
Badware on my forum

Midnight_Caller
Rising Star
Posts: 4,167
Thanks: 15
Fixes: 1
Registered: ‎15-04-2007

Badware on my forum

Hi All
I got a note from force9 saying that I have badware on my forum, but the information from force9 and Google is vague. The ticket number: 30631205
How do I find the badware and get rid of it?
18 REPLIES
bobpullen
Community Gaffer
Community Gaffer
Posts: 16,887
Thanks: 4,979
Fixes: 316
Registered: ‎04-04-2007

Re: Badware on my forum

Gary, have you looked at the source code of the index files at the URLs mentioned in your ticket? There's a good chance that these have been tampered with and an invisible iFrame added or something similar.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
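Bob's suggestion, checking the index files for an added invisible iframe, is easy to automate across a whole forum tree. The script below is an added example, not code from the thread or from SMF: it walks a directory, reads every index file, and reports any `<iframe>` tag that carries a hiding hint (zero or one-pixel size, `display:none`, `visibility:hidden`, or an off-screen absolute position). The two sample files, the directory layout and the `bad.example.invalid` host are constructed for the demonstration.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Constructed sample (not from the thread): a trimmed SMF-style Themes/index.php
# as it should look, and a copy with a hidden iframe appended after the PHP block.
CLEAN_INDEX = """<?php
// This file is here solely to protect your Themes directory.
if (file_exists(dirname(dirname(__FILE__)) . '/Settings.php'))
{
    require(dirname(dirname(__FILE__)) . '/Settings.php');
    header('Location: ' . $boardurl);
}
else
    exit;
?>
"""

# Placeholder host; an injected iframe would point at an attacker-controlled site.
TAMPERED_INDEX = CLEAN_INDEX + (
    '<iframe src="http://bad.example.invalid/in.php" width="1" height="1" '
    'style="visibility:hidden"></iframe>\n'
)

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)

# Attribute patterns that make an iframe effectively invisible to the visitor.
# The size checks accept only 0 or 1 (optionally "px"), not e.g. width="10".
HIDDEN_HINTS = (
    re.compile(r"""\bwidth\s*=\s*["']?\s*[01](?:px)?\s*(?:["']|(?=[\s>/]))""", re.I),
    re.compile(r"""\bheight\s*=\s*["']?\s*[01](?:px)?\s*(?:["']|(?=[\s>/]))""", re.I),
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"position\s*:\s*absolute[^>]*?(?:left|top)\s*:\s*-\d{3,}", re.I),
)


def suspicious_iframes(text: str) -> List[str]:
    """Return every <iframe> opening tag in `text` that carries a hiding hint."""
    found = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if any(h.search(tag) for h in HIDDEN_HINTS):
            found.append(tag)
    return found


def scan_tree(root: str, names=("index.php", "index.html", "index.htm")) -> List[Tuple[str, str]]:
    """Walk `root`, read every index file, return (path, tag) pairs that look injected."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() not in names:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for tag in suspicious_iframes(fh.read()):
                    hits.append((path, tag))
    return hits


def demo() -> List[Tuple[str, str]]:
    """Build a throwaway forum tree from the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Themes"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(CLEAN_INDEX)
        with open(os.path.join(root, "Themes", "index.php"), "w") as fh:
            fh.write(TAMPERED_INDEX)
        hits = scan_tree(root)
        # Report paths relative to the forum root so the output is portable.
        return [(os.path.relpath(p, root), t) for p, t in hits]


if __name__ == "__main__":
    for path, tag in demo():
        print(f"{path}: {tag}")
```

Run it against a copy of the forum directory (`scan_tree("/path/to/forum")`) rather than the live site, and treat a hit as a prompt to diff the file against a known-good copy of the same SMF version: the scanner only matches the hiding tricks listed in `HIDDEN_HINTS`, so an injection using obfuscated JavaScript instead of a plain iframe would need a separate check.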

Midnight_Caller
Rising Star
Posts: 4,167
Thanks: 15
Fixes: 1
Registered: ‎15-04-2007

Re: Badware on my forum

No but I have replaced the index.php in the main forum folder.
How can I test the site to see if it is clean?  Embarrassed
[Edit]
Have replaced the index.php in the Themes

<?php
// This file is here solely to protect your Themes directory.
// Look for Settings.php....
if (file_exists(dirname(dirname(__FILE__)) . '/Settings.php'))
{
// Found it!
require(dirname(dirname(__FILE__)) . '/Settings.php');
header('Location: ' . $boardurl);
}
// Can't find it... just forget it.
else
exit;
?>
[Bad Code Modified To Stop It From Running]

Code deleted

Is it OK for me to make the files read-only? That is, the index.php files.
[Moderator's note by Jim (Oldjim)  Code deleted as the code is still picked up as a Trojan by Kaspersky even though it won't run ]
Gabe
Grafter
Posts: 767
Registered: ‎29-10-2008

Re: Badware on my forum

Hi Gary. Bob's right. Something like that's been doing the rounds recently. Perhaps remove the code from your message above, as it might trigger some antivirus software. I think it only infects index files, so if you've edited the script out of those, your site should be clean (correct me if anyone knows differently). You'll also need to disinfect your PC and change your FTP login. Good luck.
Gabe
Edit: see https://zeustracker.abuse.ch/faq.php
Strat
Community Veteran
Posts: 31,320
Thanks: 1,609
Fixes: 565
Registered: ‎14-04-2007

Re: Badware on my forum

Kaspersky doesn't like the code string Gary.
Windows 10 Firefox 109.0 (64-bit)
To argue with someone who has renounced the use of reason is like administering medicine to the dead - Thomas Paine
Midnight_Caller
Rising Star
Posts: 4,167
Thanks: 15
Fixes: 1
Registered: ‎15-04-2007

Re: Badware on my forum

I have modified the code above to stop it from running.
Do I need to change all user passwords on the forum?  Embarrassed
@Gabe My computer is clean, I use Sandboxed to run my web browser in.
Gabe
Grafter
Posts: 767
Registered: ‎29-10-2008

Re: Badware on my forum

Quote from: Midnight
I have modified the code above to stop it from running.

There's still enough of the code left to match AV definitions for Trojan-Downloader.JS.Iframe.bxs. Please delete.
Quote
Do I need to change all user Passwords on the forum?

No. Assuming this version runs to pattern, the interaction with your site is purely to inject the code to herd your users to the malware site. It's not after their forum logins, it's after their bank logins (etc, etc). They already have your ftp login and it would be prudent to assume they have other details.
Quote
My computer is clean

Seems unlikely. They would need your ftp login. Do you use your web browser for ftp? Worth checking and rechecking for infection.
Gabe
Midnight_Caller
Rising Star
Posts: 4,167
Thanks: 15
Fixes: 1
Registered: ‎15-04-2007

Re: Badware on my forum

@Gabe, the code cannot run, so I would rather leave it so people can see the code to look for.
Quote
They already have your ftp login and it would be prudent to assume they have other details.

Not off my computer they don't, but I will change the password to my ftp login.
Quote
Seems unlikely. They would need your ftp login.

Well, my computer is clean. I have looked for: Variant 1, Variant 2, Variant 3 and Variant 4
Quote
Do you use your web browser for ftp?

Yes
Quote
Worth checking and rechecking for infection.

I did check and recheck for infections, and as I said I use Sandboxed so I cannot get an infection.
jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: Badware on my forum

Quote from: Midnight
@Gabe, the code cannot run, so I would rather leave it so people can see the code to look for.

Your choice. Because of the code that is there my browser blocks the site - I assume it will do the same for many others. Leave it like that if you are happy to lose visitors!
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
Midnight_Caller
Rising Star
Posts: 4,167
Thanks: 15
Fixes: 1
Registered: ‎15-04-2007

Re: Badware on my forum

@jelv, I was referring to the snippet of code above; if it is causing warnings I will remove it!
I have removed it from my forum already, so the forum should be clean now!
jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: Badware on my forum

Just checked again and it is now showing the forums - just before I posted last night it blocked it.
Rather than it being someone getting hold of a password I suspect it was done by an SQL injection. I notice that you haven't updated to 1.1.10 - that could be why your forums were attacked.
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
Gabe
Grafter
Posts: 767
Registered: ‎29-10-2008

Re: Badware on my forum

Quote from: jelv
I suspect it was done by an SQL injection.

Possible, but it would be more typical of other malware. Zeus-type attacks have tended to go for ftp. It might show up in the logs.
Quote from: Midnight
if it is causing warnings I will remove it!

It is (not on load in my case, but on cache). I don't think the erroneous warnings are that much of a problem, of themselves, but some AV systems are set to report ostensibly infected sites and I'm slightly concerned that this forum could wrongly end up on an infected-sites list if it displays malware code.
Quote from: Midnight
Not off my computer thay don't

Malware can run within a sandbox. If you browse then ftp without emptying the sandbox in between, something like an MITB script could harvest your details. Safer to use different clients for trusted and distrusted activities.
Quote
I use Sandboxed so I can not get a infection.

I'd think in terms of risk reduction rather than elimination. I hope you're right, and if you can't find any of the usual suspects then that's encouraging.
Gabe
Midnight_Caller
Rising Star
Posts: 4,167
Thanks: 15
Fixes: 1
Registered: ‎15-04-2007

Re: Badware on my forum

Quote from: jelv
[snip] I notice that you haven't updated to 1.1.10 - that could be why your forums were attacked.

For me to get the forum updated to 1.1.10, I would need to put the forum back to the default installation. Mind you, it may just be worth it; I will have a think on that one!
Quote from: Gabe
[snip] It might show up in the logs.

Do you mean the forum logs?
Quote
Malware can run within a sandbox.

Not when it has been deleted.  Smiley
Quote
If you browse then ftp without emptying the sandbox in between

I don't.  Smiley
Quote
Safer to use different clients for trusted and distrusted activities.

I will think on that one; it is just that I am so used to using Internet Explorer for FTPing, but I do have FileZilla Client.
Quote
[snip] if you can't find any of the usual suspects then that's encouraging.

No I can not find any of the usual suspects on my computer.  Smiley
Gabe
Grafter
Posts: 767
Registered: ‎29-10-2008

Re: Badware on my forum

Quote from: Midnight
Do you mean the forum logs?

Yes. If they got in by SQL injection, it could show up in the access logs, and if they got in by ftp, it could show up in the xfer logs. Hope for the former (the latter would conform to type, but I am a devout, practising pessimist  :)). If they left a time bomb and the actual hack happened ages ago, it may not show in either.
Gabe
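Gabe's two places to look, the web server access log for an SQL-injection attempt and the FTP transfer log for a stolen-credential upload, can be triaged with a short script. This is an added example, not code from the thread: it parses Apache combined-format access lines and standard `xferlog` lines, flags requests whose URL-decoded path contains common injection markers, and flags FTP uploads (direction `i`) that overwrite an index file or drop web content. The log lines, IP addresses (192.0.2.x is a documentation range) and the `/home/gary/...` paths are constructed for the demonstration; the patterns are generic hints for a human to review, not proof of compromise.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed sample access log (Apache combined format), not real traffic.
ACCESS_LOG = """\
192.0.2.10 - - [12/Mar/2009:21:14:02 +0000] "GET /forum/index.php?topic=1234.0 HTTP/1.1" 200 8131 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Mar/2009:21:15:40 +0000] "GET /forum/index.php?action=search2&search=%27+UNION+SELECT+1%2C2%2C3+--+ HTTP/1.1" 200 912 "-" "Mozilla/4.0"
192.0.2.10 - - [12/Mar/2009:21:16:11 +0000] "POST /forum/index.php?action=login2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed sample xferlog (wu-ftpd/proftpd format): date, transfer time, host,
# size, file, type, special flag, direction (i=upload, o=download), mode, user, ...
XFER_LOG = """\
Thu Mar 12 02:03:11 2009 1 192.0.2.200 1988 /home/gary/public_html/forum/Themes/index.php b _ i r gary ftp 0 * c
Thu Mar 12 02:03:12 2009 1 192.0.2.200 3411 /home/gary/public_html/forum/index.php b _ i r gary ftp 0 * c
Sat Feb 28 19:44:03 2009 2 192.0.2.10 10240 /home/gary/public_html/forum/attachments/photo.jpg b _ i r gary ftp 0 * c
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic SQL-injection markers; a match is a prompt to look, not a verdict.
SQLI_RE = re.compile(
    r"union\s+select|'\s*or\s+|'\s*and\s+|--\s|/\*|sleep\s*\(|benchmark\s*\(", re.I
)

INDEX_NAMES = {"index.php", "index.html", "index.htm"}
WEB_CONTENT = (".php", ".js", ".html", ".htm")


def suspicious_requests(log_text: str) -> List[Dict[str, str]]:
    """Access-log lines whose decoded request path carries an injection marker."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("path"))  # payloads are usually URL-encoded
        if SQLI_RE.search(decoded):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "status": m.group("status"), "request": decoded})
    return hits


def suspicious_uploads(xfer_text: str) -> List[Dict[str, str]]:
    """xferlog uploads that replaced an index file or dropped web content."""
    hits = []
    for line in xfer_text.splitlines():
        f = line.split()
        if len(f) < 18:          # 5 date tokens + 13 xferlog fields
            continue
        when, host, path, direction, user = " ".join(f[0:5]), f[6], f[8], f[11], f[13]
        if direction != "i":     # only incoming transfers (uploads) matter here
            continue
        name = path.rsplit("/", 1)[-1].lower()
        if name in INDEX_NAMES:
            reason = "index file overwritten"
        elif name.endswith(WEB_CONTENT):
            reason = "web content uploaded"
        else:
            continue
        hits.append({"time": when, "ip": host, "user": user, "path": path, "reason": reason})
    return hits


def review(access_text: str, xfer_text: str) -> Dict[str, list]:
    """Run both checks and list the source addresses that appear in either."""
    req = suspicious_requests(access_text)
    ups = suspicious_uploads(xfer_text)
    ips = sorted({h["ip"] for h in req} | {h["ip"] for h in ups})
    return {"requests": req, "uploads": ups, "source_ips": ips}


if __name__ == "__main__":
    for kind, items in review(ACCESS_LOG, XFER_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

In the sample, the uploads to both `index.php` files at 02:03 from a single address that never browsed the forum are exactly the "conforms to type" FTP signal Gabe describes; an address hitting the search action with a decoded `UNION SELECT` is the access-log signal. Either way the timestamps, not the hits alone, are what tell you when the compromise happened, and as Gabe notes a hack planted long before the iframe appeared may have rolled off both logs.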
Midnight_Caller
Rising Star
Posts: 4,167
Thanks: 15
Fixes: 1
Registered: ‎15-04-2007

Re: Badware on my forum

@Gabe, I went through all the Forum Error Logs and all I got was this sort of thing:
Password incorrect
Your email address needs to be validated before you can login.
Sorry Guest, you are banned from using this forum! Spammer
Sorry, the name you tried to use, ******, contains words which have been censored. Please try another name.
Number of Forum Error Log pages 300
15 to a page
Total number: 4500 - All now deleted.