My Site Being Attack

If they're altering the scripts themselves, you probably have either a shonky host or other insecure services/scripts running on the server.

I never said PHP scripts. I merely said scripts. There will be a damned sight more running on that server than merely your forum.

As to what, specifically, they are altering, that is for you to tell us. It's your host and we ain't psychic, hence only you know the answer to that. Are they altering the DB itself? Are they altering the flatfiles? What is in your server logs? There are no known exploits in Flux, so you would most likely be better off discussing this matter directly with your host and seeing what they say.

Last edited by MattF (2009-06-02 10:45:44)

Again, which part of your site, exactly, is being altered?

Last edited by MattF (2009-06-02 12:02:08)

Are you on a shared host?

How do you know the "virus" was only on your site? My assumption on a shared host would be that it was part of a mass defacement of index files (plenty of backdoor scripts have that functionality)

If you're convinced the problem was FluxBB, look for files that shouldn't be there (especially PHP files). If the problem is with FluxBB, you'll find a backdoor script somewhere that allowed someone to do this.

Well, that page suggests that the issue is a virus on your computer which is using the passwords you save and modifying your website. So, if that's the case, the solution is to change your passwords and remove the virus from your computer.

However, defacement of only index files suggests that it was not a virus, which would instead target any files it could. It's much more likely to be something with your host. You still haven't told me how you know that no other sites on your shared server were compromised.

Some things the BlueHost post didn't mention:

(1) Don't use Adobe Acrobat as your default program to read PDF's - use something less common like Foxit Reader instead.
(2) If you must use Adobe Acrobat, go into the options and ensure Javascript within PDF's is disabled.
(3) Use another default browser - eg Opera or Firefox to browse the web.
(4) Change the passwords you use on the server for FTP access to your site immediately if you think you are under attack, and do so regularly (eg once per month) in future.
(5) Check to see if any new and unauthorised users have been created within your account that may have access to FTP for example, and delete them.
(6) Do not - repeat do not - store your passwords for FTP, SSH etc on your computer anywhere.
(7) If you can do so (depends on your host) only allow access to FTP, SSH, or your web-based site control panel etc from IP address ranges that match yours (eg the IP range of your ISP).

etc etc.

Just out of curiosity. Are you actually infected with the Trojan mentioned in that link you posted?