2 yabba Jun 26, 2005 08:51

Thanks. I'll check that out.
Wow - the obfuscated part writes an IFRAME tag, which then opens a page on the hacker's server, which downloads the newexpl.php.
Inside newexpl.php is this:
From: <x>
Subject: x
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
It looks like an email message with an attachment.
Now how did that get in there, that's my worry... a new level of spam?
From what I found in a quick google trip, the most likely candidate is that someone else in a shared hosting environment hacked their way into being able to edit your files. This has happened on WordPress and Mambo sites as well. I suspect that any CMS that uses .php templates probably could fall victim to this attack if the server is vulnerable, but that's just my theory.
Well, the other person online I saw affected was hosted by l40.net, and I am, so apparently they aren't secure.
After they have changed my IP address 2 times in the last few months, and broke the Coppermine functionality in the process, and now this, and their support is nonexistent, I think I will be finding another host.
Well, I edited out the offending text above, and still my site seems to be infected. I have spent the last several weeks trying to find out what's going on, difficult because I've been away from home with only sporadic web access... and my webhost is no help.
This is my last plea for help, if I can't get this solved in the next couple of days I'm just wiping my site clean and shutting down for good...
Any clues at all? Thanks.
I would change webhosts and do a clean install of b2evolution at the new host.
Check your template. Just above </body> you have the following :-
From what I've read on the web, that's the line that's causing your grief.
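
Added example, not part of any post in this thread: a sketch of a check a site owner could run over template files to find the kind of injection described above (a script that decodes an obfuscated string and writes a hidden IFRAME). The function names, the regex heuristics and the sample template are assumptions made for this illustration, not the actual injected code.

```python
import os
import re
from urllib.parse import unquote

# Heuristics chosen for this example (assumptions, not from the thread).
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:(?:width|height)\s*=\s*[\"']?[01]\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
DECODE_AND_WRITE = re.compile(
    r"(?:document\.write(?:ln)?|eval)\s*\(\s*"
    r"(?:unescape|decodeURIComponent|String\.fromCharCode)\b", re.I)
ESCAPED_RUN = re.compile(r"(?:%[0-9a-f]{2}[\w/.:-]*){6,}", re.I)


def scan_template(text):
    """Return sorted (line_number, reason) findings for one template."""
    findings = set()
    for no, line in enumerate(text.splitlines(), 1):
        if HIDDEN_IFRAME.search(line):
            findings.add((no, "hidden iframe"))
        if DECODE_AND_WRITE.search(line):
            findings.add((no, "script decodes and writes markup"))
        # Peel one layer of percent-escaping and look for an iframe again.
        for run in ESCAPED_RUN.findall(line):
            if re.search(r"<\s*iframe\b", unquote(run), re.I):
                findings.add((no, "escaped iframe"))
    return sorted(findings)


def scan_tree(root, exts=(".php", ".html", ".htm")):
    """Scan template-like files under root; return {path: findings}."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report[path] = scan_template(fh.read())
    return {p: hits for p, hits in report.items() if hits}


# Constructed sample template; example.invalid is a placeholder host.
SAMPLE = """<html><body>
<iframe src="https://example.org/map" width="600" height="400"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//example.invalid/%22%20width%3D0%20height%3D0%3E'))</script>
</body></html>
"""

if __name__ == "__main__":
    print(scan_template(SAMPLE))
```

A hit only tells you which file and line to inspect by hand; comparing the tree against a clean copy of the CMS release remains the more reliable check.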