***PSA: Webmasters Read***


DoE
Wed 19th Sep '07, 8:52pm
Webmasters,

*** give widest distribution***

Check all index.html's, index.php, and login.php files of your site(s). Malicious code was found appended to all these files on my website. I removed, and 'chmod'ed, all files listed to read access only. *These files were clean when uploaded*

The code appended to these files causes a "your registry has error's click here to fix", and other similar pop-ups to appear depending on reloads of your site (A hotjobs.com one was also generated when I purposely executed the Java code in a controlled environment to see) in another window, tab, or even a pop-up if enabled, to visitors of your site when IE interprets the html file.

As my site has not been made public yet, the only IPs found were my own, one belonging to google and yahoo, and one 80.xxx.xxx.xxx (a .ru i/p) which I suspect is a bot that tries to write this code to files that are not set to 0444. Note, a "Frontpage extension" file was also found on my site with the same code.

Also note, this has nothing to do with vBulletin, I checked my archive I recently downloaded, and they are clean :)

MRGTB
Wed 19th Sep '07, 8:58pm
All vBulletin files by default are "READ ONLY" Chmod by default after you install it. So I don't understand why you say you had to chmod them to read only later?

You shouldn't have had any "html's, index.php" file otherwise

EDIT:

Missed this part

Also note, this has nothing to do with vBulletin, I checked my archive I recently downloaded, and they are clean

Guess you're talking about something else

Floris
Wed 19th Sep '07, 9:10pm
Your post implies you are a vBulletin customer, please confirm this by going to the members area and set yourself up for priority support. And yes, the vBulletin .zip files our customers download from our members area are clean as always.

DoE
Wed 19th Sep '07, 9:29pm
I am a licensed owner of vBulletin (two licenses actually, and the Blog ;) ). A support ticket is not required as this was just meant to alert webmasters to check their files, regardless if they own vBulletin or not, every once in a while to protect visitors (or if they redirect members via a cms or other file to a forum, their members) from potential malicious code.

MRGTB:

FYI: all my files are uploaded with 0644 (read/write access), therefore the recommendation for webmasters to set files to 0444 (read only).

Wayne Luke
Wed 19th Sep '07, 9:52pm
Actually 0644 means the owner (and super users) can read and write to the files. Group members can read them and World members can read them. Most webservers will not be able to use the files if they are CHMOD 0444. Many can't even handle 0644.

If your files are being written to and you're not the one that is doing it, then the server is compromised and someone is doing it with a superuser account or rootkit.

MRGTB
Wed 19th Sep '07, 9:55pm
That's what I thought. As far as I knew only people with access to the server can write to files that are 0644. But World people can't. I thought they had to be 666 or 777 for that to happen.

Think you made a typo error above Wayne

are CHMOD 0444. Many can't even handle 0644.

DoE
Wed 19th Sep '07, 10:07pm
Thanks Wayne, I thought it odd that the files could be written to set with 0644. I'll contact the host. Hopefully members of this forum will still take the time to check their sites.

Wayne Luke
Wed 19th Sep '07, 11:14pm
Think you made a typo error above Wayne

No typo. I have had experiences with quite a few hosts that wouldn't process files if they weren't at least 0755.

Floris
Thu 20th Sep '07, 6:40am
Thanks Wayne, I thought it odd that the files could be written to set with 0644. I'll contact the host. Hopefully members of this forum will still take the time to check their sites.
Thank you for the follow up, however, I can only assume otherwise if you don't want to set yourself up for showing as a licensed customer. So please for me, send me a private message with your license number or set yourself up. I hope you understand. Thank you.
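
As an added example (not part of any post in this thread), here is one way to run the check the first post asks for: compare each deployed index.html, index.php and login.php with the clean copy that was uploaded, flag files that have extra bytes appended, and decode the mode bits discussed above into who holds write access. It assumes a clean local copy of the site exists; the function names `who_can_write`, `classify` and `audit` are hypothetical, and the demo tree is constructed.

```python
import os, stat

WATCHED = {"index.html", "index.php", "login.php"}  # file names listed in the first post

def who_can_write(mode):
    """Return which permission classes hold the write bit, e.g. 0o644 -> ['owner']."""
    bits = (("owner", stat.S_IWUSR), ("group", stat.S_IWGRP), ("world", stat.S_IWOTH))
    return [name for name, bit in bits if mode & bit]

def classify(live_bytes, clean_bytes):
    """Compare a deployed file with its clean upload copy."""
    if clean_bytes is None:
        return "no-baseline"
    if live_bytes == clean_bytes:
        return "clean"
    # Clean content intact with extra bytes after it: the pattern from the first post.
    if live_bytes.startswith(clean_bytes):
        return "appended"
    return "modified"

def read_bytes(path):
    """Return file contents, or None when the file does not exist."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except FileNotFoundError:
        return None

def audit(site_root, clean_root):
    """Return sorted (relative path, status, octal mode, writers) for watched files."""
    findings = []
    for dirpath, _dirs, files in os.walk(site_root):
        for name in WATCHED.intersection(files):
            live = os.path.join(dirpath, name)
            rel = os.path.relpath(live, site_root)
            status = classify(read_bytes(live), read_bytes(os.path.join(clean_root, rel)))
            mode = stat.S_IMODE(os.stat(live).st_mode)
            findings.append((rel, status, oct(mode), who_can_write(mode)))
    return sorted(findings)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as live, tempfile.TemporaryDirectory() as clean:
        # Constructed sample: same page in both trees, extra bytes appended to the live copy.
        for root, extra in ((clean, b""), (live, b"<!-- constructed appended bytes -->")):
            with open(os.path.join(root, "index.html"), "wb") as fh:
                fh.write(b"<html><body>home</body></html>\n" + extra)
        for finding in audit(live, clean):
            print(*finding, sep="\t")
```

Run against a downloaded copy of the site rather than on a server that may be compromised, and treat any "appended" or "modified" result as a reason to re-upload from the clean copy and ask the host how the write happened.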