RMweb Posted December 29, 2018
I have a site still running 3.4.9 (do not ask! 😰) which has experienced a malware intrusion. Inspecting the page source via Chrome I can see the following JavaScript block (highlighted with pink) planted within the header (shown top left in red).
Could anyone please tell me which folder/directory would house that portion of ipboard_body code? I'm completely useless at finding where Invision places some of its code! Any help appreciated.
steve00 Posted December 29, 2018
If that code appears in all pages then likely global template
RMweb (Author) Posted December 29, 2018
7 minutes ago, steve00 said: If that code appears in all pages then likely global template
Thanks Steve; that's got me heading in the right direction!
AndyF Posted December 29, 2018
I concur, likely All Global Templates > Global Template (I forget the exact wording).
More importantly, how did it get there? Visit the security centre in the ACP. You *have* run the 'IPBoard .htaccess protection' tool at some point, yes? This writes "no execute" to various directories, so if something did get where it should not, at least it would not be able to be run (as in via name.php), which would likely do more damage.
Also worth running the file/directory permission checker too.
AndyF Posted December 29, 2018
Oh, the 'suspicious file checker' would be well worth running too, although given the way it works it *will* by its nature list some 'safe' files, as it picks on size/last modified etc., but it's a start at least. Really you're looking for something like a .php file in the /uploads directory which should not be there.
As daft as it may sound, ensure that /conf_global.php is not writeable either; if you can chmod it down to 0444 that would be quite sensible.
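The two manual checks described in the post above (a PHP file sitting under /uploads, and a conf_global.php that still has write bits set), written as a read-only shell audit. This is an added example, not part of the original thread and not Invision's own tooling; the function names, the constructed sample tree and the wider filename patterns (.phtml, names like x.php.jpg) are assumptions made here.

```shell
#!/bin/sh
# Added example: read-only audit of a forum install directory.
# Assumed layout (from the thread): <root>/uploads and <root>/conf_global.php.

# List files under uploads/ whose names look like PHP scripts.
# Generalised beyond "*.php" to also catch .phtml and names such as x.php.jpg.
find_php_in_uploads() {
    [ -d "$1/uploads" ] || return 0
    find "$1/uploads" -type f \( -iname '*.php*' -o -iname '*.phtml' \) -print
}

# Succeeds (exit 0) if conf_global.php has any write bit set (user, group, other).
# Mode bits are tested rather than [ -w ], which is always true for root.
conf_is_writable() {
    [ -n "$(find "$1/conf_global.php" -prune \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Run both checks, print what was found, return the number of findings.
audit_board() {
    findings=0
    hits=$(find_php_in_uploads "$1")
    if [ -n "$hits" ]; then
        printf 'PHP-like file in uploads:\n%s\n' "$hits"
        findings=$((findings + 1))
    fi
    if conf_is_writable "$1"; then
        printf 'conf_global.php is writable; expected mode 0444\n'
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample tree so the checks can be tried offline.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/uploads/monthly_12_2018"
    : > "$d/uploads/monthly_12_2018/photo.jpg"
    : > "$d/uploads/monthly_12_2018/post-1.php"   # should not be here
    : > "$d/conf_global.php"
    chmod 0644 "$d/conf_global.php"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh /path/to/forum   (exit status = number of findings)
if [ "$#" -gt 0 ]; then audit_board "$1"; fi
```

A hit under uploads/ is a lead to inspect by hand, not proof of compromise; the file's modification time and owner are the next things to compare against the web server logs.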
Archived
This topic is now archived and is closed to further replies.