I got a virus and it ran through all of my sites (10+) on the server. I located the script and removed it, I thought, but when I log in to the backend of one of my sites I see it still connecting to martuz.cn. Google says it is clean.
Question one is how do I get rid of it?
Question two is how did I get it? I see that it is a .pdf exploit and I just added Docman to my extensions. Or did it come in through FTP? How can I find out?
I'm running Joomla 1.5.10, using FireFTP, Host is WebHostingBuzz
I've cleaned my computer with several different AV scans (found several), looked for and cannot find more malware scripts on my website, and still my site is trying to connect with martuz.cn. I've attached a .jpg. Please help me find the problem.
Uhm, your site or your browser is trying to connect to martuz.cn. Maybe you have some kind of rootkit on your home computer or on your webserver, or even worse, on both. Can you send me a PM with a link to your site?
*Karma comes in many forms, my personal favourite is the random saucepan from the sky* J.Spencer 17-02-2009
I had a similar attack on one of my sites. The best thing to do is save a copy of your config file to your computer and then delete all your files, including any JavaScript files you might have.
If this is anything like the now dead Gumblar one, it can be located in every PHP file as well as JavaScript file on your site.
I would also take the time to download, install and learn Joomlapack. Also make sure that your config file is locked up (permissions are set properly) and move it outside of your site's public root.
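An added example, not part of the thread or any poster's code: a small scanner that walks a downloaded copy of the site, reports every PHP, JavaScript or HTML file line that references martuz.cn, and checks whether the config file's permissions are too loose. The percent-encoded variant of the domain, the file names and the injected line in `demo()` are constructed assumptions for illustration.

```python
import os
import stat
import tempfile

INDICATOR = "martuz.cn"  # domain named in the thread
SCAN_EXT = (".php", ".js", ".html", ".htm")

def variants(domain):
    # Plain form plus a percent-encoded form. Assumption: an injected script
    # may hide the domain behind unescape()-style encoding.
    return [domain.lower(), "".join("%{:02x}".format(b) for b in domain.encode())]

def scan_tree(root, indicator=INDICATOR):
    """Return a sorted list of (relative_path, line_number) hits under root."""
    needles, hits = variants(indicator), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if any(n in line.lower() for n in needles):
                        hits.append((os.path.relpath(path, root), lineno))
    return sorted(hits)

def config_too_open(path):
    """True if group/others can write the file or others can read it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH | stat.S_IROTH))

def demo():
    # Constructed sample site: one clean file, one with a constructed injection.
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "index.php": "<?php echo 'hello'; ?>\n",
            "menu.js": "var a = 1;\ndocument.write('<script src=//martuz.cn/>');\n",
            "configuration.php": "<?php class JConfig {} ?>\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        cfg = os.path.join(root, "configuration.php")
        os.chmod(cfg, 0o644)
        return scan_tree(root), config_too_open(cfg)

if __name__ == "__main__":
    print(demo())
```

A clean result only means this one indicator is absent; files restored from a known-good backup remain the reliable baseline.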