December 11, 2012 in Classic self-hosted technical help
I often find a file inserted into the root directory of my forum and it's titled something like this:
And it contains this code:
Looks harmless enough; however, each site that contains this file shows that it is infected when I run it through securi.net.
If I delete the file, it comes right back.
I've been finding this in various sites across different servers that are not connected to each other.
180.76.5.x is Baidu, if I recall correctly, it's a search engine spider that doesn't like to obey crawling rules... But it's not the problem here... Your site has been compromised...
You need to run the php/cgi protection, and you need to upload a completely fresh copy of all IP.Board and any app files...
Also, run the tools to search for security threats in the ACP... ACP > Security center... If it returns a file that doesn't look right, ask us and we'll tell you if it's safe to remove...
But you need to upload a FRESH copy of your board files before you do that... Something may have been injected in your core files that could trigger a security alert.
This is a symptom of your site being compromised. The malicious code that is inserted or present on your server is sending bad HTML to each visitor who requests the page (i.e. a redirect to a malicious site, or an attempt to download a virus), and logging the IP address so that the malicious code is not sent to that visitor again until the next day (which makes it harder to track/test the problem).
I would recommend having your host scan your site for any malicious files. You can also submit a ticket so that a technician can provide you with steps to clean your site out.
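Added example, not part of the original thread: the replies advise uploading a fresh copy of the board files and checking for files that do not look right. One way to see what actually changed before overwriting is to hash the live web root against an unpacked, known-good copy of the same release. The directory layout and file names in the demo are constructed placeholders, and the function names are this example's own.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large attachments do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root):
    """Map each regular file's path (relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and not p.is_symlink()}

def compare(fresh_root, live_root, ignore=()):
    """Report files added to, changed in, or missing from the live tree.

    `ignore` holds relative path prefixes the site is expected to change
    (an assumption of this example). Keep it short: upload and cache
    directories are common places for dropped files.
    """
    fresh, live = manifest(fresh_root), manifest(live_root)
    skip = lambda rel: bool(ignore) and rel.startswith(tuple(ignore))
    report = {"added": [], "modified": [], "missing": []}
    for rel, digest in live.items():
        if skip(rel):
            continue
        if rel not in fresh:
            report["added"].append(rel)      # e.g. a file that keeps reappearing
        elif fresh[rel] != digest:
            report["modified"].append(rel)   # core file altered after install
    report["missing"] = [r for r in fresh if r not in live and not skip(r)]
    return report

if __name__ == "__main__":
    # Constructed sample trees standing in for the fresh download and the live site.
    with tempfile.TemporaryDirectory() as d:
        fresh, live = Path(d, "fresh"), Path(d, "live")
        for root in (fresh, live):
            root.mkdir()
            (root / "index.php").write_text("<?php // entry point\n")
        (live / "index.php").write_text("<?php // entry point\n/* extra */\n")
        (live / "visitors.txt").write_text("203.0.113.7\n")
        print(compare(fresh, live))
```

Files listed as added or modified are the ones to review or ask about; configuration and user uploads will legitimately differ from the fresh copy.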