Malware warning
After updating my theme to the latest version I got a lot of problems with editing my site http://www.schelfhoutdancing.nl. When updating blocks, notes like falseID were displayed instead of updated successfully. After making a support ticket, presuming it had something to do with the update, I noticed that my environment had lots of spam in it: long rows of urls with numbers and websites. I restored the original index.php and suddenly I can edit my blocks again. Strange, because I didn't think the index.php had something to do with that. The problems however are still not solved. At the moment I cannot go to my dashboard, because the warning pops up that this site contains malware. What is the problem and how can I solve this?
Yea, as Ryan said, it's pretty much always the server and not c5
Thank you very much Ryan,
I had this once before, reinstalled my pc, cleared the server and built the website from scratch again. No problems after that until it now seems I have the same problem again. I am changing to a new host now, hopefully their security is better.
What I don't understand is why I can just access my website without warning, I can edit any page without problems now, but I can't go to the dashboard. I checked the dashboard files, but they seem to be alright. The only folders which were changed when the problems started were the 'files' folder and the 'packages' folder. The other folders weren't changed over the last month. What file/folder could be triggering the dashboard area to give the warning?
Could it be over after changing server, reinstalling concrete5 and uploading the database? I know it is a little bit off topic, but how to manage that with the installed theme and add-ons?
I didn't see anything unusual on your site before, but I looked again and on the default concrete style pages like the 404, login etc.
http://www.schelfhoutdancing.nl/bla...
I saw some javascript at the bottom that didn't look harmful, but wasn't familiar.
To get a cleaner install running on your new server, here's the process that I'd follow:
- Download a fresh copy of concrete5.4.1.1 from our downloads page
- upload it to your server just like you were setting up a fresh install
- clear your site cache, disable site cache, set the debug mode to developer, clear your logs if you don't care about the log data
- export the database from your existing site
- import the database into the new server
- copy only the following files from your old site to their corresponding location on your new site:
  - /config/site.php
  - /files/*
  - /packages/*
  - any other overrides that you have made, like if you had a custom theme in /themes or any of those other root level folders.
- update your config/site.php to have your new database settings, comment out the lines with BASE_URL and DIR_REL in there if they exist.
Then test and see if it works.
@SchelfhoutR
The reason is that maybe you haven't removed all of the infection. Generally the initial infection attacks the index.php and sometimes proliferates to other files on the server. You might have only removed the spreading mechanism.
When I visit your "For Sale" page, my goggles chrome goes nuts warning me about a JS:IFrame infection. But a few others I tried seemed OK.
Here is more info on what JS:IFrame is, along with tips (and downloadable scripts) on how to find them.
http://diovo.com/2009/03/hidden-iframe-injection-attacks/...
Here's my guess at what's happened:
Someone or something has gained access to your hosting account and was able to modify the index.php file to inject malware into all the pages on your site. Your browser has identified the site as containing malware and will continue to pop up those errors until that's somehow reset.
Here's what I'd do to recover from the event.
- make sure your local machine is virus / malware free & updated.
- change your hosting account password to something very secure.
- go through your entire site looking for any files that look out of the ordinary - keep a close eye on file timestamps as that may give you an idea of when something has changed.
- change your concrete5 password
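
An added example, not code from this thread or from concrete5: a Python script for the "look for files that look out of the ordinary" step above, which is also worth running over the old site's /files, /packages and config before copying them to a new server as described earlier in the thread. The function name `scan`, the regex heuristics and the rule that PHP inside files/ is suspicious are assumptions made for this example.

```python
import os
import re
import sys
import time

# Heuristics chosen for this example (assumptions, not a complete signature set).
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:(?:width|height)\s*[:=]\s*[\"']?[01](?:px)?[\"'\s>;]"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
EVAL_DECODE = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)
TEXT_EXT = {".php", ".js", ".html", ".htm", ".inc"}


def scan(root, changed_since=None):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            try:
                mtime = os.path.getmtime(path)
                text = ""
                if ext in TEXT_EXT:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        text = fh.read()
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            # Timestamp check: anything touched around the time problems began.
            if changed_since is not None and mtime >= changed_since:
                findings.append((rel, "modified since cutoff"))
            # Assumption: uploads in files/ should never be executable PHP.
            if rel.startswith("files/") and ext == ".php":
                findings.append((rel, "script in upload folder"))
            if HIDDEN_IFRAME.search(text):
                findings.append((rel, "hidden iframe"))
            if EVAL_DECODE.search(text):
                findings.append((rel, "eval of decoded string"))
    return sorted(findings)


if __name__ == "__main__":
    site_root = sys.argv[1] if len(sys.argv) > 1 else "."
    month_ago = time.time() - 30 * 86400
    for rel, reason in scan(site_root, month_ago):
        print(f"{reason:24} {rel}")
```

Run it against a downloaded copy of the site, passing the site root as the argument. A hit is a file to open and read, not proof of infection, and a clean result does not rule one out.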