Viral site infections

LyubovL posted 21st of September 2009 in . 58 comments.

We've noticed some web sites have been infected with a new virus. Here is some advice for those whose sites have been infected:

The mode of infection seems to be to insert a small <iframe> at the top of the <body> section.
It may look something similar to this,

<iframe src="http://[url]" width=125 height=125 style="visibility: hidden"></iframe>

It appears that it is getting in via FTP details - obtained by a virus/malware on your computer.
This means you will have to do the following;

1) Contact everyone with FTP access to your site and get them to remove any data referencing the UserName/Password.
That includes removing any "stored" or "saved" info in programs such as SmartFTP/FileZilla etc.
They should have to manually type the UN/PW every time they connect.

2) Contact your host and ask if they can do the following, or do it by yourself;
Immediately change the FTP Access.
Provide a 503 response and a message stating the site is receiving Maintenance
Use a Backup to restore the site to working conditions
If No Backup is available - then you may need to search through All Files for "iframe" and carefully remove any reference of such that are found.  Further - seriously consider making Backups in future (keep 3 at a time). Infected files are index.*, home.*, main.* as usual.

3) Get everyone who had FTP details to Scan/Clean their system.
Programs such as MalwareBytes, AVGFree, SpyBotSearch and Destroy etc. are ALL worth having on any system.
You should also look into obtaining a REAL Firewall (do NOT rely on the Windows one!).
Only permit programs you know to pass through the Firewall.

Source: http://www.google.com/support/forum/p/Webmasters/thread?tid=0cdb473d121b6895&hl=en

 
Comments
·Oldest
·Top
Please login to post a comment.
fugum
fugum21st of September 2009
 
I had posted on this the other day. http://www.expertzzz.com/forumz/?action=goto&cat_id=2#action=goto&topic_id=18570. If this happened to your site, you need to change ALL of your passwords. Not worth messing around with. MalwareBytes now has an IP blocker like Spybot Search and Destroy. Spybot just manipulates your hosts file so that the bad sites are redirected to localhost. Not sure what Malwarebytes does but both are free. I have to say that Malwarebytes is a little bit better than Spybot. see more You should also stop using Internet Explorer. Use FireFox with the Add Blocker Plus module. Last but not least. Update your computer. You can block 80% of whats out there by simply keeping windows up to date. If you do not know how to do any of this, contact me. I will try and help you out to the best of my abilities. Free of charge.

I should not have to say this, but do not go to the site that the script directs you to. It is quite full of nastiness. For even more info see my post above in Expertzzz and read the article in Google.

But, the biggest point that I have is... I have only ever given my ftp details out to a very select few. They are AntonLV, Rayz, Simion and kolimarfey. If your site was hacked, do you have any of those names in common that have done work for you? Maybe we can narrow down who this actually came from.

Not trying to put blame on anyone. Just want that persons computer cleaned up so that they can keep on doing the great work that they do. All four of the guys that have worked on my site have been superb.
PermalinkReplyPlus0 pluses
CALTRADE
CALTRADE21st of September 2009to fugum
 
The password to my hacked site was only shared with Boonex, and no one else. A preliminary scan shows no malware on my computer, but I will use some of the other tools people have recommended here to make sure.
PermalinkReplyPlus0 pluses
killerhaai
killerhaai21st of September 2009to fugum
 
I have a very good security system, but a scan with the antimalware scanner comes up with 8 infections. Also a backdoor (pcctools) in Desktop 3.5.0 :) So use some tools more for your own safety.
PermalinkReplyPlus0 pluses
danielmarseille
danielmarseille21st of September 2009
 
see morehello,

I had this problem --


1
I programmed a computer scan at startup

2
I changed the FTP password

3
I removed the iframe in the infected files


infected files - all files
index.php - index.html - default.php

do not forget the file index.php (ray - skins)
and the
index.html file in the folder (templates - css)

Info

http://www.webologist.co.uk/2009/05/...to-remove.html
http://www.scmagazineus.com/Gumblar-...rticle/136836/
http://www.computerweekly.com/Articl...xaggerated.htm

daniel
PermalinkReplyPlus0 pluses
fugum
fugum21st of September 2009
 
Also look in the Admin folder under index.php. None of the others were changed on mine. And, this is not a problem with Dolphin. Any site can be hacked no matter what you are running on it.
PermalinkReplyPlus0 pluses
danielmarseille
danielmarseille21st of September 2009
 
