2011-10-13, 03:18 AM
Virus in MYBB site help ASAP
2011-10-13, 03:33 AM
Mine is also popping my members up with virus alerts. I can't find the code but it has happened to me as well. It redirects to random sites only on certain clicks. Like, I go to a post. Click home. It redirects. I go back to that post, click home and it gets home. I can't figure it out. My site is clean according to that scanner and my computer is clean. Need some help.
2011-10-13, 03:34 AM
You have a problem much like the other users with malicious code injected into your site. You need to clean your templates. Can you post your showthread_newreply_closed template here?
Lost interest, sold my sites, will browse here once in a while. It's been fun.
2011-10-13, 03:37 AM
<a href="newreply.php?tid={$tid}"><img src="{$theme['imglangdir']}/closed.gif" alt="{$lang->thread_closed}" title="{$lang->thread_closed}" /></a>
Wow, seems like a dynamic edit. What about postbit_find?
Also, have you looked at http://blog.mybb.com/wp-content/uploads/...atches.txt and applied those changes?
@pavemen
From what I can tell it seems like a Mass IFrame Injection #2 type attack. I am downloading everything from FTP and I am gonna scan through it. And this is postbit_find:
<a href="search.php?action=finduser&uid={$post['uid']}"><img src="{$theme['imglangdir']}/postbit_find.gif" alt="{$lang->postbit_find}" title="{$lang->postbit_find}" /></a>
2011-10-13, 03:52 AM
But templates are in the database. The other issue is the original problem that is in the link I posted.
Someone must have entered <iframe src=inject code here> Somewhere.
Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106
10/13/2011 12:23:09 AM
mbam-log-2011-10-13 (00-23-09).txt
Scan type: Full scan (C:\|F:\|)
Objects scanned: 212970
Time elapsed: 37 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
c:\documents and settings\Owner\local settings\application data\lanmouseapi\tapicfginterval.dll (Trojan.Blueinit.SGen) -> Delete on reboot.
c:\documents and settings\Owner\local settings\application data\desktopapidb\winwebinterval.dll (IPH.Trojan.Blueinit) -> Not selected for removal.
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tapicfgInterval (Trojan.Blueinit.SGen) -> Value: tapicfgInterval -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinWebInterval (IPH.Trojan.Blueinit) -> Value: WinWebInterval -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\Owner\local settings\application data\lanmouseapi\tapicfginterval.dll (Trojan.Blueinit.SGen) -> Delete on reboot.
c:\documents and settings\Owner\local settings\application data\desktopapidb\winwebinterval.dll (IPH.Trojan.Blueinit) -> Delete on reboot.
c:\documents and settings\Owner\local settings\Temp\somoto_chrome.exe (Adware.BHO) -> Quarantined and deleted successfully.
2011-10-13, 03:58 AM
There may be an injectable location in your index.php file, if you have an older 1.6.4 version installed. Please see the link I posted to see if you have the issue and to correct it if you do.
The injections are base64 encoded strings that can contain almost anything malicious.
2011-10-13, 04:02 AM
Oh yeah. Config file was messed up. Normally it's OK; somehow it got CHMOD'ed to 444....
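The thread notes that MyBB templates live in the database and that the injected code shows up as iframes or base64 encoded strings, so one cleanup check is to scan exported template rows for both. The following is an added example, not part of the original thread or MyBB's own code: it assumes the templates have been exported as (title, body) pairs, and the function names, sample rows and example.invalid URL are constructed for illustration.

```python
import base64
import binascii
import re

IFRAME_RE = re.compile(r"<\s*iframe\b", re.I)
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")   # long base64-looking runs
# What makes a decoded run worth a human look: markup, eval, or a URL.
SUSPICIOUS_DECODED = re.compile(rb"<\s*(iframe|script)\b|eval\s*\(|https?://", re.I)

def decode_b64(run):
    """Return the decoded bytes, or None if the run is not valid base64."""
    try:
        return base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def scan_template(body):
    """Return (kind, detail) findings for one template body."""
    findings = []
    if IFRAME_RE.search(body):
        findings.append(("iframe", "literal <iframe> tag"))
    if "base64_decode" in body:
        findings.append(("base64_decode", "PHP base64_decode call"))
    for run in B64_RUN_RE.findall(body):
        decoded = decode_b64(run)
        if decoded and SUSPICIOUS_DECODED.search(decoded):
            findings.append(("encoded", decoded[:60].decode("latin-1")))
    return findings

def scan_all(rows):
    """Map template title -> findings, for templates with at least one finding."""
    return {title: found for title, body in rows if (found := scan_template(body))}

# Constructed sample rows (title, body); the encoded payload is built here, not from the thread.
_HIDDEN = base64.b64encode(b'<iframe src="http://example.invalid/x"></iframe>').decode()
SAMPLE_ROWS = [
    ("postbit_find", "<a href=\"search.php?action=finduser&uid={$post['uid']}\">"
                     "<img src=\"{$theme['imglangdir']}/postbit_find.gif\" /></a>"),
    ("footer", '<div>footer</div><iframe src="http://example.invalid/x" width="0"></iframe>'),
    ("headerinclude", 'eval(base64_decode("' + _HIDDEN + '"));'),
]

if __name__ == "__main__":
    for title, found in scan_all(SAMPLE_ROWS).items():
        for kind, detail in found:
            print(f"{title}: {kind}: {detail}")
```

Decoding each run before flagging it keeps long but harmless strings out of the report; anything flagged still needs a manual comparison against the stock template.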