Yeah I just found another location on the server the injected code was hiding in, and tore it out of there...

I have gone through every directory now and have made notes on the changed files and where they are, etc... so I will continue to check the entire directory every 24 hours for the next few nights and see if we get a file changed again. I had already reset all the passwords, etc. to access the server so once I get the last remnants of the attack off the server we'll be good again.

This was ONLY a 'server code' attack, and NOT a database or content attack... no information about AA members/passwords/emails/etc. was compromised as the database is on a completely different access. All this malware does is send you to a different website once in a while when you are flagged as 'new to the site', i.e. coming from a search engine, etc. That's why typically using links, favourites, or bookmarks should not affect you. In the 11 years I have been handling this site this is by far the worst thing that's happened here and frankly, it could be SO much worse!! We're truly blessed! hahah


Yeah... just rescanned and found that there's one little PITA file that crept back in... off I go to scour the %&*(*%#@ server again...

Sigh.


Technically... neither. It's an issue that crept into the hosting server through what I believe to be a vulnerability in our previous banner software. It's a replicating virus that I am continuing to battle - quite literally as we speak at this very moment! The host says it's my problem to deal with since I 'allowed' the security hole, the banner software people say it's not their problem because the little virus is not actually messing with their software and Invision says it's not their problem because it's not their server... even though the virus is changing the code in one of the Invision files every 48 hours or so.

So at this point I have basically stripped AA down to the bare bones, wiped and reinstalled everything from 'fresh' files and have gone through each and every folder so many times looking for replications I'm dizzy. I've found more than 300 files now, and it's exhausting. This virus is not 'supposed' to replicate... I'm supposed to have found the changed file, find the file that changes the file, and eradicate them both... but this is a 'new' variant... it's being difficult. And there's no real option for me to run an 'antivirus' on the server.

I have a few more tricks up my sleeve to try, and have just made some changes that I hope will stop it. Time will tell! If nothing else works I'll just back up the database, and move our hosting to a fresh server and reinstall everything from scratch. While the database uploads (takes a couple hours!) I can go through the uploads folders and make sure that's clean since it would be the only thing retained other than the posts/messages/users.

Fun, huh?? Glad I have a full time business to run during the day - otherwise I might be bored.

