MyBB Community Forums

MyBB Community Forums > Community Archive > Archived Forums > Archived Development and Support > MyBB 1.6 > 1.6 General Support > Malware link is injected into all ACP pages
Full Version: Malware link is injected into all ACP pages
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

newprouser

2011-10-02, 02:20 PM
Hi,

Recently when i logged into my site's ACP, Avast blocked a URL with malicious link. On further inspection of the ACP page source, I found that a malware site's link is injected and this happens for all ACP pages.

- All the user (front) end pages are not affected by this issue.
- I checked the MyBB feature of checking changed files. 2 Files were changed (/inc/functions.php & /install/resources/upgrade20.php). The former only had edits i had made for a plug-in and the 2nd did not have anything suspicious.
- Finally, I checked the files with changed last modified date (not foolproof i guess but still...), and came up empty.

Some screenshots for reference :

[attachment=24300]

[attachment=24299]


URL : www.indiachatforum.net
Could anyone suggest how I can find out the source of the malware infection ?

Thanks !

Rukbat

2011-10-02, 07:01 PM
I'd suggest that one "source" is that you didn't remove the /install directory after you finished installing. And where did you get your download? Here or somewhere else?

newprouser

2011-10-03, 07:26 PM
I downloaded the MyBB setup from this site only. As for the install directory, I removed it but the problem still persists Sad

Jason L.

2011-10-03, 07:28 PM
Try replacing the admin directory with a brand new one from a fresh download from the homepage. If that doesn't work...I'm not sure what's gone wrong.

Matt

2011-10-04, 07:45 PM
Check the file system for totally new files, somehow there may be a new file doing it.

webstrome

2011-10-04, 08:05 PM
that antivirus thinks all most all file is virus,lol.

newprouser

2011-10-18, 03:14 PM
Sorry to wake up this old thread , just wanted to say that I got the solution finally after a lot of manual searching !

The malicious code was in the language file for recount page of thank you / like plugin. Nothing wrong with the plug-in as such, that file was infected when it was on my previous host and somehow survived the later clean up. Since I had not enabled until recently, I never faced this issue previously.

Now, I really wish there was some plugin to see if all plug-in files are not modified ! Big Grin

Thanks to all the members who gave their valuable suggestions in this thread.
(2011-10-04, 08:05 PM)webstrome Wrote: [ -> ]that antivirus thinks all most all file is virus,lol.

Well, I have to say - the web shield and network shield have saved me quite a few times.

Rukbat

2011-10-19, 03:35 AM
(2011-10-18, 03:14 PM)newprouser Wrote: [ -> ]Now, I really wish there was some plugin to see if all plug-in files are not modified ! Big Grin

That's not actually doable. There's no 'mark' left on a file when it's modified - the only way to tell is to compare it to an unmodified backup, and no plugin could keep a backup of all plugins ever written (and to be written) to verify them against. Keeping the plugins you download on your own computer, and reuploading them if you need to, is about the best you can do.
MyBB Community Forums > Community Archive > Archived Forums > Archived Development and Support > MyBB 1.6 > 1.6 General Support > Malware link is injected into all ACP pages