Think I got hit with malware somehow

Evolution-Xtreme -> General Support

#1: Think I got hit with malware somehow Author: bobdude Posted: Tue Mar 14, 2017 3:26 am
    —
 I received an email today with the following information from my hosting ISP:

 Due to the negative impact to our systems, we've removed the following malware from your files:

 html/blamable-filenames.php
 html/coordinated-indirect.php
 html/forgivable-glasswort.php

 Unfortunately, our scans also flagged other content that could be malicious, but due to the nature and usage of these files, we did not remove them as this should be reviewed by a website administrator first. We recommend you log in to your hosting account to review the following content and remove if necessary:

 html/.htaccess
 html/admin/language/lang-english_new.php
 html/broadener-deb.php
 html/language/JAG_Whos_Been/lang-english_new.php
 html/modules/Calendar/includes/index_prevv1.php
 html/modules/Feedback/index_old.php
 html/modules/Reviews/admin/index_noversion.php
 html/themes/RD-BlueTech/scopbin/911006_backup.php
 html/_vti_pvt/writeto_new.php

 I looked at my .htaccess file and it points to coordinated-indirect.php and is totally different from what I had set up.

 Please let me know what I should do to fix this.

#2: Re: Think I got hit with malware somehow Author: coRpSE Location: Back of your mind!!! Posted: Tue Mar 14, 2017 10:18 am
    —
 Well, I am betting most of those files don't belong.

 How long has your site been up?
 What custom mods/modules did you have on your site?

 To start, I would probably start over on the site with fresh files. You probably can keep your DB, but I would start with clean files. Next, I would go over and make sure you didn't create any security holes. I will try doing another video tutorial on that either tonight or tomorrow. If you'd like to talk more about this, feel free to hop on my TS3; just go to my site and look on the right side of my site for my TS3 info.

 Somehow they got on your site and put files throughout your site, so I would also change your FTP passwords and limit who has access to that to trusted people. Also change your cPanel passwords for security. Make sure certain scripts are only open for trusted members and make sure Sentinel and the HoneyPot are installed and configured on your site.

 Last tip, and this goes out to a bunch in the community: never leave installer scripts on your site. Always delete them once the script is installed. I have worked on a few sites where I found 10+ installer scripts.

 But overall, I would get rid of all the files you have and start over with fresh files. The only file I wouldn't delete is the config.php, for that has all your DB info, so at least make a backup of that and upload all fresh files excluding the install.php and the install folder, then just edit in the info from the old config.php to the new config.php.
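Before wiping the site as the reply above recommends, it is worth recording what was actually planted, so the same hole can be recognised if it reappears. The script below does the triage the reply describes in one pass: it diffs the live tree against a clean copy of the same release, lists installer scripts that were never deleted, flags backup-style PHP variants, and prints every .htaccess line that routes requests into a PHP file (the change bobdude saw). This is an added example, not code from the thread or from the Evolution-Xtreme project. The two directory trees it builds are constructed stand-ins: the deployed tree reuses the file names from the hosting notice, and the clean tree is an assumed layout standing in for fresh release files.

```python
"""Triage a web root after a hosting-provider malware notice.

Added example: not code from the thread or the Evolution-Xtreme project.
It assumes a clean copy of the same release is available to diff against.
"""
import re
import tempfile
from pathlib import Path

# Installer artefacts that should never stay on a live site.
INSTALLER_NAMES = {"install.php", "install", "upgrade.php"}
# Backup-style PHP variants such as index_old.php or 911006_backup.php.
SUSPECT_SUFFIX = re.compile(r"_(new|old|backup|prevv?\d*|noversion)\.php$", re.IGNORECASE)
# .htaccess directives that can route requests into an attacker's PHP file.
ROUTING = re.compile(
    r"^\s*(RewriteRule|ErrorDocument|DirectoryIndex|php_value\s+auto_(?:pre|ap)pend_file)\b.*\.php\b",
    re.IGNORECASE,
)


def php_files(root: Path) -> set:
    """Relative POSIX paths of every .php file under root."""
    return {p.relative_to(root).as_posix() for p in root.rglob("*.php") if p.is_file()}


def unknown_files(deployed: Path, clean: Path) -> set:
    """PHP files on the live site that the clean release does not ship."""
    return php_files(deployed) - php_files(clean)


def leftover_installers(deployed: Path) -> set:
    """Installer scripts or folders still present (even if the release ships them)."""
    return {p.relative_to(deployed).as_posix()
            for p in deployed.rglob("*") if p.name.lower() in INSTALLER_NAMES}


def suspect_variants(deployed: Path) -> set:
    """Files whose names look like copies of real modules with a suffix."""
    return {f for f in php_files(deployed) if SUSPECT_SUFFIX.search(f)}


def htaccess_routing(deployed: Path) -> list:
    """Lines in any .htaccess that hand requests to a .php target."""
    hits = []
    for ht in sorted(deployed.rglob(".htaccess")):
        for line in ht.read_text(errors="replace").splitlines():
            if ROUTING.search(line):
                hits.append(f"{ht.relative_to(deployed).as_posix()}: {line.strip()}")
    return hits


def triage(deployed: Path, clean: Path) -> dict:
    """Collect all four findings, sorted so reports are stable."""
    return {
        "unknown": sorted(unknown_files(deployed, clean)),
        "installers": sorted(leftover_installers(deployed)),
        "variants": sorted(suspect_variants(deployed)),
        "routing": htaccess_routing(deployed),
    }


def build_demo() -> tuple:
    """Constructed trees, not the poster's real site. The deployed tree reuses
    the file names from the hosting notice; the clean tree is an assumed layout
    standing in for a fresh copy of the same release."""
    base = Path(tempfile.mkdtemp())
    clean, deployed = base / "clean", base / "html"
    release = ["index.php", "config.php", "install.php",
               "admin/language/lang-english.php",
               "modules/Feedback/index.php",
               "modules/Calendar/includes/index.php"]
    planted = ["coordinated-indirect.php", "blamable-filenames.php",
               "admin/language/lang-english_new.php",
               "modules/Feedback/index_old.php",
               "modules/Calendar/includes/index_prevv1.php",
               "themes/RD-BlueTech/scopbin/911006_backup.php"]
    for root, names in ((clean, release), (deployed, release + planted)):
        for rel in names:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text("<?php // constructed stand-in\n")
    (clean / ".htaccess").write_text("Options -Indexes\n")
    (deployed / ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteCond %{REQUEST_FILENAME} !-f\n"
        "RewriteRule ^(.*)$ coordinated-indirect.php [L]\n"
        "Options -Indexes\n")
    return deployed, clean


if __name__ == "__main__":
    live, fresh = build_demo()
    for key, items in triage(live, fresh).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Run it against the real web root and a freshly unpacked release instead of the demo trees, and keep the report (plus a copy of the planted files, taken offline) before replacing the tree. Note that install.php shows up under "installers" even though it is in the clean release too: shipping with the release does not make it safe to leave in place.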

#3: Re: Think I got hit with malware somehow Author: bobdude Posted: Wed Mar 15, 2017 5:50 am
    —
 My site has been up since 2013 with no mods installed. But I think I found out what I did, or actually did NOT do. After my last install I never updated the .htaccess file and set it up in NukeSentinel.

 So far I went through and deleted all of the extra files that are listed in my initial post. I've actually updated my .htaccess and .staccess files and installed HoneyPot v2.2 along with updating NukeSentinel. But since you have recommended starting from a fresh install I'll be doing that this weekend just to make sure.

 One error that I kept running into in the .htaccess file is this line:

 Options All -Indexes

 By default it is not commented out and was causing me to get an internal error 500. I have commented it out and it seems to be working well now. I recommend that if you are making a new how-to video you include this fix, as it was driving me crazy trying to figure out what was causing my site to not work while setting up the .htaccess file correctly.

 The other line that I couldn't get to work correctly was this:

 AuthUserFile "/home/nuketest/.htpasswds/public_html/passwd"

 Am I supposed to change this to something else? If so, where is it supposed to point to? Thank you for your time and assistance with this.

#4: Re: Think I got hit with malware somehow Author: coRpSE Location: Back of your mind!!! Posted: Wed Mar 15, 2017 9:52 am
    —
 The AuthUserFile should be linked to your .staccess file. You will get the code to put in its place when you set up Sentinel. I will go over that in my video. I am about to do that now. When I am done with the video, I will post the link here.
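The two lines bobdude asked about can be checked before the file is uploaded, which is quicker than reading a 500 off the live site. The linter below is an added example, not code from the thread or from NukeSentinel. It assumes the host's AllowOverride value is known (shared hosts typically grant only some of AuthConfig, FileInfo, Indexes, Limit and Options, and the server error log names any directive it rejects), and it assumes .staccess is an htpasswd-format file of user:hash lines, which matches the description later in the thread. One caveat it encodes: Apache rejects `Options All -Indexes` because bare and +/- flags cannot be mixed on one Options line, so that line fails even on a host that permits Options; `Options -Indexes` is the form that works, and commenting the line out simply gives up directory-listing protection. The .staccess entry it writes is a constructed placeholder, not a real hash.

```python
"""Lint a NukeSentinel-style .htaccess before it goes live.

Added example: not code from the thread or from NukeSentinel. The host's
AllowOverride value is assumed known; .staccess is assumed to be an
htpasswd-format file of user:hash lines.
"""
import re
import tempfile
from pathlib import Path

# Hash shapes Apache's htpasswd writes: apr1-MD5, bcrypt, SHA1, 13-char crypt.
HTPASSWD_HASH = re.compile(
    r"^(\$apr1\$[^$]+\$.+|\$2y\$\d\d\$.{53}|\{SHA\}.+|[./0-9A-Za-z]{13})$")


def directives(text: str):
    """Yield (name, arguments) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            yield name, args.strip()


def check_options(args: str, allow_override: set) -> list:
    """Options fails if the flags mix bare and +/- forms, and fails in
    .htaccess unless AllowOverride grants Options (or All)."""
    problems = []
    flags = args.split()
    signed = [f for f in flags if f[:1] in "+-"]
    if signed and len(signed) != len(flags):
        problems.append(f"Options {args}: bare and +/- flags cannot be mixed (syntax error)")
    if not ({"All", "Options"} & allow_override):
        problems.append("Options: host AllowOverride does not include Options")
    return problems


def check_authuserfile(arg: str, allow_override: set) -> list:
    """AuthUserFile needs AuthConfig, an absolute path that exists, and
    well-formed user:hash entries (the 'random string' after the admin name)."""
    problems = []
    path = Path(arg.strip('"'))
    if not ({"All", "AuthConfig"} & allow_override):
        problems.append("AuthUserFile: host AllowOverride does not include AuthConfig")
    if not path.is_absolute():
        problems.append(f"AuthUserFile {path}: must be an absolute filesystem path")
    elif not path.is_file():
        problems.append(f"AuthUserFile {path}: no such file on this server")
    else:
        for n, line in enumerate(path.read_text().splitlines(), 1):
            if not line.strip():
                continue
            user, sep, digest = line.partition(":")
            if not (sep and user and HTPASSWD_HASH.match(digest)):
                problems.append(f"{path.name} line {n}: not a user:hash entry")
    return problems


def lint(htaccess: str, allow_override: set) -> list:
    """Return every problem found; an empty list means the file should load."""
    problems = []
    for name, args in directives(htaccess):
        if name.lower() == "options":
            problems += check_options(args, allow_override)
        elif name.lower() == "authuserfile":
            problems += check_authuserfile(args, allow_override)
    return problems


def demo() -> tuple:
    """Constructed inputs: the two lines from the thread beside corrected ones,
    linted against a host assumed to allow 'AuthConfig Limit Options'."""
    staccess = Path(tempfile.mkdtemp()) / ".staccess"
    # Placeholder entry for shape only; not a real password hash.
    staccess.write_text("admin:$apr1$constructd$notARealHashJustTheShape\n")
    allow = {"AuthConfig", "Limit", "Options"}
    shipped = ('Options All -Indexes\n'
               'AuthUserFile "/home/nuketest/.htpasswds/public_html/passwd"\n')
    fixed = f'Options -Indexes\nAuthUserFile "{staccess}"\n'
    return lint(shipped, allow), lint(fixed, allow)


if __name__ == "__main__":
    before, after = demo()
    print("shipped:", *before, sep="\n  ")
    print("fixed:", after or "no problems")
```

The AuthUserFile path must be the absolute path of .staccess on the server's own filesystem (the "/home/nuketest/..." line is a template that has to be replaced), and the file should sit where the web server cannot serve it directly. If the lint passes but the site still returns 500, the Apache error log will name the directive the host refuses.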

#5: Re: Think I got hit with malware somehow Author: bobdude Posted: Thu Mar 16, 2017 5:08 am
    —
 Sounds good. I looked at my .staccess file and it has my admin name and a string of random code after it.

#6: Re: Think I got hit with malware somehow Author: coRpSE Location: Back of your mind!!! Posted: Thu Mar 16, 2017 11:16 am
    —
 bobdude wrote:
     Sounds good. I looked at my .staccess file and it has my admin name and a string of random code after it.

 That's correct. That string after your name is your password encrypted.

#7: Re: Think I got hit with malware somehow Author: bobdude Posted: Sat Mar 18, 2017 6:14 am
    —
 Ah OK, I'm not sure how to link it to my .staccess file, so I'm looking forward to seeing how to make sure I'm set up correctly then.

#8: Re: Think I got hit with malware somehow Author: coRpSE Location: Back of your mind!!! Posted: Sat Mar 18, 2017 12:00 pm
    —
 I am done making the video, I just have to edit it.

 Update: Here you go, http://www.headshotdomain.net/modules.php?name=Tutorials&t_op=showtutorial&pid=41

#9: Re: Think I got hit with malware somehow Author: bobdude Posted: Sun Mar 26, 2017 12:21 am
    —
 Awesome, thank you, and sorry for the long response time.

#10: Re: Think I got hit with malware somehow Author: bobdude Posted: Sun Mar 26, 2017 2:04 am
    —
 OK, watched the video. Great info, and as I was checking my settings while you went through them, I caught one that I hadn't changed yet for the dump directory that I didn't see on any other help videos that I've watched. But now that is updated as well.

 Thanks again for all of the help.

#11: Re: Think I got hit with malware somehow Author: coRpSE Location: Back of your mind!!! Posted: Sun Mar 26, 2017 6:44 pm
    —
 No problem.



output generated using printer-friendly topic mod. All times are GMT - 5 Hours