Possible virus spreading *possibly related to cPanel exploit*
Today I got a PM from one of my users regarding a virus notification while visiting one of my sites.
After some hunting, it seems people had used a cPanel exploit that the server was open to for only a very short time (we patched within a half hour of the advisory going live) to inject some code into the site source code.
The virus is supposedly "VBS/PSYME", a trojan.
The code that's being injected into many sites is:
The script seems to have hit any files that get included a lot.
For one of my sites, we found it attached to the very end of the conf_global file, and littered all over the 'cache' folder.
On IPB 2 you can do a 'rebuild all skin caches' option, and this will wipe out all traces of it.
It seems the 1109226593 is a long IP form of "18.104.22.168". The server seems down right now, but even so :-)
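A defender-side check for the "long IP" form mentioned in the post, as an added example that is not part of the original post: it scans file contents for URLs whose host is a single integer and reports the dotted-quad equivalent. The sample text and addresses are constructed (documentation ranges), the function names are hypothetical, and the 0x-hex form goes beyond the decimal case the post describes.

```python
import ipaddress
import re

# URL whose host is one integer (decimal or 0x-hex) rather than a name or dotted quad.
# Decimal hosts shorter than 8 digits are ignored to keep false positives down.
INT_HOST_URL = re.compile(
    r"""https?://(?:[^/\s@'"<>]*@)?(0[xX][0-9a-fA-F]{1,8}|[1-9]\d{7,9})(?=[:/?#'"\s<>]|$)"""
)

def int_host_to_dotted(host):
    """Return the dotted-quad form of an integer host, or None if outside IPv4 range."""
    value = int(host, 16) if host.lower().startswith("0x") else int(host, 10)
    if not 0 <= value <= 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))

def find_integer_hosts(text):
    """Return (line_number, raw_host, dotted_quad) for each integer-host URL in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in INT_HOST_URL.finditer(line):
            dotted = int_host_to_dotted(match.group(1))
            if dotted is not None:
                hits.append((lineno, match.group(1), dotted))
    return hits

# Constructed sample: a config-style file with references appended to it.
SAMPLE = """<?php $conf['board_name'] = 'Example'; ?>
<script src="http://3221225985/x.js"></script>
<a href="http://forum.example.com/index.php?showtopic=12345678">ok</a>
<iframe src="http://0xCB007105:8080/" width="0" height="0"></iframe>
"""

if __name__ == "__main__":
    for lineno, raw, dotted in find_integer_hosts(SAMPLE):
        print(f"line {lineno}: host {raw} is {dotted}")
```

Run it over the contents of frequently included files and cache directories; any hit in a file that should contain only configuration or template output is worth a manual look.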