM
thanks for all your help so far

got google webmaster tools up and running. it detected a suspicious script in a .js file in the javascript directory. I have removed the script from the file but the forum continues to give me the same warning message about malicious files.

got a guy looking over the coding for me soon hopefully

in the meantime, anyone got any more suggestions?
Title: Re: scripting issues, malicious site warning
Post by: Angelina Belle - September 23, 2011, 10:17:37 AM
Back everything up (including all of your files), uninstall all mods,

GET RID OF any executable files in your website. Maybe there is a malicious non-SMF file there to re-infect your files, and all it takes is a bot to come along and run it to cause you a problem again?

Do not delete your attachments. They have funny names on purpose. If you delete them, you'll only have to restore them from your backup.
Do a fresh install of all of your files, and re-install all of your mods.

That would get rid of EVERY executable file on your website, and give you all fresh new files.  You would not need to track down the infected files, because they would be G O N E.
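
The file check Illori suggests and the clean reinstall Angelina Belle describes both come down to comparing the site's files against a pristine copy of the same SMF release. The following is an added example (not from the thread or from SMF) that does this with SHA-256 hashes; the directory layout, file names and the skipped `attachments` folder are assumptions, and the sample trees are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions the web server may execute or serve as script (assumed list).
SCRIPT_SUFFIXES = {".php", ".phtml", ".js", ".cgi", ".pl"}

def index_tree(root, skip_dirs=()):
    """Map relative path -> SHA-256 for every file under root."""
    root, index = Path(root), {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if path.is_file() and not set(rel.parts[:-1]) & set(skip_dirs):
            index[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return index

def compare_to_clean(site_root, clean_root, skip_dirs=("attachments",)):
    """Diff a copy of the live site against an unpacked clean release."""
    site, clean = index_tree(site_root, skip_dirs), index_tree(clean_root)
    extra = sorted(f for f in site if f not in clean)
    return {
        "modified": sorted(f for f in site if f in clean and site[f] != clean[f]),
        "extra_scripts": [f for f in extra if Path(f).suffix.lower() in SCRIPT_SUFFIXES],
        "extra_other": [f for f in extra if Path(f).suffix.lower() not in SCRIPT_SUFFIXES],
        "missing": sorted(f for f in clean if f not in site),
    }

def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            (root / "Sources").mkdir(parents=True)
            (root / "javascript").mkdir()
            (root / "index.php").write_text("<?php // entry point\n")
            (root / "javascript" / "menu.js").write_text("function menu() {}\n")
        # Constructed tampering: a line appended to a shipped .js file, a
        # script that is not in the release, and one uploaded attachment.
        with open(site / "javascript" / "menu.js", "a") as fh:
            fh.write("/* line added after install */\n")
        (site / "Sources" / "cache_x.php").write_text("<?php // not shipped\n")
        (site / "attachments").mkdir()
        (site / "attachments" / "1_abc").write_text("user upload\n")
        return compare_to_clean(site, clean)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Point `compare_to_clean` at a downloaded copy of the forum and an unpacked release of the same version; files legitimately changed since installation, such as configuration or installed mods, will also appear under `modified` and need a manual look.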