bibzopl.com Virus


Post by Bushwhacked » Wed Feb 10, 2010 9:58 am

Hi, I just noticed my phpbb home page calling up a site called bibzopl.com when I try to load it. I did a source view when it did finally load, and I discovered some encrypted javascript hidden in the footer. The script is:

[removed javascript]

I removed the script from the footer template, but of course it's been busy planting itself all through the source code, and removing it from the footer alone won't do it. My understanding is that it is a PC-specific virus that attempts to load exe files and so on - very nasty stuff for users. My forum is brand new and hosted on [removed link to infected page]. Any ideas on how to get rid of this piece of cr@p script?!! It looks like it has infiltrated the source code of every single page.

Thanks for taking a look.

Cheers, Chris
Last edited by Pit$Bull on Fri Feb 12, 2010 7:23 pm, edited 3 times in total.
Reason: Please don't post links to exploited pages, thanks.

Re: bibzopl.com Virus

Post by thecoalman » Wed Feb 10, 2010 10:20 am

99.9% of the time this is because of an exploited server. Inform your host of the issue.

Re: bibzopl.com Virus

Post by Bushwhacked » Thu Feb 11, 2010 2:28 am

Thanks. I did call the hosting company, but they weren't a ton of help ("and I will email you a tip sheet on avoiding malware in the future...").

However, the script WAS on the server, and I discovered that it had infiltrated every php file in the template, so I went into file manager, opened every directory, then opened every php file in each of the directories and then deleted the code (which was sitting conveniently at the top of each file) one file at a time, one by one. As an attorney friend of mine says, "it was not an insubstantial amount of time......"

But at least it's gone now. Thanks for your response, and sorry for posting the link originally - that was stupid.

Cheers, Chris

Re: bibzopl.com Virus

Post by ric323 » Thu Feb 11, 2010 2:42 am

Bushwhacked wrote:...
But at least it's gone now. Thanks for your response, and sorry for posting the link originally - that was stupid.

Chances are, it will be back soon.
Do you have any other applications running in your web space, or only phpBB?

Re: bibzopl.com Virus

Post by Lumpy Burgertushie » Thu Feb 11, 2010 5:03 am

And if your host will not do anything about it then I would seriously start looking for a new host.

There are no known vulnerabilities in phpbb3 so this most likely did not come in via phpbb. It most likely came in via either outdated server software or some other scripts that are on the server (might not even be on your account).


robert

Re: bibzopl.com Virus

Post by Bushwhacked » Thu Feb 11, 2010 7:22 am

ric323 - the phpbb files are located in a sub directory of my site (mysite/forum). The main site is just an html blog running off of Google's free Blogger platform using one of their free templates, and I publish via FTP. I do have a custom script running on the index.html page that distributes market data from a trusted source to about ten pages at most (there are about 200 pages in total). The guys who built the script work for the data provider, and they encrypted it pretty carefully - the data is not cheap so we wanted to make sure that hackers could not tap the feed. That COULD be causing the problem - though I doubt it. The script infiltrated only the php forum subdirectory, nothing else, and looked like it was written specifically for php infiltration (it has the ?php language in the beginning).

Robert - Go Daddy hosts my account. I was on the phone with them for a good bit of the day. The first guy I spoke with had to call to his support team to understand what I was talking about. They were the ones who waved me off - they told me it was related to php, not their servers. Frankly, at that point I didn't care where it was coming from, I just wanted it gone, so I called back and spoke to a woman there named Ashley who was very helpful and patient. She helped me get rid of *most* of it, but I think I need to restore the whole forum subdirectory to get rid of all of it.

The reason is that when I cleaned up the last of the files (style.php and index.php), the whole template went wacky on me, even though all I did was delete the offending script (who are the miscreants that write this stuff anyway?!). You can't miss the malware script, a kindergartner could spot it. It's incredibly dense, half a page long and right on top, so I am certain I didn't delete any of the real php source code by mistake.

I *think* I can restore the whole subdirectory back to February 1st, which was pre-virus, and then change admin passwords, but I'm guessing I'll lose any users who signed up after that. Despite all this, I do love phpbb so I hope I can get to the bottom of it.

Thanks very much for your assistance. If I hear anything helpful from Go Daddy, I will repost it.

All the best, Chris

Re: bibzopl.com Virus

Post by Lumpy Burgertushie » Thu Feb 11, 2010 7:35 am

Nothing you do to the files will make you lose any members, posts, forums etc. That is all in the database and that is not anywhere that you can access it via ftp.

So, if you are worried then just replace all the files with new ones from here except for the config.php file.

Then, in your browser, go to:
yourdomain.com/yourphpbb/install/database_update.php

Then delete the install folder and you are done.

It could be the blog is where they got in from. Different blog software has been very vulnerable to this type of hack.
It could also be someone anywhere on the same server, not necessarily from your account.

However they got in, it is doubtful that it was via phpbb. There are no known exploits for phpbb3.

Yes, change your ftp and cpanel and database passwords.


robert
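
One way to check the result of the file replacement described in the post above, as an added example that is not part of the original thread or of phpBB: compare every .php file in the live forum directory with a freshly unpacked copy of the same phpBB version and report what differs. The function names, directory layout and sample files are constructed for the demo, and the "injected" text is an inert placeholder.

```python
import tempfile
from pathlib import Path

SKIP = {"config.php"}  # site-specific file the thread says to keep

def normalized(path):
    # FTP ASCII-mode transfers may rewrite line endings; compare on LF only.
    return path.read_bytes().replace(b"\r\n", b"\n")

def audit(live_root, clean_root, skip=SKIP):
    """Classify every .php file in live_root against a clean package tree."""
    live_root, clean_root = Path(live_root), Path(clean_root)
    report = {"prepended": [], "changed": [], "unknown": []}
    for f in sorted(live_root.rglob("*.php")):
        rel = f.relative_to(live_root).as_posix()
        if rel in skip:
            continue
        ref = clean_root / rel
        if not ref.is_file():
            report["unknown"].append(rel)  # not part of the package at all
            continue
        live, clean = normalized(f), normalized(ref)
        if live != clean:
            # Code injected at the top of a file leaves the original as a suffix.
            kind = "prepended" if live.endswith(clean) else "changed"
            report[kind].append(rel)
    return report

def demo():
    # Constructed sample trees standing in for the live forum and a fresh package.
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        files = {"index.php": b"<?php // index\n", "style.php": b"<?php // style\n",
                 "includes/functions.php": b"<?php // functions\n"}
        for rel, body in files.items():
            for root in (clean, live):
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(body)
        marker = b"<?php /* INJECTED-PLACEHOLDER */ ?>"
        (live / "index.php").write_bytes(marker + files["index.php"])
        (live / "style.php").write_bytes(b"<?php // style, hand-edited\r\n")
        (live / "includes/functions.php").write_bytes(b"<?php // functions\r\n")
        (live / "config.php").write_bytes(b"<?php // site settings\n")
        (live / "cache").mkdir()
        (live / "cache/x.php").write_bytes(b"<?php // not in package\n")
        return audit(live, clean)

if __name__ == "__main__":
    print(demo())
```

Files that phpBB generates at runtime (for example under cache/) are not in the package, so they are listed under "unknown" and need a manual look. An empty report after the replacement means every packaged .php file matches the clean copy.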

Re: bibzopl.com Virus

Post by Bushwhacked » Thu Feb 11, 2010 8:27 am

OK Robert, thanks. I think what you suggested will take care of it, and strong passwords are definitely a must - letters (w/changed case) numbers and symbols. I would love not to have to replace all the files, :oops: but it's probably the safest way to go.

Cheers, Chris

Re: bibzopl.com Virus

Post by Bushwhacked » Fri Feb 12, 2010 7:20 pm

Robert, just wanted to let you know your diagnosis was completely spot on, and I really appreciate your help. :D The crud code is all gone, hopefully for good. I have changed all my passwords, and I will consider changing hosts as well.

Cheers, Chris