1 jamesey Oct 23, 2008 23:12
3 village_idiot Oct 24, 2008 23:36
Dreamhost makes their logs available. Go through them. Need help? Email them to me, I'll go through them.
I hate to be the stick in the mud here, but the most likely scenario is, in fact, that your blog was hacked.
It's not beyond any realm of common sense, and anyone quick to dismiss that as a possibility isn't being honest with themselves or you.
I would also be looking at your filesystem for any files that "don't belong". It's my experience that these sorts of exploits are the result of PHP rootshells being uploaded at some point, and then being used over and over again to perpetrate further damage.
Most users, when upgrading files, go with the "overwrite" method instead of the "delete first" method, and consequently, malicious scripts are never gotten rid of.
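One way to find the files that "don't belong" after an overwrite-style upgrade is to diff the deployed tree against a clean copy of the same release. This is an added example for this thread, not b2evolution code; the directory layout and file contents are constructed for the demo.

```python
"""Diff a deployed b2evolution tree against a clean release tree to surface
files that were added or altered on the server. Added example; paths and
file bodies below are constructed, not taken from a real install."""
import hashlib
import tempfile
from pathlib import Path

def _hashes(root: Path) -> dict:
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def compare_trees(clean_dir, deployed_dir) -> dict:
    """Classify every file under deployed_dir against the clean release tree.

    extra    -> present only on the server (where a dropped shell usually hides)
    modified -> same path, different content (a backdoored core file)
    missing  -> in the release but not on the server
    Files such as the site config legitimately differ; inspect every hit by hand.
    """
    clean, deployed = _hashes(Path(clean_dir)), _hashes(Path(deployed_dir))
    return {
        "extra": sorted(set(deployed) - set(clean)),
        "modified": sorted(p for p in clean.keys() & deployed.keys() if clean[p] != deployed[p]),
        "missing": sorted(set(clean) - set(deployed)),
    }

def demo() -> dict:
    """Build a constructed clean tree and an 'upgraded by overwrite' server tree, then diff."""
    root = Path(tempfile.mkdtemp())
    release = {"blogs/index.php": "<?php /* clean */",
               "blogs/inc/_main.inc.php": "<?php /* clean inc */"}
    for rel, body in release.items():
        for base in ("clean", "server"):
            f = root / base / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
    # Overwriting a release on top of a compromised install leaves leftovers behind:
    leftover = root / "server/blogs/skins/x.php"
    leftover.parent.mkdir(parents=True)
    leftover.write_text("<?php /* constructed: file that is not part of the release */")
    (root / "server/blogs/index.php").write_text("<?php /* constructed: altered core file */")
    return compare_trees(root / "clean", root / "server")

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run it against the unpacked release archive and an FTP mirror of the live site; "extra" PHP files under writable directories such as media or skins deserve the first look.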
4 nanahuatl Oct 25, 2008 02:15
whoo wrote:
...
I would also be looking at your filesystem for any files that "don't belong". It's my experience that these sorts of exploits are the result of PHP rootshells being uploaded at some point, and then being used over and over again to perpetrate further damage. Most users, when upgrading files, go with the "overwrite" method instead of the "delete first" method, and consequently, malicious scripts are never gotten rid of.
The hosting provider should be able to wipe out the malicious (virtual) resource so that the customer can install over known clean file system resources.
The password for the b2evolution administrator (at the very least) should contain a mix of upper and lower case characters and include numbers and non-alphabetical characters as well.
It is evident that when one leaves the login link to the blog resource visible and one uses a web site analyzer, the hits to the login resource are astonishingly high. Why? International miscreants will try their luck at cracking the password (often with dictionary-based attacks) at any time of day or night. Evidently, they succeeded in the case of our unfortunate friend above.
A utility -- perhaps as a plugin to b2evolution -- where a (user set) limit to the login attempts is enforced, and the cracker IP is subsequently blocked and blacklisted, would be a welcome addition to further enhance the security of b2evolution.
It could be based on the model of fail2ban, although probably the hosting provider would be required to participate for those b2evolution users who can not access the (virtual) host operating system and/or Apache/IIS resources for their blog.
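The limiter nanahuatl describes, written out as an added example (not a b2evolution plugin): failed logins per IP are counted inside a sliding window, a threshold triggers a timed block, and repeat offenders land on a persistent blacklist. The thresholds are assumptions; a real deployment would persist the state and take the client IP from the web server, not from a forwarded header.

```python
"""Fail2ban-style login guard: per-IP failure cap in a sliding window, then a
timed block, then a blacklist. Added example; all thresholds are assumptions."""
from collections import defaultdict, deque

class LoginGuard:
    def __init__(self, max_failures=5, window=600, ban_seconds=3600, blacklist_after=3):
        self.max_failures = max_failures        # failures tolerated inside one window
        self.window = window                    # sliding window length, seconds
        self.ban_seconds = ban_seconds          # length of a temporary block
        self.blacklist_after = blacklist_after  # bans before the IP is blacklisted for good
        self.failures = defaultdict(deque)      # ip -> timestamps of recent failures
        self.banned_until = {}                  # ip -> time the temporary block ends
        self.ban_count = defaultdict(int)
        self.blacklist = set()

    def _prune(self, ip, now):
        """Drop failures that have aged out of the window."""
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, ip, now):
        """Call before checking credentials; blocked IPs never reach the password check."""
        if ip in self.blacklist:
            return False
        until = self.banned_until.get(ip)
        return until is None or now >= until

    def record_failure(self, ip, now):
        """Count a wrong password; returns True when this failure triggered a block."""
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) < self.max_failures:
            return False
        self.failures[ip].clear()
        self.ban_count[ip] += 1
        if self.ban_count[ip] >= self.blacklist_after:
            self.blacklist.add(ip)          # repeat offender: permanent entry
        else:
            self.banned_until[ip] = now + self.ban_seconds
        return True

    def record_success(self, ip):
        """A real login clears the failure history but not an existing ban or blacklist entry."""
        self.failures.pop(ip, None)
```

Keying on the source IP means a legitimate user behind the same NAT as an attacker gets locked out too, so the blacklist needs an operator-facing way to clear entries.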
5 jamesey Oct 27, 2008 04:34
thanks guys. I've changed all my passwords and thoroughly deleted my b2evo /blogs directory before re-upping it.
I'm contacting dreamhost to get the logs.
6 jamesey Oct 28, 2008 18:24
I'm seriously fucked. I badly need help. I don't want to lose 5 years of posts.
I changed all passwords related to my site.
I completely removed my installation of b2evolution.
I uploaded a whole new installation.
Google still found malware and trojans coming from my b2evo install.
I think something is in my sql database.
7 jamesey Nov 03, 2008 06:21
I've removed my site for the last few days so I'd stop getting the google warning.
Is it possible that my SQL database has been hacked and that's why my fresh installs of b2evo keep propagating links to malware/trojans?
How can I scan my SQL database for this?
8 sam2kb Nov 03, 2008 06:59
I'm not sure but does google provide up-to-date info? I mean maybe you should give it some time to rescan your site.
9 village_idiot Nov 03, 2008 07:54
jamesey wrote:
How can I scan my SQL database for this?
Where are the links?
Your SQL dump is a text file.
First, determine where the links are, then look in the appropriate place inside your database, or just open the dump in a plain text editor and use the search.
You also need to make sure that you are not reusing any skin files that might have been edited, AND that you have completely 'cleaned out' your site via FTP.
Everything within the directories that had b2evolution in them, should be deleted. EVERYTHING.
Unless you do that, you run the risk of leaving malicious scripts on the site.
And I'm going to say this again -- LOGS. It does not take days to get them. Bluehost uses cPanel and server logs are available right there.
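Searching the dump by hand works, but a small scanner that reports which table and line each hit sits in makes the "where are the links?" question answerable in one pass. This is an added example for this thread, not b2evolution code; the dump text is constructed (table names follow the evo_ prefix but are sample values) and the marker list is an assumption to extend for your own case.

```python
"""Scan a MySQL dump (plain text) for the markers injected malware links usually
carry and report the table and line of each hit. Added example; the sample dump
and the marker list are constructed, not taken from a real compromised site."""
import re

# Patterns that rarely belong in blog post or comment bodies (assumption: extend as needed).
MARKERS = [
    r"<iframe\b", r"<script\b[^>]*\bsrc=", r"\beval\s*\(", r"base64_decode\s*\(",
    r"document\.write\s*\(", r"unescape\s*\(", r"display\s*:\s*none",
]
INSERT_RE = re.compile(r"^\s*INSERT\s+INTO\s+`?(\w+)`?", re.IGNORECASE)
MARKER_RE = re.compile("|".join(MARKERS), re.IGNORECASE)

def scan_dump(dump_text: str) -> list:
    """Return (line_number, table, matched_marker, context) for every suspicious line.

    mysqldump keeps each INSERT on one line, but the table name is tracked across
    lines so that hand-split or multi-row dumps are attributed correctly too.
    """
    hits, table = [], None
    for no, line in enumerate(dump_text.splitlines(), 1):
        m = INSERT_RE.match(line)
        if m:
            table = m.group(1)
        for hit in MARKER_RE.finditer(line):
            start = max(hit.start() - 20, 0)
            hits.append((no, table, hit.group(0), line[start:hit.end() + 40]))
    return hits

SAMPLE_DUMP = """-- constructed dump, not from a real site
INSERT INTO `evo_posts` VALUES (1,'Hello world','<p>First post</p>');
INSERT INTO `evo_posts` VALUES (2,'Notes','<p>Text</p><iframe src="http://example.invalid/x" width=0 height=0></iframe>');
INSERT INTO `evo_comments` VALUES (7,2,'nice post <script src="http://example.invalid/c.js"></script>');
INSERT INTO `evo_settings` VALUES ('site_footer','<div style="display:none">seo links</div>');
"""

if __name__ == "__main__":
    for no, table, marker, ctx in scan_dump(SAMPLE_DUMP):
        print(f"line {no} table {table}: {marker!r} ... {ctx}")
```

Legitimate embeds (a video iframe in a post you wrote) will match as well, so treat the output as a review list; a clean table in the scan output is the useful negative.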
10 jamesey Nov 04, 2008 03:37
I'm pretty sure I've had an SQL injection. That's why every time I reinstall b2evo and use the same SQL database, the error keeps happening.
I found a tool that will supposedly find out if this is true called scrawler. Anyone ever use it before?
http://www.softpedia.com/get/Security/Security-Related/Scrawlr.shtml
11 village_idiot Nov 04, 2008 07:48
While that looks like a nifty tool, that's not going to do what anyone in this thread has suggested.
namely me. :)
Hi jamesey,
This is a serious issue. Most likely the hackers got the code of your site, possibly the blog's username/password combination, but most likely they have found the username/password of your cPanel / FTP. In fact it's not likely that *only* a hack of the blog can result in injecting code into all of your server. The hackers use the blog because of its PHP files, which they need to get their malware working.
Immediately change all passwords regarding this server and blog and notify your host. Your host will be able to determine (through the logs) when and where the hack took place. A likely scenario is that there is some master malware on your site that spreads whenever it finds (new) php files.
So please contact your host as soon as possible.
Good luck