Check your tmpl files in the ct/templates directory. Those are infected as well, and there are also more .tmpl and .php (no Zend) files in some other dirs.
Just delete unnecessary files under the ct directory (backups, welcome.html, example.html, old data, etc.).
But again, YOU MUST SCAN YOUR PC in advance of code removal.
The hacker has your FTP password, so he will inject the code again automatically. Moreover, this hacker (his remote software) will scan other directories in /home, then it will attack other PHP sites too. My other TGPX and TEVS sites on the same box also got hit.
Once the hacker has your FTP login, changing file/dir permissions won't be a solution.
I found this malware on my PC:
Exploit,PDF.JS-Gen
Trojan.Script.7685
These came from the injected code.
Remove them and reboot. Scan again with another antispyware, reboot, then change server passwords.
Now edit all infected files. Use a server-side text editor or file manager.
If there is a blank line under the <body> tag, scroll to the right and you will find the hidden code.
DON'T load infected or suspicious php/html files with a browser. Your PC will get malware again and it will sniff the new password when you are using FTP.
So the most important thing is that your PC is not infected by malware during code removal.
Good luck.
__________________
254-282-542
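
The blank-looking line under the <body> tag described in the post above can be located without opening any file in a browser. The following is an added example, not part of the original post: it reads .tmpl/.php/.html files as plain text and reports lines whose content only starts after a long run of spaces or tabs. The 80-character threshold, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# File types named in the post (.htm added as an assumption).
EXTS = (".tmpl", ".php", ".html", ".htm")

def scan_file(path, min_pad=80):
    """Return [(line_no, pad_len, preview)] for lines that look blank in an
    editor but carry content pushed far to the right by leading whitespace."""
    hits = []
    # latin-1 decodes any byte, so damaged files never abort the scan.
    with open(path, "r", encoding="latin-1") as fh:
        for no, line in enumerate(fh, 1):
            body = line.rstrip("\r\n")
            stripped = body.lstrip(" \t")
            pad = len(body) - len(stripped)
            if stripped and pad >= min_pad:  # min_pad is an assumed threshold
                hits.append((no, pad, stripped[:60]))
    return hits

def scan_tree(root, min_pad=80):
    """Walk root and map each suspicious file path to its padded lines."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(EXTS):
                path = os.path.join(dirpath, name)
                hits = scan_file(path, min_pad)
                if hits:
                    results[path] = hits
    return results

def demo():
    """Build a constructed ct/templates tree with one clean and one padded file."""
    with tempfile.TemporaryDirectory() as root:
        tdir = os.path.join(root, "ct", "templates")
        os.makedirs(tdir)
        clean = "<html>\n<body>\n<p>hello</p>\n</body>\n</html>\n"
        # Constructed stand-in for injected code: 300 spaces, then a placeholder.
        bad = "<html>\n<body>\n" + " " * 300 + "<!-- CONSTRUCTED-PLACEHOLDER -->\n</body>\n"
        for name, text in (("clean.tmpl", clean), ("bad.tmpl", bad)):
            with open(os.path.join(tdir, name), "w", encoding="latin-1") as fh:
                fh.write(text)
        found = scan_tree(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): h for p, h in found.items()}

if __name__ == "__main__":
    for path, hits in demo().items():
        for no, pad, preview in hits:
            print(f"{path}:{no}: {pad} leading whitespace chars, then {preview!r}")
```

Run it on the server over the ct directory and the other sites under /home; a hit is a line to inspect in a server-side text editor, not proof of infection.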