Bad file being inserted into my sites


I often find a file inserted into the root directory of my forum and it's titled something like this:

"5a29c72470e92aa04d38589f1d49262d"

And it contains this code:

180.76.5.111|180.76.5.180|66.249.73.39|123.125.71.100|60.169.78.52|180.76.5.151|180.76.5.187|180.76.6.212|157.55.32.105|180.76.5.51|180.76.5.48|180.76.5.149|49.212.172.234|91.224.246.104|91.121.1.146|112.123.169.28|180.76.5.168|180.76.5.66|180.76.5.55|180.76.5.99|180.76.5.190|

Looks harmless enough; however, each site that contains this file shows that it is infected when I run it through securi.net.

If I delete the file, it comes right back.

I've been finding this in various sites across different servers that are not connected to each other.

Ideas?

180.76.5.x is Baidu, if I recall correctly, it's a search engine spider that doesn't like to obey crawling rules... But it's not the problem here... Your site has been compromised...

You need to run the php/cgi protection, and you need to upload a completely fresh copy of all IP.Board and any app files...

Also, run the tools to search for security threats in the ACP... ACP > Security center... If it returns a file that doesn't look right, ask us and we'll tell you if it's safe to remove...

But you need to upload a FRESH copy of your board files before you do that... Something may have been injected in your core files that could trigger a security alert.

This is a symptom of your site being compromised. The malicious code that is inserted or present on your server is sending bad HTML to each visitor who requests the page (i.e. a redirect to a malicious site, or an attempt to download a virus), and logging the IP address so that the malicious code is not sent to that visitor again until the next day (which makes it harder to track/test the problem).

I would recommend having your host scan your site for any malicious files. You can also submit a ticket so that a technician can provide you with steps to clean your site out.

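A way to locate this artifact across a web root, as an added example that is not part of the original thread: it flags files whose name looks like an MD5 hex digest and whose whole content is a pipe-separated IPv4 list, the pattern described in the first post. The function names, the size limit and the sample directory are assumptions made for the illustration.

```python
import ipaddress
import re
import tempfile
from pathlib import Path

# Extensionless name shaped like an MD5 hex digest, as in the first post.
HEX32 = re.compile(r"^[0-9a-f]{32}$")

def parse_ip_list(text):
    """Return the addresses if text is only a pipe-separated IPv4 list, else None."""
    parts = [p.strip() for p in text.split("|") if p.strip()]
    try:
        return [str(ipaddress.IPv4Address(p)) for p in parts] or None
    except ValueError:
        return None

def find_visitor_logs(webroot, max_bytes=1_000_000):
    """Return (path, ip_count, mtime) for each file matching name and content."""
    hits = []
    for path in sorted(Path(webroot).rglob("*")):
        if not path.is_file() or not HEX32.match(path.name):
            continue
        st = path.stat()
        if st.st_size > max_bytes:  # assumed limit; these lists are small
            continue
        ips = parse_ip_list(path.read_text(errors="replace"))
        if ips:
            hits.append((path, len(ips), st.st_mtime))
    return hits

def demo():
    """Scan a constructed web root: one matching file, two benign ones."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hi';")
        # Constructed sample using the name and a few addresses quoted in the post.
        (root / "5a29c72470e92aa04d38589f1d49262d").write_text(
            "180.76.5.111|66.249.73.39|157.55.32.105|")
        cache = root / "cache"
        cache.mkdir()
        # Same name shape, but serialized data rather than an IP list.
        (cache / "0123456789abcdef0123456789abcdef").write_text('a:1:{s:3:"key";i:1;}')
        return [(p.relative_to(root).as_posix(), n)
                for p, n, _ in find_visitor_logs(root)]

if __name__ == "__main__":
    print(demo())
```

A hit marks the symptom only: the file returns after deletion because the code that writes it is still on the server, so the modification time is mainly useful for narrowing down which requests in the access log preceded each rewrite.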

Archived

This topic is now archived and is closed to further replies.
