Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 08-05-2011, 05:57 PM
eshrink eshrink is offline
 
Join Date: Aug 2006
Posts: 36
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default More Fun and Games to be Certain I Never Get Bored

I logged onto my homepage (a vBulletin 4.15PL1 CMS), and Microsoft Security Essentials warned that MY site had infected me with:

Trojan:JS/Iframeinject.M

It infects me (and anyone else) who goes to the site at http://www.mywebsite.com.

If you go to http://www.mywebsite.com/forums/index.php, this does not occur nor does it for the blog etc.

I looked at .htaccess but there is nothing pointing.

The name of the trojan sounds as though it has injected its nastiness via iFrame.

Anyone have suggestions as to finding how this is being done. I have not used M$ Security Essentials prior to today after removing Norton's Internet Security. Thus, Norton's may have missed it (unlikely) or it was introduced between deleting Norton's and adding Security Essentials.
Reply With Quote
  #2  
Old 08-05-2011, 08:04 PM
Spyike Spyike is offline
 
Join Date: Nov 2010
Posts: 82
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

The antivirus is most likely not a "false-positive" if its an iframe injectable...

Does MS Security essentials show you the link/script that you are being directed to?

You are going to need to find the link in one of your templates / raw files and get rid of it. If its in a raw file, your FTP/cPanel details are most likely compromised. A template/style edit would mean an administrator account is/was compromised.
Reply With Quote
  #3  
Old 08-05-2011, 08:30 PM
eshrink eshrink is offline
 
Join Date: Aug 2006
Posts: 36
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

It appears on any computer running M$ Internet Security Essentials. I understand the concept of false positive, and it is hard to conceive that Microsoft A/V would detect something that an updated Norton's does not (I do not have NOD32 installed so cannot check).

I had not posted my site since I did not want any member here going to it and becoming infected.

Those who with to try (forewarned) can try these two links...one activates the trojan and the second does not.

http://www.psychological.com

http://www.psychological.com/forums/index.php

Again, please have Microsoft Security Essentials installed if you want to look at it.
Reply With Quote
  #4  
Old 08-05-2011, 11:25 PM
setishock setishock is offline
 
Join Date: Feb 2008
Location: Houma, La.
Posts: 1,177
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

If you only see it with M$ junk then it's a false positive. I would believe you actually have a problem if NOD picks up on it and can be verified by some one else running a different AV.
But if you have to install that M$ garbage to get infected, it's either using that for the trigger or it's a false positive.
Reply With Quote
  #5  
Old 08-05-2011, 11:38 PM
eshrink eshrink is offline
 
Join Date: Aug 2006
Posts: 36
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

SpyIke

No, it does not provide details as to what is being executed, just the name of the Trojan which a Google search indicates has change its name as it propagates across the internet.

This came on the heels of a very rear attack of the site which was being used to spam others. It took input from this forum and some aggressive work by the webhost to get rid of it.

However, it appears that immediately this new Trojan emerged,

If it is injected into iFrame, I do not know how to remove it.
Reply With Quote
  #6  
Old 08-08-2011, 08:38 PM
eshrink eshrink is offline
 
Join Date: Aug 2006
Posts: 36
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I wanted to update those who had an interest in the trojan reported on my vBulletin installation only by Microsoft Security Essentials.

NOD32 did not see it nor did Norton's.

There was speculation that it was a false positive.

However, my web hosting company found a malicious script injected in *many* indel.html files on my site and malicious scripts injected into vBulletin files.

Even after removing them, a final (we hope) one more emerged where we had not previously looked.

We found a date of occurrence which made the search a little easier.

The code inserted was lenthy.

I would suspect that this is a unique situation where security essentials found a problem that others could not. Interestingly, the only reason I loaded Security Essentials was annoyance with how Norton's was slowing my system. It was pure coincidence that the trojan was found.

Thank you for the input and perhaps this will be a heads up for others.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 04:05 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04043 seconds
  • Memory Usage 2,205KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (6)post_thanks_box
  • (6)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (6)post_thanks_postbit_info
  • (6)postbit
  • (6)postbit_onlinestatus
  • (6)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete