MyBB Community Forums
Malicious code removal - Printable Version



Malicious code removal - DarknessDown - 2013-08-14

Hello,

My forum was hacked and malicious code was injected into most of the files (html, js, etc.). Since it is only a single instance of JavaScript obfuscation, can someone tell me how to remove it? I understand that a search and remove code can be used but my knowledge stops at that... Considering the huge level of the infestation, manual removal is almost impossible and so is replacing the files, since that would lead to data loss.

Thanks a lot for all the help!

Best regards,

Darkness


RE: Malicious code removal - Arbaz - 2013-08-14

Download a fresh copy of MyBB from MyBB Downloads and replace all the files with the freshly downloaded files except for the config.php and settings.php files.


RE: Malicious code removal - DarknessDown - 2013-08-14

Thank you, but won't that affect the custom themes, images, etc.? Not to mention that the infestation has reached the custom theme I'm using.


RE: Malicious code removal - Arbaz - 2013-08-14

Well, replacing all the files will fix the images part, but when it comes to your custom theme, I would recommend you go back to a database backup that is at least a week old.


RE: Malicious code removal - DarknessDown - 2013-08-14

Well, it appears to have worked. I removed the malicious code manually from the theme files, since the previous Admin failed to make any backup. I do hope I got it all out...

Thanks a lot for the help!


RE: Malicious code removal - Josh H. - 2013-08-15

Just make sure there aren't any unusual files leftover which could be backdoors for reinfection.


RE: Malicious code removal - DarknessDown - 2013-08-15

Thanks, Josh but I'm having some real issues with the "make sure" part. Any idea how I could do that, except manually verifying every single file?


RE: Malicious code removal - New2mybb - 2013-08-15

Run the File Verification tool to check whether any file has changed. Check the changed files, if any, and make sure they do not contain backdoors.
admincp > Tools & Maintenance > File Verification


RE: Malicious code removal - Arbaz - 2013-08-15

(2013-08-15, 05:33 AM)Josh H. Wrote: Just make sure there aren't any unusual files leftover which could be backdoors for reinfection.

(2013-08-15, 09:37 AM)DarknessDown Wrote: Thanks, Josh but I'm having some real issues with the "make sure" part. Any idea how I could do that, except manually verifying every single file?

I made you replace all your MyBB files so even if any malicious code was inserted, it should have been removed and all the files should have been overwritten.

Also, just take a look at all your files to see if there is any file that was not included in the default MyBB copy. If there is and you don't remember uploading it, then delete the file immediately from your server. To be on the safe side, before deleting it from your server, download it to your computer and post the contents of the file here so someone can check it for you and tell you if it's malicious or not.
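
The comparison suggested in the replies above (server files against a fresh MyBB download), as an added example that is not part of the original thread and not MyBB code. The function names and the sample trees are constructed for illustration; the skip list holds the two files the thread says to keep.

```python
import filecmp
import os
import tempfile

# Kept per the thread's advice, so they always differ from the fresh copy.
SITE_SPECIFIC = {"config.php", "settings.php"}

def list_files(root):
    """Map each file's path relative to root onto its full path."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return found

def compare_trees(clean_root, live_root):
    """Return (extra, changed): files not in the fresh copy, files that differ."""
    clean, live = list_files(clean_root), list_files(live_root)
    extra = sorted(p for p in live if p not in clean)
    changed = sorted(
        p for p in live
        if p in clean
        and os.path.basename(p) not in SITE_SPECIFIC
        and not filecmp.cmp(live[p], clean[p], shallow=False)  # byte-for-byte
    )
    return extra, changed

def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)

def demo():
    """Run the comparison on two small constructed trees (not real MyBB files)."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            write(root, "index.php", "<?php // stock\n")
            write(root, "inc/config.php", "<?php // defaults\n")
            write(root, "jscripts/general.js", "var a = 1;\n")
        write(live, "inc/config.php", "<?php // site settings\n")
        write(live, "jscripts/general.js", "var a = 1;\n/* constructed extra line */\n")
        write(live, "yandex.php", "<?php // constructed placeholder\n")
        return compare_trees(clean, live)

if __name__ == "__main__":
    extra, changed = demo()
    print("not in fresh copy:", extra, "/ differs from it:", changed)
```

On a real forum the "extra" list will also contain legitimate uploads, themes and plugins, so it is a list of files to review rather than a list of files to delete.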


RE: Malicious code removal - DarknessDown - 2013-08-15

Already found that one, the other day, named yandex.php and containing both instances of the java obfuscation and recognized as malicious by AVG, sucuri.net and http://jsfiddle.net/
So far, no more errors have shown up but I'm keeping my eyes peeled.