No this is not a dolphin problem
but a security problem on your computer
PermalinkReplyPlus0 pluses
tyke
tyke21st of September 2009
 
http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/
PermalinkReplyPlus0 pluses
Synergy
Synergy21st of September 2009
 
8-step Viruses/Spyware/Malware Preliminary Removal Instructions: http://www.techspot.com/vb/topic58138.html
PermalinkReplyPlus0 pluses
DosDawg
DosDawg21st of September 2009
 
to all of those who are not able to view the forums frequently enough to stay on top of this. this incident was reported in April of 2009.

wondering why it took 5 months almost to the day for it to become a concern for the community and boonex?

http://www.boonex.com/unity/forums/topic/Dolphin-or-Server-Hacked-.htm

Regards,
DosDawg
PermalinkReplyPlus0 pluses
shaneed
shaneed22nd of September 2009to DosDawg
 
Well, i posted about this too. I guess longer ago... But did'nt got too much feedback on it. Better later than never :)
PermalinkReplyPlus0 pluses
houstonlively
houstonlively21st of September 2009
 
If you all think there's virus problems on servers now, just wait until people unknown to you, start uploading files to your servers using D7's Files Module.
PermalinkReplyPlus0 pluses
Synergy
Synergy22nd of September 2009to houstonlively
 
This is a scary thought. I guess there will not be any virus protection to check it.
PermalinkReplyPlus0 pluses
houstonlively
houstonlively21st of September 2009
 
Then..... people posting all kinds of links to malicious web sites with the Sites Module, is going to be big time fun!
PermalinkReplyPlus0 pluses
ydrargyros
ydrargyros22nd of September 2009
 
this really is a Major Security Risk...
PermalinkReplyPlus0 pluses
Rammstein12
Rammstein1222nd of September 2009
 
I had the same problem with another website i own. After removing every iframe stuff, you need to change all your passwords. That won't help you too much if you don't scan your PC with an antivirus program and remove the trojan virus.

The real stuff that keeps away this infection is chmoding all index.php and index.html files with chmod444, this way the virus won't be able to write anything on your file. I tryed that and it really works. Give it a try and you'll thank me later, i assure you all! see more :)
PermalinkReplyPlus0 pluses
konzept
konzept22nd of September 2009
 
Looks like it works without problems right now.... Thanks! But I am afraid there will be problems because dolphin cant write to the index file, or not?
PermalinkReplyPlus0 pluses
shaneed
shaneed22nd of September 2009
 
Well, i dont want to remember how many times I've cleaned my Dolphin manually from this iframes... Is like 6-7 times?! And i did'nt knew where this comes from, especially that i have like 3 websites on the same account. And all of them got infected.

And yes, i use SmartFTP to manage my websites and Dreamweaver CS4.

Solution 1: Search in ALL of your files starting with INDEX.HTML , INDEX.PHP , DEFAULT.PHP , HOME.PHP and MAIN.PHP . Even if your page is called index_something.php or default_something.php see more . After you cleaned your files of iframes, change your FTP passwords by using a text editor such as Notepad and Copy/Paste it, because keyloggers can't detect copy/paste.

Solution 2: Backup your data and install a fresh Dolphin if you did'nt made too many customizations to your Dolphin, and change your FTP passwords using the same copy/paste method.

Solution 3: Reinstall your windows :)

I had made some investigations about this iframe injection and it seems that there's no other way for getting rid of this annoying thing.

P.S. : For me the 1st option worked. Good luck to you too!
PermalinkReplyPlus0 pluses
fugum
fugum26th of September 2009to shaneed
 
Did you change your passwords? That should be step 4. But why would you re-install windows? Use Malwarebytes and clean the computer up. A lot less work and time involved. It could be that your computer is not even infected. Meaning (as was with me) that someone you had work on your sites is infected.
PermalinkReplyPlus0 pluses
LightWolf
LightWolf22nd of September 2009
 
