1 nelsonguirado Nov 21, 2008 03:55
3 john Nov 21, 2008 04:39
Delete all your B2 files and upload a fresh set and see if that makes a difference.
I would check the JS content of your site for any scripts that are not default B2 or ones that you have added yourself.
4 nelsonguirado Nov 21, 2008 04:58
OK. I'll try that. I don't feel like going line for line.
5 nelsonguirado Nov 21, 2008 06:12
Why do you think it's only on a couple of blogs?
6 nelsonguirado Nov 21, 2008 06:42
I looked at the source of the offending page and got (you can see where the trouble starts after "<body><div style="position:absolute;left:-74402px;top:":
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<base href="http://www.nelsonguirado.com/skins/evocamp/" />
<script type="text/javascript" src="/plugins/am_audio_player_plugin/audio-player.js"></script>
<style type="text/css" media="screen">
<!--
/* Visiglphs Plugin styles */
.vg1, .vg2, .vg3, .vg4, .vg5 {margin:0;padding:.1em;}
.vg1 {width:1.1em;height:1.1em;}
.vg2 {width:2.7em;height:2.7em;}
.vg3 {width:4.3em;height:4.3em;}
.vg4 {width:5.9em;height:5.9em;}
.vg5 {width:7.5em;height:7.5em;}
-->
</style>
<title>Asymmetric Music</title>
<meta name="description" content="Asymmetric take on rock, soul, and classical." /><meta name="keywords" content="rock, modern rock, soul, r&b, conservative music, christian music, fun music, decent music" />
<meta name="generator" content="b2evolution 2.4.5" /> <!-- Please leave this for stats -->
<link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://www.nelsonguirado.com/index.php/music/?tempskin=_rss2" />
<link rel="alternate" type="application/atom+xml" title="Atom" href="http://www.nelsonguirado.com/index.php/music/?tempskin=_atom" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://www.nelsonguirado.com/xmlsrv/rsd.php?blog=30" />
<meta name="viewport" content="width = 750" />
<link rel="stylesheet" href="style.css" type="text/css" />
<script type="text/javascript" src="http://www.nelsonguirado.com/rsc/js/functions.js"></script><script type="text/javascript" src="http://www.nelsonguirado.com/rsc/js/rollovers.js"></script>
</head><body><div style="position:absolute;left:-74402px;top:-56110px"></div><!--823697339--><h1>extended hotel stay chicago</h1> After signing up for <a href="http://iccec-europe.org/gallery/?info=214" title="stay chicago hotel extended">stay chicago hotel extended</a> service, it's easy to get started with adding your first trip. SWF loading //
7 john Nov 21, 2008 06:55
So, just delete it and see how you go.
8 nelsonguirado Nov 21, 2008 07:23
I copied the files over my installation and it didn't work. Also, I was hoping somebody would know how they hacked me so I could avoid it another time.
9 sam2kb Nov 21, 2008 07:32
The same problem http://forums.b2evolution.net/viewtopic.php?t=17247
Check the file index.main.php in skin folders and delete "bad" <div> tag
10 yabba Nov 21, 2008 07:41
Can you post the code from your /skins/_html_header.inc.php && skins/_body_header.inc.php ?
Alternatively could you pm me an ftp / pma login?
¥
11 nelsonguirado Nov 21, 2008 17:40
/skins/_html_header.inc.php
<?php
/**
* This is the HTML header include template.
*
* For a quick explanation of b2evo 2.0 skins, please start here:
* {@link http://manual.b2evolution.net/Skins_2.0}
*
* This is meant to be included in a page template.
* Note: This is also included in the popup: do not include site navigation!
*
* @package evoskins
*/
if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page directly.' );
global $xmlsrv_url;
require_js( 'functions.js' );
require_js( 'rollovers.js' );
skin_content_header(); // Sets charset!
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php locale_lang() ?>" lang="<?php locale_lang() ?>">
<head>
<?php skin_content_meta(); /* Charset for static pages */ ?>
<?php skin_base_tag(); /* Base URL for this skin. You need this to fix relative links! */ ?>
<?php $Plugins->trigger_event( 'SkinBeginHtmlHead' ); ?>
<title><?php
// ------------------------- TITLE FOR THE CURRENT REQUEST -------------------------
request_title( array(
'auto_pilot' => 'seo_title',
) );
// ------------------------------ END OF REQUEST TITLE -----------------------------
?></title>
<meta name="description" content="<?php $Blog->disp( 'shortdesc', 'htmlattr' ); ?>" />
<meta name="keywords" content="<?php $Blog->disp( 'keywords', 'htmlattr' ); ?>" />
<?php robots_tag(); ?>
<meta name="generator" content="b2evolution <?php app_version(); ?>" /> <!-- Please leave this for stats -->
<link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="<?php $Blog->disp( 'rss2_url', 'raw' ) ?>" />
<link rel="alternate" type="application/atom+xml" title="Atom" href="<?php $Blog->disp( 'atom_url', 'raw' ) ?>" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="<?php echo $xmlsrv_url; ?>rsd.php?blog=<?php echo $Blog->ID; ?>" />
<meta name="viewport" content="width = 750" />
<link rel="stylesheet" href="style.css" type="text/css" />
<?php include_headlines() /* Add javascript and css files included by plugins and skin */ ?>
<?php
$Blog->disp( 'blog_css', 'raw');
$Blog->disp( 'user_css', 'raw');
?>
</head><body>
<?php
// ---------------------------- TOOLBAR INCLUDED HERE ----------------------------
require $skins_path.'_toolbar.inc.php';
// ------------------------------- END OF TOOLBAR --------------------------------
echo "\n";
if( is_logged_in() )
{
echo '<div id="skin_wrapper" class="skin_wrapper_loggedin">';
}
else
{
echo '<div id="skin_wrapper" class="skin_wrapper_anonymous">';
}
echo "\n";
?>
<!-- Start of skin_wrapper -->
skins/_body_header.inc.php
<?php
/**
* This is the BODY header include template.
*
* For a quick explanation of b2evo 2.0 skins, please start here:
* {@link http://manual.b2evolution.net/Skins_2.0}
*
* This is meant to be included in a page template.
*
* @package evoskins
*/
if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page directly.' );
// By default, this does nothing. It's just here as a placeholder.
?>
12 sam2kb Nov 22, 2008 03:16
Did you check the index.main.php file ?
13 nelsonguirado Nov 22, 2008 03:16
OK. I changed everything. I'm willing to pay somebody to fix this thing.
14 afwas Nov 22, 2008 15:28
The number 823697339 seems to be the signature of this virus (Google it). The negative position (the numbers) is large but more or less random, the (spam)link is random. Try a file search on that number and start with the skin files. The index.php file is the common place of infection. Most likely this is JavaScript added. Probably the content of the script looks like garbage.
Change the password for your cPanel and FTP. According to whoo blogs can be infected by people that have access to it
Unfortunately I can't find information on this specific virus.
Good luck
15 sam2kb Nov 22, 2008 15:44
Read here for answers :) http://forums.b2evolution.net//viewtopic.php?t=17247
16 afwas Nov 22, 2008 15:52
Apart from the fact that it was PHP and not JavaScript I was close ;)
Well done sam2kb
Nelsonguirado, do you have the FCKEditor plugin installed on the blog?
17 nelsonguirado Nov 24, 2008 04:07
Thanks guys. You saved me. Special thanks to Sam2K and Yabba for finding the problem. I wish it would have been before Google banned me, but at least I can try to rebuild.
By the way, it was some rootkit code called "cooper.php" in a barely used folder on my site and then the code to access this file was placed on my php files. The code was on almost every one of my files and was in base 64.
Again, I really appreciate it.
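The two indicators the thread settles on, the off-screen `<div>` followed by the numeric comment (post 14) and the base64-wrapped PHP stub that pulls in the dropped `cooper.php` file (post 17), can be searched for mechanically instead of reading each skin file line by line. The scanner below is an added example and not code from this thread or from b2evolution; the sample files, the file paths and the encoded payload are constructed here for illustration, only the `823697339` marker and the pixel offsets are taken from the quoted page source.

```python
import base64
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample "skin directory": one clean file and one carrying both
# markers described in the thread. The include path inside the payload is
# a hypothetical location for the dropped backdoor file.
_PAYLOAD = base64.b64encode(b"include('/home/site/old/cooper.php');").decode()
SAMPLE_FILES: Dict[str, str] = {
    "skins/evocamp/index.main.php": (
        "<?php\n"
        "if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page directly.' );\n"
        f'eval(base64_decode("{_PAYLOAD}"));\n'
        "?>\n"
        '<body><div style="position:absolute;left:-74402px;top:-56110px"></div><!--823697339-->\n'
    ),
    "skins/evocamp/_body_header.inc.php": (
        "<?php\n"
        "if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page directly.' );\n"
        "?>\n"
    ),
}

# Marker 1: an empty, absolutely positioned div pushed thousands of pixels
# off-screen, immediately followed by an HTML comment holding only digits.
HIDDEN_DIV = re.compile(
    r'<div\s+style="position:\s*absolute;\s*left:\s*-(\d{3,})px;\s*top:\s*-(\d{3,})px"\s*>'
    r"\s*</div>\s*<!--\s*(\d+)\s*-->",
    re.IGNORECASE,
)

# Marker 2: PHP evaluating a base64-decoded string literal.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)\s*\)""",
    re.IGNORECASE,
)


def _line_of(text: str, offset: int) -> int:
    """1-based line number of a character offset within text."""
    return text.count("\n", 0, offset) + 1


def scan_source(path: str, text: str) -> List[dict]:
    """Return one finding per marker hit in a single file's contents."""
    findings: List[dict] = []
    for m in HIDDEN_DIV.finditer(text):
        findings.append({
            "file": path, "line": _line_of(text, m.start()), "kind": "hidden_div",
            "detail": f"offset -{m.group(1)}/-{m.group(2)}px, marker {m.group(3)}",
        })
    for m in EVAL_B64.finditer(text):
        # Decode the literal so the reviewer sees what the stub would execute;
        # malformed base64 is reported as such rather than crashing the scan.
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:
            decoded = "<undecodable base64>"
        findings.append({
            "file": path, "line": _line_of(text, m.start()), "kind": "eval_base64",
            "detail": decoded[:120],
        })
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan an in-memory mapping of path -> contents."""
    out: List[dict] = []
    for path, text in sorted(files.items()):
        out.extend(scan_source(path, text))
    return out


def infected_files(files: Dict[str, str]) -> List[str]:
    """Sorted list of paths with at least one finding."""
    return sorted({f["file"] for f in scan_files(files)})


def scan_directory(root: str, suffixes=(".php", ".html", ".inc")) -> List[dict]:
    """Walk a real skin/plugin tree and apply the same checks to each file."""
    files: Dict[str, str] = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            files[str(p)] = p.read_text(encoding="utf-8", errors="replace")
    return scan_files(files)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} [{f['kind']}] {f['detail']}")
```

Run it against a real installation with `scan_directory("/path/to/b2evo")` and treat every `eval_base64` hit as a file to restore from a clean copy, then remove whatever the decoded stub includes; the hidden-div check alone is not enough, since the injected markup only appears once the stub has run, while the stub can sit in files that render nothing.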
18 nelsonguirado Nov 24, 2008 04:08
I don't have FCKEditor.
19 nelsonguirado Nov 29, 2008 07:28
I discovered the exact same hack attack on a very unrelated Simple Machines forum I run.
That means that the perpetrator was almost assuredly not somebody I know, which is great news. It also means, I think, that if you have any php programs, you should check for the issue, especially if you're on Bluehost.
On this blog too.
http://www.nelsonguirado.com/index.php/music/