Malware On The Server

Started by newtoallthis, March 24, 2011, 06:24:35 AM

newtoallthis

A few weeks ago, my SMF folders on the server became infected by 146 KB PHP files all having a similar name such as 3877544.php. These files infected SMF (and presumably the mods) and my Dokuwiki installation which is standalone but linked to SMF by a button at the head of the forum page. I believe that it is a base64 exploit.

I went through my SMF folders deleting these files and they have not returned. However, when removed from the Dokuwiki, they are automatically rewritten so it seems that the malicious script is still on the server.

My host will be installing SuPHP today to prevent reinfection by preventing chmodding to 0777 and has asked me to remove the infected files (which I can) but also the original malicious script.

Question is, how can I find it and what do I do with it when I find it?
SMF 2.0.11
Simple Portal 2.3.3
Aeva Media 1.4c
MediaWiki 1.24.0

redone

I would move hosts personally. Then go through your files before uploading to a new hosting provider checking your files and folders against a vanilla install of SMF.

~RedOne
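
The check against a vanilla install suggested in the reply above, as an added example that is not part of the original thread. It assumes a clean copy of the same SMF version has been unpacked next to a downloaded copy of the site; the function names and the sample trees are hypothetical and constructed for illustration.

```python
import hashlib, os, re, tempfile

NUMERIC_PHP = re.compile(r"^\d+\.php$")  # names like 3877544.php (first post)

def index_tree(root):
    """Map relative path -> SHA-256 for each regular file under root."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the tree
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            index[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return index

def compare_to_vanilla(live_root, vanilla_root):
    """Report files that are absent from, or differ from, the clean copy."""
    live, clean = index_tree(live_root), index_tree(vanilla_root)
    report = {"extra": [], "modified": [], "numeric_php": []}
    for rel in sorted(live):
        if NUMERIC_PHP.match(rel.rsplit("/", 1)[-1]):
            report["numeric_php"].append(rel)
        if rel not in clean:
            report["extra"].append(rel)
        elif clean[rel] != live[rel]:
            report["modified"].append(rel)
    return report

def demo():
    """Constructed sample trees; file names and contents are made up."""
    def write(root, rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    with tempfile.TemporaryDirectory() as tmp:
        vanilla, live = os.path.join(tmp, "vanilla"), os.path.join(tmp, "live")
        for root in (vanilla, live):
            write(root, "index.php", b"<?php // entry point\n")
            write(root, "Sources/Load.php", b"<?php // loader\n")
        write(live, "Sources/Load.php", b"<?php // loader, edited\n")
        write(live, "Sources/3877544.php", b"<?php // placeholder\n")
        write(live, "attachments/avatar.png", b"constructed image bytes")
        return compare_to_vanilla(live, vanilla)

if __name__ == "__main__":
    print(demo())
```

Files that legitimately differ from the stock package (Settings.php, sources edited by installed mods) appear under "modified", and uploads appear under "extra", so the report is a list to review by hand rather than a verdict.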

ziycon

I would take a database backup and clear the web directory and upload a fresh set of SMF files and a backup of your site. It's very hard to go through files and remove every piece of malware code.

Start fresh with clean files and a backup of your database and then look at putting your modifications/theme back in.

newtoallthis

Sad to read that the necessary action is so radical....but if that's what it's going to take...

Thanks for your help.

Illori

Marking this topic solved as you have requested paid assistance.