Maybe we should put a flea collar on our pc and websites...Grrr hate these fleas..Had my 6.1.5 hacked but so far 6.1.6 is okay... And DosDawg you are right this should have been posted a while back to keep us all on alert, even if it is "not" a dolphin problem. But you know I have never had My websites hacked tell I started using Dolphin...Hmmm seems to me someone does not want boonex to have a great product that will give others a run for their money. I am starting to think maybe this see more comes from a ex-member. Or another person connected with another software development to keep dolphin from going global.
PermalinkReplyPlus0 pluses
Show all 17 replies
DosDawg
DosDawg22nd of September 2009to LightWolf
 
lightwolf,
yeah i gave up my conspiracy theorist hat long ago. this has nothing to do with dolphin. this is an age old hack that has been brought back to life. iframes in my lifetime were wearing us with postnuke, wordpress, b2evo, phpnuke, drupal, and many more of the more popular cms' releases.
PermalinkReplyPlus0 pluses
CALTRADE
CALTRADE22nd of September 2009to LightWolf
 
It may be true that "it has nothing to do with Dolphin" but that is not the same thing as saying it has nothing to do with Boonex. This virus spreads by ftp password sharing, and several of us have shared our passwords with Boonex and no one else. We all have to clean up our procedures on this.
PermalinkReplyPlus0 pluses
LightWolf
LightWolf23rd of September 2009to LightWolf
 
I don't share my ftp or cpanel passwords with others. I have only given it out to 1 person and she would not hurt my site as it runs on her server. I have turned down a lot of people wanting to help me over the years here and asked for this info, but something always say's "no way" stupid move,it's just a name online. Is that person honest? Can you say for sure? Or just a good talker? Would you let this person watch your child? Cause to most their sites are their babies...lol
PermalinkReplyPlus0 pluses
bigal022822nd of September 2009
 
If you need to give access to anyone via FTP, cPanel, phhMyAdmin, etc., create a temporary account for them and then delete the account once they are finished. I read somewhere about creating passwords by taking the first letter from an easily remembered phrase that like The Quick Brown Dog Jumped Over The Lazy Fox which is TQBDJOTLF. Add a few numbers or symbols to the mix to make it even more difficult. You can change it once a month by using 01 - 12 for the months, or whatever suits you. I've see more been doing this for some time now, and even if no one has successfully been able to hack my sites, I feel better knowing I've been doing it. I get about 4000 to 5000 attempts a day trying to crack my pop3 accounts. I set my password attempts to 2 so that after two attempts, it blocks any further attempts from that IP.
PermalinkReplyPlus0 pluses
CALTRADE
CALTRADE23rd of September 2009to bigal0228
 
Good suggesting. There are people here spreading the misinformation that this has nothing to do with sharing your FTP - even though all the reports on this say that is exactly what has happened.
PermalinkReplyPlus0 pluses
DosDawg
DosDawg23rd of September 2009to bigal0228
 
im just gonna try to add some information here for the obliquely misinformed. boonex didnt hack your site, didnt necessarily contribute to your site being hacked, and most likely you allowed it yourself in most cases.

If you are using an unsecured FTP client, you are in danger of exposing your passwords to hackers because the passwords are passed between your FTP client and your website in plain text. Use a program like WinSCP, or a FTP client that allows you to connect to your site using SFTP, see more SCP. Both of these methods encrypt your user name and password, making it much more difficult for a hacker to discover them, even if they intercept them with some sort of packet sniffer.

Lock her down!

so as you can see here, it has nothing to do with MALWARE being on your computer to start.

How it works:

Hackers are likely relying on an automated tool to do the dirty work, the hackers add IFrame code to the saved search results on the sites. The next visitor that uses the search tool is then redirected to another Web site by the IFrame code. The second site in turn puts up a message telling the user that a new codec (coder/decoder) needs to be installed. Accepting the codec takes the user to still another site, which actually hosts the malware — a new variant of the Zlob Trojan horse — and installs it on the victim’s PC.

Since i would presume that this word-press site, which anybody who has been around the internet and utilizing open source applications for any period of time has most likely used a WP site, so do you think the owner of that site gave his password to boonex, and boonex had their site infected as well. doubtful.

WordPress Users Beware of IFrame Hack

Posted 04.15.2009 by Frank J in Internet, Security,

source:http://www.techjaws.com/wordpress-users-beware-of-iframe-hack/

Hackers continue to subvert hundreds of thousands of Web pages with IFrame redirects that send unwary users to malware-spewing sites. It was apparently reported that these IFrame redirects have slowed, but they’re still occurring at an alarming rate. A friend of mine, who owns the blog called YourSEOSucks, was recently exposed to the IFrame hack using WordPress 2.7.1.

