Malware and database update

Hello, I have been using SPIP for a while and until now I have had no problems, apart from some people publishing junk mail on the site. I changed the option for sending messages to the site, and the problem was solved.
Now, however, I am getting Google malware messages blocking direct access to my site. Has anybody had the same problem, and does anybody have any idea how to solve it?
I guess the malware must be in the ad/junk messages some people (almost all of them from China) published or tried to publish. Those messages can only be made invisible (to visitors) but apparently not erased from the database; is there a way to erase them for good?
More importantly, how to check if there is malware?

Any help appreciated.

Carmine Colacino
www.duesicilie.org

More importantly, how to check if there is malware ?

hmmm.
I am so sorry, but yes! You have a malicious link in your pages…

I think that all of your index.php files are compromised with a hidden iframe just before the closing tag

[malicious code here]

It is an attack made with a stolen FTP password (often the cause is FileZilla).

  • you must clean all the computers which have FTP access,
  • then you must modify the passwords (FTP, SQL, SPIP)
  • then clean up your files (on your server) and empty the cache (all tmp/cache/)

good luck

@@@@@
E -00 comme on est very beaux dis !
' ) / |_ ==" { denisb @ laposte.net }`

Carmine,

I suggest that you write either to the English-speaking SPIP list, spip-en@rezo.net or to the Italian one, spip-it@rezo.net. The spip-trad list is really only for communication on matters concerning the translation of SPIP.

best wishes,
Paolo

On 06/05/10 22:59, Carmine COLACINO wrote:

spip-trad@rezo.net - http://listes.rezo.net/mailman/listinfo/spip-trad
http://www.spip.net/
irc://irc.freenode.net/spip

Hi,

On Thu, May 6, 2010 at 11:46 PM, denisb <denisb@laposte.net> wrote:

More importantly, how to check if there is malware ?

hmmm.
I am so sorry, but yes! You have a malicious link in your pages…

I think that all of your index.php files are compromised with a hidden iframe just before the closing tag

[malicious code here]

In my case the malicious code is AFTER
wget http://www.duesicilie.org

=> The file returned is named « index.html »

Quite suspicious… I check SPIP :
wget http://www.duesicilie.org/spip.php

=> The file returned doesn’t contain the malware.

So that’s simple: just remove the file « index.html » which is in your root directory.

  • And change all your passwords of course.

Finally, check that your root directory isn’t writeable by anybody (it shouldn’t be in 777) ;)

Good luck,

.Gilles

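The checks described in the replies above (a hidden iframe in index files, a static index.html served in place of SPIP's output, a root directory in 777) can be run against a local copy of the web root. This is an added example, not part of any message in the thread; the regular expression, the function names and the constructed sample files are assumptions, and example.invalid is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: checks a web root for the three things
# the replies point at. Patterns, names and sample files are assumptions.
# Hidden iframe: zero width/height or CSS-hidden. Matching is per line, so a
# tag split across several lines is not caught.
HIDDEN_IFRAME_RE="<iframe[^>]*((width|height)=[\"']?0(px)?[\"' />]|display: *none|visibility: *hidden)"

# Files under $1 (.php/.html/.htm) that contain a hidden iframe.
find_hidden_iframes() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -exec grep -liE "$HIDDEN_IFRAME_RE" {} + | sort
}

# Static index.html/index.htm sitting next to spip.php, as in the thread,
# where the site root served index.html instead of SPIP's output.
find_shadowing_index() {
    [ -f "$1/spip.php" ] || return 0
    for f in "$1/index.html" "$1/index.htm"; do
        if [ -f "$f" ]; then echo "$f"; fi
    done
}

# Directories anyone can write to (the "777" case).
find_world_writable() {
    find "$1" -type d -perm -0002 | sort
}

# Build a constructed sample web root for a dry run; prints its path.
make_sample_webroot() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/tmp/cache"
    chmod 755 "$d" "$d/tmp"; chmod 777 "$d/tmp/cache"
    printf '<?php // constructed clean file\n' > "$d/spip.php"
    printf '<html><body>x</body></html><iframe src="http://example.invalid/" width="0" height="0"></iframe>\n' > "$d/index.html"
    printf '<iframe src="http://example.invalid/v" width="560" height="315" frameborder="0"></iframe>\n' > "$d/video.html"
    echo "$d"
}

audit_webroot() {
    echo "== hidden iframes ==";       find_hidden_iframes "$1"
    echo "== static index at root =="; find_shadowing_index "$1"
    echo "== world-writable dirs ==";  find_world_writable "$1"
}

# Usage: sh audit.sh /path/to/webroot   (or: sh audit.sh --demo)
case "${1:-}" in
    --demo) audit_webroot "$(make_sample_webroot)" ;;
    ?*)     audit_webroot "$1" ;;
esac
```

Any file it reports still needs to be compared against a known-good copy of the site before it is deleted or restored.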