I have been having a problem with someone exploiting a security hole in MT to upload trojan horse files to my MT blog folder. I've deleted the offending file, but my site's been tagged as an "attack site" by Firefox, and I need to know how to stop this.
I'm using MT 4.21-en. Is there some configuration setting I can change to keep this from happening?
Reported on Movable Type 4.2
Hi jsharf,
Not good. I would do the following:
Get a backup of all entries, comments and templates in your blog. Be sure not to include any of the stuff uploaded by that hacker.
Second, delete everything and reset your server for security (new install, passwords, etc.)
Start with a new install of MT 4.261 (or whatever is the newest version) for security.
Import the backup of your templates and entries and comments.
Now about the "attack site" warning: do you get this warning from the Google Safe Browsing feature of Firefox? Is your website listed as a harmful/malware site if you search for your site on Google?
Then you should contact stopbadware.org to get your site delisted from being flagged a malware site.
If your site is flagged by an anti-virus suite and not by Google Safe Browsing, you should contact the company behind that anti-virus suite to get delisted as an attack site.
Sorry, it surely sounds like a lot of work, but I deem this the only truly safe way to bring your site back up as a safe site for your users. :-(
Chris
It would be useful if you have additional information on how this attack was done. Do you know the attack vector? Maybe raise it as a bug if you don't want to give the info out here.
I only know what the results were.
In the main folder for the blog - not the mt folder, but the root folder for each specific blog - there were new or edited css files. The correct css file is styles.css; the new ones are styles-site.css and styles-site-default.css.
I have downloaded the entire blog archives, and don't see any .htaccess files that have been updated recently, so I don't think that's the problem.
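One way to find the "new or edited" files described in this thread before re-importing a backup, as an added example that is not from any poster or from Movable Type: it compares a blog folder against a known-good copy by SHA-256 hash. The function names, the existence of a known-good copy, and the sample file contents (including the edited index.html) are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each relative file path under root to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:  # blog assets are small; read whole file
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = digest
    return manifest


def audit(known_good_root, live_root):
    """Classify files in the live blog folder against a known-good copy."""
    good = build_manifest(known_good_root)
    live = build_manifest(live_root)
    return {
        "new": sorted(p for p in live if p not in good),
        "edited": sorted(p for p in live if p in good and live[p] != good[p]),
        "missing": sorted(p for p in good if p not in live),
    }


def demo():
    """Constructed sample: file names follow the thread, contents are made up."""
    def write(root, files):
        os.makedirs(root)
        for name, text in files.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(text)

    clean = {"styles.css": "body { margin: 0; }", ".htaccess": "Options -Indexes",
             "index.html": "<h1>My blog</h1>"}
    dirty = {**clean, "index.html": "<h1>My blog</h1><!-- constructed edit -->",
             "styles-site.css": "a {}", "styles-site-default.css": "b {}"}
    with tempfile.TemporaryDirectory() as tmp:
        good, live = os.path.join(tmp, "good"), os.path.join(tmp, "live")
        write(good, clean)
        write(live, dirty)
        return audit(good, live)


if __name__ == "__main__":
    print(demo())
```

A hash comparison catches edits even when modification times look unchanged, which a date check on files such as .htaccess cannot guarantee.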