  #1  
Old 20 Dec 2013, 02:01
aspen1018
Join Date: May 2007
Malware Issue

Chrome is giving a warning that my site is infected with malware. Anybody have any experience with cleaning this up?
  #2  
Old 20 Dec 2013, 02:02
ForceHSS
Join Date: Apr 2008
Link to site
  #3  
Old 20 Dec 2013, 02:14
aspen1018
Join Date: May 2007
www.vspotlounge.com/forums/forum.php
  #4  
Old 20 Dec 2013, 02:22
Max Taxable
Join Date: Feb 2011
Here's what Google says about it:
Safe Browsing
Diagnostic page for vspotlounge.com/forums

What is the current listing status for vspotlounge.com/forums?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 3 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 107 pages we tested on the site over the past 90 days, 99 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-11-20, and the last time suspicious content was found on this site was on 2013-11-04.

Malicious software is hosted on 1 domain(s), including llamaralac1975.tk/.

This site was hosted on 1 network(s) including AS26496 (26496-GO-DADDY-COM-LLC).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, vspotlounge.com/forums appeared to function as an intermediary for the infection of 6 site(s) including bullrunrally.com/, thepicsorbs.com/, uberbets.com/.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
Firefox alerted on it as well.

Here's what all your home page is loading:

http://www.webpagetest.org/result/131220_7B_2Z0/

Items 37 and 38 aren't familiar to me, are they to you? Item #4 is an XML application, looks suspicious but renders a 404.
  #5  
Old 20 Dec 2013, 02:38
ForceHSS
Join Date: Apr 2008
http://sitecheck.sucuri.net/results/...rums/forum.php
  #6  
Old 20 Dec 2013, 15:29
aspen1018
Join Date: May 2007

Thank you.

I checked those specific pages and couldn't find the code in there.

--------------- Added 20 Dec 2013 at 15:31 ---------------

Originally Posted by Max Taxable
Items 37 and 38 aren't familiar to me, are they to you? Item #4 is an XML application, looks suspicious but renders a 404.

No, they are not. Have no idea how to clean that up, though.
  #7  
Old 20 Dec 2013, 15:35
Max Taxable
Join Date: Feb 2011
Originally Posted by aspen1018
No, they are not. Have no idea how to clean that up, though.
Those ARE the malware, as a closer look at the request reveals:
GET /tmp/api.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.vspotlounge.com/forums/forum.php
Accept-Language: en-US
X-Download-Initiator: html="doc 0C40 win AAA0; html frame appendChild"
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) PTST/153
Accept-Encoding: gzip, deflate
Host: finansecity.pl
DNT: 1
Connection: Keep-Alive
And appear to be in /tmp/api.php

The second one is in a different location:
GET /tmp/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.vspotlounge.com/forums/forum.php
Accept-Language: en-US
X-Download-Initiator: html="doc 0C40 win AAA0; html frame appendChild"
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) PTST/153
Accept-Encoding: gzip, deflate
Host: finansecity.pl
DNT: 1
Connection: Keep-Alive
These files are not part of vBulletin. I think your board has been hacked and you should follow all the protocols for cleaning it.

Last edited by Max Taxable; 20 Dec 2013 at 15:46.
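The two requests quoted in the post above, worked into an added triage script. This is example code written for this page; it is not from the thread, from vBulletin, or from WebPageTest. Stage one parses raw request headers of the kind pasted above and flags every request that leaves the site's own domain but was triggered from one of its pages, noting when the agent's X-Download-Initiator header says the fetch came from a node added by script (the "html frame appendChild" value above) rather than from served markup. Stage two greps a local copy of the web root for the flagged host so the injection point can be found. The capture below is the thread's two requests plus one constructed first-party request for contrast; the sample files in `demo()` (`includes/functions.php`, `includes/zz_cache.php`, `template_dump.sql`) and their contents are constructed stand-ins, not the real infection. Standard library only.

```python
"""Triage a 'browser says my site serves malware' report from a request capture.
Added example, not the thread's, vBulletin's or WebPageTest's code."""
import os
import re
import tempfile
from urllib.parse import urlparse

SITE_DOMAIN = "vspotlounge.com"   # the forum under investigation (assumed)

# Constructed capture: the two requests from the thread plus one first-party request.
CAPTURE = """\
GET /tmp/api.php HTTP/1.1
Referer: http://www.vspotlounge.com/forums/forum.php
X-Download-Initiator: html="doc 0C40 win AAA0; html frame appendChild"
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) PTST/153
Host: finansecity.pl

GET /tmp/ HTTP/1.1
Referer: http://www.vspotlounge.com/forums/forum.php
X-Download-Initiator: html="doc 0C40 win AAA0; html frame appendChild"
Host: finansecity.pl

GET /forums/clientscript/vbulletin_global.js HTTP/1.1
Referer: http://www.vspotlounge.com/forums/forum.php
Host: www.vspotlounge.com
"""


def parse_requests(capture):
    """Split blank-line separated raw HTTP/1.1 requests into dicts
    (method, path, headers with lower-cased names)."""
    reqs = []
    for block in re.split(r"\n\s*\n", capture.strip()):
        lines = block.strip().splitlines()
        method, path, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        reqs.append({"method": method, "path": path, "headers": headers})
    return reqs


def same_site(host, domain):
    """True for the domain itself or any of its subdomains (www., forums., ...)."""
    host = host.split(":")[0].lower()
    return host == domain or host.endswith("." + domain)


def flag_third_party(reqs, domain=SITE_DOMAIN):
    """Requests whose Host is off-site but whose Referer is one of our pages,
    i.e. content our site makes visitors fetch.  Returns
    (host, path, initiator, inserted_by_script) tuples."""
    findings = []
    for r in reqs:
        h = r["headers"]
        host = h.get("host", "")
        ref_host = urlparse(h.get("referer", "")).hostname or ""
        if same_site(host, domain) or not same_site(ref_host, domain):
            continue
        initiator = h.get("x-download-initiator", "")
        # "appendChild" in the initiator means the node (here a frame) was inserted
        # by script at runtime rather than being present in the served markup; a
        # static <iframe> injected into a template would not carry this marker.
        findings.append((host, r["path"], initiator, "appendChild" in initiator))
    return findings


# Common PHP obfuscation idiom in injected code: eval over a decoded blob.
OBFUSCATION = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
SCAN_EXT = (".php", ".js", ".html", ".htm", ".sql", ".htaccess")


def scan_tree(root, indicators):
    """Walk a copy of the web root (plus .sql dumps of vBulletin's template and
    plugin tables, which live in the database, not on disk) and report lines that
    mention a flagged host or use the eval-of-decoded-blob idiom.
    Returns (relative path, line number, reason) tuples."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SCAN_EXT):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    for ind in indicators:
                        if ind in line:
                            hits.append((rel, no, "references " + ind))
                    if OBFUSCATION.search(line):
                        hits.append((rel, no, "eval of decoded payload"))
    return hits


def demo():
    """Run both stages against constructed sample files (not real vBulletin files)."""
    findings = flag_third_party(parse_requests(CAPTURE))
    indicators = sorted({host for host, _p, _i, _s in findings})
    samples = {
        "forum.php": "<?php\nrequire_once('./global.php');\n",
        "includes/functions.php": "<?php\nfunction fetch_foo() {}\n"
            "echo '<iframe src=\"http://finansecity.pl/tmp/api.php\" width=1 height=1></iframe>';\n",
        "includes/zz_cache.php": "<?php\neval(base64_decode('aGVsbG8='));\n",
        "template_dump.sql": "INSERT INTO template (title, template) VALUES "
            "('headinclude', '<script src=\"http://finansecity.pl/tmp/\"></script>');\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "includes"))
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        hits = scan_tree(root, indicators)
    return findings, hits
```

On a real site, point `scan_tree` at a fresh copy of the install rather than the live tree, and export the `template` and `plugin` tables to `.sql` files inside it first: vBulletin evaluates both from the database, so an injection there leaves no modified file for a filesystem diff to catch.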
  #8  
Old 20 Dec 2013, 15:59
tbworld
Join Date: Oct 2008
This is known malware, I have seen it several times before and it is in my library of exploits. Use the standard vBulletin recommendations for eliminating an intrusion. It will work if you follow each step carefully.

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:
http://www.vbulletin.com/forum/forum...-1-vbulletin-5
http://www.vbulletin.com/forum/forum...d-all-versions