Comments on: Web site hack loading microsotf.cn

By: ET

ET — Sat, 08 Aug 2009 08:23:32 +0000

I'm in the clear too so far.

By: Oliver

Oliver — Fri, 07 Aug 2009 03:05:07 +0000

Day 5 and I think I am in the clear :) :) :)

By: ET

ET — Wed, 05 Aug 2009 19:02:24 +0000

Day 4 for me too
setting permissions in Filezilla (index pages now 644), cleaning out the bad script in index pages, blocking IP, updating Adobe Acrobat Reader, changing passwords (although that didn't work in the past), disabling anonymous FTP in CPanel for Bluehost clients, doing scans with AGV and Malwarebytes (scanning never found anything in the past though), turning “register_globals” to “Off” in my php.ini file for my online store–I think those are all the steps I took. One step I didn't take yet but will is to update Cubecart for my online store. Not many people are posting anymore so I wonder if this hacker is busted.

By: Oliver

Oliver — Wed, 05 Aug 2009 00:05:41 +0000

Day 4 and still clean…I think my solution worked :)

By: Oliver

Oliver — Mon, 03 Aug 2009 22:25:19 +0000

Day 3 and still untouched

By: Oliver

Oliver — Mon, 03 Aug 2009 22:24:43 +0000

The site is actually mine and it is a Vbulletin site. There is no virus anywhere because the script was supposed to redirect anyone that clicked on it to another site with the virus on it. Unfortunately for whoever wrote the code, Vbulletin only interpreted it as a Parse error and would show you which file the error was on and which line of code.
This is what shows up as the error where ** is my site directory:

*Parse error*: syntax error, unexpected ';', expecting T_VARIABLE or '$' in* /**/**/**/showthread.php* on line* 352*

By: ET

ET — Mon, 03 Aug 2009 19:05:25 +0000

In repsonse to this: “I found that his account was the one that had been used to access the server files so it is quite possible that his computer had been compromised.” Does that mean that your client now has this virus and he needs to take all the measures you did to secure his computer and/or site?

By: ET

ET — Mon, 03 Aug 2009 18:31:25 +0000

Oliver,
Thank you for your answer. I will take those steps. I get so nervous too. My heart drops when I see that stupid script in my client's index pages.

By: Oliver

Oliver — Sun, 02 Aug 2009 20:35:34 +0000

Day 2 and site is still untouched even though I see many hits from IP's in China, Russia, Kazakhstan, Norway and many others. Fingers are crossed and I get nervous every time I click on my site.

By: Oliver

Oliver — Sun, 02 Aug 2009 20:30:54 +0000

Actually I disabled anonymous FTP and deleted an FTP account of one of my admins. Checking through the logs, I found that his account was the one that had been used to access the server files so it is quite possible that his computer had been compromised. I did all these actions through the hosts Cpanel.