Upgraded and got hacked in 2 hours!

  • [Forum] Upgraded and got hacked in 2 hours!

    Yesterday I upgraded to 4.0.4 PL1 and everything went smoothly. In about 2 hours I noticed that the forum's page is blank. I checked the code and in the very end found an alien code linking to a js file hosted on http://pantscow.ru:8080/. I deleted all files (except my images) and uploaded original files on my server. Everything works again. But several members posted that when they go to the forum homepage they get an antivirus alarm that the page is infected. I had Norton and it couldn't detect anything. I installed Avast and it does indeed show an alarm (only on the home page). "Malware blocked. http://www.oregonfishingforum.com/index.php|>{gzip}. Infection: HTML:Script-inf".

    As I understand the infection is not in the code of the page. What is that GZIP thing? Where is it? How to disinfect it? Please help!
    Oregon Fishing Forum

  • #2
    I set to "NO" GZIP HTML output in the options. Didn't help. Still get the message, except this time it's "Malware blocked. http://www.oregonfishingforum.com/index.php. Infection: HTML:Script-inf" instead of http://www.oregonfishingforum.com/index.php|>{gzip}. So it's in one of the files index.php includes? But I re-uploaded all "clean" files. HELP!
    Oregon Fishing Forum



    • #3
      Who says you didn't get hacked on your older board already and because it did not error, you haven't noticed.



      • #4
        Do you allow users to post HTML into any part of your site? If so... then it's in the database, not the files.



        • #5
          Originally posted by Floris
          Who says you didn't get hacked on your older board already and because it did not error, you haven't noticed.
          2 hrs after it was up and running?
          Doubtful but not impossible.
          I would assume at this point there is a shell present?
          Hope you back up often as you should. If not it could take a while to find this problem.
          Sorry to hear you got hacked mate. Makes me worry more and more to be honest.
          FTW Forum <- Home of the damned!



          • #6
            If it was the software, it would be a mass issue...



            • #7
              Originally posted by anthonyparsons
              If it was the software, it would be a mass issue...
              Yep, that's a fair point. Perhaps a mod that became vulnerable in the 4.04 release or something?
              FTW Forum <- Home of the damned!



              • #8
                It doesn't even need to be that... it can be a poorly written mod, it can be that they activated HTML and allowed members to insert HTML into posts, blogs, cms, etc... which then allows for nasty injection to occur, it could be none of the above and simply a low grade server shared hosting environment where someone else on the server is doing something above / running some poorly built software, the hacker gets in via that site's software, then they have access to all sites on the server to run a script or such to get anyone hosted on that specific server.

                It can't be stated enough about having a decent, secure host. You really do get what you pay for. Pay $3 a month, you get $1 a month in value and more than likely hacked at some point.



                • #9
                  Also note that you run an outdated version of vb which has some known security issues. It would be best if you upgraded your forum to the latest version.



                  • #10
                    Originally posted by borbole
                    Also note that you run an outdated version of vb which has some known security issues. It would be best if you upgraded your forum to the latest version.
                    4.0.4 PL1 is outdated?

                    Originally posted by Floris
                    Who says you didn't get hacked on your older board already and because it did not error, you haven't noticed.
                    Common sense. Bunch of my members posted the same day. If it happened earlier they would post earlier.

                    Originally posted by anthonyparsons
                    Do you allow users to post HTML into any part of your site? If so... then it's in the database, not the files.
                    No, HTML is not allowed.

                    Originally posted by anthonyparsons
                    It can't be stated enough about having a decent, secure host. You really do get what you pay for. Pay $3 a month, you get $1 a month in value and more than likely hacked at some point.
                    The forum is on dedicated server.

                    I just wonder why did you guys post? Just to show off? I asked for help. Does anyone who posted above really believe there's help/useful advice in his/her post?
                    Oregon Fishing Forum



                    • #11
                      The question was not how did it happen. The question was how can I fix it. And yes, I don't have a recent db backup.
                      Oregon Fishing Forum



                      • #12
                        From the index.php I deleted 'require('forum.php');' Uploaded on the server and tested - the page is blank & there is no malware notification! It's kinda good.
                        Oregon Fishing Forum



                        • #13
                          In forum.php found these includes: './global.php', '/includes/functions_bigthree.php', '/includes/functions_forumlist.php', '/includes/class_block.php'.
                          When I delete require_once(DIR . '/includes/class_block.php'); the virus alert is still there. When I delete one of the rest - virus alarm gone. It looks like the prob is getting brought by global.php, functions_bigthree.php, or functions_forumlist.php or some/all of them. Uploaded original files - didn't help.
                          Oregon Fishing Forum



                          • #14
                            In global.php deleted require('./includes/class_bootstrap.php'); alert is gone (the page is blank)
                            Oregon Fishing Forum



                            • #15
                              I disabled a plugin that I wrote and the virus alert is gone. Strange, but well, it looks like I solved the problem.
                              Oregon Fishing Forum
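
Added example (not posted by anyone in this thread): the files here were clean and the alert followed the rendered page, so a quicker check than deleting includes one by one is to scan the HTML the server actually sends for script or iframe sources on hosts you do not own, including tags appended after the closing `</html>`. The function name, the allowlisted host and the sample page are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# src attribute of <script>/<iframe> tags: double-quoted, single-quoted or bare.
TAG_SRC = re.compile(
    r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)
HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)


def find_foreign_includes(text, own_hosts):
    """List script/iframe sources whose host is not in own_hosts."""
    own = {h.lower() for h in own_hosts}
    closes = [m.end() for m in HTML_CLOSE.finditer(text)]
    last_close = closes[-1] if closes else None
    findings = []
    for m in TAG_SRC.finditer(text):
        url = next(g for g in m.groups()[1:] if g is not None)
        try:
            host = urlparse(url.strip()).hostname
        except ValueError:
            host = "(unparseable)"  # malformed URL: report it rather than skip it
        if host is None or host.lower() in own:
            continue  # relative URL or a host on the allowlist
        findings.append({
            "tag": m.group(1).lower(),
            "host": host.lower(),
            "url": url,
            "line": text.count("\n", 0, m.start()) + 1,
            # Markup after the final </html> is a common sign of appended code.
            "after_html_close": last_close is not None and m.start() >= last_close,
        })
    return findings


# Constructed sample of a rendered forum home page with one appended tag.
SAMPLE = """<html><head>
<script type="text/javascript" src="clientscript/forum.js"></script>
<script src="http://www.forum.example/clientscript/menu.js"></script>
</head><body>forum home</body></html>
<script src=http://injected.example:8080/x.js></script>
"""

if __name__ == "__main__":
    for f in find_foreign_includes(SAMPLE, {"www.forum.example"}):
        print(f)
```

Run it on the saved output of the page that triggers the alert, once with the suspect plugin enabled and once disabled; the same function works on exported template or plugin text.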
