http://crazy-mail.com


Has that danged stelaartois.ru on it



Ran it throught Jutaky's dectector - not sure why it shows so many times on the same level? New to this stuff

It's been removed, again.

I wish I knew how to keep the darned thing out!

I've been told to look for files in images that don't belong, I've been through every file over and over and cannot find the trigger.

Thanks!

You might want to contact your host. I think they should be able to help you.

Make sure you scan your own PC for a keylogger and change the site password and have each site have a different password.

It shows three times on the same level because the hacker placed three individual iframes onto the site, this seems to be common with the latest sites getting hit.

I agree that your host should help you, they may have things they can check and try to keep the hacker out. There may be something in the cpanel and you might want to check to make sure you don't have any 777 permissions set.

They aren't logging into the cpanel to put it in I don't believe, it shows the last login ip and it's never anything but mine or Em's. We've both checked all our pc's for viruses (that's what the host told us to do) and are clean. That's not to say one of us couldn't have had something in the past that allowed the trigger to be set. I just cannot find the darned thing....does anyone know is it ever in your scripts folder or cgi or any other odd places? Or in anything other than pages or images, I have been through them both and theres nothing out of place. Of 6 sites this is the only one I remove it from at least once a week, on others I've always found the trigger. It's showing up on header (up in the html) and on the bottom of index, footer, login, invalid_login, and ptp main for anyone else who's getting it check all those places. Anyone's help on file names to look for would be appriciated!!

What are the name of the scan programs you use? I sometimes some programs pick up what others missed.

might be like that other virus been going around norton-netsky something like that;
had to block IP and delete all instances it placed its self in most pages usually the
php and index if have forum it will go there too if it is like the other which is a good
suspect. I had to do that for a traffic exchange site that I designed and do other
work for.

It installs itself usually via an ad popup or an ad being run in ptp. then attaches.
I guess could hunt on Norton site get more info on the other this one might be listed
or not lol but if other is would be considered same result I think

yes the permissions but be set tight as can without disrupting the others.
It usually says something like </Iframe and its name and about running </Iframe> it has its name in everyone and sits with in the php or html code. My friend who owns the TE his
hosting didn't and wouldn't do squat...cause of that I got rid of most with some help from
another TE owner...then noticed it finally got into the c/panel but it was in the area in which
we could not reach! so it has to be gotten a hold of fast. You need to down load all the ones
you find and fix them by editing out then upload all at once via ftp of course.

It's back