Posts: 5
Threads: 1
Joined: Aug 2013
Reputation:
0
Hello,
My forum was hacked and malicious code was injected in most of the files (html, js, etc.). Since it is only a single instance of javascript obfuscation, can someone tell me how to remove it? I understand that a search and remove code can be used but my knowledge stops at that... Considering the huge level of the infestation, manual removal is almost impossible and so is replacing the files, since that would lead to data loss.
Thanks a lot for all the help!
Best regards,
Darkness
Posts: 1,579
Threads: 62
Joined: Jul 2013
Reputation:
124
Download a fresh copy of MyBB from MyBB Downloads and replace all the files with the fresh downloaded files except for the config.php and settings.php files.
Posts: 5
Threads: 1
Joined: Aug 2013
Reputation:
0
Thank you, but won't that affect the custom themes, images, etc.? Not to mention that the infestation has reached the custom theme I'm using.
Posts: 1,579
Threads: 62
Joined: Jul 2013
Reputation:
124
Well, replacing all the files will fix the images part, but when it comes to your custom theme, I would recommend that you go back to a database backup that is at least a week old.
Posts: 5
Threads: 1
Joined: Aug 2013
Reputation:
0
Well, it appears to have worked. I removed the malicious code manually from the theme files, since the previous Admin failed to make any backup. I do hope I got it all out...
Thanks a lot for the help!
Posts: 3,791
Threads: 80
Joined: May 2011
Reputation:
94
Just make sure there aren't any unusual files leftover which could be backdoors for reinfection.
PGP Key (Fingerprint: 23B6 F4C0 FE2D 45AA 61A0 1E86 DB87 09DC DD87 6E40)
Posts: 5
Threads: 1
Joined: Aug 2013
Reputation:
0
Thanks, Josh but I'm having some real issues with the "make sure" part. Any idea how I could do that, except manually verifying every single file?
Posts: 180
Threads: 2
Joined: Jul 2013
Reputation:
14
Run the File Verification tool to check whether any file has changed. Just check the changed files, if any, and make sure that they do not contain backdoors.
admincp > Tools & Maintenance > File Verification
Posts: 1,579
Threads: 62
Joined: Jul 2013
Reputation:
124
(2013-08-15, 05:33 AM)Josh H. Wrote: Just make sure there aren't any unusual files leftover which could be backdoors for reinfection.
(2013-08-15, 09:37 AM)DarknessDown Wrote: Thanks, Josh but I'm having some real issues with the "make sure" part. Any idea how I could do that, except manually verifying every single file?
I made you replace all your MyBB files so even if any malicious code was inserted, it should have been removed and all the files should have been overwritten.
Also, just take a look at all your files to see if there is any file that was not included in the default MyBB copy. If there is and you don't remember uploading it, then delete the file immediately from your server. To be on the safe side, before deleting it from your server, download it to your computer and post the contents of the file here so someone can check it for you and tell you if it's malicious or not.
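One way to do the comparison described above without opening every file, as an added example that is not part of the original thread and is not MyBB's own tooling: hash a freshly downloaded copy and the live site, then list the files that exist only on the live site or whose contents differ. The `inc/` location of `config.php` and `settings.php`, the directory names and the sample file contents are assumptions; the trees are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Assumed paths of the two files the thread says to keep; they differ by design.
LOCAL_FILES = {"inc/config.php", "inc/settings.php"}

def index_tree(root):
    """Map each file's path relative to root to the SHA-256 of its contents."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                index[rel] = hashlib.sha256(fh.read()).hexdigest()
    return index

def compare_trees(clean_root, live_root):
    clean, live = index_tree(clean_root), index_tree(live_root)
    report = {"extra": [], "modified": [], "local": []}
    for rel in sorted(live):
        if rel in LOCAL_FILES:
            report["local"].append(rel)      # kept from the live site; read by hand
        elif rel not in clean:
            report["extra"].append(rel)      # not shipped in the clean copy
        elif live[rel] != clean[rel]:
            report["modified"].append(rel)   # shipped, but contents changed
    return report

def build_demo():
    """Constructed sample trees standing in for a fresh download and a live site."""
    base = tempfile.mkdtemp()
    files = {
        "clean/index.php": "<?php // stock",
        "clean/jscripts/general.js": "var MyBB = {};",
        "live/index.php": "<?php // stock",
        "live/jscripts/general.js": "var MyBB = {}; /* appended */",
        "live/inc/config.php": "<?php // site settings",
        "live/yandex.php": "<?php // unknown file",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return os.path.join(base, "clean"), os.path.join(base, "live")

if __name__ == "__main__":
    print(compare_trees(*build_demo()))
```

On a real site, plugin, theme and upload directories will also show up under `extra`, so that list is a review queue rather than a delete list.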
Posts: 5
Threads: 1
Joined: Aug 2013
Reputation:
0
Already found that one, the other day, named yandex.php and containing both instances of the java obfuscation and recognized as malicious by AVG, sucuri.net and http://jsfiddle.net/
So far, no more errors have shown up but I'm keeping my eyes peeled