
Users Complaining About Virus On My Site...


Blackcat


Today three strange things happened on my blog (http://blackcat.bloggy.biz):

1- The folder /archive/images had become public :) (the images were not supposed to be shown in a list; hotlink protection was even used to forbid the use of my domain's bandwidth)

2- A user complained about the forum (http://bloggy.biz/board), saying that "in at least three or four moments, a trojan tried to enter my PC, the so-called ByteVerify, which exploits the Java of the forum to attack a computer". In my experience, phpBB does not use any Java, am I right? Should I think it is a problem of this user only (on her PC, maybe)? :dance:

3- Another user, exploring the above-mentioned folder, the one that suddenly became visible to the public, told me that "my firewall informed me that an application called m00 was attempting to access the internet. I had never seen this .exe before, but I noticed it was created on my desktop the moment I opened the folder. I tried to delete it, but it was impossible. This application then tried to access I don't know which process, so I denied it access and finally deleted m00. There was another problem, my task manager: I used it to close the Explorer page I had opened to see your images, which was not responding. Everything disappeared, even the taskbar. Even restarting the PC did not improve anything; I was obliged to reboot it loading the last known good configuration."

I really don't know what's happening: my Norton Internet Security and Personal Firewall did not find anything suspicious.

Could you maybe help me? :(


Hi Blackcat,

I don't speak Italian, so I don't know if this thread is relevant to your issue, but from what I understand from reading your post, I would check it out.


Hi Thomas! How are you? :dance:

Well, I double-checked as your linked thread suggests, but found nothing, even in the source code of the index.php file :(

I really don't know where else to look to find an answer :)


I assumed as much, but just wanted to be sure. :dance: Hopefully one of the more knowledgeable bloggers will chime in, but it sounds to me like your administrative password may somehow have been compromised. As I don't have a blog, I cannot really say much beyond what immediately jumps out at me. (But I think that you already thought of that, too!)


1- The folder /archive/images had become public :dance: (the images were not supposed to be shown in a list; hotlink protection was even used to forbid the use of my domain's bandwidth)

The directory is publicly viewable, which isn't quite the same as having 'become public'. Hotlink protection will not by itself prevent someone from viewing the directory listing. If you don't want the directory to be viewable, you need to go into the Index Manager in your cPanel and set that directory to "No Indexes".

 

2- A user complained about the forum (http://bloggy.biz/board), saying that "in at least three or four moments, a trojan tried to enter my PC, the so-called ByteVerify, which exploits the Java of the forum to attack a computer". In my experience, phpBB does not use any Java, am I right? Should I think it is a problem of this user only (on her PC, maybe)? :(

It's not a question of whether phpBB does or doesn't use Java - the user is saying that something on one or more of your forum pages is attempting to download a trojan. A link to a specific page where this is occurring would be extremely helpful, as it could then be verified whether or not there is malicious code in the page.

 

3- Another user, exploring the above-mentioned folder, the one that suddenly became visible to the public, told me that "my firewall informed me that an application called m00 was attempting to access the internet. I had never seen this .exe before, but I noticed it was created on my desktop the moment I opened the folder. I tried to delete it, but it was impossible. This application then tried to access I don't know which process, so I denied it access and finally deleted m00. There was another problem, my task manager: I used it to close the Explorer page I had opened to see your images, which was not responding. Everything disappeared, even the taskbar. Even restarting the PC did not improve anything; I was obliged to reboot it loading the last known good configuration."

Your user was infected by a trojan, known as 'Trojan Moo':

* Trojan is carried inside of an infected .jpg file

* Attempts to download a file from a URL specified by the author and save it as "m00.exe"

* Executes m00.exe

Opening the folder alone should not have triggered this trojan - I think you'd have to actually view an infected .jpg file. It's possible that the user had already been infected and the appearance of 'm00.exe' on the desktop at the same time the /images folder was opened was merely a coincidence.

 

I really don't know what's happening: my Norton Internet Security and Personal Firewall did not find anything suspicious.

You may not see anything on your PC - the problems (if they exist) would be with files on the server.


David... no words for your great answer, except an enormous THANK YOU!!!!! :dance:

Well, now the users complaining about the forum are two. Both have problems with the home page (http://bloggy.biz/board): firewalls and antivirus go crazy, programs try to install themselves on the PC, and so on.

I searched through the PHP code, but I have not been able to find anything regarding hidden links :(


Looking at "View Source" of your phpBB main page, this line is the very first line of code, even before the !DOCTYPE or <html> tag:

><script language=JavaScript src=/rmpcugt.js></script>

The link to the script does not appear to be valid now. But the position of this script, ahead of all other HTML code, in an invalid place for a <script> tag, and the odd, pseudo-random name of the script lead me to suspect that this is not your code, but code that a malicious attacker may have inserted into your site.

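A small checker for the symptom described in the post above, added here as an example (it is not code from the thread, from phpBB or from the hosting provider): it scans a page's served source for an external `<script>` whose tag begins before `<!DOCTYPE>` or `<html>`, which is where the `rmpcugt.js` line was seen. Position is the strong signal; the pseudo-random-name test is a weak, corroborating heuristic I assumed from the three names quoted in the thread (all seven lowercase letters, almost no vowels) and will misfire on names like `script.js`. The two sample pages are constructed, not captured from bloggy.biz.

```python
import re

# External <script ... src=...> tags; the src value may be unquoted, as in the injected line.
SCRIPT_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
# First thing a legitimate page starts with.
PREAMBLE_RE = re.compile(r'<!doctype|<html\b', re.I)


def preamble_end(html: str) -> int:
    """Offset of <!DOCTYPE> or <html>, whichever comes first (end of text if absent)."""
    m = PREAMBLE_RE.search(html)
    return m.start() if m else len(html)


def looks_random(path: str) -> bool:
    """Heuristic (assumption): a bare /xxxxxxx.js at the document root whose name is
    6-9 lowercase letters with at most one vowel per four letters, like rmpcugt,
    gvspmjf, kslljmr. Real names such as jquery or common have more vowels."""
    m = re.fullmatch(r'/?([a-z]{6,9})\.js', path)
    if not m:
        return False
    name = m.group(1)
    vowels = sum(ch in 'aeiou' for ch in name)
    return vowels <= len(name) // 4


def find_injected_scripts(html: str) -> list:
    """Every external script whose tag starts before the page preamble.
    No template emits markup there, so any hit deserves a look; 'random_name'
    only adds weight to it."""
    cut = preamble_end(html)
    hits = []
    for m in SCRIPT_RE.finditer(html):
        if m.start() < cut:
            hits.append({'src': m.group(1), 'offset': m.start(),
                         'random_name': looks_random(m.group(1))})
    return hits


# Constructed samples: one page as the posters saw it, one as phpBB normally serves it.
INJECTED_PAGE = (
    '><script language=JavaScript src=/rmpcugt.js></script>\n'
    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">\n'
    '<html><head><title>board</title>\n'
    '<script type="text/javascript" src="/templates/subSilver/jquery.js"></script>\n'
    '</head><body></body></html>\n')
CLEAN_PAGE = INJECTED_PAGE.split('\n', 1)[1]

if __name__ == '__main__':
    for label, page in (('injected', INJECTED_PAGE), ('clean', CLEAN_PAGE)):
        print(label, find_injected_scripts(page))
```

Run it against a copy of the page saved from "View Source" (or fetched with a client that does not execute scripts) rather than against the files on disk: the point of the check is what the server actually delivers.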


You're right!!! I did not put this script in my header...

And, honestly, I did not search in the header, but just in the page body ( :no2: ).

As soon as my cPanel works again (now I think something strange is happening, I have an error code "License File Expired") I will delete it.

Thank you again :)


OK. I've tried to find where this malicious script has been inserted.

I could not find it :( Moreover, in the source code of my first page (you mean the HTML, right? :no2: ) it does not appear anymore.

I also took a look in my templates folder and in the include folder, but nothing.

:)


I no longer see the <script> tag either. Maybe you or the Help Desk did something that fixed phpBB back to the way it was? :)

I could not do anything until the Help Desk fixed my problem with cPanel.

And I did not even ask them to remove the script :no2:

I am starting to worry about the safety of my site: may I have been hacked or something? :(


I haven't used phpBB in a while. But one of the first things you could do is change your admin password.

 

Greg

 

Hi Greg :oops:

I did it two weeks ago, also because I was out of town and I had forgotten it :)

Now the problem is getting wider. It seems to affect my JPEG folders on two different blogs as well...


Just a question about a small doubt....

In the AWStats of all my subdomains, I found hundreds of .js scripts listed among the 404 pages.

How could someone possibly force readers to download a script (not present in my folders) when they read random pages, EVERY page of the domain? :)


Blackcat, in your AWStats under 404 errors, is this what you are getting?

I am not using phpBB or any other forum or blog.

I started getting all these 404 .js errors about a week ago.

 

 

Exactly the same!!! :oops:

Hundreds of odd .js scripts!!!

And, moreover, I found in AWStats someone called "Mrbean" who appears to have logged into my site as an authenticated user. Obviously, I don't know any such user :)

My .js scripts, anyway, started in August, around the middle of the month.

This "Mrbean" authenticated for the last time on August 16th. And yesterday another authenticated user logged in. Name = ""

It's getting worse and worse :)


Well, I did start getting all these .js errors back in August. I don't check the stats for this site very often. I don't have any authenticated user for August or September. I went through my site page by page looking at the source code and could find no reference to any .js file. I have Viper guestbook installed and thought it might be the problem, so I disabled it, but I continued to receive the errors. I am at a loss as to what to do next.

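The two things the posters are reading off AWStats, the flood of 404s for randomly named `.js` files and the unexpected "authenticated user", both come straight out of the raw Apache access log, and pulling them out yourself is quicker than waiting for the daily stats run. The script below is an added example, not part of the thread or of AWStats; it assumes the combined log format. The eight log lines are constructed to resemble what the posts describe (the IPs, paths and the `Mrbean` entry are made up, not real bloggy.biz traffic).

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: ip ident remote-user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# The injected tag's src: a bare /<letters>.js at the document root.
RANDOM_JS_RE = re.compile(r'^/[a-z]{6,9}\.js$')

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Aug/2005:10:01:02 +0200] "GET /board/index.php HTTP/1.1" 200 18321 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.0.6"
203.0.113.7 - - [16/Aug/2005:10:01:03 +0200] "GET /rmpcugt.js HTTP/1.1" 404 291 "http://bloggy.biz/board/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.0.6"
203.0.113.7 - - [16/Aug/2005:10:01:09 +0200] "GET /board/viewforum.php?f=2 HTTP/1.1" 200 22110 "http://bloggy.biz/board/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.0.6"
198.51.100.23 - - [16/Aug/2005:11:40:17 +0200] "GET / HTTP/1.1" 200 4012 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [16/Aug/2005:11:40:18 +0200] "GET /gvspmjf.js HTTP/1.1" 404 291 "http://blackcat.bloggy.biz/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [16/Aug/2005:11:40:25 +0200] "GET /archive/images/ HTTP/1.1" 200 9730 "http://blackcat.bloggy.biz/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.44 - Mrbean [16/Aug/2005:23:12:50 +0200] "GET /board/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [16/Aug/2005:12:30:00 +0200] "GET /templates/subSilver/images/logo.gif HTTP/1.1" 404 288 "http://bloggy.biz/board/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.0.6"
"""


def parse(log_text: str) -> list:
    """One dict per well-formed line; malformed lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def random_js_404s(rows) -> list:
    """404s for a root-level random-looking .js name. Ordinary missing files
    (a real image path, for instance) are left out."""
    return [r for r in rows if r['status'] == '404' and RANDOM_JS_RE.match(r['path'])]


def hits_per_client(rows) -> dict:
    """Random-.js 404s per client IP. The thread reports roughly one per visitor
    no matter how many pages that visitor reads; this lets you check that."""
    return dict(Counter(r['ip'] for r in random_js_404s(rows)))


def authenticated_users(rows) -> dict:
    """Every non-empty remote-user field (what AWStats calls an authenticated
    user) mapped to the paths it requested. A name you never created means
    someone has working HTTP-auth credentials for a protected area."""
    seen = defaultdict(list)
    for r in rows:
        if r['user'] != '-':
            seen[r['user']].append(r['path'])
    return dict(seen)


if __name__ == '__main__':
    rows = parse(SAMPLE_LOG)
    print('random .js 404s:', [(r['ip'], r['path'], r['referer']) for r in random_js_404s(rows)])
    print('per client:', hits_per_client(rows))
    print('authenticated users:', authenticated_users(rows))
```

The referer column of each 404 tells you which page carried the injected tag, which is the "link to a specific page" asked for earlier in the thread; on cPanel hosts the raw log is usually available under Raw Access Logs or in the account's `access-logs` directory.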

Blackcat,

Did you find a fix or the source of the .js error problem?

Yesterday I tried changing some code on my index.html page to see if that would have any effect. I then tried to validate the page, but the validator said I had a JavaScript before the DOCTYPE. I looked at the page source but didn't see any JavaScript. I tried to validate again, and the page validated with no problem.

If you or anyone has suggestions I'm open to trying most anything.


I have the same problem, Curtis. Moreover, the complaints are becoming constant and increasing ;)

I think the script is not put on a specific page, because if it were, whoever put the script there must have access to FTP or cPanel, as I have .js problems on the weblogs (running Movable Type), on the board (running phpBB) and on my home page made with FrontPage. Nor should we have so many 404 .js pages.

I'm going crazy, working till late at night from home to find a possible solution, but nothing helps. The guys at TCH are working on a ticket I opened, but they also did not find any malicious file.

Anyway, whoever made the changes did not hack or crack any site.

This is a very annoying "joke", made just to disturb users and readers. (If I find him/her I'll strangle him/her :blink: )

There is apparently no code inserted, no script, no iframe. Nothing.

But the problem still persists.... :(


I see that at http://blackcat.bloggy.biz/ there is now a gvspmjf.js at the top of the page.

But it comes up 404. I'm not getting any warnings from Norton.

I'm using Firefox. Have you asked the users what browser they are using?

And just maybe that code is being added to your database. Have you taken a look there?

Just ideas, I'm by far no expert on this stuff. :blink:

Greg



Yes! Of course it shows, but randomly! ;)

And, I swear, there is no script in the source code of the page!

All the files are 404, and this is why some firewalls (including mine) did not even inform the user of this download attempt.

I don't think it is a problem of browser or OS: I already asked the forum users, and there are almost all cases and combinations :blink:

Even for the DB: the weblogs have one database, the board has another, different database, and the home page doesn't have any. But all three have the same problem.

Thank you for your ideas, Greg :)

The more we are, the faster we beat .js!!! :D

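The reasoning the thread has reached by this point (the tag shows up only some of the time, greps over the document root find nothing, and plain HTML pages with no database are hit too) can be turned into a direct test: fetch the same URL several times with caching disabled and compare each copy with the file on disk. The block below is an added example, not from the thread or the host; `fetch_samples()` uses the standard `urllib` API for live use but is not exercised here, and the served bodies and disk copy are constructed (modelled on the small HTML page quoted later in the thread). A tag that is in the served copies but never in the file means it is being added by the web server or something in front of it, not by your own files, and no amount of searching your templates or databases will find it.

```python
import re
import urllib.request

# The injected line as the posters saw it: on its own line, before any real markup,
# with a root-level 6-9 letter .js name and an unquoted src.
INJECT_RE = re.compile(r'^\s*>?<script\b[^>]*\bsrc=["\']?(/[a-z]{6,9}\.js)', re.I | re.M)


def injected_srcs(body: str) -> list:
    """Script srcs that appear before <html>; empty list means this copy is clean."""
    lower = body.lower()
    head = body[:lower.find('<html')] if '<html' in lower else body
    return INJECT_RE.findall(head)


def fetch_samples(url: str, n: int = 10) -> list:
    """Fetch the same URL n times, asking intermediaries not to serve a cached copy
    (live use only; not called in the offline run below)."""
    out = []
    for _ in range(n):
        req = urllib.request.Request(url, headers={'Cache-Control': 'no-cache', 'Pragma': 'no-cache'})
        with urllib.request.urlopen(req, timeout=15) as resp:
            out.append(resp.read().decode('utf-8', 'replace'))
    return out


def classify(served_bodies: list, disk_body: str) -> dict:
    """Compare what the server sent with what is on disk.
    in-file:    the tag is in your file; clean it, then find out how it got there
                (this is the FTP/cPanel-credential case from the thread).
    serve-time: file is clean but some served copies carry the tag; the injection
                happens in the server or host, so raise it with them, not in your code.
    clean:      no copy carried the tag (sample more, since it is intermittent)."""
    served_hits = [injected_srcs(b) for b in served_bodies]
    disk_hits = injected_srcs(disk_body)
    n_hit = sum(1 for h in served_hits if h)
    if disk_hits:
        verdict = 'in-file'
    elif n_hit:
        verdict = 'serve-time'
    else:
        verdict = 'clean'
    names = sorted({s for h in served_hits for s in h} | set(disk_hits))
    return {'verdict': verdict, 'injection_rate': n_hit / max(len(served_bodies), 1), 'names': names}


# Constructed samples: the file as it sits on disk, and four fetches of which two were tampered with.
DISK_COPY = ('<html>\n<head>\n<title>ontalkradio.com</title>\n</head>\n\n<body>\n\n'
             'ontalkradio.com\n\n</body>\n</html>\n')
SERVED_SAMPLES = [
    '><script language=JavaScript src=/kslljmr.js></script>\n' + DISK_COPY,
    DISK_COPY,
    DISK_COPY,
    '><script language=JavaScript src=/gvspmjf.js></script>\n' + DISK_COPY,
]

if __name__ == '__main__':
    # For a live check: classify(fetch_samples('http://example.invalid/'), open('index.html').read())
    print(classify(SERVED_SAMPLES, DISK_COPY))
```

Because the injection is intermittent, one fetch proves nothing; the sample count is what makes a `clean` verdict meaningful, and a `serve-time` verdict from a single account is worth far more to the host's ticket queue when it comes with the names seen and the rate at which they appeared.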

I'm about the same as Blackcat: 2 databases, 1 for a guestbook and 1 for site search.

150 pages that use no DB, all getting the .js errors.

I am far from being an expert on DBs, but I did look through both and found nothing that looked suspicious.

The site is on server 60.


That's odd, I'm also on server 60. But I don't have a site up at the moment, just an HTML page. I'll go take a look. The random part does seem odd.

Greg

OK, just checked and I've got it too.

 

><script language=JavaScript src=/kslljmr.js></script>
<html>
<head>
<title>ontalkradio.com</title>
</head>

<body>

ontalkradio.com

</body>
</html>

Edited by OldTimer

Maybe I should clarify my last post a little. When I said I get the .js error on every page: it has shown up for every page, but not for every page on every visit. When someone visits the site, according to the error log, I get 1 .js error regardless of how many pages the visitor views.

I hope this doesn't sound as confusing to you as it does to me.


Have you tried opening a help desk ticket and pointing them at this thread? I wonder if the admins are aware that there is a problem, and that server 60 seems to be the one affected....

EDIT: I realize that you opened a help desk ticket before, but they might think that the problem you opened the ticket about is already resolved. It seems that there might be a larger issue here, and pointing them to this thread might be helpful. Just my 2 cents' worth!! :tchrocks:

Edited by abinidi

I think Paul is on to something here. Perhaps this is larger than just a few accounts.

 

 

Yup. I've been having this same trouble: for the last 4 or so weeks, loads and loads of 404 reports for randomly named scripts with names like abcdef.js, and now I'm getting reports from users who are crashing or getting virus alerts when they visit the site.

I haven't been able to figure out what's going on either. I thought maybe it was something to do with an old installation of punBB that we don't use anymore, but that doesn't seem to be it.

Are you all opening tickets on this? Is that the best course of action at this point? It sure does look more like someone has put malicious code on the server, not on our sites per se.

(The site in question is http://martinirepublic.com)

Edited by mitten
This topic is now closed to further replies.