theJuckett

If I clear all of my temporary internet files and go to my website, IE pops up a bar saying "The website wants to run the following add-on: 'Remote Data Services Data Control' from 'Microsoft Corporation'." And if I view the source, it shows that a ".js" file has been included after the "<body>" tag. The file name is made of random letters different each time and is only temporarily created. I've also checked that it occurs from multiple computers so it is not a problem with my local machine.

Has anyone seen this before? When I search online, I find acounts of it happening to other websites, but I can't find any information on the cause or a fix. My site that is getting the error is running Xoops 2.0 if that helps track down the cause. If anyone has any ideas about how to get thing under control, it would be appreciated.

schupp

I'll guess it is the init_basic.php exploit. My sites are getting hit 24/7 for it for several days now. I'm not vulnerable but they keep looking. Your site has been compromised and the crackers might now have shell access and can walk all over other people's sites (like mine).

You'll probably find all kinds of root kits, phishing scam files, etc. Suggest you shut down the site right away and hunt down all the problems you now have. If you have xoopsgallery then you should move or rename the directory right away as that is how they can get in.

You now have a lot of cleanup to do.

__________________
Pass16
Pass39

Mike

please contact our abuse team about this
https://desk.surpasshosting.com/inde...kets&_a=submit

__________________
Mike
Surpass Special Operations

theJuckett

I saw a bunch of logs trying to access a xoopsgallery module, but as far as I can tell I don't have that module installed. I'll report the abuse to surpass as suggested. Thanks.