Admin Center A/V warning (Read 3,883 times)
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
YaBB 2.6.1
Re: Admin Center A/V warning
Reply #15 - Dec 28th, 2012 at 4:18pm
There was yet another fragment of that code that found its way into a php file also in 'update'. However, although it was detectable in the source (so an AV program could see the apparent link), because of the way it was appended, it was never actionable.

I have now gone through (visual inspection) all the .htaccess, PHP, and Javascript on Yabbforum.com, and tested the site with multiple threat scanners.

Earlier - Also From the Support & Moderators Board:

Quote:
I guess I need to again reassure everyone

- there was never any code on YOUR servers

- it's a server re-direction virus, not the payloads

- there was NEVER any danger to your users or ours as the exploit:

A. On YaBBforum.com, it broke everything, so nothing was delivered, we are 100% reliant on a complicated piece of .htaccess in the web root; thus everything errored out. That is why this forum was broken (that was the first sign).

B. The second instance was put in 'update' which is ONLY linked to the Admin Center, it's a private feed. It has no external links, so ONLY YaBB administrators going into the Admin Center ever saw the URL (and they saw it in their browsers). Your SERVER never, ever saw that URL, because it had no part in delivering it. That is what an inline frame does, it lets a browser deliver a URL embedded in another page.

- What the AV programs were complaining about was a 'URL Pattern'. If you go look in the quarantine, I'm pretty sure you will find that what is there is not a complete HTML page, rather a URL link file. If I am wrong let me know.

I think in order to reassure yourselves you should scan your machines. Again - NOTHING was ever on your servers.


Good Luck
  

I find your lack of faith disturbing.
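
A scripted version of the check described above as a visual inspection, given here as an added example that is not part of the original thread or YaBB's own code: it flags iframes and .htaccess redirects that point off-site. The allowlist, file paths and sample contents are constructed assumptions.

```python
import os
import re
from urllib.parse import urlparse

# Assumption: hosts this site legitimately frames or redirects to.
ALLOWED_HOSTS = {"yabbforum.com", "www.yabbforum.com"}

IFRAME_SRC = re.compile(r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
# mod_rewrite / mod_alias directives whose target is an absolute URL.
HTACCESS_URL = re.compile(
    r'^\s*(?:RewriteRule|Redirect(?:Match|Permanent|Temp)?)\b.*?(https?://[^\s"\']+)',
    re.I | re.M)

def external_host(url, allowed=ALLOWED_HOSTS):
    """Host of an absolute or //-relative URL if not allowlisted, else None."""
    host = (urlparse(url).hostname or "").lower()
    return host if host and host not in allowed else None

def scan_text(name, text, allowed=ALLOWED_HOSTS):
    """Return (file, line, kind, host) for each off-site iframe or redirect."""
    is_ht = os.path.basename(name) == ".htaccess"
    pattern, kind = (HTACCESS_URL, "redirect") if is_ht else (IFRAME_SRC, "iframe")
    findings = []
    for m in pattern.finditer(text):
        host = external_host(m.group(1), allowed)
        if host:
            findings.append((name, text.count("\n", 0, m.start(1)) + 1, kind, host))
    return findings

def scan_tree(root, allowed=ALLOWED_HOSTS):
    """Walk a web root and scan .htaccess, PHP, JavaScript and HTML files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f == ".htaccess" or f.lower().endswith((".php", ".js", ".html", ".htm")):
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += scan_text(path, fh.read(), allowed)
    return findings

SAMPLES = {  # constructed file contents, not taken from the incident
    "update/feed.php": '<?php readfile("news.html"); ?>\n<iframe src="http://injected.example/x" width=1 height=1></iframe>\n',
    ".htaccess": 'RewriteEngine On\nRewriteRule ^old/(.*)$ /new/$1 [L]\nRewriteRule .* http://redirect.example/in.php [R=302,L]\n',
    "admin/panel.html": '<iframe src="http://www.yabbforum.com/update/"></iframe>\n',
}

def scan_samples():
    return [hit for name, text in SAMPLES.items() for hit in scan_text(name, text)]
```

Run `scan_tree()` against a copy of the web root; the iframe to the allowlisted update feed is not reported, while an appended off-site iframe or a redirect-everything rule is.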
 
Elrick.
Forum Moderator
Beta Testers
YaBB 2.6.1
Re: Admin Center A/V warning
Reply #16 - Dec 28th, 2012 at 4:25pm
WestwegoMan wrote on Dec 28th, 2012 at 3:51pm:
I think that will be on my list to do. I visit Yabbforum enough to know when there are updates.


That was precisely my rationale to remove those 'inserts' (2 of them) as the Admin panel used to get hung in there waiting for other servers to respond just when I needed to act quickly on the Admin panel!

No longer!!!

  

 
westwegoman
Ex Member
YaBB 2.5.2
Re: Admin Center A/V warning
Reply #17 - Dec 28th, 2012 at 4:26pm
Just finished running another scan of my system. I am clean.

Although at one point I was concerned, I was quite confident that I was ok on my end. Just wanted to bring to your attention that something may still be lurking, hence my bringing this subject back up.

At this time, all seems fine.

Thanks for your time, JonB.

Edited:
iFrames removed from my admin ctr. Thanks for that idea, Elrick.
« Last Edit: Dec 28th, 2012 at 4:33pm by WestwegoMan »  
 
JonB
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
YaBB 2.6.1
Re: Admin Center A/V warning
Reply #18 - Dec 28th, 2012 at 5:08pm
Many thanks to all -

Depablo found another site scanner I did not know of:

http://sitecheck.sucuri.net/scanner/

« Last Edit: Dec 28th, 2012 at 5:09pm by JonB »  

 
depablo
YaBB Moderators
YaBB Next Team
Beta Testers
Re: Admin Center A/V warning
Reply #19 - Dec 28th, 2012 at 5:28pm
It looks like you have to watch out for the web site status, now changed from a few minutes ago to this:
*Cached results from the last 24 hrs.

Gives you a lot of info on infection.
  

Taking a peek behind the mask
 
Bill Myers
God Member
Beta Testers
YaBB 2.5
Now solved. Re: Admin Center A/V warning
Reply #20 - Dec 28th, 2012 at 6:09pm
JonB wrote on Dec 28th, 2012 at 5:08pm:
Depablo found another site scanner I did not know of:

http://sitecheck.sucuri.net/scanner/

Thanks to John of course, but thanks to you as well JonB. The link you provided is much appreciated.

Thankfully, I didn't have the malware problems that others have reported, but I ran scans on the websites on our server just in case, and all of the sites came up clean.

Thanks, also, for getting onto this in such a timely manner. Great job!

  

Morning, noon, or night, have a great one!

Note: This forum doesn't allow for us to freely edit our posts or topics to make corrections as needed, so please remember to look for subsequent posts if you see any mistakes or outdated information. Sorry for the inconvenience.