MHTMLRedir.Exploit

Nuke Cadet Joined: Nov 19, 2004 Posts: 7

Thanks, actually I have two sites with the same problem:

http://my.powa.org/

http://my.poetryexpress.org/

Any help would be appreciated.

Nuke Cadet Joined: Nov 01, 2003 Posts: 6

Help... idont know what going on... I have a business... and well the site is now giving this trojan... So its in a sub directory until this gets resolved... So I know this may be asking alot but Support Moderators come out with a fix please. Also. If you could look at my code the site is at http://monsterden.com/v-web/portal/73/oldindex.php

Thanks a ton In advance....

ps... whoops dbl post please delete first.

Nuke Cadet Joined: Nov 19, 2004 Posts: 7

I have checked my database and haven't noticed anything unusual. But maybe I'm not looking in the right place.

http://my.powa.org/

http://my.poetryexpress.org/

Site Admin Joined: Aug 17, 2003 Posts: 12383

Seems the same hack - please read my posts. Simple steps: check your database and delete the added content from your footer fields. Apply security

Site Admin Joined: Aug 17, 2003 Posts: 12383

Doing some more digging, I see that these hacks all come from the range 61.78.61.*

These addresses are all registered under KOREA TELECOM Internet Operating Center. 61.78.0.0 - 61.85.255.255

I will be banning the first part - if worse comes to worse, ban the entire range.

Nuke Cadet Joined: Nov 01, 2003 Posts: 6

on my site listed above is this the code I am looking for?

Code:

??? I looked in the DB Didnt' see anything, I am not sure what I am looking for.

Posted: Sat Nov 20, 2004 6:36 am

jacebenson wrote:

on my site listed above is this the code I am looking for?

Code:

??? I looked in the DB Didnt' see anything, I am not sure what I am looking for.

I took the liberty of removing that, as yes, it is the code you are looking for. Remove that and you should be good.

I saw this last night, looks like someone found another sql injection exploit.

-sting

Nuke Soldier Joined: Sep 03, 2004 Posts: 22

I cant find it in my db either.. Where do you remove the code from?

Nuke Soldier Joined: Sep 03, 2004 Posts: 22

ok I did find it in my copyright. How I did it was search my databases for the string and you have to look for it in full text mode. Maybe this will help someone.

thanks for your help everyone

Nuke Cadet Joined: Nov 20, 2004 Posts: 2

can someone please check mine? I'm new to really diggin into Nuke. I am minorly proficeint in PHP but can't figure out where the nasty code is.

www.tauomegaphi.com

Nuke Cadet Joined: Nov 20, 2004 Posts: 2

thank you I found it in my copyright. . . thanks for the db search suggestion.

Nuke Cadet Joined: Nov 19, 2004 Posts: 7

Thanks to all for your help. I finally found and removed this, and everything works fine.

For others who may have this problem and not be too familiar with php MyAdmin, here's what I did:

1. Log in to php MyAdmin
2. Select "config" from list on left
3. Select "browse" tab
4. Click "T" symbol to expand text.
5. Look for offending code (mine was in the "Copyright" section)
6. Click "Edit" to access and delete code
7. Click "Go" to save changes
8. Test your site (mine worked fine)

Best wishes to all, and special thanks to Sting and Evaders99.

Nuke Soldier Joined: Nov 07, 2003 Posts: 33

Evaders99 wrote:

Doing some more digging, I see that these hacks all come from the range 61.78.61.*

These addresses are all registered under KOREA TELECOM Internet Operating Center. 61.78.0.0 - 61.85.255.255

I will be banning the first part - if worse comes to worse, ban the entire range.

I located the code in the Copyright area. Thanks to all the previous posts. Site works fine now, but how did you find what ip it came from?

Site Admin Joined: Aug 17, 2003 Posts: 12383

These hacks were blocked by the latest Admin Secure. That's how the IP was recorded.

Nuke Soldier Joined: Nov 07, 2003 Posts: 33

Is there any other way. I am using Protector 1.13