| Question: |
Why my domains are already available 2nd week?Got an email Virus? People Perusia with email [email protected] can`t give an adequate answer?My request via the support button at the top of the page, and remains ignored |
| Answer: |
1. after You have received the message you have to answer it. there only advise to open a ticket in the section of Those.support that You did...had to do it immediately without losing much time. 2. from Your website have already re-sent the spam ~zemius/spamlog.txt 3. clean Your local computer of the virus, possibly infecting himself. 4. enter Your Internet IP address (see here www.whatismyip.com) we will give you access to your account that You did the cleaning it. then Your account will be restored. In fact this is done in an hour and wait two weeks is not needed. |
| Answer: |
Hello. What kind of two weeks they are ! ? Your account has Russells spam you were notified about it 23-12-2014 you what topricin did not respond to this notification , 30-12-2014, again the virus. You need to Solve the problem. Inform Your ip> we will open for You access. you will need to change all passwords and proveriti website Viruses were here
/home/zemius/ADD_DOMEN/ezokatalog.ru/sites/all/modules/views/modules/book/ajax.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/sites/all/modules/views/modules/user/search.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/sites/all/modules/views/plugins/views_wizard/views_ui_node_revision_views_wizard.class.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/sites/all/modules/ctools/images/blog.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/sites/all/modules/ctools/stylizer/plugins/export_ui/stylizer_ui.class.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/sites/all/modules/ctools/tests/plugins/cached/ctoolsCachedPluginArray2.class.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/sites/all/modules/ctools/tests/plugins/cached/ctoolsCachedPluginArray.class.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/sites/all/modules/ctools/plugins/content_types/custom/xml.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/sites/all/modules/token/dump.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/sites/all/modules/xmlsitemap/xsl/ajax.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/sites/all/modules/cck/modules/press.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/sites/all/themes/dshablon_2/box.tpl.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/modules/filter/filter.api.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/modules/system/theme.api.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/modules/block/tests/header.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/modules/overlay/images/files.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/modules/poll/plugin.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/modules/node/file.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/modules/simpletest/tests/upgrade/drupal-6.user-password-token.database.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/modules/simpletest/tests/upgrade/drupal-6.translatable.database.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/themes/seven/model.php: Php.Trojan.StopPost FOUND
/home/zemius/ADD_DOMEN/ezokatalog.ru/profiles/testing/dump.php: Php.Trojan.StopPost FOUND
/home/snike/hack/zemius/proxy.php: Php.Malware.Mailbot-1 FOUND
the spam was sent otsuda /home/zemius/ADD_DOMEN/ezokatalog.ru/sites/all/modules/ctools/views_content/plugins/relationships |
| Question: |
Are you interested in my local IP? Here he 109.171.112.222 |
| Answer: |
this is not a local and external ip but it needed. Please take the action on the website in the folder /home/zemius/ADD_DOMEN but before that, check all other sites and change passwords |
| Question: |
The spam was sent from my local machine or your server? And here the antivirus on my local machine? I`m all clear. |
| Answer: |
the spam was sent from your website the spam was sent from here
/home/zemius/ADD_DOMEN/ezokatalog.ru/sites/all/modules/ctools/views_content/plugins/relationships if you are sure that you have everything clean then the problem may be in the site itself, or rather in ujazvimosti site. you`ve updated it? |
| Question: |
