vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Malware Issue (https://vborg.vbsupport.ru/showthread.php?t=306083)

aspen1018 12-20-2013 01:01 AM
Malware Issue
 
Chrome is giving a warning that my site is infected with malware. Anybody have any experience with cleaning this up?

ForceHSS 12-20-2013 01:02 AM
Link to site

aspen1018 12-20-2013 01:14 AM
<a href="http://www.vspotlounge.com/forums/forum.php" target="_blank">www.vspotlounge.com/forums/forum.php</a>

Max Taxable 12-20-2013 01:22 AM
Here's what Google says about it:
Quote:
Safe Browsing
Diagnostic page for vspotlounge.com/forums

What is the current listing status for vspotlounge.com/forums?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 3 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 107 pages we tested on the site over the past 90 days, 99 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-11-20, and the last time suspicious content was found on this site was on 2013-11-04.

Malicious software is hosted on 1 domain(s), including llamaralac1975.tk/.

This site was hosted on 1 network(s) including AS26496 (26496-GO-DADDY-COM-LLC).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, vspotlounge.com/forums appeared to function as an intermediary for the infection of 6 site(s) including bullrunrally.com/, thepicsorbs.com/, uberbets.com/.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
Firefox alerted on it as well.

Here's what all your home page is loading:

http://www.webpagetest.org/result/131220_7B_2Z0/

Items 37 and 38 aren't familiar to me, are they to you? Item #4 is a XML application, looks suspicious but renders a 404.

ForceHSS 12-20-2013 01:38 AM
<a href="http://sitecheck.sucuri.net/results/www.vspotlounge.com/forums/forum.php" target="_blank">http://sitecheck.sucuri.net/results/...rums/forum.php</a>

aspen1018 12-20-2013 02:29 PM
Quote:
Originally Posted by ForceHSS (Post 2469626)

Thank you.

I check those specific pages and couldn't find the code in there

--------------- Added [DATE]1387553465[/DATE] at [TIME]1387553465[/TIME] ---------------

Quote:
Originally Posted by Max Taxable (Post 2469620)
Items 37 and 38 aren't familiar to me, are they to you? Item #4 is a XML application, looks suspicious but renders a 404.

No they are not. Have no idea how to clean that up though

Max Taxable 12-20-2013 02:35 PM
Quote:
Originally Posted by aspen1018 (Post 2469691)
No they are not. Have no idea how to clean that up though
Those ARE the malware, as a closer look at the request reveals:
Quote:
GET /tmp/api.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.vspotlounge.com/forums/forum.php
Accept-Language: en-US
X-Download-Initiator: html="doc 0C40 win AAA0; html frame appendChild"
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) PTST/153
Accept-Encoding: gzip, deflate
Host: finansecity.pl
DNT: 1
Connection: Keep-Alive
And appear to be in /tmp/api.php

The second one is in a different location:
Quote:
GET /tmp/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.vspotlounge.com/forums/forum.php
Accept-Language: en-US
X-Download-Initiator: html="doc 0C40 win AAA0; html frame appendChild"
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) PTST/153
Accept-Encoding: gzip, deflate
Host: finansecity.pl
DNT: 1
Connection: Keep-Alive
These files are not part of vBulletin. I think your board has been hacked and you should follow all the protocols for cleaning it.

tbworld 12-20-2013 02:59 PM
This is known malware, I have seen it several times before and it is in my library of exploits. Use the standard vBulletin recommendations for eliminating an intrusion. It will work if you follow each step carefully.

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:
http://www.vbulletin.com/forum/forum...-1-vbulletin-5
http://www.vbulletin.com/forum/forum...d-all-versions


All times are GMT. The time now is 07:07 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01000 seconds
  • Memory Usage 1,736KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (6)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (8)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete