moneymic313

When I check the properties of the dhh.swf file.. it says the below.. ftp://dhh@ftp.detroithiphop.com/httpdocs/images/mainpage/dhh.swf Does this mean that it is automatically uploading thru FTP?? So to me that would mean that it isnt taking place physically on the server..

Glad you find humor in this BM... But it is actually quite serious.. It recreated the file and replaced my blank file... The redirect is back again.. BM do you have a solution that might help me fix this?????????????????????????????

For now I just edited the dhh.swf and blanked it out and put it back in its place and it is not redirecting anymore.. Hopefully the code will see that the file is in place and not update or replace it. This will have to work until I find the source of the issue..

FYI... Even after I delete dhh.swf some sort of code is recreating the same file in the same place...

And again.. Thank you to all who took the time to assist me with this.. I know it got off the php subject for a minute but thanks again for your help...

I just found it... It was hidden as a protected operating system file.. So I have deleted the back door php file from the server.. deleted the dhh.swf file from the server and I am going to change my passwords right now.. I guess we can see if this all works.. If not there has got to be some sore of script recreating this file...

Yes but it is not physically there anymore.. I have looked 10 times thinking I am over looking it but it is not there... There is no dhh.swf file viewable in the images/mainpage/  hmm.. I have already removed it once but the first time I saw it plain as day.. Now it is not visible.. I would never post the contents.. but do you think the backdoor file might have been how they were getting in??? I intend to change all passwords...

I searched thru every folder and I did find a file called r57.php and when I copied it down to examine it my pc removed a virus called the PHP.RSTBackdoor. Here is Symantec's description of the threat.. "Opens a back door that allows the attacker to have unauthorized remote access to the compromised computer" but I still havent found the file that is redirecting them back to that damn site...

Actually I move it up directly thru windows Explorer.... and log into the ftp like that..

yes it is back.. But there is no file that I see similar to the dhh.swf that was created before... I am still looking but I dont see any .swf file that is new... So I just redirected the intro page to point to a different page until I figure this out...

Thank you everyone who helped with this... Honestly that was a fabricated .swf file that I did not even create or use.. So is this just changing and making my login info different and harder to figure out or is it more than that..?? Unfortunately though there is another issue on my side.. All of the links in my links section have been changed to the same url www.churchofsatan.com.. This is obviously a little different issue that I am sure is not quite as easy to fix... If anyone has any suggestions on that as well please let me know.. Once again thank you all..

how do I view .swf in hex view???

i replaced the aindex.php with a blank file and nothing happened.. No redirect.. So it is in the aindex.php I assume???

fyi I actually renamed an old aindex.php file from a few months ago to the main aindex.php and replaced it and it still redirected me.. I did a search on the entire aindex.php file for satan and churchofsatan and www.churchofsatan.com and nothing showed up..

That is the problem ... not sure where this is coming from.. it is nowhere to be found on my aindex.php file.. Please advise.. MM