Karagor

Yandex detected malicious code on the forum


Is this after the site was checked? What was the verdict?

Malicious code:

  • accesses addresses that are on Yandex's blacklist as malware distributors;
  • contains an exploit (according to Yandex's behavioral analyzer);

The access to an address that is on Yandex's blacklist could be the problem: that means embedded images or scripts from third-party resources. But I don't see the behavioral analysis; perhaps this is old data. Re-check the site and wait for the report.

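Added example (not part of the original thread): one way to audit a saved forum page for the third-party images and scripts mentioned in the post above, so each external host can be reviewed before requesting a re-check. The hosts, paths and the `audit` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute can make the browser fetch a remote resource.
FETCHING_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "embed": "src", "object": "data", "link": "href"}


class ExternalResourceAudit(HTMLParser):
    """Collect resources a page loads from hosts other than its own."""

    def __init__(self, page_url, allowed_hosts=()):
        super().__init__()
        self.page_url = page_url
        self.trusted = {urlparse(page_url).hostname, *allowed_hosts}
        self.findings = []  # (tag, absolute URL) for every untrusted host

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # urljoin resolves relative paths and protocol-relative //host/x URLs
        url = urljoin(self.page_url, value.strip())
        host = urlparse(url).hostname
        if host and host not in self.trusted:
            self.findings.append((tag, url))


def audit(html, page_url, allowed_hosts=()):
    """Return [(tag, url), ...] for resources served from untrusted hosts."""
    parser = ExternalResourceAudit(page_url, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup; every host and path is a placeholder.
SAMPLE = """<link rel="stylesheet" href="/public/style_css/main.css">
<script src="http://forum.example/public/js/ipb.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="http://unknown-host.example.org/x.js"></script>
<img src="http://img-host.example.com/sig.png">"""

if __name__ == "__main__":
    for tag, url in audit(SAMPLE, "http://forum.example/index.php",
                          allowed_hosts={"cdn.example.net"}):
        print(tag, url)
```
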

The check was done before I did what you said.

I requested a re-check back on the 2nd; there is no answer yet, so I'm sitting and waiting.

I really hope your recommendations have had an effect.


The admin reported that there were attempts to log in to the admin center with two of the three admin accounts. One attempt was made for each account. The passwords used were specific, not random, which confirms the assumption of a hack through injection and a leak of the administrators' passwords.

The infected-site label has already been removed from it after a re-check in Yandex Webmaster (it took about three to four days).


The re-check has finally gone through, and here is the good news:

The last check of the site on 9 February 2015 found no pages containing malicious code. The site is shown in search results without any warning labels.

Huge thanks to everyone and especially siv1987!!!

My takeaway is that you should never delay installing patches.


Guys, I have an identical problem but I can't find a solution.

Can I write here in English?


The solution for this problem is on the first page of the second message. Use Google Translate.

The main point of the cleanup is:


You have a virus. You can check this at the URL myforum.pl/index.php?ipbv=hash&g=js. A white page means that the forum is infected. You need to:

- delete the virus from the template includeJs, group Globals, in the admincenter (from all skins). Sometimes the virus is left only in the cache, so proceed to the next step.

- rebuild the skins cache

- change the passwords of all users who have access to the admincenter! It is very important.

- change the database password

- change the FTP password

- install all the latest security patches or upgrade to the latest version

- additionally, look for shells on the FTP


Yeah, I saw that. But I have a question. On my community I have 2 skins, and I don't really know if my includeJS is clean of suspicious code. Below I paste two of my files. Please check them for additional suspicious code:

http://wklej.org/id/1637307/
http://wklej.org/id/1637306/

Thx a lot


Sometimes the virus is only in the cache. Then you need to rebuild the skin caches to remove the malware from the cache: Template Tools -> Recache Skin Sets


Sometimes the virus is only in the cache. Then you need to rebuild the skin caches to remove the malware from the cache: Template Tools -> Recache Skin Sets

After this the issue is gone, but it comes back after a couple of days. But I saw something strange: it always comes back on Monday. I checked in the ACP and only one cron job runs every Monday:

http://prntscr.com/65vsnt

Is it possible that the problem is something there?

After this the issue is gone, but it comes back after a couple of days.

Did you change the passwords of all administrators? Did you change the DB password? It is important, because allegedly the hacking occurs through leakage of passwords. Also, be sure to install all the latest security patches.

Is it possible that the problem is something there?

Maybe. But this is a standard task; we need to look at the code of this task. Attach the file /admin/applications/core/tasks/minifycleanup.php


For now I did:

- rebuild the skins cache

- change the passwords of all users who have access to the admincenter! It is very important.

- change the database password

- change the FTP password

- additionally, look for shells on the FTP <----------------- didn't find any strange files

minifycleanup.php, but it's after the recache

http://wklej.org/id/1637342/


minifycleanup.php, but it's after the recache

Minify is clean.

For now I did:

OK. Now wait and watch the forum. Pay attention to unsuccessful attempts to log in to the admincenter. No more code should appear. If it appears again, a more comprehensive approach to the problem is needed. Most likely there is a backdoor somewhere that needs to be found.


OK... for now I send you a BIG THANKS


Did you install the latest security patches from November 2014? Version 3.4.7 installed before this date is vulnerable. Make sure that your distribution is fresh.

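Added example (not part of the original thread, and not IP.Board code): the advice above to look for shells on the FTP and to make sure the distribution is fresh can be checked by hashing the live forum directory against an unpacked clean copy of the same version. The directory trees here are constructed in temporary folders; `compare` and `demo` are illustrative names.

```python
import hashlib
import os
import tempfile

CODE_EXT = (".php", ".js", ".htaccess")  # file types that can carry injected code


def digests(root):
    """Map relative path -> SHA-256 for every code file under root."""
    out = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(CODE_EXT):
                path = os.path.join(folder, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def compare(clean_root, live_root):
    """Return (modified, extra): files that differ from, or are absent in, the clean copy."""
    clean, live = digests(clean_root), digests(live_root)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    extra = sorted(p for p in live if p not in clean)
    return modified, extra


def demo():
    """Build two small constructed trees and compare them."""
    def write(root, rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            write(root, "index.php", "<?php // front controller\n")
            write(root, "admin/applications/core/tasks/minifycleanup.php", "<?php // task\n")
        # Constructed differences: one altered file, one file the distribution never shipped.
        write(live, "index.php", "<?php // front controller\n// altered line\n")
        write(live, "uploads/profile/cache.php", "<?php // unexpected file\n")
        return compare(clean, live)


if __name__ == "__main__":
    modified, extra = demo()
    print("modified:", modified)
    print("extra:", extra)
```

On a real installation the extra list will also contain legitimate local files (configuration, caches, installed add-ons), so each entry needs a manual look. The comparison covers files on disk only.
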
