Greenguy's Board - View Single Post

onroad · 2006-12-09, 12:02 PM

Sadly FTP won't solve problem. I just wasted days trying to get that same string off a domain I had. I had changed my Password 5 times and it kept coming back. For some reason when the domain was set up, "public write" was enabled. A few months back a bot must have seen this and added a file to a few folders. It had a sneaky name" backup.pl " at a glance I assumed it was something my host was using for backup reasons. But I see the ".pl" extenstion is a Linux Shell Executable Binary http://filext.com/alphalist.php?extstart=%5EP

It runs right off the server once installed. I noticed it was changing all the "default" pages.. ie index, main.htm etc. There was also a php that cloned the name of the folder it was placed in. I open both of these in notepad and they were nothing I installed. They are long coding which I'm to stupid to understand. But if somebody wants me to paste it into a response I can do that.

Anyway. All I can sugget is. contact host ensure "public write" and any other weakness is not on server. Then look in all your folders for those php & pl file extensions.. I hope this helps... BTW, it clones the "real player" update skin correct? I think it's on http://www.internext-expo.com/ also.. I get the same popup there.

OH, not to stomp on cd34.. He's the shit! But mine could have been diff from that guys in a way.. but changing my ftp didn't help in my case. I was actually thinking about asking sparky for some help until I noticed the problem...

2006-12-09, 12:02 PM	#4
onroad Internet! Is that thing still around? Join Date: Dec 2006 Posts: 1	Sadly FTP won't solve problem. I just wasted days trying to get that same string off a domain I had. I had changed my Password 5 times and it kept coming back. For some reason when the domain was set up, "public write" was enabled. A few months back a bot must have seen this and added a file to a few folders. It had a sneaky name" backup.pl " at a glance I assumed it was something my host was using for backup reasons. But I see the ".pl" extenstion is a Linux Shell Executable Binary http://filext.com/alphalist.php?extstart=%5EP It runs right off the server once installed. I noticed it was changing all the "default" pages.. ie index, main.htm etc. There was also a php that cloned the name of the folder it was placed in. I open both of these in notepad and they were nothing I installed. They are long coding which I'm to stupid to understand. But if somebody wants me to paste it into a response I can do that. Anyway. All I can sugget is. contact host ensure "public write" and any other weakness is not on server. Then look in all your folders for those php & pl file extensions.. I hope this helps... BTW, it clones the "real player" update skin correct? I think it's on http://www.internext-expo.com/ also.. I get the same popup there. OH, not to stomp on cd34.. He's the shit! But mine could have been diff from that guys in a way.. but changing my ftp didn't help in my case. I was actually thinking about asking sparky for some help until I noticed the problem... Last edited by onroad; 2006-12-09 at 12:07 PM..