step57 hack was the problem
thanks for the suggestions.
All my cpanel administered hosted sites were attacked by the step57 malicious script. More (but not complete) info on step57 can be found at http://ebiz-iq.com/moodle/mod/forum/discuss.php?d=110 or just google step57.
Apparently step57 is a cpanel hack that then allows any writeable file (777, 666) to have iframes inserted and saved. They will then attempt to redirect the user to the step57 site from where other malware can attack the user's computer.
To remove step57 from esyndicat I did the following:
1) download a complete backup of all the website files to your local machine.
2) use a program that can search all files - I use BBEdit - and search for 'step57'
3) note the file names and paths
4) go back to your server and edit the files removing the iframes
5) the files will have had permissions such as 666 or 777 - change to 644 or 755 (**NOTE** see below)
Apparently there is little that can be done to prevent reinfection until cpanel change their code - HOWEVER ...
In my instance there were 4 infected files
All these files had permissions of 777
I have changed to 755
I think that the 777 permissions were set like this out of the box?
I have not tested esyndicat yet to see if it operates correctly with them set to 755?
Anyway - perhaps the esyndicat dev team could examine the required permissions and advise or patch?
Any files in any scripted solution that have to have 777 or 666 will be vulnerable to step57 until cpanel fix their problem.
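Steps 2 to 5 above can be done from a shell on the server instead of by hand. The script below is an added example, not the poster's or esyndicat's code; the marker string and the sample site tree it builds are constructed assumptions, and the iframe-stripping pattern assumes the injected tag sits on a single line.

```shell
#!/bin/sh
# Added example: sweep a site tree for the injected marker in writeable files,
# strip the iframe tag (keeping a .bak copy), then tighten permissions.
MARKER='step57'   # assumed marker; use whatever string your search turned up

# scan_tree DIR: list regular files under DIR that are group- or
# world-writeable (666/777 style) AND contain the marker.
scan_tree() {
  find "$1" -type f \( -perm -g+w -o -perm -o+w \) 2>/dev/null |
  while IFS= read -r f; do
    grep -q -- "$MARKER" "$f" && printf '%s\n' "$f"
  done
}

# count_hits DIR: number of files scan_tree reports.
count_hits() { scan_tree "$1" | wc -l | tr -d ' '; }

# clean_file FILE: keep FILE.bak, then delete single-line <iframe ...> tags
# whose attributes mention the marker. Anything else still needs a manual look.
clean_file() {
  cp -p "$1" "$1.bak"
  sed "s#<iframe[^>]*$MARKER[^>]*>[^<]*</iframe>##g" "$1.bak" > "$1"
}

# harden_tree DIR: drop group/other write bits on every entry under DIR
# (777 -> 755, 666 -> 644), i.e. step 5 of the cleanup.
harden_tree() {
  find "$1" \( -perm -g+w -o -perm -o+w \) -exec chmod go-w {} +
}

# count_writable DIR: group/other-writeable entries still present under DIR.
count_writable() {
  find "$1" \( -perm -g+w -o -perm -o+w \) | wc -l | tr -d ' '
}

# make_sample DIR: constructed site tree with one clean and one injected file.
make_sample() {
  mkdir -p "$1/templates" "$1/cache"
  printf '<html><body>clean</body></html>\n' > "$1/templates/index.tpl"
  printf '<p>hi</p><iframe src="http://%s.invalid/" width=0 height=0></iframe>\n' \
    "$MARKER" > "$1/cache/page.html"
  chmod 644 "$1/templates/index.tpl"
  chmod 666 "$1/cache/page.html"
  chmod 777 "$1/cache"
}
```

Run scan_tree against a backup copy first, review each hit, and only then run clean_file and harden_tree on the live tree; the .bak copies keep the evidence of what was injected.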