Ouch! It's always a mess when the website gets hit.
A few questions which may help diagnose how the rogue script got in:
1) Was there a scripts/_images/infantryman-s-fighting-forum/cjs-rocken-web-page.html created on your website (including the scripts directory)? (WFlash default is a 'Scripts' directory, not a 'scripts' directory AFAIK.)
2) Do you have access to the raw Apache logs for your website? The raw FTP logs for your website?
(If so, I have some analysis programs I can run on copies of the logs to do some sleuthing for you. PM me if you're interested and have access to the logs.)
3) Are any other files/directories on your website looking 'strange' (new directories? new files?)
It's unlikely that someone sneaked in via the WFlash updates or methods as they confine writing to specific text files in their own directory (and the filename isn't specified directly by URL).
Best regards,
Ken
Hi Ken...
Thanks for the response. I zapped all the files I didn't recognize as mine so I can't recall much about them except that the first bit of evidence that I had a problem was the appearance of odd windows/statements on the main page which was then a WeatherLink load.
The example I posted in my OP was taken from the log for today. It returned a 404 error for whoever sent it my way. I believe that the literally hundreds of such files that I uncovered might well have had a "Scripts" directory listed.
I can get the RAW Apache logs for the last 300 hits. The hits that actually created the adverse effects on the website have already rolled off the log and I didn't think to archive them (I am now doing so). I am interested in checking into the origin of the files that I have available to me. I will PM you on that.
At this time, I don't see any odd files or directories. I reviewed permissions with my hosting company and, after I had gone in and made what I thought were moves to the good for security, they confirmed that I have permissions set to a fairly protective level.
I'll DL the logs and send you a PM. Thanks.
...Bob
BTW, I isolated the IP addresses for the 6 sites that appeared to be hitting with "infantryman like" scripts and blacklisted them. I'll give it several hours and check the access logs again and see if that had any effect.
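Added example, not part of either post and not Ken's analysis programs: a small Python triage of Apache combined-format access logs of the kind discussed in this thread. It counts, per client IP, requests for .html pages under a scripts/_images or Scripts/_images directory and separates "not found" responses from 2xx responses, which mean the file was present when requested. The path pattern, the second path and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Apache combined log format: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumed pattern, generalized from the single path quoted in the thread.
# Case-insensitive so both 'scripts' and 'Scripts' spellings are caught.
SUSPECT_RE = re.compile(r'^/scripts/_images/[^?]+\.html(\?|$)', re.IGNORECASE)

# Constructed sample lines using documentation IP ranges, not real log data.
SAMPLE_LOG = """
198.51.100.7 - - [01/Jan/2012:06:12:01 -0500] "GET /scripts/_images/infantryman-s-fighting-forum/cjs-rocken-web-page.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2012:06:12:03 -0500] "GET /Scripts/_images/infantryman-s-fighting-forum/cjs-rocken-web-page.html HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2012:06:15:40 -0500] "GET /scripts/_images/infantryman-s-fighting-forum/cjs-rocken-web-page.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2012:06:15:41 -0500] "GET /scripts/_images/constructed-example/page.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2012:06:20:00 -0500] "GET /index.html HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
"""


def triage(lines):
    """Return (per-IP Counter of suspect requests, set of suspect paths served with 2xx)."""
    by_ip = {}
    served = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not SUSPECT_RE.match(m["path"]):
            continue  # unparseable line or ordinary request
        counts = by_ip.setdefault(m["ip"], Counter())
        if m["status"].startswith("2"):
            counts["served"] += 1      # file existed: locate and review it
            served.add(m["path"])
        else:
            counts["missing"] += 1     # 404 and similar: file absent
    return by_ip, served


if __name__ == "__main__":
    by_ip, served = triage(SAMPLE_LOG.strip().splitlines())
    for ip, counts in sorted(by_ip.items()):
        print(ip, dict(counts))
    print("served:", sorted(served))
```

Any path reported under "served" is the one to check on disk and in the FTP logs, since a 2xx response means the file was in place when it was requested.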