The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
|||||||
|
#1
01-21-2010, 12:45 AM
|
|||
|
|||
trojan on my site, only sometimes happened (or random)
dear all,
i have weird experience with my site... sometimes the page shown ads page which i dunno where is coming from... and sometimes also contain trojan or something else... if i'm using Mozilla, the page contain ads or trojan can not appear, just appear blank page only with view source like below, but if using Internet Explorer or Opera, the trojan sometimes can shown ads pages which contain virus or asking to download something. and this is the source code appear in Mozilla when the page is blank. Code:
<script type="text/javascript" language="javascript"> var csrtw=new Date( ); csrtw.setTime(csrtw.getTime( )+12*60*60*1000); document.cookie="n\x5fses\x73_id\x3d53d\x312540afaf174fd0466f84\x316\x35af\x65e3 "+"; path=/\x3b ex\x70\151\x72es="+csrtw.toGMTString( ); </script> <script>document.write(String.fromCharCode(59+1,100,105,118,32,115,116,121,108,1 01,61,39,100,105,115,112,108,97,121,58,110,111,110,101,39,62))</script><h1><a href="http://keygenguru.com">serial</a> </h1><a href="http://keygenguru.com">keygen</a> <h1><a href="http://keygenguru.com">crack download</a> </h1>108.162.106.51 <h1><a href="http://www.getcoolmovies.com/movies/countries/usa/avatar/">Avatar movie</a> </h1><h1><a href="http://www.getcoolmovies.com/movies/countries/usa/avatar/">Download Avatar movie</a> </h1>84.126.249.228 <a href="http://keygenguru.com/movies.php">download movies</a> <a href="http://keygenguru.com/movies.php">online movies</a> 24.18.237.19 <h1><a href="http://supersoftwarestore.com">cheap oem software</a> </h1> etc etc etc..... (skipped) h1><a href="http://digg.com/health/Buy_Generic_Viagra_0_89">Buy Generic Viagra no prescription</a> </h1><h1><a href="http://digg.com/health/Buy_Generic_Zithromax_2_06_3">Buy Generic Zithromax no prescription</a> </h1><a href="http://digg.com/health/Buy_Cialis_8_09_3">Buy Cialis online</a> 205.251.177.45 -end of line- the source page shown above is not always like this, sometimes it can be diffrent, thats make me crazy. i've already try to take a look the code (php code) which it seems normal, and nothing to modified where should i check the script or style or whatever container suspicious coding like above? note: this script can load on every page, but not often, just sometimes (maybe random or something else) please help me thanks, topan. 
|
|
#3
01-28-2010, 02:23 AM
|
||||
|
||||
|
check your header and footer templates if its happening on every page
|
|
#4
01-28-2010, 02:37 AM
|
|||
|
|||
|
the problem is not happening in every site (random)
but not always shown the trojan, i've already check the cronjob etc, but still not found where is the script hidden any suggestion maybe? fyi, i've already check code in header and footer, but seems to be normal, thanks for your advice  top.
|
 |
«
Previous Thread
|
Next Thread
»
Linear Mode
|
|
All times are GMT. The time now is 12:36 AM.