Author Topic: Malware Hiding On My Site  (Read 1283 times)


CNYWeather
Malware Hiding On My Site
« on: December 27, 2018, 12:59:45 PM »
This has happened a few times to me and someone else brought it to my attention today.
Somewhere within my site there is some kind of malware on my site. Well, maybe not malware but still.

If you click on any hyperlink or page link within the site you get a popup new page opening with
some dating site page. It has varied as to which one a few times this has happened to me.

So, how can I find where this is? It must be some common file for all the pages like Settings or something like that.

The only thing I've found, which I commented out in Settings.php, was the highlighted area below:

# Automatic Info we might need
############################################################################
if(isset($_SERVER['REMOTE_ADDR']))   {$SITE['REMOTE_ADDR']   = $_SERVER['REMOTE_ADDR'];}
if(isset($_SERVER['REMOTE_HOST']))   {$SITE['REMOTE_HOST']   = $_SERVER['REMOTE_HOST'];}
if(isset($_SERVER['DOCUMENT_ROOT'])) {$SITE['WEBROOT']      = $_SERVER['DOCUMENT_ROOT'];}
if(isset($_SERVER['REQUEST_URI']))   {$SITE['REQURI']      = $_SERVER['REQUEST_URI'];}
if(isset($_SERVER['SERVER_NAME']))   {$SITE['SERVERNAME']   = $_SERVER['SERVER_NAME'];}
// $SITE['remote']         = "onclick=\"window.open(this.href,'_blank');return false;\"";
$SITE['PHPversion'] = phpversion();

Seems like this happens occasionally on any page and after a new visit after a few days.  :-(
Tony




Maumelle Weather
Re: Malware Hiding On My Site
« Reply #1 on: December 27, 2018, 01:25:25 PM »
Tony,

I tried your mobile site from my phone and clicking on the "View Full Version" link takes me to the mylove.is dating site. Look at your index_noredirect.php page closely. Also do you have clean copies of your header.php, top.php, common.php, footer.php, Settings.php, etc.? If so, delete the ones on the site, upload those and see if that resolves it. For your information, once I tried the link on your mobile, clicking on it again did NOT take me to the dating site a second time.

John
GR2AE, GR3, Cumulus

saratogaWX
Re: Malware Hiding On My Site
« Reply #2 on: December 27, 2018, 02:20:22 PM »
You seem to have a lot of externally-included JavaScripts on your basic page.  One (or more) of them might have been compromised at their end. 

I see counters/external JavaScripts from google-analytics.com, statcounter.com, facebook.com, twitter.com, supercounters.com, googlesyndication.com, extreme-dm.com, and google.com.

I'd suggest you remove the extreme-dm.com and supercounters.com ones and see if the problem still exists.  If it still does, then try removing the google ads links.. sometimes JavaScript malware comes in via ads.

Looking at your check-fetch-times.php?show=structure shows your basic structure files without an obvious infection.  Likewise, the line in Settings.php you highlighted is not malware.. just a benign support code that wasn't used (by default) in the template.

It's best to minimize the number of external sources for JavaScript (to speed page loads and limit exposure to possibly compromised external sources).


Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis VP1+ FARS, Blitzortung RED, GRLevel3, WD, WL, VWS, Cumulus, Meteobridge
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP
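
An added example, not part of the original post or the template's own code: a Python script that makes the inventory described in the reply above, listing every third-party host a page loads scripts or iframes from and which of those scripts carry no integrity attribute. The page URL, sample HTML, script paths and trusted list are constructed assumptions.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: hostnames echo the thread, paths are placeholders.
PAGE_URL = "https://weather.example/index.php"
SAMPLE_HTML = """<html><head>
<script src="/local-template.js"></script>
<script src="//www.google-analytics.com/placeholder.js" async></script>
<script src="https://www.statcounter.com/placeholder.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER"></script>
</head><body><script>var inline = 1;</script>
<iframe src="https://www.facebook.com/placeholder.php"></iframe>
</body></html>"""

class ExternalLoadAudit(HTMLParser):
    """Collect <script src> and <iframe src> URLs served from other hosts."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.own_host = urlparse(page_url).hostname
        self.by_host = defaultdict(list)  # host -> [(tag, url, has_integrity)]

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag not in ("script", "iframe") or not attr.get("src"):
            return  # skip other tags and inline scripts
        url = urljoin(self.page_url, attr["src"])  # resolves relative and //host forms
        host = urlparse(url).hostname
        if host and host != self.own_host:
            self.by_host[host].append((tag, url, "integrity" in attr))

def audit(html, page_url, trusted=()):
    """Return {host: {"urls", "trusted", "unpinned"}} for third-party loads."""
    parser = ExternalLoadAudit(page_url)
    parser.feed(html)
    report = {}
    for host, items in sorted(parser.by_host.items()):
        report[host] = {
            "urls": [u for _, u, _ in items],
            "trusted": any(host == t or host.endswith("." + t) for t in trusted),
            # a script without an integrity attribute runs whatever the host serves
            "unpinned": [u for tag, u, pinned in items if tag == "script" and not pinned],
        }
    return report

if __name__ == "__main__":
    for host, info in audit(SAMPLE_HTML, PAGE_URL, trusted=("google-analytics.com",)).items():
        print(host, "trusted" if info["trusted"] else "REVIEW", len(info["unpinned"]), "unpinned")
```

Run it against a saved copy of each template page (header, footer, mobile index) and compare the host list between runs; a host that appears without a matching edit on your side is the one to investigate first.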

CNYWeather
Re: Malware Hiding On My Site
« Reply #3 on: December 27, 2018, 03:16:45 PM »
I got rid of the Supercounters and Extreme DM counter and a bunch of the Facebook & Twitter connect stuff.
I doubt Google Analytics and Adsense would be the culprit so I'll just keep Statcounter since I've used it since 2006.

I suspect it was one of the other page counters since they are on all pages. I have a greater urgency for rebuilding this thing
now I guess. I haven't seen the redirect again and will keep an eye out to see if it comes back.
Tony




smokie
Re: Malware Hiding On My Site
« Reply #4 on: December 28, 2018, 03:40:47 AM »
If it's still happening ...

It might be statcounter.com. Back in early November my ESET virus protection came up with this when loading my website:

HTML/ScrInject.B [Threat Variant Name]

I reported this to them; they came back with: they use Cloudflare to speed up the delivery of our website, refreshed their cached copy of the file with Cloudflare, fixed. They were talking to Cloudflare about how this happened.
Newquay, Cornwall.UK  > WS2300 Operational since May 2007. New home from 6/4/08 www.newquayweather.com