Announcement

Collapse
No announcement yet.

Virus or Maleware URL?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • [CMS] Virus or Maleware URL?

    Several user are reporting that there anti-virus is reporting the following virus or malware when accessing our website, any ideas?

    URL: http://kokosina.in/t/go.php?sid
    processus: file://C:\Program Files (x86)\Internet E...
    infection: al

    When I access the website, my anti-virus doesn't report a problem, confused...

    Thanks,

  • #2
    you have been hacked, my limited knowledge has found a couple .js scripts in the clientscripts directory which allow a hacker remote access to my webserver. renamed my home directory, downloaded latest version and unzipped to a new clean home directory, ran the upgrade script and restored my smilies and .gif's and all seems to be clean now.

    not sure what vulnerability theiry using that allows them to drop the .js scripts but the ones i found were a connection.js and a yui.1.30.js or something to that effect

    Starting to get really annoyed at getting hacked all the time, I've updated to the latest Vbulletin version 3 times in the last three months (always the most current) just to remove active hacks from my forum home directory

    Steve

    Comment


    • #3
      We don't know how to fix the issue or what the attack vector is at this time. I keep asking people to open a support ticket so we can investigate. Until someone does, we can't tell you how your forum was infected. Until then try these methods here to clear it:

      1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

      2) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

      3) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

      4) Check your plugins for any base64 code. I recommend using against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

      5) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

      Query for step 4 and 5 -
      SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

      6) Run this query:
      SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';
      Translations provided by Google.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API

      Comment


      • #4
        Originally posted by stevieg View Post
        you have been hacked, my limited knowledge has found a couple .js scripts in the clientscripts directory which allow a hacker remote access to my webserver. renamed my home directory, downloaded latest version and unzipped to a new clean home directory, ran the upgrade script and restored my smilies and .gif's and all seems to be clean now.

        not sure what vulnerability theiry using that allows them to drop the .js scripts but the ones i found were a connection.js and a yui.1.30.js or something to that effect

        Starting to get really annoyed at getting hacked all the time, I've updated to the latest Vbulletin version 3 times in the last three months (always the most current) just to remove active hacks from my forum home directory

        Steve
        Depends on which of your sites is being exploited. One is woefully out of date. For the other, load the YUI files off either Google's or Yahoo's servers. Settings -> Options -> Server Settings & Optimization Options -> Use Remote YUI. Though if you're on the latest version, there is probably another vector and they just use those files for their compromises.
        Translations provided by Google.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API

        Comment


        • #5
          It was the dorikaze.net domain that got hit, the end result was an infection with privacy.exe malware.

          I'm not sure how they're getting in yet or even how to make sure it's gone (temporarily or permanently) because I only get the message on one of 6 computers, all the others are not showing the symptom. I did notice that java was starting in the tray icon so they're definitely using java to push the malware attack

          Not sure how they're dropping the initial .js code into the clientscripts directory in the first place tho

          Comment


          • #6
            I've been hit as well. Will be sending a ticket.

            Comment


            • #7
              Seems to be some sort of exploit that is writing to the connection-min.js file within the clientscript/yui/connection folder. vBulletin doesn't have any native functions that write to this directory.

              You should replace this file and contact your hosting provider to see if you can CHMOD your files to 0644. If you can, you should update the permissions on all your .js, php, html and xml files to this permission setting. You can also set the system to load the YUI files from a Remote Server under Settings -> Options -> Server Settings and Optimization Options.

              You will also need to verify that you don't have any strange plugins that allow system access. This is covered in my list above under steps 4 and 5.

              Also see: https://www.vbulletin.com/forum/show...ms-More-Secure
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API

              Comment


              • #8
                Originally posted by HeLLRZR View Post
                Several user are reporting that there anti-virus is reporting the following virus or malware when accessing our website, any ideas?
                I am getting this exact attack right now.

                Originally posted by Wayne Luke View Post
                Seems to be some sort of exploit that is writing to the connection-min.js file within the clientscript/yui/connection folder. vBulletin doesn't have any native functions that write to this directory.

                You should replace this file and contact your hosting provider to see if you can CHMOD your files to 0644. If you can, you should update the permissions on all your .js, php, html and xml files to this permission setting. You can also set the system to load the YUI files from a Remote Server under Settings -> Options -> Server Settings and Optimization Options.

                You will also need to verify that you don't have any strange plugins that allow system access. This is covered in my list above under steps 4 and 5.

                Also see: https://www.vbulletin.com/forum/show...ms-More-Secure
                Okay, I replaced that file and as far as I can tell, all my files are already at 644 CHMOD. I am no longer getting that attack from the forums themselves...but when I log into the admincp I still get it.

                Comment


                • #9
                  Originally posted by IceFanatic View Post
                  Okay, I replaced that file and as far as I can tell, all my files are already at 644 CHMOD. I am no longer getting that attack from the forums themselves...but when I log into the admincp I still get it.
                  Same problem. In the forums I'm fine but in admincp I'm still getting it.

                  Comment


                  • #10
                    Same here - I used the suggested Remote YUI setting and it appears as if the warnings have ceased for users, but I see the connection to kokosina.in is still being attempted when I access the AdminCP --- Not a very comforting feeling.

                    Comment


                    • #11
                      Re-upload all the vbulletin files to your forum directory

                      Comment


                      • #12
                        I've been hit as well.

                        Someone accessed the control panel using the Administrator user name 6 times in Oct and 1 time in Nov, each time updating, uploading, etc different plug ins (that aren't there anymore...not sure where/why).

                        Oh, and the Administrator password has been changed
                        New Mexico Offroad

                        Comment


                        • #13
                          How do you know if you've been hit? And what hosts are you guys using?
                          Jason Craig – Partner
                          Wet Coast Sports LTD
                          Fishing Reviews TVBC Fishing ReportsFly Fish BCFly Tying Bug

                          Comment


                          • #14
                            Originally posted by abqtj View Post
                            I've been hit as well.

                            Someone accessed the control panel using the Administrator user name 6 times in Oct and 1 time in Nov, each time updating, uploading, etc different plug ins (that aren't there anymore...not sure where/why).

                            Oh, and the Administrator password has been changed
                            Then you most likely have a backdoor installed somewhere. If the steps above don't point out the issue and let you solve it then you need to open your own thread or open a support ticket.
                            Translations provided by Google.

                            Wayne Luke
                            The Rabid Badger - a vBulletin Cloud demonstration site.
                            vBulletin 5 API

                            Comment


                            • #15
                              I opened a support ticket, mentioned the admin password part, and it wasn't addressed.
                              New Mexico Offroad

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X