10 Replies Latest reply: Oct 8, 2011 10:42 PM by noellle
noellle Level 1 (0 points)

I have been dealing with the Flashback trojan on my Mac, thought I got that settled, and was just alerted that my business website, www.kristenbuchmann.com, has been hacked or something with that Flashback trojan!!! I don't know which came first.

Anyway, if you visit the site yourself, you will see that it says that my site may harm your computer and may contain malware....DON'T CLICK ON THE LINKS! I started this discussion on my previous post about my Mac's Flashback trojan. I will copy and post a bit in another post below.

 

I changed my password with my hosting company's web panel and my FTP passwords. I have to remember and figure out how to change my SQL passwords...

 

I also have a web panel password for two other parts of my site (a WordPress blog hosted on my site and also a Flash site with a separate web panel), but they have URLs that are part of my site, so I am nervous to click through to change them. What should I do???

 

I tried to follow steps on some links I followed and just got stuck because I don't understand. I will post those questions also in a post below.


MacBook Pro, Mac OS X (10.6.8)
  • 1. Re: Flashback virus hacked my business website and computer. What should I do?
    noellle Level 1 (0 points)

    In the thread where I started this discussion,

     

    MadMacs0 wrote:

     

    OK, I clicked on Lifestyle Portraits, I think, and was redirected to macosxsoftwareupdate.org-slash-flashplugin-slash-7f-slash- (I used -slash- for / so that people won't be tempted to click on it) which is the site I've been watching. As I said yesterday, that address has been removed from the DNS database, so it doesn't work, but you still need to clean that redirect off of your site in order to get Google to take you off the blacklist and if that site ever goes active...well you know what happens next.

     

  • 2. Re: Flashback virus hacked my business website and computer. What should I do?
    noellle Level 1 (0 points)

      Below is another excerpt from the previous thread. Hope this is helpful and not confusing!:

    MadMacs0 wrote:

     

    This site has some tips on what to do and how to contact them. I think someone is going to have to scan the code on your pages and remove whatever is causing it....

     

    but you still need to clean that redirect off of your site in order to get Google to take you off the blacklist

     

     

     

    Are you saying that I need to clean it by having someone scan it and remove it?

     

    I started to follow the steps linked to that site - http://25yearsofprogramming.com/blog/20070704.htm

     

    and can't get past the first step. I use Dreamhost, which doesn't use cpanel.

     

    So, I want to take my site offline using the method on the link I mention above, but I can't figure out how to make an .htaccess code because this page: http://www.javascriptkit.com/howto/htaccess.shtml

     

    said:

    htaccess files must be uploaded as ASCII mode, not BINARY. You may need to CHMOD the htaccess file to 644 or (RW-R--R--). This makes the file usable by the server, but prevents it from being read by a browser, which can seriously compromise your security. (For example, if you have password protected directories, if a browser can read the htaccess file, then they can get the location of the authentication file and then reverse engineer the list to get full access to any portion that you previously had protected. There are different ways to prevent this, one being to place all your authentication files above the root directory so that they are not www accessible, and the other is through an htaccess series of commands that prevents itself from being accessed by a browser, more on that later)

     

    and I am so LOST. I don't understand it. I don't have an .htaccess file, and I am SO tired from staying up late dealing with all of this, first on my Mac, and now on my website.

  • 3. Re: Flashback virus hacked my business website and computer. What should I do?
    noellle Level 1 (0 points)

    In case it's helpful, below is the name of my previous thread about the Flashback trojan on my Mac.

     

    Finder shows strange letter and number strings, programs "quit unexpectedly"

    Thanks!

  • 4. Re: Flashback virus hacked my business website and computer. What should I do?
    noellle Level 1 (0 points)

    Oh and I need to find a trustworthy website scanning service (I hope free!) that will be able to find the bad code. Does anyone know of some? Thanks!!

  • 5. Re: Flashback virus hacked my business website and computer. What should I do?
    andyBall_uk Level 7 (20,305 points)

    Right at the top of most/all of your HTML source pages is a line trying to load a script from sweepstakesandcontestsnow which would (maybe only sometimes) have loaded content from macosxsoftwareupdate or other sites - leading (when I tried) to a download from adobe-software-update, which is different from the first few Flashback variants.

     

    This may not be directly related to you having installed the thing - they have to get the code out there somehow & commonly use insecure sites & hosts to do so.

  • 6. Re: Flashback virus hacked my business website and computer. What should I do?
    noellle Level 1 (0 points)


    andyBall_uk wrote:

     

    Right at the top of most/all of your HTML source pages is a line trying to load a script from sweepstakesandcontestsnow which would (maybe only sometimes) have loaded content from macosxsoftwareupdate or other sites - leading (when I tried) to a download from adobe-software-update, which is different from the first few Flashback variants.

     

     

     

    Thank you, andyBall_uk! So if I go and delete that code at the top and change my passwords, am I OK?

     

    Also, I think that I don't have the latest version of WordPress. Perhaps that is an insecurity? I don't remember if I have that backed up automatically or not, but I certainly haven't backed it up in ages. Is that included in the most/all of my HTML source pages? (Blog located at www.kristenbuchmann.com/blog.) Or can I safely back those up now and back up my database and then install the new version of WordPress (if those are the steps - I can't remember what to do to update WordPress right now)?

     

    Thanks!

  • 7. Re: Flashback virus hacked my business website and computer. What should I do?
    andyBall_uk Level 7 (20,305 points)

    The WordPress pages & pure Flash pages don't appear to be affected; you should be able to check the modified dates of the altered files & look for any others with that same date.

  • 8. Re: Flashback virus hacked my business website and computer. What should I do?
    andyBall_uk Level 7 (20,305 points)

    It seems the most common hack using sweepstakes... would have added code to your PHP files

     

    http://www.travelswithakazoo.com/2011/09/how-embarassing/

     

    and that code writes the link in question to the HTML files, seemingly not all of them.
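
The check described in replies 5, 7 and 8 (find the pages that load the injected script, then look for other files changed on the same date) can be scripted. This is an added example, not part of the original thread or any poster's code. The function names, the `.example` host suffix and the sample files are constructed for illustration, and "same date" is taken as the same calendar day in UTC.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Host name as given in the thread; matched as a substring of a script's src.
SUSPECT = "sweepstakesandcontestsnow"
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
WEB_EXT = (".html", ".htm", ".php", ".js")


def scan(root, suspect=SUSPECT):
    """Return (flagged, same_day): files that load a script from the suspect
    host, and unflagged files last modified on the same UTC day as those."""
    flagged, days = {}, {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(WEB_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            days[path] = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc).date()
            hits = [s for s in SCRIPT_SRC.findall(text) if suspect in s.lower()]
            if hits:
                flagged[path] = hits
    bad_days = {days[p] for p in flagged}
    same_day = sorted(p for p, d in days.items() if d in bad_days and p not in flagged)
    return flagged, same_day


def build_sample(root):
    """Constructed sample site: injected page, old clean page, same-day PHP file."""
    injected = '<script src="http://sweepstakesandcontestsnow.example/x.js"></script>\n<html></html>'
    files = {
        "index.html": (injected, 1317000000),              # 2011-09-26 UTC
        "about.html": ("<html>clean</html>", 1300000000),  # 2011-03-13 UTC
        "contact.php": ("<?php echo 'hi'; ?>", 1317003600),  # same day as index.html
    }
    for name, (body, mtime) in files.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample(site)
        print(scan(site))
```

Files in the second list are candidates for manual review, not confirmed infections; run it against a downloaded copy of the site so the review does not depend on the compromised host.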

  • 9. Re: Flashback virus hacked my business website and computer. What should I do?
    Linc Davis Level 10 (117,700 points)

    Kristen, it's imperative that you take that site down right away and leave it down until it's fixed. Not only are you spreading malware, you're exposing yourself to legal liability and damaging your professional reputation. Securing a web application is beyond the scope of these forums. This is your business and you need the help of a consultant.

  • 10. Re: Flashback virus hacked my business website and computer. What should I do?
    noellle Level 1 (0 points)

    Thank you for everything. I passed on the information you gathered to my web builder friend, and she cleaned everything up for me and has asked that Google remove it from the blacklist.

     

    Thanks!