Announcement

**Wayne Luke** · Tue 13 Dec '11, 1:33pm

Look, there are several ways that a website can be infected or hacked.

1) Improper Security. Things like using Pop3, CPanel and FTP with out encyryption or SSL are examples of improper security.

2) Server Root Kits. The primary infection is on the server. This infection looks for specific files and passes the infection on.

3) Software faults.

Within each of these there are different ways to pass infection. Once someone gets access to a site, they can implement backdoors and other mechanisms to regaind control, even if you fix the original source of infection. So we need to determine which one it is and where the infection is coming from and how to inoculate from it. Otherwise you will be back here week after week with a reoccurring issue.

Read:
https://www.vbulletin.com/forum/show...ms-More-Secure
https://www.vbulletin.com/docs/html/securing_vbulletin

**Steve038** · Tue 13 Dec '11, 2:05pm

Originally posted by Wayne Luke View Post

https://members.vbulletin.com/

Thanks Wayne, my customer number info is on my other pc, which is having its virus removed. I hope someone else on here can set up a support ticket so this hacker can be stopped?

**HeLLRZR** · Tue 13 Dec '11, 2:30pm

Can someone please explain this to me...

Why is a user running avast seeing this virus/maleware alert and another running another anti-virus not seeing it?

As explained above I am running Microsoft security essentials and dont see any alerts on my site nor everyone else that is reporting these alerts?

Can this be simply something associated with AVAST?

**Wayne Luke** · Tue 13 Dec '11, 2:37pm

Originally posted by HeLLRZR View Post

Can someone please explain this to me...

Why is a user running avast seeing this virus/maleware alert and another running another anti-virus not seeing it?

As explained above I am running Microsoft security essentials and dont see any alerts on my site nor everyone else that is reporting these alerts?

Can this be simply something associated with AVAST?

Could be a false positive with AVAST. Doesn't explain popups unless AVAST is including that in its alert.

**HeLLRZR** · Tue 13 Dec '11, 2:40pm

I opened a support ticket, btw I my website doesn't get pop-ups, thus far only AVAST users are reporting this alert.

**Steve038** · Tue 13 Dec '11, 2:42pm

I was running AVG when this started happening, and the kokosina name was appearing as my site was opening on each page. It was only after my pc was struck with a virus I switched to Avast, as I'd heard good things about this system.

**Maurd** · Tue 13 Dec '11, 2:45pm

Well the Kokosina.in domain appears to be hosted with BurstNET.

If anyone has the proper documentation (logs, etc) it would probably be wise to contact their abuse department: http://burst.net/contact.shtml + http://whois.domaintools.com/46.37.184.227 so that the main contender can be taken down for a while. Even though this particular IP resolves to the UK, BurstNET is headquartered in the US.

**J3rico** · Tue 13 Dec '11, 10:05pm

Originally posted by HeLLRZR View Post

Can someone please explain this to me...

Why is a user running avast seeing this virus/maleware alert and another running another anti-virus not seeing it?

As explained above I am running Microsoft security essentials and dont see any alerts on my site nor everyone else that is reporting these alerts?

Can this be simply something associated with AVAST?

Hi HeLLRZR, in my forum the problem was detected by three anti-virus, in chronological order :
- AVG
- Kapersky
- Avast
I don't think is a false positive, but an injection.

What browser you use and what version? Yesterday me and another admin of my forum have updated FF to version 8.0.1 and the problem disappeared, maybe it was deleted a cookie. I don't think the problem is the browser.

Ps : Happy Birthday Wayne Luke !!

**Colchesterhunter** · Wed 14 Dec '11, 2:21am

Hi Guys,

I reported this problem to my hosting company and they sent a reply that is not true. I did a test with my forum users around the globe.

Guy in Chicago using Avast gets warning on main PC, using his laptop with Norton no warning
Guys in California get no warning using Kapersky but others in Canada using exactly version of Kapersky do.

My Hosting company Fastnet with support in Asia get the warning

Yesterday I overwrote connection-min.js with a fresh one I downloaded and the pop ups they were getting have disappeared. I have changed all my FTP passwords, admin passwords etc to really secure ones.

Try my site and see if you get any pop ups on it now

http://www.colchestertreasurehunting.co.uk/detecting/

**Colchesterhunter** · Wed 14 Dec '11, 6:45am

Interersting, guys are not getting up the first pop up but now reporting a new one.

Norton blocked a Web attack this morning from Exploit Kit Variant II.

Web Attack: Exploit Kit Variant 2
Severity: HighThis attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.DescriptionThis signature detect attempts to download exploits from a malicious toolkit which may compromise a computer through various vendor vulnerabilities.Additional InformationMalicious toolkits contain various exploits bundled into a single package.Victim on visiting the malicious server hosting exploit toolkit is attacked with several different exploits exploiting different vulnerabilities one by one.Exploits may include MDAC,PDF,HCP etc. AffectedVarious Browsers.
ResponseNo further action is required but you may wish to perform some of the following actions as a precautionary measure.
• Run the Norton Power Eraser. (home users)
• Run the Symantec Power Eraser. (business users)
• Update your product definitions and perform a full system scan.
• Identify suspicious files.
• Submit suspicious files to Symantec for analysis.

If you believe that the signature is reported erroneously, please read the following:
• Change the behavior of Symantec IPS signatures.
• Report a potential false positive to Symantec.Additional ReferencesCVE-2009-4324
SecurityFocus BID: 37331

**Wayne Luke** · Wed 14 Dec '11, 7:48am

See: https://www.vbulletin.com/forum/show...=1#post2243573

**Steve038** · Wed 14 Dec '11, 10:35am

Originally posted by Wayne Luke View Post

1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

2) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

3) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

4) Check your plugins for any base64 code. I recommend using against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

5) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

Query for step 4 and 5 -
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

6) Run this query:
SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

As in 1), how do I "Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons". ?

**Wayne Luke** · Wed 14 Dec '11, 10:56am

Originally posted by Steve038 View Post

As in 1), how do I "Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons". ?

using your FTP client or whatever tool you use to manage files on your server.

If you don't have an FTP client, I recommend Filezilla. Runs on Windows, Mac and Linux and doesn't cost anything.
http://filezilla-project.org/

**Steve038** · Wed 14 Dec '11, 10:57am

Thanks Wayne.

**palmpedia** · Wed 14 Dec '11, 3:18pm

I can confirm most of everything said above.

Some users report warnings, others do not. I installed Kaspersky just to confirm the warnings, and I get none. In fact, I can get no warnings no matter what I do. But I do see a "Connecting to Kokosina.in when loading pages - including AdminCP.

And I can also confirm - someone reported the "Exploit Kit Variant II" warning this morning. I have submitted a ticket, but have yet to receive a response.

I can also add that I screen my users very carefully - extremely carefully - and I haven't even admitted any in the last two days. So this exploit is probably getting in somehow other than as a user. I wish there was more info about this.

vBulletin 4 End of Life

Announcement

Kokosina.in - Anyone Else Getting This?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Related Topics