We have a site that was compromised possibly via poorly managed file permissions (my fault). Site is on a shared server and it may be that another site on the server was compromised and we were targeted from there - don't know for sure. We have vBulletin and Photopost sharing a database and login data. It seems Photopost was compromised first, and then the forum was compromised. We had a recent version of vBulletin (circa 3.5 or 3.6), but not the most recent.
After much reading here and elsewhere, I have upgraded to 3.8.3 and changed the names of the admincp and modcp folders. Haven't quite mastered how to password protect using .htpasswd and .htaccess, but I'm working on it. I've set myself up as an undeletable user. Also, checking permissions on all files.
But... there remains a script right after the header when viewed in "view page source". Caution: there remains a script on the below link.
the script (in the top of the body) reads (changed to protect this forum):
var dc=document.write
var sd=string.fromcharcode
var exe=url to an executable file on another site
dc(sc(followed by a long series of 2 or 3 digit numbers separated by commas
My question is this - how can I find this script, and possibly others, that have been installed on my site and remove them?
As you can tell from this post, I could probably be categorized as knowing enough to get myself into trouble - which I apparently did.
Any help would be appreciated. I won't be able to check back for about 12 hours or so, but any assistance would prove helpful.
Thanks
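One way to search files on disk for the pattern described in the post above (short aliases for document.write and String.fromCharCode, then a long list of comma-separated numbers), as an added example that is not part of the original thread. The file extensions, the threshold of 16 numbers and the sample page are assumptions; the code only reads files and decodes the number list to text for review, and anything stored in the database is out of its scope.

```python
import os
import re

# A long run of comma-separated 2-3 digit char codes inside parentheses.
CODE_RUN = re.compile(r"\(\s*((?:\d{2,3}\s*,\s*){15,}\d{2,3})\s*\)")
# document.write / String.fromCharCode assigned to a variable, not called.
ALIAS = re.compile(r"=\s*(?:document\.write|String\.fromCharCode)\b(?!\s*\()", re.I)
TEXT_EXT = (".php", ".html", ".htm", ".js", ".tpl", ".inc")  # assumed list

# Constructed sample: a harmless string encoded the way the post describes.
SAMPLE_PAYLOAD = "<b>constructed sample</b>"
SAMPLE_PAGE = (
    "<body>\n<script>var dc=document.write\nvar sc=String.fromCharCode\n"
    "dc(sc(" + ",".join(str(ord(c)) for c in SAMPLE_PAYLOAD) + "))</script>\n"
)

def decode_run(run):
    """Turn '60,98,...' into text for review; nothing is executed."""
    return "".join(chr(int(n)) for n in run.split(","))

def scan_text(text):
    """Return a list of (line_number, reason, decoded_preview) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALIAS.search(line):
            findings.append((lineno, "alias", ""))
        for m in CODE_RUN.finditer(line):
            findings.append((lineno, "charcode-run", decode_run(m.group(1))[:80]))
    return findings

def scan_tree(root):
    """Walk root and scan web-servable text files; returns {path: findings}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TEXT_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="latin-1") as fh:
                    found = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if found:
                hits[path] = found
    return hits

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_PAGE):
        print(finding)
```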