Alarming bug

Started by gulf22, October 20, 2008, 10:22:47 AM


gulf22

Hi everybody

Lately, I have been noticing that in my IE history, I see a site named hxxp:img.plasticsuite.tl/n19 [nonactive]. Interestingly, it gets loaded transparently with every page I view using SMF (and of course, I don't see its content).

If I try to go back (using the left bar on the top of Internet Explorer), I see the name of that site between the current page I'm viewing right now and the previous page.

I tried to go to the site by typing the link... hxxp:img.plasticsuite.tl/ [nonactive]

I get a whole blank page with "Welcome to nginx!"

Does anybody have any idea what this is all about?


Mods (along with version numbers) that I have uploaded are:

1. Images On Board 1.1
2. Remove SMF Logo 1.1
3. View Any Topic Permission Mod 1.9
4. Topic Ratings 1.03   
5. Date_Registerd on post 1.0   
6. Disable Right click 2.1   
7. FontandSizeDropdown_1.2 1.3   
8. Custom Tab 1.11   
9. Group Post Color 0.8   
10. Registered Images 2.3   
11. Contact Page 1.1   
12. Highslide Image Viewer 1.0 RC5 

I'm running SMF 1.1.6

and this is the link to my board

hxxp:www.aldawoood.com/vb/index.php [nonactive]


Appreciate your comments and feedback

ThorstenE

I have checked the HTML source of your website. Nothing in the source is related to plasticsuite.tl. Have you tested this with another browser (Firefox, Opera)?

Maybe it's spyware on your local computer?

NetWatchman

Quote from: gulf22 on October 20, 2008, 10:22:47 AM
Hi everybody

Lately, I have been noticing that in my IE history, I see a site named hxxp:img.plasticsuite.tl/n19 [nonactive]. Interestingly, it gets loaded transparently with every page I view using SMF (and of course, I don't see its content).


That URL injects malware to anyone who surfs to it and is vulnerable to certain exploits.

This means your website was compromised and script code injected that ultimately makes reference to the above... I say *ultimately* as there are several levels of JavaScript, so you won't find it simply by searching your web content for that hostname.

Would like to discuss with you in more detail...please email me as per my profile.

gulf22

Thank you everybody

I was able to clean it up a few days ago.

What it did: it added a script to all of my files.

I have cleaned all my files and adjusted permissions to 750.

Is this OK, and what else do you recommend?

I have attached the file for review

cheers



greyknight17

Are you running SMF from this computer that was infected? If not, just make sure that you haven't uploaded any infected files to your webhost.

gulf22

Quote from: greyknight17 on October 30, 2008, 06:46:35 PM
Are you running SMF from this computer that was infected? If not, just make sure that you haven't uploaded any infected files to your webhost.

The virus infected my files on the host, and not on my machine.
My PC is very well protected with McAfee.

I think, and I might be wrong, the virus I got is from one of the mods.

greyknight17

If it's one of the mods at SMF (that is in the mod section), I suggest reporting it immediately so the author can look into the problem. If you are using an outdated version of a mod, that could be the problem also.

There is no sure way to be certain that the files are clean unless you look at each file (either the contents inside or just the modified date even would help). If you are still worried, either restore a backup of the files (if you have a recent backup of them) or upload a new set of SMF files to replace them.
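
One way to carry out the file-by-file check suggested above, as an added example that is not part of the original thread or SMF's own code: it compares the deployed board against a freshly extracted copy of the same release by hash, so it does not depend on searching for a hostname, and it also reports modification times and world-writable files. The sample files and directory layout in `demo()` are constructed.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def tree_index(root):
    """Map each file's path relative to root to (sha256, mtime, mode bits)."""
    index = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            index[path.relative_to(root).as_posix()] = (
                digest, st.st_mtime, stat.S_IMODE(st.st_mode))
    return index


def audit(live_root, clean_root):
    """Compare the deployed tree with a known-clean copy of the same release."""
    live, clean = tree_index(live_root), tree_index(clean_root)
    report = {"changed": [], "extra": [], "world_writable": []}
    for rel, (digest, mtime, mode) in sorted(live.items()):
        if rel not in clean:
            report["extra"].append(rel)  # file the clean copy never shipped
        elif digest != clean[rel][0]:
            report["changed"].append((rel, mtime))  # mtime helps date the change
        if mode & stat.S_IWOTH:
            report["world_writable"].append(rel)
    return report


def demo():
    """Constructed sample trees: one tampered file and one dropped file."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            Path(root, "Sources").mkdir()
            Path(root, "index.php").write_text("<?php // entry point\n")
            Path(root, "Sources", "Load.php").write_text("<?php // loader\n")
        with open(Path(live, "index.php"), "a") as fh:
            fh.write("<script>/* constructed injected line */</script>\n")
        Path(live, "Sources", "x.php").write_text("<?php // constructed extra file\n")
        Path(live, "Sources", "x.php").chmod(0o666)
        return audit(live, clean)


if __name__ == "__main__":
    print(demo())
```

Files legitimately patched by installed mods also show up under `changed`, so build the clean copy from the same SMF release with the same mods applied, or review those entries by hand.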
