Icy Phoenix
Old Support Topics - Need Urgent Help!
slavija333 [ Fri 13 Jun, 2008 22:44 ]
Post subject: Need Urgent Help!
Hello, I need help with an Icy Phoenix board. I had lots of "malware" things going on on the forum recently, so I checked what I could do to eliminate the worm in the Admin index. I've been into CrackerTracker and I think when I pressed Security Recovery, now the Admin index doesn't work, and the Forum looks like it lost all main graphic things.
Check it out -
Link Removed - WARNING: The website has an active virus. 
slavija333 [ Fri 13 Jun, 2008 23:29 ]
Post subject: Re: Need Urgent Help!
Please help
Limun [ Fri 13 Jun, 2008 23:35 ]
Post subject: Re: Need Urgent Help!
I'm not an expert, but to me it seems that some files are missing on your server.
Did you check if all the files of Icy Phoenix are there?
slavija333 [ Fri 13 Jun, 2008 23:39 ]
Post subject: Re: Need Urgent Help!
Quote:
I'm not an expert, but to me it seems that some files are missing on your server.
Did you check if all the files of Icy Phoenix are there?

Well I think they must be, I didn't delete anything, I just emptied the logs for bad logins and so on. It won't connect me to ACP.
slavija333 [ Fri 13 Jun, 2008 23:40 ]
Post subject: Re: Need Urgent Help!
And as you said, I am not an expert either.
Limun [ Fri 13 Jun, 2008 23:49 ]
Post subject: Re: Need Urgent Help!
Well, it costs you nothing to check...
Especially the .css in the template that you use, and I think you use icyphoenix, so style_ice.css.
slavija333 [ Fri 13 Jun, 2008 23:50 ]
Post subject: Re: Need Urgent Help!
Quote:
Well, it costs you nothing to check...
Especially the .css in the template that you use, and I think you use icyphoenix, so style_ice.css.

Brother, I don't understand anything about such things; I know how to set up a forum, but I have no idea about these .css and mysql things.
I don't know anything about .css and mysql things.

slavija333 [ Fri 13 Jun, 2008 23:56 ]
Post subject: Re: Need Urgent Help!
MySQL returned an empty result set (i.e. zero rows). (Query took 0.0003 sec)
Omg, some databases are empty, but I still see posts, topics and such on the forum. LOGIN_IP is empty, as is IP_Acronyms, whatever that is.
Limun [ Sat 14 Jun, 2008 00:12 ]
Post subject: Re: Need Urgent Help!
Man, don't panic...
Your database is OK, I think.
Look at this:
http://limunicy.freehostia.com/
Is it a similar view to yours? I just deleted my style_ice.css from templates/mg_themes and got the same result as yours.
slavija333 [ Sat 14 Jun, 2008 03:54 ]
Post subject: Re: Need Urgent Help!
Quote:
Man, don't panic...
Your database is OK, I think.
Look at this:
http://limunicy.freehostia.com/
Is it a similar view to yours? I just deleted my style_ice.css from templates/mg_themes and got the same result as yours.

Yes, it's the same, but that's design; still, I can't access the ACP or anything else. I can just watch the forum and the first page. Can you tell me how to repair this? Thank you, brother.
Limun [ Sat 14 Jun, 2008 04:20 ]
Post subject: Re: Need Urgent Help!
Well, first try to upload "style_ice.css" from your previously made backup to templates/mg_themes (I suppose that the style you use is icyphoenix).
Do you have a backup?
Also, before this, back up the "style_ice.css" that is on your server and put it in some safe place.
Limun [ Sat 14 Jun, 2008 04:22 ]
Post subject: Re: Need Urgent Help!
Maybe this is not the problem and I'm wrong... but try it.
Lopalong [ Sat 14 Jun, 2008 05:23 ]
Post subject: Re: Need Urgent Help!
You have an active Virus embedded in your home page and your link has been removed.
Please see your first post.
Quote:
JS/Psyme is detection for malicious code embedded in web pages (often on compromised websites). This code attempts to exploit unpatched security vulnerabilities in order to install malware onto the system. Visited web pages are cached in the Temporary Internet folders and antivirus software scanning these folders will
[more]
http://antivirus.about.com/od/virusdescriptions/a/jspsyme.htm
buldo [ Sat 14 Jun, 2008 23:00 ]
Post subject: Re: Need Urgent Help!
slavija333, did you add some extra code (like visit counters) or any HTML block?
slavija333 [ Sun 15 Jun, 2008 01:05 ]
Post subject: Re: Need Urgent Help!
Quote:
You have an active Virus embedded in your home page and your link has been removed.
Please see your first post.
Quote:
JS/Psyme is detection for malicious code embedded in web pages (often on compromised websites). This code attempts to exploit unpatched security vulnerabilities in order to install malware onto the system. Visited web pages are cached in the Temporary Internet folders and antivirus software scanning these folders will
[more]
http://antivirus.about.com/od/virusdescriptions/a/jspsyme.htm

I know, sorry, this is what I wanted to remove, but instead I suppose I removed the thing I shouldn't.
slavija333 [ Sun 15 Jun, 2008 01:06 ]
Post subject: Re: Need Urgent Help!
Quote:
slavija333, did you add some extra code (like visit counters) or any HTML block?

I added statcounter, then freemeteo, then Google Translate, a chat hosted on another site and so on. Why?
And btw, Limun, I don't have any backup. What now? Does anyone have an idea?
Limun [ Sun 15 Jun, 2008 01:19 ]
Post subject: Re: Need Urgent Help!
Quote:
And btw, Limun, I don't have any backup. What now? Does anyone have an idea?

Check in your FTP root, in templates/mg_themes, whether you have this file "style_ice.css",
or send me your FTP username and password by PM so I will check, if you want.

Lopalong [ Sun 15 Jun, 2008 01:27 ]
Post subject: Re: Need Urgent Help!
You should shut your site down until you either get rid of the virus by elimination or re-installation, because all you are doing at present is helping to spread the thing.

slavija333 [ Sun 15 Jun, 2008 01:29 ]
Post subject: Re: Need Urgent Help!
Quote:
You should shut your site down until you either get rid of the virus by elimination or re-installation, because all you are doing at present is helping to spread the thing.

Damn, can I somehow save the topics post and registered users? I would appreciate any solution.
Limun [ Sun 15 Jun, 2008 01:32 ]
Post subject: Re: Need Urgent Help!
Quote:
Damn, can I somehow save the topics post and registered users? I would appreciate any solution.

For this, download your database via your cp panel on the server or phpMyAdmin.
slavija333 [ Sun 15 Jun, 2008 01:34 ]
Post subject: Re: Need Urgent Help!
Quote:
Damn, can I somehow save the topics post and registered users? I would appreciate any solution.
For this, download your database via your cp panel on the server or phpMyAdmin.

Do you have any time or MSN to explain to me how I can do that? Sorry to disturb you, I won't take up much of your time.

Lopalong [ Sun 15 Jun, 2008 02:06 ]
Post subject: Re: Need Urgent Help!
Quote:
Damn, can I somehow save the topics post and registered users? I would appreciate any solution.

Depending on your host, you could .zip the whole forum and download it to your PC, else you could just download the whole thing as it is.
The second option will take some time, but it may be wise to back up the forum that way - infected or not.
If you need any more help, then consider giving someone your FTP and CPanel details (You can always change them later). You could also PM me the EXACT details of your config.php file, and I'll see if I can connect to your DB from here.
novice programmer [ Sun 15 Jun, 2008 13:03 ]
Post subject: Re: Need Urgent Help!
I do not think the virus got into his webpage because of some code he added through the ACP/CMS, so I recommend that you get the logs from your server starting from 2 weeks before you detected the virus was active on your website. I think that should be enough time.
Please get those logs as fast as you can, as servers only store those logs for 1-2 months. The most secure way is to contact your hosting support staff.
What can we do with those logs?
With the logs we can find the web pages that people have accessed, and surely the one(s) with the strings the hacker used to get in and inject the code that makes your webpage give that virus to the users.
Please try to get them and send them to whoever you want on the Staff.
Also, make a backup of the current files and the database and store them away from any web server. They could be required by the Staff when we find the vulnerability the hacker used to inject that malicious code, in order to make the security patch.
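
Added example (not part of any post in this thread): a first-pass triage of web server access logs covering the two weeks before detection, as the post above recommends. The log lines, addresses, file names, detection date and the heuristics themselves are constructed assumptions; they only select requests for a manual look.

```python
# Added example: triage access-log lines from the weeks before detection.
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qsl

# Common/combined log format: ip, timestamp, request line, status.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Heuristics (assumptions, not taken from the thread): parameter values that
# carry a URL, markup, path traversal or SQL keywords deserve a manual look.
SUSPICIOUS = {
    "url-in-parameter": re.compile(r"^(?:https?|ftp)://", re.I),
    "markup-in-parameter": re.compile(r"<\s*(?:script|iframe)", re.I),
    "path-traversal": re.compile(r"\.\./"),
    "sql-keywords": re.compile(r"\bunion\b.+\bselect\b", re.I),
}

def triage(lines, detected, days=14):
    """Return (timestamp, ip, target, reasons) for flagged requests in the window."""
    start = detected - timedelta(days=days)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not (start <= ts <= detected):
            continue
        # parse_qsl percent-decodes values, so encoded payloads are matched too.
        params = parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True)
        reasons = sorted({name for _, value in params
                          for name, rx in SUSPICIOUS.items() if rx.search(value)})
        if reasons:
            hits.append((ts, m["ip"], m["target"], reasons))
    return hits

SAMPLE_LOG = [  # constructed lines, documentation-range addresses
    '192.0.2.10 - - [05/Jun/2008:10:01:02 +0000] "GET /viewtopic.php?t=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Jun/2008:03:14:15 +0000] "GET /page.php?file=http%3A%2F%2Fhost.example%2Fa.txt HTTP/1.1" 200 311',
    '198.51.100.7 - - [20/May/2008:03:14:15 +0000] "GET /page.php?file=..%2F..%2Fconfig HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for ts, ip, target, reasons in triage(SAMPLE_LOG, datetime(2008, 6, 13, tzinfo=timezone.utc)):
        print(ts.isoformat(), ip, target, ",".join(reasons))
```

Widening `days` pulls in older entries, which matters because hosts may rotate these logs away after a month or two.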
buldo [ Sun 15 Jun, 2008 13:38 ]
Post subject: Re: Need Urgent Help!
Quote:
I added statcounter, then freemeteo, then Google Translate, a chat hosted on another site and so on. Why?

Because I think that the advice you get depends on one of those services (probably the counter). Try to turn off those blocks and see if you get notifications.
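
Added example (not part of any post in this thread): one way to check which added block is responsible is to list every external host a saved copy of the page loads scripts or frames from, and compare it with the services the owner added on purpose. The allowlisted host names, the sample page and `unexpected.example` are constructed assumptions.

```python
# Added example: list external script/frame sources that are not on an allowlist.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts of the services the site owner added on purpose.
EXPECTED_HOSTS = {"statcounter.com", "freemeteo.com", "translate.google.com"}

class EmbedCollector(HTMLParser):
    """Record (tag, url, line) for each element that loads content from another host."""
    URL_ATTR = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTR.get(tag)
        url = dict(attrs).get(attr) if attr else None
        # Relative URLs have no host part and stay on the site itself.
        if url and urlparse(url.strip()).netloc:
            self.found.append((tag, url.strip(), self.getpos()[0]))

def host_allowed(host, expected):
    """True if host equals an expected host or is a subdomain of one."""
    host = host.lower()
    return any(host == e or host.endswith("." + e) for e in expected)

def unexpected_embeds(html, expected=EXPECTED_HOSTS):
    collector = EmbedCollector()
    collector.feed(html)
    return [hit for hit in collector.found
            if not host_allowed(urlparse(hit[1]).hostname or "", expected)]

# Constructed sample page; unexpected.example stands in for an unknown host.
SAMPLE_PAGE = """<html><body>
<script src="http://www.statcounter.com/counter/counter.js"></script>
<iframe src="http://freemeteo.com/widget" width="200"></iframe>
<iframe src="http://unexpected.example/x" width="0" height="0"></iframe>
<script src="js/local.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, url, line in unexpected_embeds(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads from {url}")
```

Run it on a copy of the page fetched with a command-line client rather than a browser, so the embedded code is never executed.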
Limun [ Sun 15 Jun, 2008 13:45 ]
Post subject: Re: Need Urgent Help!
I will add this...
In his database he has
about 124 ip_ tables (I have 147 in mine),
and he also has phpbb tables.
And a second strange thing:
in my database all ip_ tables are type MyISAM,
but in his some ip_ tables like ip_logins are InnoDB.
Lopalong [ Sun 15 Jun, 2008 15:57 ]
Post subject: Re: Need Urgent Help!
The phpBB prefixes suggest that someone has been trying to install phpBB mods without changing the prefix in the SQL?
It could have also opened up avenues for exploits, as I understand that some of the old mods didn't have escape strings for Db queries. Don't know a real lot about that though, as the only thing I know is what I read.
InnoDB is an alternative DB that either the server may be using or the MOD applications may be using. That's how I read it here. Whether it's compatible with IP and MySQL is another matter.
http://en.wikipedia.org/wiki/InnoDB