Thread: Site Contains Virus? Solution?
View Single Post
  #11  
Old 01-02-2012, 09:03 PM
ppgear ppgear is offline
 
Join Date: Feb 2010
Posts: 4
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I have some of the same extra files as you:
blog_search.php
commons.php
coms.php
jquery.php

But not the HTML files you have.

I'm still having trouble though. I followed the steps suggested:

1. Suspect File Versions. Done, found those extra PHP files above and renamed them.
2. Disabled all plugins (only VBseo)
3. Exported the database, searched the SQL for the offending domain names and IP addresses. None found.
4. Searched through my files for the domain names and IP addresses. None found. (Is it possible that it's encrypted in the files somehow so a search wouldn't find it?)
5. I don't have ads running, so that's not a problem.

Just wondering, do web servers cache files? So if I make a change and refresh (delete my own browser cache first), and I still get virus issues, is it possible the change DID work, except the server has it cached temporarily?

--------------- Added [DATE]1325542075[/DATE] at [TIME]1325542075[/TIME] ---------------

By the way, I found the offending domains/IPs by using Firefox/FireBug, in the "Net" tab it shows all the files requested, and there I saw some files being requested from other domains:

URL, Status, Domain, Size, Remote IP
GET http://44444vvvvv.mefound.com/dng311...cfc3b06a/0.php, 302 Found, 44444vvvvv.mefound.com, 20 B, 95.163.89.230:80
GET http://44444vvvvv.mefound.com/dng311...c3b06a/spl.php, 302 Found, 44444vvvvv.mefound.com, 20 B, 95.163.89.230:80
GET http://kokosina.in/t/go.php?sid=5, 302 Found, kokosina.in, 20 B, 46.37.184.227:80

These are the domains/IPs I searched for in the SQL and in the files. I also spotted those PHP files as weird because they had recent "modified" dates whereas the original files were untouched.
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.03163 seconds
  • Memory Usage 1,766KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete