Virus in MYBB site help ASAP - Printable Version

+- MyBB Community Forums (https://community.mybb.com)
+-- Forum: Community Archive (https://community.mybb.com/forum-106.html)
+--- Forum: Archived Forums (https://community.mybb.com/forum-143.html)
+---- Forum: Archived Development and Support (https://community.mybb.com/forum-155.html)
+----- Forum: MyBB 1.6 (https://community.mybb.com/forum-138.html)
+------ Forum: 1.6 Security Management and Support (https://community.mybb.com/forum-153.html)
+------ Thread: Virus in MYBB site help ASAP (/thread-105770.html)

RE: Virus in MYBB site help ASAP - Ruby - 2011-10-13

(2011-10-13, 03:11 AM) hon0r Wrote: No, it's not clean, I guarantee it. Someone has edited the codes too, look

We scanned your website with one of the best multi virus scans for websites, they came up with CLEAN.

Which codes? Please tell me the name of the malicious file. What did your board member scan?

RE: Virus in MYBB site help ASAP - JukEboX - 2011-10-13

Mine is also popping my members up with virus alerts. I can't find the code but it has happened to me as well. It redirects to random sites only on certain clicks. Like I go to a post. Click home. It redirects. I go back to that post, click home and it gets home. I can't figure it out. My site is clean according to that scanner and my computer is clean. Need some help.

RE: Virus in MYBB site help ASAP - pavemen - 2011-10-13

You have a problem much like the other users with malicious code injected into your site. You need to clean your templates. Can you post your showthread_newreply_closed template here?

RE: Virus in MYBB site help ASAP - hon0r - 2011-10-13

<a href="newreply.php?tid={$tid}"><img src="{$theme['imglangdir']}/closed.gif" alt="{$lang->thread_closed}" title="{$lang->thread_closed}" /></a>

RE: Virus in MYBB site help ASAP - pavemen - 2011-10-13

Wow, seems like a dynamic edit. What about postbit_find? Also, have you looked at http://blog.mybb.com/wp-content/uploads/2011/10/mybb_1604_patches.txt and applied those changes?

RE: Virus in MYBB site help ASAP - hon0r - 2011-10-13

@pavemen From what I can tell it seems like a Mass IFrame Injection #2 type attack. I am downloading everything from FTP and I am gonna scan through it. And this is postbit_find

<a href="search.php?action=finduser&uid={$post['uid']}"><img src="{$theme['imglangdir']}/postbit_find.gif" alt="{$lang->postbit_find}" title="{$lang->postbit_find}" /></a>

RE: Virus in MYBB site help ASAP - pavemen - 2011-10-13

But templates are in the database. The other issue is the original problem that is in the link I posted.

RE: Virus in MYBB site help ASAP - hon0r - 2011-10-13

Someone must have entered <iframe src=inject code here> somewhere.

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106
10/13/2011 12:23:09 AM
mbam-log-2011-10-13 (00-23-09).txt

Scan type: Full scan (C:\|F:\|)
Objects scanned: 212970
Time elapsed: 37 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\documents and settings\Owner\local settings\application data\lanmouseapi\tapicfginterval.dll (Trojan.Blueinit.SGen) -> Delete on reboot.
c:\documents and settings\Owner\local settings\application data\desktopapidb\winwebinterval.dll (IPH.Trojan.Blueinit) -> Not selected for removal.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tapicfgInterval (Trojan.Blueinit.SGen) -> Value: tapicfgInterval -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinWebInterval (IPH.Trojan.Blueinit) -> Value: WinWebInterval -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\local settings\application data\lanmouseapi\tapicfginterval.dll (Trojan.Blueinit.SGen) -> Delete on reboot.
c:\documents and settings\Owner\local settings\application data\desktopapidb\winwebinterval.dll (IPH.Trojan.Blueinit) -> Delete on reboot.
c:\documents and settings\Owner\local settings\Temp\somoto_chrome.exe (Adware.BHO) -> Quarantined and deleted successfully.

RE: Virus in MYBB site help ASAP - pavemen - 2011-10-13

There may be an injectable location in your index.php file, if you have an older 1.6.4 version installed. Please see the link I posted to see if you have the issue and to correct it if you do. The injections are base64 encoded strings that can contain almost anything malicious.

RE: Virus in MYBB site help ASAP - hon0r - 2011-10-13

Oh yeah. Config file was messed up. Normally it's OK, somehow it got CHMOD'ed to 444....
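
A defender-side check for the two points pavemen raises in the thread (templates are stored in the database, and the injections can be base64 encoded), added here as an example that is not part of the original thread or of MyBB's own code. It scans (title, template) rows, such as the result of SELECT title, template FROM mybb_templates, for injection markers in plain or base64-wrapped form; the function names, the marker list and the tampered "footer" row are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Markup a stock template should not contain (assumed marker list, extend as needed).
MARKERS = re.compile(
    r"<iframe\b|<script\b[^>]*\bsrc\s*=|eval\s*\(|base64_decode\s*\(|document\.write\s*\(",
    re.I)
# Runs of 24+ base64 characters: long enough to hide a tag or URL.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def decode_run(run):
    """Decode a base64 run; return its text, or None if it is not mostly printable."""
    body = run.rstrip("=")
    if len(body) % 4 == 1:          # impossible length, drop the stray character
        body = body[:-1]
    body += "=" * (-len(body) % 4)  # restore padding
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("latin-1")
    printable = sum(32 <= ord(c) < 127 for c in text)
    return text if printable >= 0.9 * len(text) else None

def scan_templates(rows):
    """Return (title, reason, evidence) for every marker found in (title, template) rows."""
    findings = []
    for title, template in rows:
        for m in MARKERS.finditer(template):
            findings.append((title, "plain marker", m.group(0)))
        for m in B64_RUN.finditer(template):
            decoded = decode_run(m.group(0))
            if decoded and MARKERS.search(decoded):
                findings.append((title, "base64-wrapped marker", decoded))
    return findings

# Constructed sample: the two templates posted in the thread plus one tampered row.
BLOB = base64.b64encode(b'<iframe src="http://example.invalid/" width="0"></iframe>').decode()
SAMPLE_ROWS = [
    ("showthread_newreply_closed", '''<a href="newreply.php?tid={$tid}"><img src="{$theme['imglangdir']}/closed.gif" alt="{$lang->thread_closed}" title="{$lang->thread_closed}" /></a>'''),
    ("postbit_find", '''<a href="search.php?action=finduser&uid={$post['uid']}"><img src="{$theme['imglangdir']}/postbit_find.gif" alt="{$lang->postbit_find}" title="{$lang->postbit_find}" /></a>'''),
    ("footer", '<div id="copyright"></div><script>var s="' + BLOB + '";</script>'),
]

if __name__ == "__main__":
    for title, reason, evidence in scan_templates(SAMPLE_ROWS):
        print(f"{title}: {reason}: {evidence}")
```

Both templates posted in the thread pass, which matches what a scan of the stored rows would show when the injection happens elsewhere, such as in a modified PHP file.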