Hi All,
Google recently blackballed my site because it detected links to malware gstats.cn coming from my site. Using Fiddler I tracked the hack down to a few lines of obfuscated code added to dropdown.js. I cut these out and then went through my website checking as much as I could. I found a file called flash.php in the assets/flash directory that unpacked a shell into the root (a57shell). I deleted this and then went through all directories changing all file access to 644 and removed write access to directories for all except owner. I then changed all passwords. In your view is this enough? All code was at the latest revision but I also have other applications on my site (SMF and Gallery2).
My site appears to be back and working but I have a few problems - AjaxSearch no longer gives me a dropdown list (but a standard search page produces results). I am pretty sure I have been too strict on file permissions for some files but I am reluctant to experiment. Can anyone advise what file permission to use for AjaxSearch?
Is there any way to audit my site periodically - checking checksums, for example, for file changes and sending emails to me if they change?
Thanks for looking,
Paul
www.pharscape.org
The Adobe Acrobat reader had (has?) a flaw that allowed it to open javascript that would install a trojan on your computer to get login information and send it to the hackers. So you need to change all passwords to your server; FTP, SSH, whatever. And you need to clean that trojan out of your computer or it will just send the new passwords.
Thanks for your advice. All computers I use have now tested clean. Luckily only one machine uses Adobe so that was a quick patch.
I’ll now turn my attention to the prevention and getting my search working again.
Cheers,
Paul
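
The periodic checksum audit asked about in the first post could look like the sketch below. It is an added example, not code from the thread or from any of the applications mentioned. The command-line arguments, the JSON baseline file and the local SMTP server on `localhost` are assumptions.

```python
import hashlib, json, os, smtplib, sys
from email.message import EmailMessage

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 and mode bits."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow symlinks out of the web root
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = oct(os.stat(path).st_mode & 0o777)
            result[os.path.relpath(path, root)] = [digest, mode]
    return result

def compare(old, new):
    """Return sorted lists of added, removed and changed paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed

def audit(root, baseline_path):
    """Compare root with the stored baseline; return a report or None if clean."""
    new = snapshot(root)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as fh:
            json.dump(new, fh)  # first run: record the known-good state
        return None
    with open(baseline_path) as fh:
        old = json.load(fh)
    added, removed, changed = compare(old, new)
    lines = [f"{tag} {p}" for tag, paths in
             (("ADDED", added), ("REMOVED", removed), ("CHANGED", changed))
             for p in paths]
    return "\n".join(lines) or None

def send_alert(report, to_addr, from_addr="audit@localhost"):
    """Mail the report through an assumed local SMTP server on port 25."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Web root changed", from_addr, to_addr
    msg.set_content(report)
    with smtplib.SMTP("localhost") as smtp:
        smtp.send_message(msg)

if __name__ == "__main__":  # e.g. from cron: audit.py WEBROOT BASELINE ADDRESS
    report = audit(sys.argv[1], sys.argv[2])
    if report:
        send_alert(report, sys.argv[3])
```

Keep the baseline file outside the web root and not writable by the web server account, so that code running on the site cannot rewrite it. The baseline is never updated automatically: after a legitimate change, delete it and rerun to record the new known-good state.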