1
ewaeyusa
A virus on my xoops.!!!! Help please!
  • 2007/7/2 22:39

  • ewaeyusa

  • Just popping in

  • Posts: 1

  • Since: 2007/3/11


Hello

I keep getting this virus on my xoops. It makes a yellow bar appear on my screen everytime I go to my XOOPS site.
How do I take this thing out please??? My back ups are already infected with this.
Thanks
EwaeyUsa.
http://community.ewaey.com

2
nekro
Re: A virus on my xoops.!!!! Help please!
  • 2007/7/3 2:37

  • nekro

  • Quite a regular

  • Posts: 213

  • Since: 2005/11/9


have you checked from another pc??? beacause i dont see anything wrong in your site... maybe your PC... is infected... and not hacked your site.

3
ewonline
Re: A virus on my xoops.!!!! Help please!
  • 2007/7/3 2:43

  • ewonline

  • Not too shy to talk

  • Posts: 198

  • Since: 2004/11/17


Are you using IE7? (Could it be your browser showing that).

What does the bar say? I too don't see it on your site.
Resized Image

4
Bassman
Re: A virus on my xoops.!!!! Help please!
  • 2007/7/3 4:51

  • Bassman

  • Friend of XOOPS

  • Posts: 1272

  • Since: 2003/5/23


I notice there's a dodgy-looking Iframe at the bottom of your theme.html if you view the source...

5
weefz
Re: A virus on my xoops.!!!! Help please!
  • 2007/7/3 13:13

  • weefz

  • Just popping in

  • Posts: 1

  • Since: 2007/7/3 1


Quote:

nekro wrote:
have you checked from another pc??? beacause i dont see anything wrong in your site... maybe your PC... is infected... and not hacked your site.


It does appear to be a virus. Or at least, I visited the page and when I closed the (crappy IE6) browser window I got a virus alert from AVG.

Can't help fix it, sorry. Total newbie here.

6
davidl2
Re: A virus on my xoops.!!!! Help please!
  • 2007/7/3 13:21

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


Sounds suspiciously like a spyware browser hijack.

I would recommend getting a decent virus killer - and perhaps looking at a spyware finder / killer... I use Spybot S&D myself - but other people may have their own ideas.

7
seventhseal
Re: A virus on my xoops.!!!! Help please!

I'll have to make a couple of assumptions here -

1. I assume you are using templates. When you generated the templates, did you do some from an IE browser? If so, does that browser have a bunch of tools hooked to it - like goole search, etc?

2. Did you design the theme for your site? Look at this validation for your site. You will see a number of errors that should be corrected.

3. I noticed, and have seen this before, look at line 156 - outside of your
</body>
block - there is a hidden iFrame pointing to an IP address. Unless you actually have that in your theme - where is that going?

According to IP lookup - the IP
81.95.145.240
belongs to the RIPE network - which I like to blacklist on a regular basis...anyway, the
index.php
that it points your users to is probably the culprit.

So, what to do...first, make sure your IE or Firefox is clean. Next, delete your templates and regenerate. If the problem persists, you need to do some deep scanning of your personal system.

Hope this evaluation helps!
John Horne - a.k.a. - VelocityWebDev, Seventhseal, CreepingDeath
**********************************
VelocityWebDev Tech BLOG
VelocityWebHost Hosting and Design

8
Tobias
Re: A virus on my xoops.!!!! Help please!
  • 2007/7/3 15:40

  • Tobias

  • Not too shy to talk

  • Posts: 172

  • Since: 2005/9/13


Yeah, that's shady. The iframe loads another iframe which is here: 81.95.145.240/go.php?sid=1. I don't know what's that, it comes back empty when I try to fetch it. It's not in your theme.html, and it also doesn't seem to be coming with your modules. So, you may want to empty all your cache and templates_c folder (drop an empty index.html into them once they're empty, just in case), and also make sure your index.php in the root directory hasn't been altered.

*edit: New info*

Yes, it's definitely the iframe, and it's definitely nasty stuff being triggered there. Read here:

http://isc.sans.org/diary.html?storyid=2923
I find it probable that someone has hacked your index.php at your XOOPS root. You should try to get your webhost to grep your entire directory structure for the string "iframe" and see whether all of them are accountable for. Or perhaps the malicious IP will do for a search string. Perhaps you have shell access and can do it yourself.

Furthermore, I think it's likely that someone has hacked your server, and not your XOOPS installation. You may want to alert the server admin.
www.affvu.org

Login

Who's Online

193 user(s) are online (122 user(s) are browsing Support Forums)


Members: 0


Guests: 193


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits