MyBB Community Forums

Full Version: Virus in MYBB site help ASAP
(2011-10-13, 03:11 AM) hon0r wrote: No, it's not clean, I guarantee it. Someone has edited the codes too look
We scanned your website with one of the best multi-virus scans for websites; they came up with CLEAN.

Which codes? Please tell me the name of the malicious file. What did your board member scan?

Mine is also popping my members up with virus alerts. I can't find the code but it has happened to me as well. It redirects to random sites only on certain clicks. Like

I go to a post. Click home. It redirects. I go back to that post, click home, and it gets home.

I can't figure it out. My Site is clean according to that scanner and my computer is clean. Need some help.
You have a problem much like the other users with malicious code injected into your site. You need to clean your templates. Can you post your showthread_newreply_closed template here?
<a href="newreply.php?tid={$tid}"><img src="{$theme['imglangdir']}/closed.gif" alt="{$lang->thread_closed}" title="{$lang->thread_closed}" /></a>&nbsp;
Wow, seems like a dynamic edit. What about postbit_find?
Also, have you looked at http://blog.mybb.com/wp-content/uploads/...atches.txt and applied those changes?
@pavemen
From what I can tell it seems like a Mass IFrame Injection #2 type attack. I am downloading everything from FTP and I am gonna scan through it.
And this is postbit_find
<a href="search.php?action=finduser&amp;uid={$post['uid']}"><img src="{$theme['imglangdir']}/postbit_find.gif" alt="{$lang->postbit_find}" title="{$lang->postbit_find}" /></a>
But templates are in the database. The other issue is the original problem that is in the link I posted.
Someone must have entered <iframe src=inject code here> somewhere.

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

10/13/2011 12:23:09 AM
mbam-log-2011-10-13 (00-23-09).txt

Scan type: Full scan (C:\|F:\|)
Objects scanned: 212970
Time elapsed: 37 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\documents and settings\Owner\local settings\application data\lanmouseapi\tapicfginterval.dll (Trojan.Blueinit.SGen) -> Delete on reboot.
c:\documents and settings\Owner\local settings\application data\desktopapidb\winwebinterval.dll (IPH.Trojan.Blueinit) -> Not selected for removal.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tapicfgInterval (Trojan.Blueinit.SGen) -> Value: tapicfgInterval -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinWebInterval (IPH.Trojan.Blueinit) -> Value: WinWebInterval -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\local settings\application data\lanmouseapi\tapicfginterval.dll (Trojan.Blueinit.SGen) -> Delete on reboot.
c:\documents and settings\Owner\local settings\application data\desktopapidb\winwebinterval.dll (IPH.Trojan.Blueinit) -> Delete on reboot.
c:\documents and settings\Owner\local settings\Temp\somoto_chrome.exe (Adware.BHO) -> Quarantined and deleted successfully.
There may be an injectable location in your index.php file, if you have an older 1.6.4 version installed. Please see the link I posted to see if you have the issue and to correct it if you do.

The injections are base64 encoded strings that can contain almost anything malicious.
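
Added example, not part of the original thread or of MyBB: a small Python check for the two things discussed above, a literal iframe tag and a base64 string that decodes to markup or a URL. It assumes the templates (which live in the database) and index.php have been exported to text; the function names, the heuristics and the third sample are constructed for illustration.

```python
import base64
import re

IFRAME_RE = re.compile(r"<\s*iframe\b", re.I)
PHP_DECODE_RE = re.compile(r"\b(?:eval|base64_decode)\s*\(", re.I)
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long base64-looking run
MARKERS = (b"<iframe", b"<script", b"http://", b"https://")

def decode_run(run):
    """Decode a base64-looking run; return None if it is not valid base64."""
    if "=" not in run:
        run = run[: len(run) - len(run) % 4]   # trim to a whole number of quads
    try:
        return base64.b64decode(run, validate=True)
    except ValueError:
        return None

def scan_text(text):
    """Return the list of reasons this template or file body looks injected."""
    findings = []
    if IFRAME_RE.search(text):
        findings.append("iframe-tag")
    if PHP_DECODE_RE.search(text):
        findings.append("php-decode-call")
    for run in B64_RUN_RE.findall(text):
        decoded = decode_run(run)
        if decoded and any(m in decoded.lower() for m in MARKERS):
            findings.append("base64-hides-markup")
            break
    return findings

def scan_all(items):
    """Map name -> findings for every entry that has at least one finding."""
    return {name: f for name, text in items.items() if (f := scan_text(text))}

# The two templates as posted in the thread, plus one constructed bad sample.
_blob = base64.b64encode(b'<iframe src="http://example.invalid/" width="0"></iframe>').decode()
SAMPLES = {
    "showthread_newreply_closed": '<a href="newreply.php?tid={$tid}"><img src="{$theme[\'imglangdir\']}/closed.gif" alt="{$lang->thread_closed}" title="{$lang->thread_closed}" /></a>&nbsp;',
    "postbit_find": '<a href="search.php?action=finduser&amp;uid={$post[\'uid\']}"><img src="{$theme[\'imglangdir\']}/postbit_find.gif" alt="{$lang->postbit_find}" title="{$lang->postbit_find}" /></a>',
    "constructed_index_fragment": "<?php echo base64_decode('" + _blob + "'); ?>",
}

if __name__ == "__main__":
    for name, findings in scan_all(SAMPLES).items():
        print(name, findings)
```

Both templates posted in the thread come back with no findings, which matches what the posters saw; only the constructed fragment is flagged.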
Oh yeah. Config file was messed up. Normally it's OK; somehow it got CHMOD'ed to 444....