xoops forums

Skitzo

Just popping in
Posted on: 2008/1/15 23:29
Posts: 25
Since: 2004/4/22
#1

Bloodhound Exploit and trojan webkit

This is getting annoying. So far two of my three XOOPS sites have started giving me security risks, but only when viewed with Internet Explorer. Norton detects both "Bloodhound 109" and "trojan.webkit!html". Of the three sites I have, two are 2.0.3 and the other is 2.3. The two 2.0.3 installs are the ones giving me the issues. Thus far I have not been able to identify the source of the problem. I've reloaded all files excepting mainfile.php and removed all additional themes. Still the problem keeps recurring. What is really annoying is that one of the sites has no content, no posts, no news, no downloads and is a private playground, so to speak, rather than an active site.

The detections do not happen on every page load but do happen only when these two sites are opened. Very frustrating to say the least and while the one site can (and will tonight) be a clean load the other has enough content that I'd rather not have to redo the entire site.

Unfortunately this is a shared server and the problem (from what I've read doing searches here so far) may not be in my installs (thus the test of reinstalling one of the "infected" sites tonight) but is still an issue that I need to resolve. Again I reiterate that it is not on all my sites, just the two using 2.0.3.

Mamba

Moderator
Posted on: 2008/1/16 5:35
Posts: 10959
Since: 2004/4/23
#2

Re: Bloodhound Exploit and trojan webkit

Why are you still using 2.0.3?

You should update to the latest version of XOOPS - 2.0.18, and install Protector.

stefan88

Community Support Member
Posted on: 2008/1/16 6:19
Posts: 1085
Since: 2004/9/20
#3

Re: Bloodhound Exploit and trojan webkit

Try to clean template_c folder - delete all files in it, except index.html.

mboyden

Moderator
Posted on: 2008/1/16 21:25
Posts: 484
Since: 2005/3/9 1
#4

Re: Bloodhound Exploit and trojan webkit

Another thing to do is to load the page and then review the returned code and look for the offending code, which might help a little bit. Also, re-upload all your theme files from your backup.

The last one I saw used a bunch of ASCII coding for it, but I've seen standard HTML code inserts as well. Awhile back there were some exploits found, and among other things, I found that one of my themes had been hacked as well as the index page.

Updating XOOPS and installing Protector modules are absolute necessities. And look in your theme files and such (likely in the main page of the theme). It's unlikely to be in the database, but don't quote me. And, yes, empty the cache and templates folders (except for index.html).

Still broken? Post again with any additional info.
Pessimists see difficulty in opportunity; Optimists see opportunity in difficulty. --W Churchill

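The review suggested in post #4 (check the returned page and the theme files for HTML inserts or "ASCII coding") can be partly automated. The following is an added example, not code from any poster or from XOOPS; the rule names, patterns, thresholds and file suffixes are illustrative assumptions, and the sample page is constructed.

```python
import re
from pathlib import Path

# Illustrative heuristics (assumptions, not Norton's signatures) for the two
# insert styles mentioned in the thread: plain HTML and character-code runs.
PATTERNS = {
    "hidden-iframe": re.compile(
        r"<iframe\b[^>]*(?:(?:width|height)\s*=\s*[\"']?[01]\b"
        r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    "unescape-write": re.compile(
        r"(?:document\.write|eval)\s*\(\s*unescape\s*\(", re.I),
    "fromcharcode-run": re.compile(
        r"String\.fromCharCode\s*\((?:\s*\d+\s*,){10,}", re.I),
    "percent-escape-run": re.compile(r"(?:%[0-9a-f]{2}){20,}", re.I),
    "numeric-entity-run": re.compile(r"(?:&#x?[0-9a-f]{2,4};){20,}", re.I),
}
SCAN_SUFFIXES = {".html", ".htm", ".php", ".js", ".tpl"}

def scan_text(text):
    """Return sorted (line_number, rule_name) pairs for each suspicious match."""
    hits = set()
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.add((text.count("\n", 0, m.start()) + 1, name))
    return sorted(hits)

def scan_tree(root):
    """Scan theme, cache and template files under root; map path -> hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: a minimal theme page with two inserts appended by hand.
SAMPLE_THEME = (
    '<html><body>\n'
    '<div id="content"><{$xoops_contents}></div>\n'
    '<iframe src="http://injected.example.invalid/" width="0" height="0"></iframe>\n'
    '<script>document.write(unescape("' + "%41" * 24 + '"))</script>\n'
    '</body></html>\n'
)

if __name__ == "__main__":
    for line_no, rule in scan_text(SAMPLE_THEME):
        print(f"line {line_no}: {rule}")
```

Run `scan_tree()` against a downloaded copy of the site and compare any flagged file with the same file from a clean backup; a hit is a line to read by hand, since legitimate themes can also contain small iframes or escaped strings.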