0
Welcome Guest! Login
0 items Join Now

Malicious PHP Code

Last Post
Search Topic
    • 's Avatar

    Malicious PHP Code

    Posted 12 years 7 months ago
    • Hello... This is not something I believe to be happening to the ROK files, but rather to index.php and other .php files. I had posted on facebook a link to my website. destinationself.com I received a message back from a person that they clicked it an nothing came up. Naturally, I clicked the link from the posting on my phone and got a 404.lflink.com website. Caught off guard, I went to my computer and typed destinationself.com and my website came up. I closely looked at my website address and the link address from my fb post and they were the same. I go to FB on my computer and click on the link... once again I get the redirect.

      I then google the link and got someone else asking a similar question. Leading nowhere I decide to google my site. It comes up and I click on the link. Once again, the redirect.

      I check my other sites and same thing. What is going on?

      I found this article on google that said to look for a eval(base64_decode code in php files. I did and found it.

      Thoughts? How do I get my sites back and how do I keep this from happening again?!?!

      The sites were working this weekend.
    #879519

  • Re: Malicious PHP Code

    Posted 12 years 7 months ago
    • Nightmare

      I solved this for a client a few weeks back.

      We ran a check on the backed up files and merged with the new files created AFTER the back up (clean sweep first of course using Kaspersky).

      We then changed ALL passwords associated with the domain (db, ftp etc) and then uploaded AFTER DELETING ALL THE OLD FILES and installed a great component by rsjoomla (firewall. If you go to their fb page and like them you get it half price. I am NOT an affiliate btw just use their components).

      Ours differed slightly as they came in via the js folders but I am optimistic the process would be similar to prevent this again.

      Once this is installed activate LOCK DOWN.

      To date, this has stopped it.

      HTH

      Regards
      Daren
    • Daren Jephcote. Technical S.E.O. Consultant.
      Join in the conversation on Twitter .
      I offer expert, Technical SEO Services to an exclusive list of clients. They enjoy error-free, high ranking website results that help them thrive online.
    #879531
    • 's Avatar

    Re: Malicious PHP Code

    Posted 12 years 6 months ago
    • Thanks. I am noticing that it is everywhere! It appears to be a nightmare. My plan to just delete everything except my configuration.php, my .htaccess, and my php5.ini files (and my database) and reload everything. I don't have many components and I haven't been running backups. I just downloaded Akeeba yesterday but that wouldn't have helped.

      I will look at RSFirewall. I have used their products before.

      I am not sure my plan will work, but I can't think of anything else. My actual computer isn't infected with anything is it? I am running SOPHOS and so far so good.

      Any idea how this happened? I noticed some stuff in my error logs and the names looked familiar. I think it was an exploit but I am not sure from where or how.
    #879681
    • 's Avatar

    Re: Malicious PHP Code

    Posted 12 years 6 months ago
    • Any idea why/how my sites keep getting malicious PHP code? It has happened again. After I restored my sites last time I installed RSFirewall and it still happened! I don't know what is going on.

      Someone please give me some advice...

      One of the lines that says critical from RSFirewall...

      2 critical 19.10.2012 05:30:00 66.249.73.66 0 /gallery/whale-tours/193-photo5 A core Joomla! file has been modified.

      I clicked on the ip and it came up as google and it is affecting ROKGALLERY.
    #882978
    • 's Avatar

    Re: Malicious PHP Code

    Posted 12 years 6 months ago
    • Still happening.... Every Friday morning it appears. I pretty much only have rockettheme components on my sites. I called GoDaddy and they swear (but can't tell me where) that it is something on my sites that is allowing the access.

      I changed all the passwords (again).
    #885474

  • Re: Malicious PHP Code

    Posted 12 years 6 months ago
    • It will continue to happen until you find and remove the malicious code. It's normally an extra file somewhere within the site, but could also be embedded within a legitimate 'file'.

      Changing passwords will do you no good until that code is first removed.

      Once 'clean', install Admin Tools and configure to protect your site.
    • CMYKreative : Graphic Design , Web Design , Printing , Banner Ads , Branding and more.
    #885504
    • 's Avatar

    Re: Malicious PHP Code

    Posted 12 years 6 months ago
    • I appreciate the comments, however it doesn't help me figure out what is causing it. The bad file, or code.
    #885505

  • Re: Malicious PHP Code

    Posted 12 years 6 months ago
    • If you haven't changed any original files, extract the template files locally and re-upload them and replace ALL site files.

      Keep your configuration.php, .htacess but check these are clean also.

      You could also try installing Admin Tools and run a check on your actual site files now to see if any files have been changed, but I have a feeling that this might only work from 'new' . . . i.e. once installed it checks to see which files (if any) have been altered since it was installed.

      Does your hosting not have any backups at all that you can use to restore?
    • CMYKreative : Graphic Design , Web Design , Printing , Banner Ads , Branding and more.
    #885507

Time to create page: 0.078 seconds