Hi all,
Need some advice - in fact I need some HELP! - a site I'm working on for a client has been hacked. A copy of Google's Chrome browser report is included below with all the references to the exploit and its location. Also flagged in AVG - site tries to download an ActiveX control in Internet Explorer.
Using MODx Version: 0.9.6.3 / PHP 4 / Register_Globals is set to OFF. I had the problem with the reflect snippet being left in the install folder: /assets/snippets/reflect/snippet.reflect.php - renamed this to a .txt file - made no difference.
List of snippets installed above the standard includes: Easy Events, GoogleMap, MaxiGallery, mPlayer, XSPF JukeBox, YouTube, Easy Newsletter, NewsPublisher.....
Now it seems the site is going to be blacklisted by Google, too.
See Google Chrome's report below:
The website at www.[edit:hackeddomainname].co.uk contains elements from the site gstats.cn, which appears to host malware - software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for gstats.cn.
Learn more about how to protect yourself from harmful software online.
Return to the previous page.
If you are the owner of this website, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google’s Webmaster Help Centre.
Safe Browsing
Diagnostic page for gstats.cn
What is the current listing status for gstats.cn?
Site is listed as suspicious - visiting this website may harm your computer.
Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 4 pages that we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time that Google visited this site was on 2009-06-01, and the last time that suspicious content was found on this site was on 2009-06-01.
Malicious software includes 7 scripting exploit(s), 3 trojan(s).
This site was hosted on 2 network(s) including AS48856, AS41947 (WEBALTA).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, gstats.cn appeared to function as an intermediary for the infection of 23 site(s) including istage.hk/, thaisubtitle.com/, gcc.mn/.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 26 domain(s), including nebeskelampiony.cz/, istage.hk/, gcc.mn/.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
Safe Browsing
Diagnostic page for AS48856
What happened when Google visited sites hosted on this network?
Of the 57 site(s) we tested on this network over the past 90 days, 5 site(s), including, for example, saho-ltd.com/, loskut.cn/, hyipi4nvestment.com/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2009-05-26, and the last time suspicious content was found was on 2009-05-26.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 17 site(s) on this network, including, for example, 95.129.144.0/, bizoplata.ru/, startdontstop.ru/, that appeared to function as intermediaries for the infection of 4456 other site(s) including, for example, livrosweb.com/, diocesejounieh.org.lb/, c4lpt.co.uk/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 32 site(s), including, for example, martuz.cn/, bizoplata.ru/, startdontstop.ru/, that infected 40918 other site(s), including, for example, diocesejounieh.org.lb/, doae.go.th/, prachinburi-museum.go.th/.
Safe Browsing
Diagnostic page for AS41947 (WEBALTA)
What happened when Google visited sites hosted on this network?
Of the 14474 site(s) we tested on this network over the past 90 days, 435 site(s), including, for example, uatraf.org.ua/, traff.org.ua/, eltaroute.com/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2009-06-03, and the last time suspicious content was found was on 2009-06-03.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 26 site(s) on this network, including, for example, s100.ucoz.ru/, brockenmon.cn/, web-masteru.net.ru/, that appeared to function as intermediaries for the infection of 130 other site(s) including, for example, thaidvd.net/, wowcheater.net/, brajeshwar.com/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 36 site(s), including, for example, total-virusprotection.com/, s100.ucoz.ru/, newslentarss.ru/, that infected 170 other site(s), including, for example, krestania.sk/, all4meat.com/, bissnes.org/.