Sticky: Solution For Iframe Java Script Hack
How does this hacking takes place:

This hacking does not takes place by any PHP application vulnerability nor any kernel bug nor apache bug nor cpanel or Plesk bug. Those accounts files are affected whose FTP logins are leaked.

Beleive me, I am reasearching behind this iframe and java script hack from last 10 months.

ONLY THOSE ACCOUNTS ARE HACKED WHOSE FTP LOGIN DETAILS ARE LEAKED AND ARE WITH HACKER !!!!

How it's done
This is a sophisticated operation, and the infection cycle is involved, but basically, the hacker(s) are setting up innocent looking sites (or using previously hacked sites where the owner is usually unaware of being compromised) and loading them with expensive hacking tools like Mpack. When someone visits that site, their browser is detected and attacked (browsers affected are IE, firefox and opera). The visitor is unaware that they may have a keylogger that sends the persons passwords ect to the hacker(s) and moves on. If the innocent visitor has an ftp or root password for any internet sites, the hackers use a program that goes to the persons site(s) and instantly adds the hidden iframe to every index type page. This is why there seems to be no indication that the site has been compromised, as the hackers already have the ftp or root passwords to login. And since they have at least your account ftp pass, whatever permissions your folders and files are set to make no difference.

After they put the iframe code into that person's pages, anyone visiting that site will be redirected to the hackers infection site, where the person's computer will be injected and infected. The hackers are depending on site owners not knowing their sites have been hacked so that the number of hacked sites will grow (as they have starting in Italy) into the tens of thousands... Please don't think you can depend solely on your antivirus software to protect your computer. It more than likely won't help you. For $1000 dollars, the russian hacking bulletin boards are offering Mpack with 1 year support and a GUARANTEE that virus programs will not catch the keyloggers. SO, keep your virus program updated, but don't depend on it completely!


This way this hack is spreading fastly from one computer to another broadcasting the passwords to hackers.During my research in this, I even found some of the password files collected by the hack on some of the hacked server, where they pass this password file to thier tool to add the code. In some cases Google bots picks this files and you can even find the login details of FTP accounts and Server root login details in google.

===============================================
Solution:
===============================================

For Server Administrators:

If you are having this problem server wide then the only possibility is your root password is used for this. Just change the password and this HACK WILL STOP

For individual person owning just a domain and not server:

If you are facing this problem and your administrator says its only your account, just change the FTP password and it will stop

You must have removed the code many times and it comes again, why ???
As you dont change the FTP password. So change that first.

Just changing password is not complete solution but is the first step.
Whats next, your password is leaked that means your computer is sending out the passwords, so I would suggest you to do a clean format first and then install any antivirus of spyware which you think could block it. But the best solution is to clean format the computer.

Just do the two things:

1) Change the FTP or root password of server
2) Clean format the PC

and take care in future, you dont visit any lof the virsu links made by this hack.
Also to keep your password secure I would suggest you to use any password manager software like:

http://keepass.info/

This is a FREE OpenSource Software

I can assure you this is confirmed solution and will definitely help you all.
Please try it and also when you are confirmed, please spread this message in as many forums as you can so that others also come to know how to stop it.

so as you can all read and this just in case you were wondering is a reliable dependable source:

Source:http://forums.cpanel.net/f7/solution-iframe-java-script-hack-78595.html

houston you are correct, i just want it to be understood this had nothing to do with boonex or dolphin. has nothing to necessarily do with sharing your password at all. if you are on a shared hosting environment, this can be accomplished. if your password for FTP is not encrypted, you can be compromised.

i hope this clears up the air so that we all have some sort of understanding.

the iframe hack has been around for ages that i am aware of, and its a rather common exploit on sites, they have changed their methodology to some degree, but basically you can rest assured it has nothing to do with being incompetent, its more to do with unknowing, that makes those who have been torched victims.

