cancel
Showing results for 
Search instead for 
Did you mean: 

Badware on my forum

Midnight_Caller
Rising Star
Posts: 4,154
Thanks: 9
Fixes: 1
Registered: ‎15-04-2007

Badware on my forum

Hi All
I got a note of force9 saying that I have Badware on my forum, but the information from force9 and Google is vague the ticket number: 30631205
How do I fine the Badware and get rid of it?
18 REPLIES 18
bobpullen
Community Gaffer
Community Gaffer
Posts: 14,884
Thanks: 2,485
Fixes: 168
Registered: ‎04-04-2007

Re: Badware on my forum

Gary, have you looked at the source code of the index files at the URL's mentioned in your ticket? There's a good chance that these have been tampered with and an invisible iFrame added or something similar.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Midnight_Caller
Rising Star
Posts: 4,154
Thanks: 9
Fixes: 1
Registered: ‎15-04-2007

Re: Badware on my forum

No but I have replaced the index.php in the main forum folder.
How can I test the site to see if it is clean?  Embarrassed
[Edit]
Have replaced the index.php in the Themes

<?php
// This file is here solely to protect your Themes directory.
// Look for Settings.php....
if (file_exists(dirname(dirname(__FILE__)) . '/Settings.php'))
{
// Found it!
require(dirname(dirname(__FILE__)) . '/Settings.php');
header('Location: ' . $boardurl);
}
// Can't find it... just forget it.
else
exit;
?>
[Bad Code Modifyed To Stop From Running]

Code deleted

Is it ok for me to make the files read only?  that is the index.php files.
[Moderator's note by Jim (Oldjim)  Code deleted as the code is still picked up as a Trojan by Kaspersky even though it won't run ]
Gabe
Community Veteran
Posts: 767
Registered: ‎29-10-2008

Re: Badware on my forum

Hi Gary. Bob's right. Something like that's been doing the rounds recently. Perhaps remove the code from your message above, as it might trigger some antivirus software. I think it only infects index files, so if you've edited the script out of those, your site should be clean (correct me if anyone knows differently). You'll also need to disinfect your PC and change your FTP login. Good luck.
Gabe
Edit: see https://zeustracker.abuse.ch/faq.php
Strat
Moderator
Moderator
Posts: 30,334
Thanks: 3,309
Fixes: 505
Registered: ‎14-04-2007

Re: Badware on my forum

Kaspersky doesn't like the code string Gary.

Customer and Forum Moderator. Windows 10 Firefox 87.0 (64-bit)

Midnight_Caller
Rising Star
Posts: 4,154
Thanks: 9
Fixes: 1
Registered: ‎15-04-2007

Re: Badware on my forum

I hav Modifyed the code above to Stop it from Running.
Do I need to change all user Passwords on the forum?  Embarrassed
@Gabe My computer is clean, I use Sandboxed to Run my  Web Browser in.
Gabe
Community Veteran
Posts: 767
Registered: ‎29-10-2008

Re: Badware on my forum

Quote from: Midnight
I hav Modifyed the code above to Stop it from Running.

There's still enough of the code left to match AV definitions for Trojan-Downloader.JS.Iframe.bxs. Please delete.
Quote
Do I need to change all user Passwords on the forum?

No. Assuming this version runs to pattern, the interaction with your site is purely to inject the code to herd your users to the malware site. It's not after their forum logins, it's after their bank logins (etc, etc). They already have your ftp login and it would be prudent to assume they have other details.
Quote
My computer is clean

Seems unlikely. They would need your ftp login. Do you use your web browser for ftp? Worth checking and rechecking for infection.
Gabe
Midnight_Caller
Rising Star
Posts: 4,154
Thanks: 9
Fixes: 1
Registered: ‎15-04-2007

Re: Badware on my forum

@Gabe, The code can not run so I rather leave it so people can see the code to look for.
Quote
They already have your ftp login and it would be prudent to assume they have other details.

Not off my computer thay don't, but I will change the Password to my ftp login.
Quote
Seems unlikely. They would need your ftp login.

Well my computer is clean, I have lookd for: Variant 1, Variant 2, Variant 3 and Variant 4
Quote
Do you use your web browser for ftp?

