MyBB Community Forums

Full Version: Template problems?
I updated earlier this week, and needed to revert some templates.

But since then I get a message from Malwarebytes (anti-malware) that they have denied access to a possible bad website (my forum!).

I think this has something to do with the fact I reverted 2 templates, it was the footer_languageselect template (I wrapped everything in the div class 'language' so it's still a single row instead of 2 rows).

But the one I think has got some errors in it is the showthread template. What are version attributes in the .js lines? I see there is a double one in my case!

<html>
<head>
<title>{$thread['subject']}</title>
{$headerinclude}
<script type="text/javascript">
<!--
	var quickdelete_confirm = "{$lang->quickdelete_confirm}";
// -->
<script type="text/javascript" src="jscripts/thread.js?ver=1400"></script>
<script type="text/javascript" src="jscripts/fitonpage.js?ver=230"></script>
<script type="text/javascript">
<!--
	var fitonpage_on = "{$mybb->settings['g33k_fitonpage_enabled']}";
	var fitonpage_resize = "{$mybb->settings['g33k_fitonpage_resize']}";
	var fitonpage_fluid = "{$mybb->settings['g33k_fitonpage_fluid']}";
	var fitonpage_topbar_resized = "{$lang->fitonpage_topbar_resized}";
	var fitonpage_topbar_full = "{$lang->fitonpage_topbar_full}";
	var fitonpage_topbar_text_class = "{$mybb->settings['g33k_fitonpage_topbar_text_class']}";
	var fitonpage_topbar_bground = "{$mybb->settings['g33k_fitonpage_topbar_bground']}";
	var fitonpage_topbar_icon = "{$mybb->settings['g33k_fitonpage_topbar_icon']}";
	var fitonpage_location = "showthread";
-->
</script>
</script>
<script type="text/javascript" src="jscripts/thread.js?ver=1603"></script>
<script type="text/javascript" src="{$mybb->settings['bburl']}/jscripts/itsmybirthday.js?ver=220"></script>
<script type="text/javascript">
<!--
	var imb_wishesEnabled = "{$mybb->settings['g33k_itsmybirthday_wishes_enabled']}";
	var imb_wishesRemovable = "{$mybb->settings['g33k_itsmybirthday_wishes_removable']}";
-->
</script>
</head>

The thread.js isn't OK, right?

I think there is something wrong here, right? Could this also be the reason I'm still having some problems with security? (Malwarebytes didn't give me this alert before I updated the software)

I hope you can help me, I've been digging into the code for a few days now and can't seem to find the problem.

PS: The theme I'm using is Apart Calm, I don't know if this is of any importance?
What's your actual URL?? The versions on the .js lines are largely irrelevant; not sure why you have it there twice but it shouldn't cause any problems like this. And what actually is Malwarebytes, something on your computer, in your browser, or...??
My URL is http://www.hetslangenforum.com/

Malwarebytes is an anti-malware, anti-virus and spyware removal program on my computer. I started using it when we had the security issues in the previous software version, as an extra protection besides my virus scanner. It only gives me alerts of this kind at websites which have malicious content, websites which you already suspect to have bad stuff on them. But like I said, it started giving me alerts on my forum now as well!

Since some of my members are also telling me they still have problems with their virus scanners when they open the forum I presume something is still wrong for me.

Thanks for the help!
Delete all the files in ./jscripts/, upload them again from a fresh download, and then reupload any javascript files for any plugins you've added. Some of them have what seems to be malicious code in them.
So that's where the problems are coming from you think?

I thought the 'file verification' tool in the ACP also checked the javascript files. I ran it a few times to check but it said everything was Ok. I also used Firebug to see what scripts and stuff got activated but didn't see anything strange so I didn't check the actual javascript files.

Thanks a lot!
Seems that it's only non-default files that are affected. floatbox.js, whiletyping.realtime.js, whiletyping.js, fitonpage.js and itsmybirthday.js are affected but all the default files seem to be OK. Which is rather odd. But that's why the file verification didn't pick it up, the MyBB files are all OK. But yeah, the code doesn't look friendly and when encoded javascript is in files like this, especially at the end of a lot of files, it's usually bad news.
That's strange, only the non-default files?! Kind of scary as well...

Thanks again, you've got no idea how much sleep this has cost me already! I really appreciate it!
Happy to help.

A few more things you can do: if you haven't already deleted and reuploaded these files, see what the CHMODs are on them; they should be 644 but may be 666 if they've been edited. You may also want to go through your server access logs (ask your host if you're unsure where to get these) and there may be some clues as to how the code got there in the first place; you can email the access logs to me at [email protected] and I'll have a look over them. You should also check the contents of these files over the next few days to see if this code gets added back.
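The checks suggested in the post above (file modes, encoded script at the end of files, and whether files change again over the following days), as an added Python example that is not part of the original thread or of MyBB's own code. The regex markers, the function names and the sample files are assumptions constructed for illustration; the markers are heuristics and will not catch every encoding.

```python
import hashlib, os, re, stat, sys, tempfile
from pathlib import Path

# Heuristic markers of encoded JavaScript (assumptions for this example, not a complete list).
DECODERS = re.compile(rb"eval\s*\(|unescape\s*\(|String\.fromCharCode|document\.write\s*\(")
ENCODED_RUN = re.compile(rb"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){8,}|(?:\d{2,3},){16,}")
TAIL_BYTES = 4096  # the thread notes the code sat at the end of the files

def snapshot(root):
    """Map each .js file under root to its SHA-256, to compare between runs."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(root).rglob("*.js"))}

def changed_files(old, new):
    """Files added, removed or modified between two snapshots."""
    return sorted(k for k in old.keys() | new.keys() if old.get(k) != new.get(k))

def audit_file(path):
    """Findings for one file: group/world-writable mode, encoded script in the tail."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o022:  # e.g. 666 instead of the expected 644
        findings.append(f"writable mode {mode:o}")
    tail = Path(path).read_bytes()[-TAIL_BYTES:]
    if DECODERS.search(tail) and ENCODED_RUN.search(tail):
        findings.append("encoded script at end of file")
    return findings

def audit_tree(root):
    """Audit every .js file under root; return only files that have findings."""
    report = {str(p.relative_to(root)): audit_file(p) for p in sorted(Path(root).rglob("*.js"))}
    return {name: found for name, found in report.items() if found}

def constructed_sample(root):
    """Constructed data: a clean file and one with a harmless encoded tail, mode 666."""
    clean, bad = Path(root) / "clean.js", Path(root) / "tampered.js"
    clean.write_text("function fit(img) { return img.width; }\n")
    bad.write_text(clean.read_text() + "eval(unescape('%2f%2f%20%73%61%6d%70%6c%65'));\n")
    os.chmod(clean, 0o644)
    os.chmod(bad, 0o666)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = sys.argv[1] if len(sys.argv) > 1 else constructed_sample(tmp)
        for name, found in audit_tree(root).items():
            print(name, "->", ", ".join(found))
```

Pass the forum's jscripts directory as the first argument to audit real files; with no argument it runs on the constructed sample.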
I've checked all the CHMOD settings from the altered files. They were still 644. I replaced all of them with freshly downloaded javascript files.

The logs should be in your inbox.
I think I'm having the exact same problem again ... it's unbelievable but true.

I don't know where it's coming from at this point ... Again I've reuploaded all the scripts but my users are still getting alerts from their virus scanners.

I'm working on a Mac myself at the moment, so I can't check it myself. Matt, may I ask how you saw the corrupt files the previous time?

Strange thing is ... I checked everything last night, and it was all fine.