Regards,
DosDawg
PermalinkReplyPlus0 pluses
digit
digit23rd of September 2009
 
This is all sounding a bit ominous pour moi.

where are those rm -r keys?
PermalinkReplyPlus0 pluses
CodeSatori
CodeSatori23rd of September 2009
 
No software is specifically vulnerable for insertions of this particular iframe-snippet, any more than it is to any other data insertions. There are two possible scenarios here:

1. If Dolphin code has security holes that allow malicious code insertion, or that allow remote fetching of data that gives access for the same, then this is a Dolphin issue, and any other data insertions will also be Dolphin issues; not separate issues, just the one bug that allows insertions.

2. Then again, if Dolphin see more doesn't have such security holes, and the insertions happen over compromised FTP accounts, or any other avenue except by interaction with Dolphin, then this isn't a Dolphin issue. As simple as that.

If anyone is interested in finding out which of the two the case might be in your particular case, start screening your HTTP and FTP access logs to see which way the bogeyman came in and changed the files.
PermalinkReplyPlus0 pluses
DosDawg
DosDawg23rd of September 2009to CodeSatori
 
indeed code, read the logs. this will tell just about any and everything you need to know. there are also monitoring apps that you can run on your server that show activity from any and all ftp and ssh logins.

Regards,
DosDawg
PermalinkReplyPlus0 pluses
CodeSatori
CodeSatori23rd of September 2009
 
Now I don't mean to be picky, but isn't LyubovL's post a verbatim copy of this (Autocrat @ Google Webmasters):

http://www.google.com/support/forum/p/Webmasters/thread?tid=0cdb473d121b6895&hl=en

Please respect the author and credit your sources. It's good for him, it's good for people looking for more information, and it's good for one's own reputation.

(For example, the source post has pertinent information on scanning your entire site for other infected files, along with notes on other see more variants to search for.)
PermalinkReplyPlus0 pluses
DosDawg
DosDawg23rd of September 2009to CodeSatori
 
i do believe you are correct, but i think lyubov got it from the forums. but you are correct, you should always state your sources, and give credit. i try to do that with each post i do if i use somebody else work. good call CodeSatori.

Regards,
DosDawg
PermalinkReplyPlus0 pluses
DosDawg
DosDawg23rd of September 2009
 
im just gonna try to add some information here for the obliquely misinformed. boonex didnt hack your site, didnt necessarily contribute to your site being hacked, and most likely you allowed it yourself in most cases.

If you are using an unsecured FTP client, you are in danger of exposing your passwords to hackers because the passwords are passed between your FTP client and your website in plain text. Use a program like WinSCP, or a FTP client that allows you to connect to your site using SFTP, see more SCP. Both of these methods encrypt your user name and password, making it much more difficult for a hacker to discover them, even if they intercept them with some sort of packet sniffer.

Lock her down!

so as you can see here, it has nothing to do with MALWARE being on your computer to start.

How it works:

Hackers are likely relying on an automated tool to do the dirty work, the hackers add IFrame code to the saved search results on the sites. The next visitor that uses the search tool is then redirected to another Web site by the IFrame code. The second site in turn puts up a message telling the user that a new codec (coder/decoder) needs to be installed. Accepting the codec takes the user to still another site, which actually hosts the malware — a new variant of the Zlob Trojan horse — and installs it on the victim’s PC.

Since i would presume that this word-press site, which anybody who has been around the internet and utilizing open source applications for any period of time has most likely used a WP site, so do you think the owner of that site gave his password to boonex, and boonex had their site infected as well. doubtful.

WordPress Users Beware of IFrame Hack

Posted 04.15.2009 by Frank J in Internet, Security,

source:http://www.techjaws.com/wordpress-users-beware-of-iframe-hack/

Hackers continue to subvert hundreds of thousands of Web pages with IFrame redirects that send unwary users to malware-spewing sites. It was apparently reported that these IFrame redirects have slowed, but they’re still occurring at an alarming rate. A friend of mine, who owns the blog called YourSEOSucks, was recently exposed to the IFrame hack using WordPress 2.7.1.

Sticky: Solution For Iframe Java Script Hack
How does this hacking takes place:

This hacking does not takes place by any PHP application vulnerability nor any kernel bug nor apache bug nor cpanel or Plesk bug. Those accounts files are affected whose FTP logins are leaked.

Beleive me, I am reasearching behind this iframe and java script hack from last 10 months.

