
SOLVED Locating Malicious Code

    • eTechS
    • Rocketeer
    • Posts: 77
    • Thanks: 1

    SOLVED Locating Malicious Code

    Posted 8 years 10 months ago
    • Hello,

      I am presently troubleshooting a few issues that have recently arisen on my site www.eTech.TV. The first issue is that I see that there seems to be some malicious code that is pointing to a site ending in .RU

      Whenever I click on a link on the top menu bar, there is a message waiting for hf9955hf.bget.ru, most likely some click spam.

      I am looking for the best way to find where this is being referenced. Any ideas?

      Thanks in advance for any advice.
    • DanG
    • Preeminent Rocketeer
    • Posts: 36750
    • Thanks: 3229
    • Custom work done

    Re: SOLVED Locating Malicious Code

    Posted 8 years 10 months ago
    • USTechHelp wrote:
      Hello,

      I am presently troubleshooting a few issues that have recently arisen on my site www.eTech.TV. The first issue is that I see that there seems to be some malicious code that is pointing to a site ending in .RU

      Whenever I click on a link on the top menu bar, there is a message waiting for hf9955hf.bget.ru, most likely some click spam.

      I am looking for the best way to find where this is being referenced. Any ideas?

      Thanks in advance for any advice.

      Would you please create a Super Admin login for me along with FTP access info and place it in the SECURE part of your Reply so that I can take a look.
    • eTechS
    • Rocketeer
    • Posts: 77
    • Thanks: 1

    Re: SOLVED Locating Malicious Code

    Posted 8 years 10 months ago
    • Dan,

      Will do when I get in the office today around noon. Thanks for the reply.
    • eTechS
    • Rocketeer
    • Posts: 77
    • Thanks: 1

    Re: SOLVED Locating Malicious Code

    Posted 8 years 10 months ago
    • Dan,

      Credentials have been entered into the secure area. My K2 also has errors as well. Might be the same issue.
    • eTechS
    • Rocketeer
    • Posts: 77
    • Thanks: 1

    Re: SOLVED Locating Malicious Code

    Posted 8 years 10 months ago
    • This message contains only secure information that is visible to eTechS, moderators and administrators
    • DanG
    • Preeminent Rocketeer
    • Posts: 36750
    • Thanks: 3229
    • Custom work done

    Re: SOLVED Locating Malicious Code

    Posted 8 years 10 months ago
    • USTechHelp wrote:
      Updated FTP Info

      Hi

      Neither the Admin logins nor the FTP ones are working for me :(
      Admin:
      With your access info, I'm getting a login error
      Warning
      Username and password do not match or you do not have an account yet.

      FTP login:
      Error: Connection timed out
      Error: Could not connect to server

      Could you double check them please.
    • eTechS
    • Rocketeer
    • Posts: 77
    • Thanks: 1

    Re: SOLVED Locating Malicious Code

    Posted 8 years 10 months ago
    • Dan,

      Let me catch you up, it's been one hell of a week! Since my original post a lot has gone on, but let me give a full explanation of what occurred. The issues started as a malicious script using my MTA to send SPAM. I was able to locate the script and deleted it but then 10 hours later it reappeared as another script, so the spammer seems to have created themselves a pretty good back door under the .TV domain.

      Because I was blacklisted by a few major carriers, I had to take drastic action and dumped the domain, which actually cured the problem.

      While communicating with my Hosting provider, we noticed a cPanel directory in duplicate which they told me to delete, which in turn had some configuration files and crashed cPanel, never to return. Because of the potential for backdoors and now missing cPanel config files, it was decided to provision a new server and manually transfer the files from server to server since the cPanel CPMove function didn't work.

      I first recreated all the accounts on the new server and I did manual SQL backups on the old server and created new SQL databases/Users on the new server then used rsync to sync up the directories. For the most part the email boxes are intact and working and I'm now dealing with SQL issues and trying to figure out why the sites will not work with database connector issues. eTechHelp.com is being used as an example before fixing the rest of the sites.

      So, malicious code is gone and I'm on new server with new code installed from scratch, but now have database issues.

      If you want to take a peek, I have both servers' credentials posted in the secure area. Let me know if you can access it.

      Look for me on SKYPE. I'll be on until this is resolved.
    • eTechS
    • Rocketeer
    • Posts: 77
    • Thanks: 1

    Re: SOLVED Locating Malicious Code

    Posted 8 years 10 months ago
    • This problem has been solved
    • DanG
    • Preeminent Rocketeer
    • Posts: 36750
    • Thanks: 3229
    • Custom work done

    Re: SOLVED Locating Malicious Code

    Posted 8 years 10 months ago
    • eTechS
    • Rocketeer
    • Posts: 77
    • Thanks: 1

    Re: SOLVED Locating Malicious Code

    Posted 8 years 10 months ago
    • Hi Dan,

      Ended up having to move to a new server with a fresh OS. In the process of rebuilding the TV site since the backups had malicious code that I was a bit nervous about restoring. Will be a busy few days here :)
