Problem with index.php

[rolfw]

One of my users Emailed me to say that the site was activating his Antivirus shield, so I ran the site though Black Widow and found that every time the index page was called, it brought up this URL

_http://58.35.235.153/~pozitive/pics/index.php?264730676b8385

So I looked at the page source and found this at the bottom:

Code:

Content visible to verified customers only.

Not sure how it got there, or how long it has been there although my member said it started on sunday, but I am just changing my server login, can I simply over write the index php with a new version?

I'm running 5.62, are there any known backdoors or exploits?

PS. have now managed to edit out the script after disabling my antivirus, butI'm concerned that it may return.

[Chuck S]

Yes you can overwrite all files to get rid of that provided the code is coming from our end and there is no exploits we are aware of at this time.

I would be very interested here to hear from you exactly where you edited and then we might be able to respond a bit more here on some ideas. As it stands now without a link and some more info I can not say much here on this.

[rolfw]

I simply removed the code above from the very bottom of this page Chuck, my forum homepage is linked to in my profile.

[Chuck S]

Okay cool but that I was asking is what file was the code in? Was this in your footer the index.php itself or a tempate?

[rolfw]

Sorry, thought I'd put that, but hadn't, it was in index.PHP, have checked a few of the other php pages and it doesn't seem to be in any of them.

[Chuck S]

Interesting I would suggest you check your server for files that look strange or do not belong and remove them. Usually from what I see you need to actually ftp to the server or ssh in and edit the file to add that so this may be an indicatiuon of a security issue elsewhere on the server with a foreign file that is letting people get in your server and change things

[rolfw]

Thanks Chuck, yes had worked out that it couldn't be altered from the Admin CP in Photopost, have now changed the Control panel login and FTP login as a precaution. Any idea what extension a file would have which would enable this?

[Chuck S]

No honestly I would not. filenames can vary so you would need to browse and look at any directories on your server that are 777 and see if there are any files that should not be there. Kind of a tedious process but keeping to directories that people might be able to access via holes in applications you may have on your server that have security issues will narrow things down. Like Michael P one of the developers here had an issue on his site one time and turned out to be flash chat he had installed with his vbulletin forum.

[rolfw]

OK thanks, may well get the server manager to have a look for me, he would have a better idea of what should and shouldn't be there, plus I only have access to my cpanel, whereas there are multiple sites on the server.

In the meanwhile, I'll check it every day with BlackWidow.

Thanks for your help.

PS. As a matter of interest, what does the file photopost_anywhere.php do?