ONLY THOSE ACCOUNTS ARE HACKED WHOSE FTP LOGIN DETAILS ARE LEAKED AND ARE WITH HACKER !!!!

How it's done
This is a sophisticated operation, and the infection cycle is involved, but basically, the hacker(s) are setting up innocent looking sites (or using previously hacked sites where the owner is usually unaware of being compromised) and loading them with expensive hacking tools like Mpack. When someone visits that site, their browser is detected and attacked (browsers affected are IE, firefox and opera). The visitor is unaware that they may have a keylogger that sends the persons passwords ect to the hacker(s) and moves on. If the innocent visitor has an ftp or root password for any internet sites, the hackers use a program that goes to the persons site(s) and instantly adds the hidden iframe to every index type page. This is why there seems to be no indication that the site has been compromised, as the hackers already have the ftp or root passwords to login. And since they have at least your account ftp pass, whatever permissions your folders and files are set to make no difference.

After they put the iframe code into that person's pages, anyone visiting that site will be redirected to the hackers infection site, where the person's computer will be injected and infected. The hackers are depending on site owners not knowing their sites have been hacked so that the number of hacked sites will grow (as they have starting in Italy) into the tens of thousands... Please don't think you can depend solely on your antivirus software to protect your computer. It more than likely won't help you. For $1000 dollars, the russian hacking bulletin boards are offering Mpack with 1 year support and a GUARANTEE that virus programs will not catch the keyloggers. SO, keep your virus program updated, but don't depend on it completely!


This way this hack is spreading fastly from one computer to another broadcasting the passwords to hackers.During my research in this, I even found some of the password files collected by the hack on some of the hacked server, where they pass this password file to thier tool to add the code. In some cases Google bots picks this files and you can even find the login details of FTP accounts and Server root login details in google.

===============================================
Solution:
===============================================

For Server Administrators:

If you are having this problem server wide then the only possibility is your root password is used for this. Just change the password and this HACK WILL STOP

For individual person owning just a domain and not server:

If you are facing this problem and your administrator says its only your account, just change the FTP password and it will stop

You must have removed the code many times and it comes again, why ???
As you dont change the FTP password. So change that first.

Just changing password is not complete solution but is the first step.
Whats next, your password is leaked that means your computer is sending out the passwords, so I would suggest you to do a clean format first and then install any antivirus of spyware which you think could block it. But the best solution is to clean format the computer.

Just do the two things:

1) Change the FTP or root password of server
2) Clean format the PC

and take care in future, you dont visit any lof the virsu links made by this hack.
Also to keep your password secure I would suggest you to use any password manager software like:

http://keepass.info/

This is a FREE OpenSource Software

I can assure you this is confirmed solution and will definitely help you all.
Please try it and also when you are confirmed, please spread this message in as many forums as you can so that others also come to know how to stop it.

so as you can all read and this just in case you were wondering is a reliable dependable source:

Source:http://forums.cpanel.net/f7/solution-iframe-java-script-hack-78595.html

houston you are correct, i just want it to be understood this had nothing to do with boonex or dolphin. has nothing to necessarily do with sharing your password at all. if you are on a shared hosting environment, this can be accomplished. if your password for FTP is not encrypted, you can be compromised.

i hope this clears up the air so that we all have some sort of understanding.

the iframe hack has been around for ages that i am aware of, and its a rather common exploit on sites, they have changed their methodology to some degree, but basically you can rest assured it has nothing to do with being incompetent, its more to do with unknowing, that makes those who have been torched victims.

Regards,
DosDawg
PermalinkReplyPlus0 pluses
LyubovL
LyubovL23rd of September 2009
 
We raised the question about this virus as we found out that the problem took on a wider scope amongst our clients. Not all of our customers are tech savvy, and lots of them simply start their online business with little knowledge. We were faced with several infected websites during the last week, and the BoonEx staff- developers, support, marketers and sales were warned immediately, as were the owners of the infected sites.

