vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
#1  08-05-2011, 05:57 PM  eshrink (Join Date: Aug 2006; Posts: 36)

More Fun and Games to be Certain I Never Get Bored

I logged onto my homepage (a vBulletin 4.15PL1 CMS), and Microsoft Security Essentials warned that MY site had infected me with:

Trojan:JS/Iframeinject.M

It infects me (and anyone else) who goes to the site at http://www.mywebsite.com.

If you go to http://www.mywebsite.com/forums/index.php, this does not occur nor does it for the blog etc.

I looked at .htaccess but there is nothing pointing.

The name of the trojan sounds as though it has injected its nastiness via iFrame.

Anyone have suggestions as to finding how this is being done? I have not used M$ Security Essentials prior to today, after removing Norton's Internet Security. Thus, Norton's may have missed it (unlikely) or it was introduced between deleting Norton's and adding Security Essentials.
#2  08-05-2011, 08:04 PM  Spyike (Join Date: Nov 2010; Posts: 82)

The antivirus is most likely not a "false positive" if it's an iframe injectable...

Does MS Security essentials show you the link/script that you are being directed to?

You are going to need to find the link in one of your templates / raw files and get rid of it. If it's in a raw file, your FTP/cPanel details are most likely compromised. A template/style edit would mean an administrator account is/was compromised.
#3  08-05-2011, 08:30 PM  eshrink (Join Date: Aug 2006; Posts: 36)

It appears on any computer running M$ Internet Security Essentials. I understand the concept of false positive, and it is hard to conceive that Microsoft A/V would detect something that an updated Norton's does not (I do not have NOD32 installed so cannot check).

I had not posted my site since I did not want any member here going to it and becoming infected.

Those who wish to try (forewarned) can try these two links... one activates the trojan and the second does not.

http://www.psychological.com

http://www.psychological.com/forums/index.php

Again, please have Microsoft Security Essentials installed if you want to look at it.
#4  08-05-2011, 11:25 PM  setishock (Join Date: Feb 2008; Location: Houma, La.; Posts: 1,177)

If you only see it with M$ junk then it's a false positive. I would believe you actually have a problem if NOD picks up on it and it can be verified by someone else running a different AV.
But if you have to install that M$ garbage to get infected, it's either using that for the trigger or it's a false positive.
#5  08-05-2011, 11:38 PM  eshrink (Join Date: Aug 2006; Posts: 36)

Spyike

No, it does not provide details as to what is being executed, just the name of the Trojan, which a Google search indicates has changed its name as it propagates across the internet.

This came on the heels of a very rear attack of the site which was being used to spam others. It took input from this forum and some aggressive work by the webhost to get rid of it.

However, it appears that immediately this new Trojan emerged,

If it is injected into iFrame, I do not know how to remove it.
#6  08-08-2011, 08:38 PM  eshrink (Join Date: Aug 2006; Posts: 36)

I wanted to update those who had an interest in the trojan reported on my vBulletin installation only by Microsoft Security Essentials.

NOD32 did not see it nor did Norton's.

There was speculation that it was a false positive.

However, my web hosting company found a malicious script injected in *many* index.html files on my site and malicious scripts injected into vBulletin files.

Even after removing them, a final (we hope) one more emerged where we had not previously looked.

We found a date of occurrence which made the search a little easier.

The code inserted was lengthy.

I would suspect that this is a unique situation where security essentials found a problem that others could not. Interestingly, the only reason I loaded Security Essentials was annoyance with how Norton's was slowing my system. It was pure coincidence that the trojan was found.

Thank you for the input and perhaps this will be a heads up for others.
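Post #6 describes how the host located the injected code: searching the site's index.html and vBulletin files for the malicious script and narrowing the search by the date the compromise occurred. As an added illustration (not code from the thread, the poster's host, or vBulletin), the Python scanner below walks a web root for hidden-iframe and obfuscated-script patterns in .html/.php/.js files, with an optional modification-date cutoff; the sample pages and the `example.invalid` host in them are constructed, and the patterns are generic heuristics, not signatures for this specific trojan.

```python
import os
import re
import tempfile
from datetime import datetime
# Patterns typical of drive-by iframe injections: an iframe made invisible,
# or obfuscated script that decodes and writes markup at page load.
INJECTION_PATTERNS = [
    re.compile(r'<iframe[^>]*(?:width\s*=\s*["\']?0\b|height\s*=\s*["\']?0\b'
               r'|display\s*:\s*none|visibility\s*:\s*hidden)', re.I),
    re.compile(r'(?:eval|document\.write)\s*\(\s*unescape\s*\(', re.I),
]
SCAN_EXTENSIONS = {'.html', '.htm', '.php', '.js'}

def find_injections(text):
    hits = []  # (line number, matched snippet) per suspicious line
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in INJECTION_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((lineno, m.group(0)[:80]))
    return hits

def scan_tree(root, since=None):
    """Return {relative path: hits}; with `since` (a datetime), skip files last modified before it."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            if since and datetime.fromtimestamp(os.path.getmtime(path)) < since:
                continue
            with open(path, encoding='utf-8', errors='replace') as fh:
                hits = find_injections(fh.read())
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, '/')] = hits
    return findings

# Constructed samples: site root page with a hidden iframe, clean forum page.
INFECTED_PAGE = ('<html><body><p>Welcome</p>\n<iframe src="http://example.invalid/x"'
                 ' width="0" height="0"></iframe>\n</body></html>\n')
CLEAN_PAGE = "<?php echo 'ok'; ?>\n<html><body><p>Forum</p></body></html>\n"

def demo():
    # Write the constructed samples into a temp dir and scan it (no real site touched).
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, 'forums'))
    for rel, text in (('index.html', INFECTED_PAGE), ('forums/index.php', CLEAN_PAGE)):
        with open(os.path.join(root, rel), 'w') as fh:
            fh.write(text)
    return scan_tree(root)
```

Running `scan_tree` over a real web root with `since` set to the known compromise date reproduces the host's narrowed search; any hit still needs manual review, since the patterns are heuristics.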