Infected? Redirect on submit to 'known attack page'

woolly bugger · May 21, 2010, 09:00:46 AM

I'm running 2.0 RC 1.2 (yeah yeah, update update update)

Recently a vBulliten forum was compromised with a similar problem, we share members and interest (fly fishing).

I've not noticed any issues with my forum until I was in the admin page and tried to add a new board.

that screen isn't formatted correctly and when i hit the submit button I got redirected and a NORTON warning about the attack page.

What steps should I take to fix this?

I've got a bunch of mods installed...

including:

1.    Ad Managment     2.3.5      [ Uninstall ] [ List Files ] [ Delete ]
2.    SMF Gallery Lite    2.0.5    [ Uninstall ] [ List Files ] [ Delete ]
3.    Users Online Today    1.5.4    [ Uninstall ] [ List Files ] [ Delete ]
4.    Age on post    1.0    [ Uninstall ] [ List Files ] [ Delete ]
5.    YouTube BBCode    2.5.1    [ Uninstall ] [ List Files ] [ Delete ]
6.    Report BBCode    1.0    [ Uninstall ] [ List Files ] [ Delete ]
7.    Board Sort Methods    2.0.1    [ Uninstall ] [ List Files ] [ Delete ]
8.    AjaxChat Integration    3.2    [ Uninstall ] [ List Files ] [ Delete ]
9.    Sitemap    2.0.0    [ Uninstall ] [ List Files ] [ Delete ]
10.    Social Bookmarks    2.0    [ Uninstall ] [ List Files ] [ Delete ]
11.    Aeva ~ Auto-Embed Video & Audio    6.9.99    [ Apply Mod ] [ List Files ] [ Delete ]
12.    Hide Images From Guest    1.0    [ Uninstall ] [ List Files ] [ Delete ]
13.    Display Location on posts    1.0    [ Uninstall ] [ List Files ] [ Delete ]
14.    Board Sort Methods    2.0.0    [ List Files ] [ Delete ]
15.    SMF 1.0.18 / 1.1.10 / 2.0 RC1-2 Update    1.1    [ Uninstall ] [ List Files ] [ Delete ]
16.    Custom Board Sort    1.0    [ Apply Mod ] [ List Files ] [ Delete ]
17.    Attachments In Message    1.3.0

woolly bugger · May 21, 2010, 01:41:28 PM

Okay, i went ahead and upgraded to rc 3 and it DID NOT solve the problem...

still when i go to admin and try to add a new board, i get an unformatted page and the submit button takes me to pills.ind.in/in.cgi?4&parameter=0510 (DO NOT GO TO THAT SITE!
It is a KNOW ATTACK SITE

Here is what I did so far..

1. uninstall all mods
2. delete all sources and templates and smilies (empties all folders0
3. uploaded all new files
4 ran update successfully

woolly bugger · May 21, 2010, 02:54:19 PM

fyi my host found an infected .htacess

it was the problem..

carry on...

kat · May 21, 2010, 03:07:36 PM

Wow...

Thanks for letting us know, Woolly.

live627 · May 21, 2010, 03:22:08 PM

So now your forum is back to normal?

woolly bugger · May 21, 2010, 03:32:11 PM

that is correct, the site is back to normal! this file caused other problems with shtml files on the site also.

all is good now!

live627 · May 21, 2010, 03:35:34 PM

Marking as solved

kat · May 21, 2010, 03:37:27 PM

I've passed the info on to the support team, Woolly, in case something similar happens to others.

I'm really grateful, to you, for letting us know about this.

If you can let us have any more information about this, we'd be even more grateful.

tumbleweed · May 21, 2010, 03:41:41 PM

I would also suggest that you look for other htaccess files that were placed in other folders. themes avaters ect.
Attackers are known to place more then just one file.

News:

Infected? Redirect on submit to 'known attack page'

woolly bugger

woolly bugger

woolly bugger

kat

live627

woolly bugger

live627

kat

tumbleweed