I must have a setting wrong because when I follow your instructions, the data I enter in the Find what and replace with says that it can't find the data I am searching for. The reason is because it does not contain the whole data. Is there a setting within Notepad++ that I need to change?
@afoster, you may find TextCrawler to be helpful. Download it from http://www.digitalvolcano.co.uk/textcrawler.html
Have you alerted your host (if you use a hosting company) to the issue? The reason I ask is because if there is a server vulnerability, your site will just become reinfected over and over. I had that experience and the host wouldn't attend to the issue, so I had to move my site to a more security-minded host.
I also had this issue a few months ago with my current host, but in that case, it was because of some script vulnerabilities I had with an old classic asp script I had on my site elsewhere. I had to delete all of that and tighten up all of my folder permissions. I converted my site to SSL, also. I used an uninfected backup to restore my site.
It is a good idea to set your site to do regular automated backups, so if/when malicious code injections happen, you can revert to non-infected site code without having to manually remove it. Be aware that the malicious users may also have put code into your database, so automatic db backups are a good idea also. Scan your database for malicious code. You may want to change your database passwords.
(Just my two cents worth, in case any of this may be helpful to someone on down the line.)
Thanks for the tips...yes I have alerted the host. Their tech support told me about the code in the files so they are aware of it. I noticed this yesterday afternoon (Pacific time) and so far I have not seen any other signs of it.
I have updates of the database, about every two days...what would I be looking for in that instance?
I will download your TextCrawler software and see if that helps, as I have a lot of files (other than php-fusion files) that have been infected.
Check for people who may have been made php-fusion admins without your knowledge. Check your custom pages' code, which will be in the database, for unauthorized changes. Using phpmyadmin, you can search for ".js" in your database to help discover malicious code inserted into it.
Easy if you know how to do it, which I don't. I will search for php scripts that will search for strings but I am afraid that the string is too long.
I tried using TextCrawler and in both instances I got a "Not responding" when trying to search for the string. I don't know if it is caused by the length of the string or the program is not working properly. I am running it on a Vista machine, which I believe should not be a problem.
Just search for the beginning parts of the malicious code. Actually, all you need is to search for ".js" (without the quote marks) -- some of the results, such as jquery, will be legit, and some may not. If your case is typical, the js document writes iframes that link to malicious downloads. And there may be a different iframe link for each one, as it is likely they were inserted by a bot. So, searching for the entire string would not be helpful anyhow.
As far as I can tell, the code is inserted in php, htm, html, txt, and js files and looks the same in all files. I will be honest and say that I did not compare the code from file to file, but it is the same length and starts and ends with the <!--569aa9--> code.
Therefore searching for ".js" as you suggest would not help me unless I misunderstand what you are saying.
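The cleanup discussed in this thread, as an added example that was not posted by anyone in the thread: a Python script that walks a site directory, reports files containing the `<!--569aa9-->` marker, and can remove everything between a pair of markers, so the length of the injected string does not matter. It assumes the block closes with the same marker (optionally written `<!--/569aa9-->`); the `.infected` backup suffix and the function names are hypothetical choices.

```python
import re
from pathlib import Path

MARKER = "569aa9"  # marker id quoted in the thread
EXTENSIONS = {".php", ".htm", ".html", ".txt", ".js"}  # file types named in the thread
OPEN = f"<!--{MARKER}-->"
# Assumption: the block closes with the same marker, optionally written with a slash.
BLOCK = re.compile(rf"<!--{MARKER}-->.*?<!--/?{MARKER}-->", re.DOTALL)

def strip_injection(text):
    """Return (cleaned_text, blocks_removed, unpaired_marker_left)."""
    cleaned, removed = BLOCK.subn("", text)
    # An opening marker with no partner needs a manual look, not a blind cut.
    return cleaned, removed, OPEN in cleaned

def scan_tree(root, fix=False):
    """Report marked files under root; with fix=True rewrite them and keep a copy."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        # latin-1 maps every byte to one character, so the rewrite is byte-exact.
        text = path.read_bytes().decode("latin-1")
        cleaned, removed, unpaired = strip_injection(text)
        if removed == 0 and not unpaired:
            continue
        report[str(path)] = {"blocks": removed, "unpaired": unpaired}
        if fix and removed:
            backup = path.with_name(path.name + ".infected")  # hypothetical suffix
            backup.write_bytes(text.encode("latin-1"))
            path.write_bytes(cleaned.encode("latin-1"))
    return report

if __name__ == "__main__":
    import sys
    # Constructed sample page, used when no directory is given on the command line.
    sample = "<html>\n<!--569aa9--><script>/* injected */</script><!--569aa9-->\n</html>"
    if len(sys.argv) > 1:
        for name, info in scan_tree(sys.argv[1], fix="--fix" in sys.argv).items():
            print(name, info)
    else:
        print(strip_injection(sample))
```

Run it without `--fix` first to review the report, and move the `.infected` copies off the web server once the cleaned files are confirmed.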