Old 23 May 2013, 12:11
John Lester
Join Date: Nov 2004
Suspected hacking

According to google's webmaster tools there is a suspected instance of hacking on my site.

Dear site owner or webmaster of http://www.braintalkcommunities.org/,
We are writing to let you know that we believe some of your website's pages may be hacked. Specifically, we think that JavaScript has been injected into your site by a third party and may be used to redirect users to malicious sites. You should check your source code for any unfamiliar JavaScript and in particular any files containing "counter.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px" width="10" height="10". The malicious code may be placed in HTML, JavaScript or PHP files so it's important to be thorough in your search.
The following are example URLs from your site where we found such content:
http://www.braintalkcommunities.org/...aimer_rev.html
In addition, it's also possible your server configuration files (such as Apache's .htaccess) have been compromised. As a result of this, your site may be cloaking and showing the malicious content only in certain situations.
We encourage you to investigate this matter in order to protect your visitors. If your site was compromised, it's important to not only remove the malicious (and usually hidden) content from your pages, but also to identify and fix the vulnerability. A good first step may be to contact your web host's technical support for assistance. It's also important to make sure that your website's software is up-to-date with the latest security updates and patches.
More information about cleaning your site can be found at:
http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634
Sincerely, Google Search Quality Team
So I visited the page in question (disclaimer url above) and received a "connection reset" message (it did not redirect at all). I attempted to download the file via ftp but it kept refreshing the request without downloading it. I also tried to dl the file via cpanel's file manager with the same result (continued refreshing of the request).

To be safe I did the following:
  1. Deleted the page in question via cpanel's file manager (couldn't do it via ftp ... kept refreshing the request)
  2. Removed all references to the page in question (it had 1 link in my footer in all of my styles ... no other reference to it anywhere on the site)
  3. Searched all templates via the acp for "counter" and "counter.php" and "style="visibility: hidden" found 0
  4. Searched the db via phpmyadmin for "style="visibility: hidden" found 0
  5. Searched the db via phpmyadmin for "counter.php" found 0
  6. Checked my access logs and error logs and found nothing relating to "counter.php" or the page in question. NOTE: I did find a few references to the old version of that page that hasn't been on the server in a couple of years.
  7. Checked .htaccess files and found nothing pointing to "content.php". Verified online .htaccess files with offline copies (matched exactly).
  8. Downloaded clean 4.1.12 pl 3 from vbulletin.com.
  9. Uploaded the new clean 4.1.12 pl 3, overwriting the existing files
  10. Ran "suspect file version" and it came back with the expected results (I have a couple dozen non-vb pages) and 1 unexpected but apparently normal result (index.php does not contain expected content ... or whatever, sorry, I have since left my acp and don't recall the exact message). I say this is normal because I compared the new fresh clean file with the backup offline file I have on my pc and they are identical except for the date.
My question is this: should I do anything else to ensure that I don't have any malicious JS on my site?

I'm not worried about not having the disclaimer; it was outdated and I am working on the new version as it stands. I will most likely make it a php page vs html (for the headers and footers).
  #2  
Old 23 May 2013, 13:10
TheLastSuperman
Join Date: Sep 2008
Real name: Michael Miller Jr
Whenever you're hacked it's best to check for all types of malicious files/code etc. instead of simply assuming it was one "file" as it were; for that, try the info outlined here: http://www.vbulletin.com/forum/blogs...iller/3934768- especially run the queries to see if anything comes up.

On the one file you had trouble deleting, open a support ticket with your host and mention this to them; ask them to verify that the file was removed entirely. They may at that point decide to run some server-side scans; it depends on your host and what importance they place on matters such as this.
  #3  
Old 23 May 2013, 13:17
nhawk
 
Join Date: Jan 2011
I'd also suggest checking php.ini to see if allow_url_fopen is enabled. That's a huge security risk and should be disabled.
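The checks the thread walks through (searching the site for the hidden counter.php markup from Google's notice, comparing the live files against a clean vBulletin download or offline backup, and nhawk's allow_url_fopen point) as one added script. This is example code, not from the thread or from vBulletin; all paths are assumptions, and the regexes are built from the markup quoted in the notice.

```shell
#!/bin/sh
# Added example, not from the thread. Three checks mirroring what the thread
# discusses: grep the web root for the hidden-element/counter.php marker from
# Google's notice, diff the live tree against a clean copy (fresh download or
# offline backup), and see whether php.ini turns allow_url_fopen on.
# All paths are assumptions; run as: sh scan.sh /path/to/webroot [/path/to/clean]

# Print every HTML/PHP/JS file that references counter.php AND contains the
# hidden, absolutely positioned style the notice quotes. Returns 1 if none.
find_injected_markup() {
    webroot="$1"
    hits=$(find "$webroot" -type f \
            \( -name '*.html' -o -name '*.htm' -o -name '*.php' -o -name '*.js' \) |
        while IFS= read -r f; do
            grep -q 'counter\.php' "$f" &&
            grep -qiE 'visibility: *hidden; *position: *absolute' "$f" &&
            printf '%s\n' "$f"
        done)
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Compare the live tree with a clean reference. EXTRA files (present only on
# the server) are the first thing to read; MODIFIED ones next; MISSING last.
diff_against_clean() {
    live="$1"; clean="$2"
    diff -rq "$clean" "$live" | while IFS= read -r line; do
        case "$line" in
            "Only in $live"*)  printf 'EXTRA    %s\n' "${line#Only in }" ;;
            "Only in $clean"*) printf 'MISSING  %s\n' "${line#Only in }" ;;
            Files*)  set -- $line; printf 'MODIFIED %s\n' "$4" ;;  # "Files A and B differ"
            Binary*) set -- $line; printf 'MODIFIED %s\n' "$5" ;;  # "Binary files A and B differ"
        esac
    done
}

# Return 0 when the given php.ini explicitly enables allow_url_fopen.
# Note: PHP's built-in default is On, so an absent directive also means enabled.
allow_url_fopen_enabled() {
    grep -qiE '^[[:space:]]*allow_url_fopen[[:space:]]*=[[:space:]]*("?on"?|1|true)' "$1"
}

if [ "$#" -ge 1 ]; then
    find_injected_markup "$1" || echo "no injected markup found under $1"
    if [ "$#" -ge 2 ]; then diff_against_clean "$1" "$2"; fi
fi
```

Searching the database (the OP's phpMyAdmin step) is separate: the same two strings can be searched with a LIKE query over the template and post tables.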
  #4  
Old 23 May 2013, 23:39
John Lester
Join Date: Nov 2004
Originally Posted by TheLastSuperman:
Whenever you're hacked it's best to check for all types of malicious files/code etc. instead of simply assuming it was one "file" as it were; for that, try the info outlined here: http://www.vbulletin.com/forum/blogs...iller/3934768- especially run the queries to see if anything comes up.

On the one file you had trouble deleting, open a support ticket with your host and mention this to them; ask them to verify that the file was removed entirely. They may at that point decide to run some server-side scans; it depends on your host and what importance they place on matters such as this.
Did those steps and did not find anything malicious. Host confirms that the file was deleted through the cpanel's file manager at the time I deleted it. They will get back to me once they finish going through the server to let me know if there are any issues.

Thanks, I forgot all about those queries.

--------------- Added 23 May 2013 at 23:40 ---------------

Originally Posted by nhawk:
I'd also suggest checking php.ini to see if allow_url_fopen is enabled. That's a huge security risk and should be disabled.
I have asked my host about this and am awaiting a response.
  #5  
Old 26 May 2013, 10:24
John Lester
Join Date: Nov 2004
Forgot to update the thread: the host came back and said everything was clean after I had deleted the page in question. It was a very old (12+ years old) page coded by someone else. Now our privacy policy is in a custom-made php page and template.