keekwai Nice poster


Offline Joined: Apr 01, 2008 Posts: 50 Location: Thailand
Posted: Wed May 06, 2009 12:12 pm Post subject: gumblar.cn Malware attack on my site!
Hi all
I did a search for "gumblar.cn" .. it seems no one else has got it yet .. but according to a Google search this tosser at "gumblar.cn" has been very active over the last 3 months.
Apparently he "brute forces" his way into your FTP account .. downloads files and re-uploads them with some sort of JavaScript code. (no idea what he expects it to do .. but it does stop my site from working!)
Looking in my FTP window .. I could see many files that were uploaded on May 5th between midnight and 6 a.m. (what a tosser! .. what a way to spend your time!)
My site was "riddled" with new uploaded files .. especially the includes directory. There was also a new file called "image.php" in the image directory .. I deleted that.
So .. I re-uploaded my entire site's backup on my PC (with the exception of "includes/config.php" .. that one I had to download .. remove the malware JavaScript and re-upload it).
OK .. I checked and double-checked that everything was squeaky clean again and tried to load my site.
NOW .. the problem .. I get the following error message ..
Fatal error: Class 'sql_db' not found in /****/****/teachermark.6te.net/includes/db/db.php on line 377
(I replaced some of the address with asterisks)
That line refers to my database name/password etc.
Does DF write anything to that file during installation? Did I overwrite anything by re-uploading a fresh copy of "db.php"?
Thanks in advance
keekwai's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) XP/Apache 2.0/MySQL5.0.77/Dragonfly9.2.1
keekwai Nice poster


Offline Joined: Apr 01, 2008 Posts: 50 Location: Thailand
Posted: Wed May 06, 2009 12:17 pm Post subject: Re: gumblar.cn Malware attack on my site!
Sorry for the extra post .. no edit function for me yet! Here's my site address teachermark.6te.net
keekwai's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) XP/Apache 2.0/MySQL5.0.77/Dragonfly9.2.1
greenday2k Forum Admin


Offline Joined: Aug 11, 2005 Posts: 489 Location: CO
Posted: Thu May 07, 2009 2:41 am Post subject: Re: gumblar.cn Malware attack on my site!
Code:
Parse error: syntax error, unexpected '<' in /home/vhosts/teachermark.6te.net/index.php on line 139
_________________ www.greenday2k.net

greenday2k's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Phoenix • Many Posts •


Offline Joined: Apr 19, 2004 Posts: 8799 Location: Netizen
Posted: Thu May 07, 2009 4:41 am Post subject: Re: gumblar.cn Malware attack on my site!
I moved this to the Server Chat area as it's highly unlikely to be a DF matter.
You'll need to Google this issue and take it up with your (free) host.
Regrettably, you get what you pay for.
Phoenix's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
keekwai Nice poster


Offline Joined: Apr 01, 2008 Posts: 50 Location: Thailand
Posted: Thu May 07, 2009 9:22 am Post subject: Re: gumblar.cn Malware attack on my site!
greenday2k wrote:
Code:
Parse error: syntax error, unexpected '<' in /home/vhosts/teachermark.6te.net/index.php on line 139

I just got home from work. The index.php file has been attacked again! This time at 1pm today. That's what's causing the syntax error. Here's the code that was added to the end of my index.php file. I know it won't help .. but I'll just post it for curiosity's sake.
{script removed - DF policy}
So .. I re-uploaded a fresh copy of index.php .. and now I am back to the aforementioned error again .. namely ..
Quote:
Fatal error: Class 'sql_db' not found in /home/vhosts/teachermark.6te.net/includes/db/db.php on line 377
keekwai's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) XP/Apache 2.0/MySQL5.0.77/Dragonfly9.2.1
keekwai Nice poster


Offline Joined: Apr 01, 2008 Posts: 50 Location: Thailand
Phoenix • Many Posts •


Offline Joined: Apr 19, 2004 Posts: 8799 Location: Netizen
Posted: Thu May 07, 2009 9:36 am Post subject: Re: gumblar.cn Malware attack on my site!
Change CMS by all means but don't expect any difference in a free shared host environment, especially one that appears to be compromised. No CMS will survive an attack through the server itself and you did indicate your FTP was compromised - we cannot stop that.
I sincerely meant "you get what you pay for" - you will get zero help from a zero cost host and I believe your host, and perhaps even one or more of the other free clients, to be the source of your problem.
It is not possible for us to solve what appears to be a hosting issue - have you even discussed it with them?
Phoenix's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Eestlane I18N / L10N Lead Dev


Offline Joined: Apr 06, 2005 Posts: 1404 Location: Estonia
Posted: Thu May 07, 2009 9:50 am Post subject: Re: gumblar.cn Malware attack on my site!
I had the same problem on a pretty lousy server host (it still runs PHP 4 and also support is non-existent). Twice.
What seemed to help was changing the folder permissions to 755 instead of 777 and file permissions to 644.
Also, change all passwords (cPanel, FTP, MySQL user).
To fix the site itself, you have to reupload the files probably.
Eestlane's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux/2.0.63/5.0.67/5.2.8/9.2.1
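The cleanup steps discussed in this thread (checking the server's files against the clean local copy, then applying the 755/644 permissions suggested above), as an added example that is not code from any poster or from Dragonfly CMS. The function names and the idea of running it on a downloaded mirror of the site are assumptions.

```python
import hashlib
import os
import stat

def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")

def tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for base, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(base, name)
            if not os.path.isfile(full):
                continue  # broken symlink or special file
            with open(full, "rb") as fh:
                digests[_rel(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def audit(live_root, clean_root):
    """Compare a mirror of the server with the clean local copy.

    added    - present on the server only (a dropped file such as image.php)
    modified - content differs from the clean copy (e.g. script appended)
    Files edited per site, such as includes/config.php, always show up as
    modified and have to be reviewed by hand.
    """
    live, clean = tree(live_root), tree(clean_root)
    added = sorted(p for p in live if p not in clean)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    return added, modified

def tighten(root):
    """Set directories to 755 and files to 644.

    Returns the paths that were group- or world-writable beforehand.
    """
    loose = []
    for base, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(base, name)
            if os.path.islink(full):
                continue  # chmod would follow the link; leave it alone
            mode = stat.S_IMODE(os.stat(full).st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                loose.append(_rel(full, root))
            os.chmod(full, 0o755 if os.path.isdir(full) else 0o644)
    return sorted(loose)
```

Directories filled through the site itself, such as album pictures and user avatars, are not in the local copy and will all be listed under added.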
keekwai Nice poster


Offline Joined: Apr 01, 2008 Posts: 50 Location: Thailand
Posted: Thu May 07, 2009 9:53 am Post subject: Re: gumblar.cn Malware attack on my site!
Before I posted this query .. I created a subdomain and did a fresh install of DF .. works OK.
As for my original site .. I re-uploaded my complete uninfected backup site plus the config.php with the above malware script removed and get the "Fatal error: Class 'sql_db' not found in /home/vhosts/teachermark.6te.net/includes/db/db.php on line 377" error. That looks like a DF problem to me. But if no one wants to help .. then fair enough .. like you said .. "you get what you pay for" .. and DF is free. I can wear that. No complaints.
Thanks
_________________ Ajarnmark
keekwai's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) XP/Apache 2.0/MySQL5.0.77/Dragonfly9.2.1
Eestlane I18N / L10N Lead Dev


Offline Joined: Apr 06, 2005 Posts: 1404 Location: Estonia
Posted: Thu May 07, 2009 9:56 am Post subject: Re: gumblar.cn Malware attack on my site!
Maybe you should try using the files from the original archive as maybe the backup has some broken files in it.
dragonflycms.org/Downl...ils/id=28/
Eestlane's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux/2.0.63/5.0.67/5.2.8/9.2.1
keekwai Nice poster


Offline Joined: Apr 01, 2008 Posts: 50 Location: Thailand
Posted: Thu May 07, 2009 9:59 am Post subject: Re: gumblar.cn Malware attack on my site!
The backup is the original archive .. with additional modules and blocks etc added. I make the changes on the backup on my PC first .. then upload. None of it has been downloaded .. except for when I originally downloaded the zipped original of course .... (with the exception of Album pics and user avatars)
keekwai's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) XP/Apache 2.0/MySQL5.0.77/Dragonfly9.2.1
rlgura 1000+ Posts Club


Offline Joined: Mar 27, 2006 Posts: 1146 Location: Cleveland, OH USA
Posted: Thu May 07, 2009 5:29 pm Post subject: Re: gumblar.cn Malware attack on my site!
Back to the original error again - I think your host server is compromised.
Anyway, the sql_db class is defined by the db abstraction layer which is defined in includes/config.php.
Make sure your config.php is uncompromised and has the following entry:
define('DB_TYPE', 'mysql');
This will include the includes/db/mysql.php file which defines that class.
_________________ Admin - Great Lakes Web Designs
Theme Designer - WebSite Guru Designs
Site Admin - Families with Food Allergies
rlgura's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux 2.6.27-grsec/Apache 2.2.11/MySQL 5.0.67-community-log/PHP 5.2.8/DF 9.2.1
keekwai Nice poster


Offline Joined: Apr 01, 2008 Posts: 50 Location: Thailand
Posted: Thu May 07, 2009 10:28 pm Post subject: Re: gumblar.cn Malware attack on my site!
Would someone be able to post a copy of a normal config.php (DF 9.2.1) file here so I can compare it with mine? Just remove your db name/password of course!
Thanks
_________________ Ajarnmark
keekwai's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) XP/Apache 2.0/MySQL5.0.77/Dragonfly9.2.1
rlgura 1000+ Posts Club


Offline Joined: Mar 27, 2006 Posts: 1146 Location: Cleveland, OH USA
Posted: Fri May 08, 2009 9:26 pm Post subject: Re: gumblar.cn Malware attack on my site!
Code:
<?php
/*********************************************
CPG Dragonfly CMS
********************************************
Copyright (c) 2004 - 2007 by CPG-Nuke Dev Team
http://dragonflycms.org
Dragonfly is released under the terms and conditions
of the GNU GPL version 2 or any later version
$Source: /cvs/html/install/config.php,v $
$Revision: 9.5 $
$Author: nanocaiordo $
$Date: 2007/04/23 10:43:36 $
**********************************************/
if (!defined('CPG_NUKE')) { exit; }
define('DB_TYPE', 'mysql');
define('DB_CHARSET', NULL); // NULL (is default), latin1, utf8, etc.
$dbhost = 'localhost';
$dbname = 'df';
$dbuname = 'user';
$dbpass = 'pass';
$prefix = 'cms';
$user_prefix = 'cms';
# -- $adminindex -----------------------------------------
# The filename of the admin index page I'd like to use for
# my site
#
# If you change this to something other than it's default
# value, you must also rename the file called 'admin.php'
# to the new value you assigned to this variable
#
# default: admin.php
# --------------------------------------------------------
$adminindex = 'admin.php';
# -- $mainindex ------------------------------------------
# The filename of the main index page I'd like to use for
# my site
#
# If you change this to something other than it's default
# value, you must also rename the file called 'index.php'
# to the new value you assigned to this variable
#
# default: index.php
# --------------------------------------------------------
$mainindex = 'index.php';
# -- admin demo mode -------------------------------------
# Alter the following value to activate the administrative
# system demonstration mode, enabling my users to browse
# my administration menu in a read-only environment
#
# true = enabled
# false = disabled
#
# default: false
# --------------------------------------------------------
define('CPGN_DEMO', false);
# -- debug mode ------------------------------------------
# Alter the following value to activate debug mode, which
# will show debug messages to all users, instead of
# administrators
#
# Warning: Enabling debug mode is NOT recommended for
# production websites
#
# true = enabled
# false = disabled
#
# default: false
# --------------------------------------------------------
define('CPG_DEBUG', false);
# --- WARNING --------------------------
# Do not touch anything below this point
# unless you know what you're doing
# --------------------------------------
$CensorList = array('zak');
$DeniedUserNames = array('operator');
//session_save_path('/home/SOMETHING/tmp');
_________________ Admin - Great Lakes Web Designs
Theme Designer - WebSite Guru Designs
Site Admin - Families with Food Allergies
rlgura's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Linux 2.6.27-grsec/Apache 2.2.11/MySQL 5.0.67-community-log/PHP 5.2.8/DF 9.2.1
keekwai Nice poster


Offline Joined: Apr 01, 2008 Posts: 50 Location: Thailand
Posted: Sat May 09, 2009 12:56 am Post subject: Re: gumblar.cn Malware attack on my site!
Thanks for that rlgura. It's identical to mine (except for the censor list) .. back to the drawing board.
I think I'll drop the database .. re-install DF .. if it's working I'll drop the new DB and upload the old one and see how that goes.
keekwai's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) XP/Apache 2.0/MySQL5.0.77/Dragonfly9.2.1