My site has been temporarily shut down by my ISP until I find the source of the spam emails that have been coming from my site.
I have identified 4 files; see attached screen print:
Question is how were these scripts installed on my server? Is there a security loophole in Boonex? What can be done to prevent this as I had a similar thing before and then I changed all passwords and no one apart from me has had access to the ftp.
|
Perhaps you should ask your host how those got uploaded.
Normally it is through an insecure server. Which of course the host most likely will not admit to.
It's not Dolphin. And do a search for some of those files. Like this one. https://www.google.com/search?q=sys09725444&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
You will find it appears others have this and many are not even aware of it.
https://www.deanbassett.com |
Actually, that's not quite correct.
Before pinning any blame you have to be 100% sure of 3 things.
1) You did not give the password out.
2) You are using a strong password.
3) Your own computer that you use to access your site is free of any viruses or malware. Scanned with more than one anti-malware scanner. The use of one scanner is not proof your computer is safe.
Because, based on the pic, the owner of the files is the same owner as the rest of your files, indicating it may have been uploaded using your account information.
https://www.deanbassett.com |
Good point, I have seen the owner is the same, so it may have come from my PC? But how are others getting iframes injected? Is there a weakness in Boonex?
http://www.boonex.com/n/Viral_site_infections
I have run a full scan and the anti-virus is picking up defaul.php under root, inc and flash as a trojan file. But looking at the modified date, it's the same as all the other system files. I am now confused.
|
No, there are no current vulnerabilities in Dolphin.
You are also referencing a topic that is several years old.
And did you read it? If you did, you would have seen that FTP is how these things get in. The iframe is inserted the same way you would do it: by downloading the file via FTP and re-uploading it. That simple.
Securing FTP should be your #1 priority. You start by talking to your host. Switch from standard FTP to SFTP. Also see if you can get your host to look through the FTP logs to find out if any IP addresses other than yours have accessed FTP. Change your passwords.
And as for what your virus scanner is picking up: if they are files that contain base64 encoded areas, which is Dolphin's licensing system, many anti-virus programs pick that up. It's a false positive. AVG and AVAST are common for picking up base64 encoding as a virus, which it is not. There are at least 2 or 3 files in Dolphin that have base64 encoded areas. So if that's all it's picking up, then ignore them. You are also not to really concentrate on the Dolphin files themselves. You're not understanding how your site gets infected. It is not by infecting your files on your computer and you upload those infected files. Nope, it's malware on your computer hijacking your FTP connection to infect your site directly.
However, I am not sure what you are scanning with, but you're not looking for a virus. So don't use a simple virus scanner. You are looking for malware. You need more scanning tools.
So get yourself a copy of Malwarebytes anti-malware and scan your home computer with it. http://www.malwarebytes.org/products/malwarebytes_free/
You have stated you have had a similar problem before. Is this the same hosting company? Are you on a shared server?
Sorry. But I have had Dolphin sites for over 6 years now and have never been hacked.
https://www.deanbassett.com |
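The FTP log check suggested in the reply above, as an added example that is not part of the original thread: it lists uploads made from client addresses other than your own. It assumes the host's FTP server writes the standard xferlog transfer-log format; the sample lines, addresses and the `siteowner` account are constructed.

```python
from collections import defaultdict

# Constructed sample in xferlog format; IPs are from documentation ranges.
SAMPLE_LOG = """\
Mon Jun 10 09:14:02 2013 1 198.51.100.7 5120 /public_html/index.php b _ i r siteowner ftp 0 * c
Mon Jun 10 09:15:40 2013 2 198.51.100.7 20480 /public_html/media/logo.png b _ o r siteowner ftp 0 * c
Tue Jun 11 03:02:11 2013 1 203.0.113.45 734 /public_html/inc/default.php b _ i r siteowner ftp 0 * c
Tue Jun 11 03:02:13 2013 1 203.0.113.45 734 /public_html/media/my file.php b _ i r siteowner ftp 0 * c
Tue Jun 11 03:02:15 2013 1 203.0.113.45 0 /public_html/x.php b _ i r siteowner ftp 0 * i
garbage line that is not a transfer record
"""

def parse_xferlog_line(line):
    """Parse one xferlog record; return None for lines that do not fit the format."""
    tok = line.split()
    if len(tok) < 18:  # 8 leading fields + filename + 9 trailing fields
        return None
    tail = tok[-9:]
    if tail[2] not in ("i", "o", "d") or tail[8] not in ("c", "i"):
        return None
    return {
        "time": " ".join(tok[:5]),
        "host": tok[6],
        "path": " ".join(tok[8:-9]),  # filename may contain spaces
        "direction": tail[2],         # i = upload to server, o = download, d = delete
        "user": tail[4],
        "complete": tail[8] == "c",
    }

def foreign_uploads(log_text, known_hosts):
    """Group uploads (direction 'i') by client host, skipping hosts in known_hosts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec and rec["direction"] == "i" and rec["host"] not in known_hosts:
            hits[rec["host"]].append(
                (rec["time"], rec["user"], rec["path"], rec["complete"]))
    return dict(hits)

if __name__ == "__main__":
    # 198.51.100.7 stands in for the site owner's own address (assumption).
    for host, uploads in foreign_uploads(SAMPLE_LOG, {"198.51.100.7"}).items():
        print(host)
        for when, user, path, complete in uploads:
            state = "complete" if complete else "incomplete"
            print(f"  {when}  {user}  {path}  {state}")
```

Uploads under your own username from an address you do not recognise point to stolen FTP credentials rather than a flaw in the site's code.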
I have done some more digging around:
I have found default.php files in the root folder, default.php under inc and media, including some other files under backup and administration. These were all created during the time Tim Boulley was working on my site; subsequently I had to get rid of him from working on my site as he was useless and wasted a lot of my time and messed me around! Yes, I did have issues back in June, then just recently my site was shut down for sending email spams. I have downloaded the whole back of my site and have scanned it with several anti virus applications and that's how I have found out about this.
|
Yes. Unfortunately it can happen from other people's infected computers as well.
I try to make sure I scan mine on a regular basis to prevent that from happening. All developers should scan several times a week, but many don't.
https://www.deanbassett.com |