runtime error

iain sherriff · January 24, 2014, 06:02:27 PM

will the host be able to tell where it came from ?

Arantor · January 24, 2014, 06:13:14 PM

Maybe. Ask them.

@Shambles: it is not wrong to appreciate the subtlety and ingenuity of something like that. I just wish they'd channel their skills into producing new good software rather than attacking things.

iain sherriff · January 24, 2014, 06:18:18 PM

Im a bit at arms length as I Admin the forum, have FTP access but not CP or dB access. The host is looking at it.
I have gone through what I can and removed all traces I can see.
The forum is for a business that is subject to a lot of flack from trolls and has been attacked before unfortunately.

iain sherriff · January 24, 2014, 06:30:43 PM

I've just realised the bit about one line

that is sneaky

Arantor · January 24, 2014, 06:33:33 PM

Not just the fact it's on one line, it's one line - but with enough spaces that to the casual observer, you'd never notice anything was amiss. When I first looked at it in Notepad++, I thought... there's something weird here, because I couldn't *immediately* see something awry.

iain sherriff · January 25, 2014, 04:35:29 AM

that code was in every index.php file.

kat · January 25, 2014, 05:30:13 AM

Quote from: Sir Cumber-Patcher on January 24, 2014, 06:33:33 PMI couldn't *immediately* see something awry.

When I looked, it was the fact that the scrollbar, at the bottom, indicated that there was a LONG line, somewhere, that gave me the hint. So, I whacked it over to the far-right and voila! There it was.

iain sherriff · January 25, 2014, 07:15:35 AM

I cottoned onto that in the end. Also the file size was way too big.
I thnik it is all OK now...........just not sure if the dB and server will be infected but that is being checked

kat · January 25, 2014, 07:22:45 AM

Do yourself a favour, Iain... Read my sig.

Click it, for the "How?".

If you think it's clean, do it right now.

You know you want to.

iain sherriff · January 25, 2014, 08:28:51 AM

done................

kat · January 25, 2014, 08:34:59 AM

Only the one?

Seriously, I take two, now, in case one's corrupt. Especially when I get the db.

iain sherriff · January 25, 2014, 08:51:23 AM

OK
Have to rely on the owner to get the dB

kat · January 25, 2014, 11:08:42 AM

Make sure he does something. Regularly. Your forum can be rebuilt, easily enough. But, the database, which stores all of your members, posts, &c?

Not so easy. (Fookin' difficult, really)

iain sherriff · January 25, 2014, 06:47:55 PM

I know it is regularly backed up by the host. Going to see if I can get phpmyadmin access after this.

kat · January 26, 2014, 10:26:40 AM

Good finkin'.

iain sherriff · March 06, 2014, 04:40:00 AM

K@ I have PMd you about this.

kat · March 06, 2014, 05:16:28 AM

Goddit.

I don't see anything weird, though. Does one have to be logged-in?

iain sherriff · March 06, 2014, 05:30:03 AM

Nothing shows visually and it seems to behave as it should. I assume the code is some sort of data harvesting ?

kat · March 06, 2014, 05:36:12 AM

You're getting that some chunk of code, in index.php, are you?

Might be an idea to have a word with your host. They should have raw access logs and be able to figure-out who's getting in and how.

iain sherriff · March 06, 2014, 06:49:54 AM

It's exactly the same as you saw at the start of this topic, in every index.php.

Host is looking at it now.

News:

runtime error

kat

kat

kat

kat

kat

kat

kat