@CodeSatori
YOU are right, the solution was found in Google, and it's see more my fault that we hurried to prevent mass infection of sites and forgot to mention sources. Thanks for the note, it was corrected.
PermalinkReplyPlus0 pluses
CALTRADE
CALTRADE25th of September 2009to LyubovL
 
LyubovL - I was one with an infected site, and I would like to thank you for your quick response and good information. One of your "moderators" is making the ridiculous claim on his blog that people are saying "Boonex hacked my site". I want you to know that absolutely no one said that - he just made it up. You are right though - not all your customers are tech savvy but most know that this was an automated process. It would be absolutely absurd for someone to say that Boonex see more would "hack" their sites if you sent them their passwords- that makes no sense at all - and that is why no one said that. It was a false accusation made by this moderator who for some reason wanted to fabricate some drama.

As all the good information here notes, this problem is caused by password sharing. I appreciate your telling us that "the problem took on a wider scope amongst our clients" - I don't need to know any more than that. I know you have taken this issue seriously and I don't have any problem at all sharing my access information with Boonex. Keep up the good work.
PermalinkReplyPlus0 pluses
houstonlively
houstonlively25th of September 2009to LyubovL
 
"lots of them simply start their online business with little knowledge."

How true this is. If people would take the time to learn how things work, they would be less frustrated all of the time.
PermalinkReplyPlus0 pluses
CALTRADE
CALTRADE26th of September 2009to LyubovL
 
So true - some people don't even have live sites on Dolphin, yet they use this forum for no other reason than to mock and attack people using it to get support.
PermalinkReplyPlus0 pluses
fugum
fugum26th of September 2009
 
WinSCP works really well. Free SFTP program to use with your site. I went through my logs. My site was not scanned (someone listening for passwords). The person or persons must have gotten the password from somewhere else. My other sites (non Dolphin) were not affected so this had nothing to do with my computers.
PermalinkReplyPlus0 pluses
shaneed
shaneed26th of September 2009
 
TIP: One click iframe code removal for Dreamweaver users!

I went mad when i found out that i have to clean my site from another iframe injections. This time were less files infected and easier after i found the easy way to get rid of this shit. Yes, i say it again SHIT :)

Assuming you followed the instructions i posted previously on this blog, you guys, instead of removing the iframe code one by one from your files, use the following steps:

1. Use the "Find & Replace" feature, see more and insert the iframe code, and after that select "Entire site" from the dropdown menu by leaving the "Replace" field BLANK. This way, it will clean all the malicious code from your infected website files.

2. Upload your cleaned files on your server.

I admitt i had to remove the iframe code one by one until just now, when i discovered the magic tool. :) Especially when you have hundreds/thousands of files . And i'm glad i could share it with you all, right away. Cheers!
PermalinkReplyPlus0 pluses
LightWolf
LightWolf26th of September 2009to shaneed
 
Nice info, thanks for sharing with all...Such good karma there.
PermalinkReplyPlus0 pluses
omi_omi
omi_omi28th of September 2009
 
Is that virus attack is worldwide ?

Is there is any automated way to remove from code should we remove manually.. from the code ?

Thanks,
Omi
PermalinkReplyPlus0 pluses
fugum
fugum2nd of October 2009
 
No automated way. Remove the code and change all of your passwords. Best is to replace it with a backup. You should keep at least three backups. One a week depending on the size of your site.
PermalinkReplyPlus0 pluses
fugum
fugum2nd of October 2009
 
This is a response to DosDawg. Your research sounds good. But, why was only my Dolphin site effected? If this was a browser hack, all of my sites would be effected. This happened to someones machine that works or worked for Boonex or does a lot of work for us web site owners. There are users that only gave Boonex their data. So, a machine in their organization is more than likely the culprit. That is really not a big deal and it happens to the biggest and best companies. You can not protect against see more every attack. You can be prepared for the eventuality of one and have good and thorough backups. Time is money. Save both time and money and make backups.
PermalinkReplyPlus0 pluses
 
 
Home
Features
Pricing
Hosting
Support
About
StartDemo
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.

Blogs

Dolphin.Pro News
BoonEx News
Our Journey
Social Software World
Community Voice

Help

Support Forums
Documentation
BoonEx at GitHub
Custom Jobs
Contact Support Team

Product

Dolphin.Pro Features
Live Demo & Sandbox
Download Packages
Pricing & Order
Contact Sales Team

Company

Contact Us
About BoonEx
Privacy Policy
Terms & Conditions
© BoonEx Pty Ltd
SSL
© BoonEx
Home
Features
Pricing
Support
Hosting
About
Demo
PET:0.10584306716919