News:

Want to get involved in developing SMF, then why not lend a hand on our github!

Main Menu

Site redirect from malicious code in forum files

Started by pokerfacemac, March 04, 2012, 02:39:35 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

pokerfacemac

March 04, 2012, 02:39:35 AM
I am having a problem with my site. If I visit it using my browser, it looks normal. However if I go to the same URL on my iPad or iPhone using its browser, I get redirected to a different site (not mine).

My hosting company said they have found malicious code and here is the list of files that they found:

public_html/forum/Themes/default/languages/dg.php
public_html/forum/Themes/default/languages/s.php
public_html/forum/Themes/default/languages/style.css.php
public_html/forum/Themes/default/Recent.template.php~
public_html/forum/Sources/Subs-Post.php~
public_html/forum/Sources/Security.php~

I am a completely noobie to this but I am wondering if its possible for SMF files to cause a redirect when uses are visiting my primary site and not the forum. I have SMF 1.1.6 installed. Thanks.

French

#1
March 04, 2012, 03:08:51 AM
Did you install/activated perhaps Tapatalk App on your iPad or/and iPhone.?

Kermit

#2
March 04, 2012, 10:48:33 AM
First 3 files are not so familiar ones,but the rest (with ~ in the end) are default SMF which were created as backup on installing modifications files,you may want to run this php file for being sure about whether some of your files have been infected or not

http://www.simplemachines.org/community/index.php?topic=313201
My Mods
Please don't PM/mail me for support,unless i invite you
Formerly known as Duncan85
Quote
"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe."

A. Einstein

MrPhil

#3
March 04, 2012, 12:53:13 PM
A file named "style.css.php" is a dead giveaway that you've been hacked. Unless you know that those first three files belong there as part of a mod installation, you should rename them to deactivate them and eventually erase them if it proves that they are unnecessary for the normal functioning of your site.

I don't know what your host found in the backup (~ suffix) SMF files. It's odd that the current active files (without ~) wouldn't also have the same infection, if there really is one. The three SMF files are inactive anyway (they can't be run), so you can probably leave them alone.

pokerfacemac

#4
March 05, 2012, 03:07:32 PM
Thanks. I have installed no mods or other apps. However, upon further digging, it appears that my htaccess file (located at the public_html folder) had been replaced. Once I removed that, it started working again. I didn't think this problem could be related to the forum but I wanted to make sure. I'm going to also run the kb_scan (thanks for the link).

I will rename the files and then delete them if it doesn't affect the forum.

Thanks very much for the replies.
Print
Go Up Pages1
User actions
Advertisement: