Finally worked out Pastebin.
Here’s the index.php with the extra coding
<script src=”http://pastebin.com/embed_js.php?i=B1QguY7h”></script>
And here’s the ‘rogue’ code translated
<script src=”http://pastebin.com/embed_js.php?i=uus6mihQ”></script>
Have disabled All-in-one SEO plugin and so far so good. Fingers crossed, that was the issue. If so, all I need now is a reliable SEO.
It’s Back. And yes it looks like some kind of hack. Norton is stopping an attack by “Blackhole Toolkit”.
I have had online checks done of the website and it’s coming up clean
This is very worrying. Guess I’ll have to clean out the website.
It’s a hack, the long string of characters is base 64 encoding and it’s filtering out bots and showing an iframe to real visitors. Within the iframe from another site is some malicious javascript. Your site is infected.
It’s trying to filter out a lot of bots actually so some security crawlers might not be seeing the code. Trust me, you’ve got some cleaning up to do but first you need to secure the server/site and lock it down. Take it offline until you are sure it’s clean.
This is probably not the way to do this but this is what I did.
I copied the files to my hard drive using Filezilla. Sure enough Norton 360 picked up two Trojans in the Simple Forum avatar files. (I immediately afterwards did a deep virus check with Norton 360 to make sure I hadn’t infected my computer.)
I also contacted my host (Sureserver) and they got their hacking experts on to it. This is what I should have done as soon as aI noticed the website behaving oddly. Anyway, they found a third Trojan in the same directory.
They also later discovered that a rogue “base64/eval” code in the phpmyadmin folder was dumping the rogue code in my index.php file. They advised me to kill phpmyadmin as there have been a lot of attacks through those files which are no longer required in any case.
EVERYBODY SHOULD DO THIS NOW! UPGRADES DON’T REMOVE REDUNDANT FOLDERS OR FILES AND THEY ARE VULNERABLE TO ATTACK.
meanwhile I ran the plugin “Exploit Scanner” which picked up literally hundreds of ‘potentially” dangerous code. I copied the results to Sureserver (Word arranges it into a neat table) and they assured me there was no dangerous code in what the scanner had picked up.
As of now I’ve been going about 10 hours without a repetition of the attacks (touch wood). I am now backing up and changing passwords. I have also removed the ability for members of my forum to upload their own avatars.
Oh, and by the way, for the record, it had nothing to do with All-in-one SEO. Sorry about that.
