Topsite Server Exploit

  • July 26, 2009 by Mark Artyniuk
UPDATE: August 6 - The topsite server has once again suffered an attack.  Same as last time, malicious script has been added to the end of several files.  Namely index and wrapper, but other skin files may also be affected.  Please check your sites and remove any injected code.


It has come to our attention that several files on the topsite server have been appended with malicious code.  It is VERY important that you take a moment and review your index.php and index.html files immediately.  At the end of the file you might see a long line of script that needs to be deleted manually.  It is also possible that the entire contents of your index file has been duplicated, causing the page to appear to load twice, or give you a PHP error message.

It is also worth looking at any files that have to do with admin, login, and join process.

For Aardvark Topsite installations these files seem to be targetted:
-index.* (all index files index.htm, index.html,index.php)
-skins/yourskin/*.html

For all other types of scripts check all files, or restore a backup.

IF firefox / Google are reporting your site as a possible "Attack Site" you need to immediately remove any injected code and contact google asking for a site review.  They are VERY fast to block your site and we can only hope they are just as eager to re-check. You can request a re-check of your website here: http://www.google.com/webmasters/tools/

The security team is still looking for the source of this exploit to ensure this does not happen again.  If you have any questions, or need any help do not hesitate to open a support ticket.