Database Corruption/Hacked FAQ

  • Illuvatar
    Senior Member
    • May 2002
    • 110

    [Forum] Database Corruption/Hacked FAQ

    We recently came under attack where somewhere somehow our site was being reported as containing a malicious script.

    I had recently converted the entire site from straight HTML (with VB forum) to VB Publishing Suite 4.1.8 so that was the only script running. I was having an issue with some table overflow placing my navbits where they were not supposed to be after upgrading to version 4.1.10 and was politely informed by BirdOPrey5 here that he was getting an alert from Google that my site was infected with malware. He provided a link to the Google Webmaster Tools site which was most appreciated! At the same time users started contacting me due to warnings from Norton and other Anti-virus software and when I checked we were actually blacklisted.

    My first reaction was to do all the stuff that the Google Tools recommended (changing passwords, etc). I also reported it to my host (Servint), had a firewall installed, and then tried to find it! The techs at Servint ran some searches but nothing could be found at the server level. Couldn't find a thing so the next step was to check the VB script or database.

    Since I had just upgraded I was pretty much running native except for the color scheme and whatnot....and as a last ditch effort before shutting down the site I thought I would look through the templates. Imagine my surprise when I found that the footer template was showing red (modified) when I had not modified ANY templates after the upgrade. And that's where it was....some way....some how....a URL pointing to feedyourbrain.com (don't go there) had been inserted into my footer so was then distributing malware from EVERY page on my site. I tried to revert it only to have it show up the next day and then I just deleted it outright and that cleared the site enough to have Google review it and clear it from the blacklist.

    I've been keeping an eye on that template daily and had it show up again just a few days ago. I found it before Google did and did not get blacklisted again fortunately. After reviewing the admin log, it appeared that somehow this hacker had used an email re-direct to get one of my admins' passwords using the retrieval function and then was inserting his crap into the template. That is at least how it appeared...now I'm not so sure....and here's why:

    To resolve my navbit issue, it was recommended that I create a brand new style with parent just to start over as it appears that my old styles were not compatible with the new 4.1.10 version. Okay....so I did that and the navbit issue did go away....this of course meant that I needed to re-skin the entire site! LOL Okay...time to re-skin the thing and with having to go through practically all of the stylevars in order to maintain our site's theme, it's really important that I go screen by screen to verify exactly what changes when I change each font, background, color, and border to my needs. This is how I found the real root cause of the issue. I had gone through the major sections (Forum, Blog, Home/News, etc) and was going through the sub sections (Private Messages, Calendar, etc) when I clicked on the FAQ and what did I get? A FAQ? No....an actual GUI interface into my entire site!

    This includes navigation into databases, user accounts, files and everything!! I've attached a screen shot so you can see it but will only give out the actual link to a VB admin if he wants to send me a PM.

    At first I thought it was just the faq.php file so I uploaded a clean version from the VB 4.1.10 zip file but that didn't work. I then re-uploaded ALL of the files excluding the Install folder and config file and that didn't work either! My only assumption now is that it is in the database somewhere and now whenever "forums/faq.PHP" is called, it pulls in that site index list instead of the actual FAQ. I mean really.....how often does somebody ever click on their own FAQ? ....smart....but still...what an a-hole!

    I know that I just wrote a book, but I wanted to make sure that this was well documented and that I was very clear on what steps were taken, etc. in case others find themselves in the same boat. I've seen a couple of other threads about malware attacks so I'm thinking that this may be spreading to other VB instances.

    I have renamed the faq.php file in order to take that crap offline but what I need to know now is.....just how do I recover/restore/rebuild whatever...that FAQ section of the database? I'm not that technical but can follow directions. It was obviously there before the 4.1.10 upgrade so the upgrade doesn't take care of it and my back up would also be screwed. I cannot lose the existing thread and user data so I really just need to replace the one table with a clean version somehow.

    I can open a ticket if need be but like I said..I want to make sure others know about this and the solutions. Thanks much!!

    Site URL: www.warofthering.net
    Admin access: PM me if you need it.

    [Attachment: FAQ Screen.jpg, 98.4 KB]
    Last edited by Illuvatar; Wed 8 Feb '12, 2:46pm. Reason: spelling
    All who wander are not lost.
    - JRR Tolkien -
  • Illuvatar
    Senior Member
    • May 2002
    • 110

    #2
    Okay....no responses yet but here's a thought....

    Using PHPMyAdmin I can completely drop that FAQ table altogether.....if I do that and run upgrade.php will it rebuild it for me?
    All who wander are not lost.
    - JRR Tolkien -

    Comment

    • Wayne Luke
      vBulletin Technical Support Lead
      • Aug 2000
      • 74132

      #3
      Actually, the point of entrance is probably a plugin assigned to one of your FAQ hooks. The FAQ table only contains linking information and no actual code.
      Translations provided by Google.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API

      Comment

      • Illuvatar
        Senior Member
        • May 2002
        • 110

        #4
        Thanks for getting back to me Luke....

        A friend here at work was just telling me the same....now....he said that it might be in my htaccess file (which I still have to figure out how to get to and check) but how do I check the FAQ hooks that you mentioned? Or is that the same as the htaccess thing?
        All who wander are not lost.
        - JRR Tolkien -

        Comment

        • Wayne Luke
          vBulletin Technical Support Lead
          • Aug 2000
          • 74132

          #5
          Plugins would be in the Admin CP under Plugins / Products -> Plugin Manager.

          Need to review each one manually unfortunately.

          You would access .htaccess with your FTP client like Filezilla Client.
          Translations provided by Google.

          Wayne Luke
          The Rabid Badger - a vBulletin Cloud demonstration site.
          vBulletin 5 API

          Comment

          • Illuvatar
            Senior Member
            • May 2002
            • 110

            #6
            Okay...sorry....didn't see your latest reply.

            I thought about what you posted at 09:55 and logged into the AdminCP>Plugin Manager and sure as **** in the very top section of the plugin System list was one called faq with a hook location of faq_complete.

            I copied out the code inside just so I have it....won't publish it here for obvious reasons and then deleted the plugin.

            Uploaded a new faq.php file and BOOM.....we now have a working FAQ and the vulnerability has been eliminated.

            My guess is that once he had an admin pass that he installed the plugin as well as inserting the malware link into the footer template. This guy was brutal!!!!

            All is well and site is now secure. Thanks Luke for pointing me in the right direction!

            *Edit....just to finalize.....

            To all who may be getting malware warnings:
            #1. Reset all Admin passwords and change email addresses if possible as well.
            #2. Check your AdminCP>Style & Template>Style Manager>Edit Templates and look for any in red (Modified) especially global templates like Header and Footer and ensure that no malware links have been inserted without your knowledge. Remove these links.
            #3. Check your AdminCP>Plugins & Products>Plugin Manager for any plugins that might look suspicious ("faq" for example) and delete them.
            #4. Using Google Webmaster Tools, have Google review your site.

            Good luck!
            Last edited by Illuvatar; Thu 9 Feb '12, 11:36am. Reason: Added stuff
            All who wander are not lost.
            - JRR Tolkien -

            Comment