For several years I have been using 3 hosting services, they are the same scripts Денвер7. First time having this problem.. .Are you sure that the problem is the vulnerability of the script and not hosting? |
| Question: |
Error in previous post, not Денвер7, and Drupal 7. |
| Question: |
Another question, how do you check the scripts for viruses? What are you doing this? |
| Answer: |
we have a few antivirus programs on the server. files are regularly checked using clam , avg, maldet and other scripts. you can check using http://www.revisium.com/ai/ hosting is cloudlinux with cagefs that fully isolates the accounts from each other and virtualizes the space on each account. The problem may be just in the scripts of the site or stolen you have passwords. |
| Question: |
I don`t have access to the folder ADD_DOMEN.How do I what is there to fix? |
| Answer: |
access DL avarege ip open |
| Question: |
Yes now went |
| Answer: |
please check the sites and change all passwords. the websites of unlicensed or hacked plugins and components, remove them same thing with the theme. very often hacking is through nih http://blog.fox-it.com/2014/11/26/cryptophp-a-week-later-more-than-23-000-sites-affected/ |
| Question: |
Try to scan http://ezokatalog.ru/ai-bolit.php?p=qwertyop1Выдает504 Gateway Time-out |
| Answer: |
scan the folder, the script runs long. or we can run scrpit for You, and then you read the report |
| Question: |
ezokatalog.gidrovell antivirus in normal mode, all normalno expert mode, the script simply saviorthey the folder ctools (this is a standard module) ctools_old renamed and copied back with another in my hosting.passwords changed. |
| Question: |
Then run the script.. Where to read the report? |
| Answer: |
what antivirus did you check? on other sites the same modules? |
| Question: |
Checked those you gave me http://www.revisium.com/ai/У me on your hosting different scripts are. But on other hosting, I have the same scripts (Drupal 7). |
| Answer: |
t..K was infected by one site - check all sites account |
| Question: |
How to check? If the antivirus which you recommended to me caught nothing?As you suggested, check for yourself now, and send me the report. |
| Answer: |
we launched the test, you will only have provesti reports. you EN all sites passwords changed? |
| Answer: |
/home/zemius/ADD_DOMEN/ezokatalog.ru/AI-BOLIT-REPORT-03-01-2015_11-20-409593.html /home/zemius/ADD_DOMEN/magicyoga.ru/AI-BOLIT-REPORT-03-01-2015_11-26-836247.html` /home/zemius/ADD_DOMEN/stomenov.ru/AI-BOLIT-REPORT-03-01-2015_11-26-227913.html /home/zemius/ADD_DOMEN/tobereg.ru/AI-BOLIT-REPORT-03-01-2015_11-27-192621.html /home/zemius/public_html/AI-BOLIT-REPORT-03-01-2015_11-28-124699.html |
| Question: |
Not one report |
| Answer: |
These reports are located in folders. As you watched? |
| Question: |
What folders? I looked on the indicated paths, there`s nothing there. |
| Answer: |
sun Etam is how you looked? ]# ls-all /home/zemius/ADD_DOMEN/magicyoga.ru/
total 956K
drwxr-x--- 10 zemius zemius 4.0 K Feb 3 10:35 .
drwxr-xr-x 7 zemius zemius 4.0 K Feb 3 10:37 ..
-rw-r--r-- 1 zemius zemius 720 Dec 3 10:35 AI-BOLIT-DOUBLECHECK.php
-rw-r--r-- 1 zemius zemius 235K Oct 15 22:43 ai-bolit.php
-rw-r--r-- 1 zemius zemius 177K Jan 3 10:35 AI-BOLIT-REPORT-03-01-2015_11-26-836247.html |
| Question: |
Now they appeared!!!Before that checked several times nothing happened. Forgot I added rights to these files? |
| Question: |
Completely replaced the names of all files and folders which the antivirus swears (added suffix _kill them), then downloaded a fresh version from the official website.But now I`ve stopped running in the browser the website http://ezokatalog.ru/ (message You don`t have permission to access / on this server.)That is, if now will you just Bang the renamed files..you Can run the antivirus and see will he find that in the latest files |
| Answer: |
Hello. antivirus running |
| Answer: |
nothing found |
| Question: |
I still do not run in the browser the website http://ezokatalog.ru/ (message You don`t have permission to access / on this server.) |
| Answer: |
please Check now.
|
| Question: |
Yes works.The site is now accessible to all or only from my IP? |
| Answer: |
the Website is accessible to all. |
