Exploit utility kb-scan

Started by glennk, May 26, 2009, 04:40:40 PM


glennk

Doesn't seem to work for me at all? Could someone take a quick look please?

http://www.whitbyseaanglers.co.uk/forum/kb_scan.php

babjusi

Quote from: glennk on May 26, 2009, 04:40:40 PM
Doesn't seem to work for me at all? Could someone take a quick look please?

http://www.whitbyseaanglers.co.uk/forum/kb_scan.php

Have you actually uploaded the folder in the forum folder?

glennk

Sorry about that. I put it in the wrong place.

The good news is it says I'm clear. The bad news is I know I have problems, as all my forum members keep telling me so. Looks like I'll just have to overwrite the files.

babjusi

Quote from: glennk on May 26, 2009, 04:47:30 PM
Sorry about that. I put it in the wrong place.

The good news is it says I'm clear. The bad news is I know I have problems, as all my forum members keep telling me so. Looks like I'll just have to overwrite the files.

That would be the best thing to do: upgrade your forum to 2.0 RC1-1, as that security issue is resolved in that version.

H

You should certainly update, even if only for the bugfixes in RC1!

What problems are your members experiencing?
-H
Former Support Team Lead
                              I recommend:
Namecheap (domains)
Fastmail (e-mail)
Linode (VPS)
                             

glennk

Hi H,

Thanks for asking. My members are reporting that their antivirus software is alerting them to a virus within my forum, namely:

exploit javascript obfuscation type(501)

http://www.whitbyseaanglers.co.uk/forum/index.php?topic=9978.0

I read a post on here about the exploits and the member Krisbarteo. I found that I had a member called Krisbarteo, so I banned him. I put 2 and 2 together and thought this was why I was getting the virus warnings.

I have run the tool but it comes up all green.

When I look for Krisbarteo in the ban list he isn't there. I never deleted his account. So where has he gone?

I'm really confused as to what to do for the best. I think my WordPress installations (in separate folders within the same domain) may have been compromised too. At the moment I'm trying to build up some information on the best course of action.

H

Currently your site is giving me a 500 error, so I can't look at the code in more detail :(. While the exploit used by krisbarteo could be used to add malicious javascript code, I haven't seen it happen before.

It is also possible that you or someone else on the server has the gumblar virus.
-H

glennk

Hi H,

Yes, I think we have the gumblar virus. That rings a bell, as one of the forum members mentioned that very name. Have you any advice for cleaning it up? Our site should be back online soon for you to take a look. I messed up the upgrade, so I'm doing a reinstall, then upgrade again.

H

The gumblar virus gets FTP details from YOUR (or another site admin's) computer and then uses these details to infect the site. Therefore, I'd first scan your computer for viruses and change your FTP password.

I suggest that you then delete all files except for settings.php and the attachments folder. Then re-upload clean files from a 2.0 RC1-1 upgrade archive and run upgrade.php.
-H
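The cleanup H describes (keep settings.php and attachments, replace everything else from a clean archive) works because a clean archive is a known-good reference. The same reference lets you find out *which* files were tampered with before you wipe them, which is useful when a signature scanner like kb_scan reports all green. The script below is an added example, not SMF's kb_scan and not code from anyone in this thread: it hashes a live forum tree against an unpacked clean archive, reports modified and extra files, treats settings.php and attachments/ as kept rather than tampered, and flags files containing an obfuscated-script pattern of the kind the members' antivirus was complaining about. The reference and live paths, the sample files and the injected script tag are all constructed for the demonstration; the pattern is a crude heuristic, not a detection signature.

```python
"""Integrity check of a live forum tree against a clean reference archive.

Added example (not SMF's kb_scan, not any poster's code). Assumes two directories:
a clean unpacked upgrade archive (reference) and the site as it currently is
(live). Files that differ from the reference, or exist only in the live tree,
are the ones a credential-stealing infection would have written to.
"""
import hashlib
import os
import re
import tempfile

# Kept across the reinstall per the advice above, so they are reported as
# "kept" rather than "modified"; they are still checked for injected script.
KEEP = {"settings.php", "attachments"}

# Crude indicator of an obfuscated inline script (heuristic only).
INJECT_RE = re.compile(
    rb"<script[^>]*>[^<]{0,200}?(eval\(|unescape\(|fromCharCode)", re.I
)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk(root):
    """Map relative path (forward slashes) -> absolute path for every file."""
    out = {}
    for d, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(d, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return out


def compare_trees(ref_root, live_root):
    ref, live = walk(ref_root), walk(live_root)
    report = {"modified": [], "extra": [], "missing": [], "kept": [], "suspicious": []}
    for rel, full in sorted(live.items()):
        top = rel.split("/", 1)[0].lower()
        if top in KEEP:
            report["kept"].append(rel)
        elif rel not in ref:
            report["extra"].append(rel)
        elif sha256_file(full) != sha256_file(ref[rel]):
            report["modified"].append(rel)
        with open(full, "rb") as f:
            if INJECT_RE.search(f.read()):
                report["suspicious"].append(rel)
    report["missing"] = sorted(rel for rel in ref if rel not in live)
    return report


def build_sample():
    """Construct a tiny clean reference and an altered live copy in temp dirs."""
    ref, live = tempfile.mkdtemp(prefix="ref_"), tempfile.mkdtemp(prefix="live_")

    def put(root, rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    clean_index = b"<?php\n// clean index (constructed)\n"
    clean_theme = b"<html><body>theme (constructed)</body></html>\n"
    put(ref, "index.php", clean_index)
    put(ref, "Themes/default/index.template.php", clean_theme)
    put(ref, "Settings.php", b"<?php $db_user='placeholder';\n")
    put(live, "index.php", clean_index)
    # Constructed tampering: obfuscated script appended to a theme file.
    put(live, "Themes/default/index.template.php",
        clean_theme + b"<script>eval(unescape('%61%6c'))</script>\n")
    put(live, "Settings.php", b"<?php $db_user='site_specific';\n")
    put(live, "attachments/123_abc", b"attachment bytes")
    put(live, "cache/dropper.php", b"<?php /* constructed extra file */\n")
    return ref, live


if __name__ == "__main__":
    ref_dir, live_dir = build_sample()
    for key, items in compare_trees(ref_dir, live_dir).items():
        print(f"{key:10s} {items}")
```

Run it against a real site as `compare_trees("/path/to/clean-archive", "/path/to/live-forum")`; anything under "extra" or "modified" is what the reinstall should remove, and a "suspicious" hit in a kept file means settings.php or an attachment also needs manual review before it is carried over.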

glennk

Thanks H. I have done just that. I will let you know how it works out. Do you know if it's possible for this virus to get back in from other parts of the site? I have a few WordPress installations and a Coppermine installation making up the site.

If the forum is clean, can this thing jump back in from the gallery if it's living in there too?

H

While it is possible it could check the files to ensure they're infected, I've never seen a site hack that does this. I recommend you clear the infected parts as soon as possible though, as Google will sometimes block pages with specific infections, displaying a message about badware when someone visits an infected page of your site.
-H