Yes
Quote
Worth checking and rechecking for infection.

I did check and recheck for infections, and as I said I use Sandboxed so I can not get a infection.
jelv
Community Veteran
Posts: 26,786
Thanks: 990
Fixes: 10
Registered: ‎10-04-2007

Re: Badware on my forum

Quote from: Midnight
@Gabe, The code can not run so I rather leave it so people can see the code to look for.

Your choice. Because of the code that is there my browser blocks the site - I assume it will do the same for many others. Leave it like that if you are happy to loose visitors!
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
Midnight_Caller
Rising Star
Posts: 4,154
Thanks: 9
Fixes: 1
Registered: ‎15-04-2007

Re: Badware on my forum

@jelv, I was referring to the snipit of code above, if it is causing warnings I will remove it!
I have removed it from my forum already, so the forum should be clean now!
jelv
Community Veteran
Posts: 26,786
Thanks: 990
Fixes: 10
Registered: ‎10-04-2007

Re: Badware on my forum

Just check again and it is now showing the forums - just before I posted last night it blocked it.
Rather than it being someone getting hold of a password I suspect it was done by an SQL injection. I notice that you haven't updated to 1.1.10 - that could be why your forums were attacked.
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
Gabe
Community Veteran
Posts: 767
Registered: ‎29-10-2008

Re: Badware on my forum

Quote from: jelv
I suspect it was done by an SQL injection.

Possible, but it would be more typical of other malware. Zeus-type attacks have tended to go for ftp. It might show up in the logs.
Quote from: Midnight
if it is causing warnings I will remove it!

It is (not on load in my case, but on cache). I don't think the erroneous warnings are that much of a problem, of themselves, but some AV systems are set to report ostensibly infected sites and I'm slightly concerned that this forum could wrongly end up on an infected-sites list if it displays malware code.
Quote from: Midnight
Not off my computer thay don't

Malware can run within a sandbox. If you browse then ftp without emptying the sandbox in between, something like an MITB script could harvest your details. Safer to use different clients for trusted and distrusted activities.
Quote
I use Sandboxed so I can not get a infection.

I'd think in terms of risk reduction rather than elimination. I hope you're right, and if you can't find any of the usual suspects then that's encouraging.
Gabe
Midnight_Caller
Rising Star
Posts: 4,154
Thanks: 9
Fixes: 1
Registered: ‎15-04-2007

Re: Badware on my forum

Quote from: jelv
[snip] I notice that you haven't updated to 1.1.10 - that could be why your forums were attacked.

For me to get the forum updated to 1.1.10, I would need to put the forum back to default installation.  mined you it may just be worth it, I will have a think on that one!
Quote from: Gabe
[snip] It might show up in the logs.

Do you mean the forum logs?
Quote
Malware can run within a sandbox.

not wen it has been Deleted.  Smiley
Quote
If you browse then ftp without emptying the sandbox in between

I don't.  Smiley
Quote
Safer to use different clients for trusted and distrusted activities.

I will fink on that one, it is just that I am so used to using Internet Explorer for ftping, but I do have FileZilla Client.
Quote
[snip] if you can't find any of the usual suspects then that's encouraging.

No I can not find any of the usual suspects on my computer.  Smiley
Gabe
Community Veteran
Posts: 767
Registered: ‎29-10-2008

Re: Badware on my forum

Quote from: Midnight
Do you mean the forum logs?

Yes. If they got in by SQL injection, it could show up in the access logs, and if they got in by ftp, it could show up in the xfer logs. Hope for the former (the latter would conform to type, but I am a devout, practising pessimist  :)). If they left a time bomb and the actual hack happened ages ago, it may not show in either.
Gabe
Midnight_Caller
Rising Star
Posts: 4,154
Thanks: 9
Fixes: 1
Registered: ‎15-04-2007

Re: Badware on my forum

@Gabe, I went through all the Forum Error Logs and all I got was this sort of thing:
Password incorrect
Your email address needs to be validated before you can login.
Sorry Guest, you are banned from using this forum! Spammer
Sorry, the name you tried to use, ******, contains words which have been censored. Please try another name.
Number of Forum Error Log pages 300
15 to a page
Total number: 4500 - All now deleted.