PunBB Resource


#1 2008-03-28 21:55:49

sleeve
Member
Registered: 2006-05-25
Posts: 72

Virus Alert...

So I was backing up my website the other day... forum and all... and one of the files I was downloading gave me a virus alert, a relatively new one as well.. released in February... it was in the login.php in the FCKeditor...  FCKeditor/editor/plugins/findreplace/lang/login.php

The virus is called: PHP/C99Shell.C

I am not exactly sure what it does, or if there is a way to get rid of it without losing any section of my forum... I can't find any significant information.. but if anyone knows anything about this one.. please let me know


#2 2008-03-28 22:38:33

elbekko
Moderator
From: Leuven, Belgium
Registered: 2006-01-31
Posts: 1353

Re: Virus Alert...

Probably a PHP file that uses a system() call.


FluxBB
dictionary.com on programming: The most fun you can have with your clothes on (although clothes are not mandatory).


#3 2008-03-28 23:03:32

sleeve
Member
Registered: 2006-05-25
Posts: 72

Re: Virus Alert...

So it's not actually a virus then? Just mistaken for one?


#4 2008-03-28 23:29:48

elbekko
Moderator
From: Leuven, Belgium
Registered: 2006-01-31
Posts: 1353

Re: Virus Alert...

I don't see how there could be a virus in a PHP file... just read through it, and if you see anything suspicious, post it here and we can take a look.



#5 2008-03-29 13:10:52

sleeve
Member
Registered: 2006-05-25
Posts: 72

Re: Virus Alert...

It's not strictly a virus, it's a trojan apparently... like a keylogger or password stealer or something like that...

As for anything suspicious... if I knew what to look for I wouldn't be here asking for help hehe


#6 2008-03-29 14:37:51

elbekko
Moderator
From: Leuven, Belgium
Registered: 2006-01-31
Posts: 1353

Re: Virus Alert...

Just post the source of the file here. I seriously doubt it's anything, especially not a trojan :/



#7 2008-04-01 11:38:37

sleeve
Member
Registered: 2006-05-25
Posts: 72

Re: Virus Alert...

I try and post it but keep getting SERVICE temporarily unavailable...

Do you have an email addy or anything I could send it to you in a text file?

Last edited by sleeve (2008-04-01 11:39:52)


#8 2008-04-01 12:02:06

Smartys
Member
Registered: 2005-03-18
Posts: 314
Website

Re: Virus Alert...

It's not a virus. If it really is what you say it is, it's a backdoor script that gives an attacker some access to your server. What modification was that file from?


Free PunBB Hosting - lots of mods, easy to customize


#9 2008-04-01 13:29:40

elbekko
Moderator
From: Leuven, Belgium
Registered: 2006-01-31
Posts: 1353

Re: Virus Alert...

Try putting it on pastebin.ca ;)

You can also mail it to elbekko [at] gmail [dot] com.



#10 2008-04-02 07:49:25

sleeve
Member
Registered: 2006-05-25
Posts: 72

Re: Virus Alert...

Smartys wrote:

It's not a virus. If it really is what you say it is, it's a backdoor script that gives an attacker some access to your server. What modification was that file from?

I haven't installed any mods since I first installed pun frontpage 1.2 (I think) about 2 years ago (possibly a touch less)


#11 2008-04-02 11:44:34

Smartys
Member
Registered: 2005-03-18
Posts: 314
Website

Re: Virus Alert...

Well, I downloaded the most recent version of pun frontpage and it doesn't have any such file, so I think we're safe :)



#12 2008-04-02 13:41:21

MattF
Member
From: South Yorkshire, England
Registered: 2007-03-16
Posts: 415

Re: Virus Alert...

Have you scanned the file with a second AV scanner, just to make sure it's not a false positive?


#13 2008-04-02 15:14:31

elbekko
Moderator
From: Leuven, Belgium
Registered: 2006-01-31
Posts: 1353

Re: Virus Alert...

That's no virus or anything, it's a PHP script that allows you to execute shell commands.

Silly A/V scanners.



#14 2008-04-04 01:01:19

sleeve
Member
Registered: 2006-05-25
Posts: 72

Re: Virus Alert...

Cool, the trojan it says it was came out in February.. so maybe this new virus/trojan/malware has some similar commands...

Thanks for taking a look at it mate!!


#15 2008-04-07 22:45:51

sleeve
Member
Registered: 2006-05-25
Posts: 72

Re: Virus Alert...

THIS IS DEFINITELY A TROJAN/VIRUS!!!!!!!!!!!!

Since bringing up this matter to you, my password was changed on my server. I talked to the tech support people and they said it mighta been an error and reset it. I changed my password just in case...

Thursday or Friday there were randomly 25 GUESTS on my nexus radio forums...

Today the webpage isn't loading in IE 7 (though looks fine in previous versions or a Mozilla browser). In IE 7 it says do you want to download something... and won't load the page unless you do.

I thought this is funny.. and opened the index.html file on my server... sure enough it's changed a bit.. and this link has been added: htp://124.217.252.62/~admin/count.php?o=2 - IP traces back to ASIA, though that could mean anything.

I also noticed some NEW PHP files uploaded to the server... one of which seems to connect to my db and take something.. and one of which ALSO has this PHP/C99Shell.C

The forum doesn't look to have been touched.. other than the original file going up there.. but who knows what they have done.


#16 2008-04-07 23:03:23

sleeve
Member
Registered: 2006-05-25
Posts: 72

Re: Virus Alert...

Can anyone also tell me what FCKeditor/editor/plugins/findreplace/lang/login.php is for? I changed it to login2.php expecting when I did stuff on the forum it not to work.. and it does... so what the hell is it? hehe


#17 2008-04-07 23:23:11

elbekko
Moderator
From: Leuven, Belgium
Registered: 2006-01-31
Posts: 1353

Re: Virus Alert...

It's still what it is. The problem is just that you haven't protected it properly. Giving shell access to everyone isn't very smart.



#18 2008-04-07 23:26:06

sleeve
Member
Registered: 2006-05-25
Posts: 72

Re: Virus Alert...

Well first you're going to have to explain what shell access is before you can tell me I am not very smart for giving it to people...

I installed PunBB about 2 years ago I think. I found punres installed PunFrontpage.  - I don't know what I am doing with this stuff so I follow instructions given and things work... now 2 years later... I have somehow given everyone shell access?


#19 2008-04-07 23:38:58

Smartys
Member
Registered: 2005-03-18
Posts: 314
Website

Re: Virus Alert...

sleeve: Delete that file from your server. It's a backdoor. It probably did not get on there from the modification but from your site being compromised in some other way.



#20 2008-04-07 23:40:27

elbekko
Moderator
From: Leuven, Belgium
Registered: 2006-01-31
Posts: 1353

Re: Virus Alert...

It's a script that provides shell access. It isn't a virus or whatnot in any way, unless someone uses it like that.
If you didn't install it and don't need it, then you can delete it. And you should find out how it was uploaded.



#21 2008-04-07 23:47:57

sleeve
Member
Registered: 2006-05-25
Posts: 72

Re: Virus Alert...

I think I also found the main problem... out of the forum in my public folder.. somehow someone uploaded an HTML/Xerox virus...


#22 2008-04-07 23:52:57

elbekko
Moderator
From: Leuven, Belgium
Registered: 2006-01-31
Posts: 1353

Re: Virus Alert...

Yeah, sorry for missing the malicious bits when glancing over the script. Looked like a normal PHP shell script, but apparently not.

But there's still some opening that you need to track down, as you can't just upload things without any sort of access.



#23 2008-04-07 23:59:56

sleeve
Member
Registered: 2006-05-25
Posts: 72

Re: Virus Alert...

and loads of other files too.. I am trying to clean house...

I found loads of files in my main directory... so somehow from the FORUM they got into the main part of my site, uploaded a load of crap then started to change stuff..

I have found SHITLOADS of stuff they have changed...

deleting it all but how much will that really help in the long run if they can just get back in and change it back?

Last edited by sleeve (2008-04-08 00:01:06)


#24 2008-04-08 00:02:52

elbekko
Moderator
From: Leuven, Belgium
Registered: 2006-01-31
Posts: 1353

Re: Virus Alert...

That's why you need to find the root of the problem. Do you have any upload scripts on any of your websites, is your FTP/SSH password easily guessable, ...?



#25 2008-04-08 00:11:01

sleeve
Member
Registered: 2006-05-25
Posts: 72

Re: Virus Alert...

No, my passwords are usually a combination of languages and numbers...

When I first set up PunBB with pun frontpage a couple of years ago some stuff was not working... I was told to change the chmod to 777 - I have changed it back to 755 now...

I do have an upload image script in punBB FP but that's the only one there is...

A question about the FCKeditor... is that the BB text editor options thing? It came with Pun FP I think...

Last edited by sleeve (2008-04-08 00:21:55)
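
An added example, not part of the thread or of PunBB: a Python sketch of the cleanup checks discussed above, comparing the deployed web root against a fresh copy of the release (as in post #11), flagging PHP files that call command-execution functions, and listing anything still world-writable after a chmod 777. The names `audit` and `build_sample`, the finding labels, and the sample trees are hypothetical and constructed for illustration.

```python
import re, stat, tempfile
from pathlib import Path

# PHP calls that run OS commands or evaluate a decoded payload.
EXEC_RE = re.compile(
    rb"\b(?:system|passthru|shell_exec|popen|proc_open)\s*\(|eval\s*\(\s*base64_decode", re.I)

def _files(root):
    """Map relative POSIX path -> Path for each regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def audit(deployed, pristine):
    """Return sorted (relative_path, reason) findings for a deployed web root."""
    clean, findings = _files(pristine), []
    for rel, path in _files(deployed).items():
        data = path.read_bytes()
        if rel not in clean:                      # file the release never shipped
            findings.append((rel, "not-in-release"))
        elif data != clean[rel].read_bytes():     # shipped file, contents changed
            findings.append((rel, "modified"))
        if rel.lower().endswith(".php") and EXEC_RE.search(data):
            findings.append((rel, "command-exec"))
    for path in Path(deployed).rglob("*"):
        # chmod 777 leaves the write bit set for every local user.
        if not path.is_symlink() and path.lstat().st_mode & stat.S_IWOTH:
            findings.append((path.relative_to(deployed).as_posix(), "world-writable"))
    return sorted(findings)

def build_sample(base):
    """Write constructed pristine/deployed trees under base; return both roots."""
    page, php = "<p>home</p>", "<?php echo 'forum'; ?>"
    trees = {"pristine": {"index.html": page, "index.php": php},
             "deployed": {"index.html": page + "<a href='http://192.0.2.1/'>x</a>",
                          "index.php": php,
                          "editor/lang/login.php": "<?php passthru('id'); ?>"}}
    for tree, files in trees.items():
        for rel, body in files.items():
            path = Path(base, tree, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    img = Path(base, "deployed", "img")
    img.mkdir()
    img.chmod(0o777)
    return Path(base, "deployed"), Path(base, "pristine")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit(*build_sample(tmp)), sep="\n")
```

Findings from a pass like this only show what changed and what is still writable; the upload path that let the files in still has to be found from server and FTP logs.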


Based on PunBB
© Copyright 2002–2005 Rickard Andersson

© Copyright 2004–2006 Kristoffer Jansson

User contributed files are property of their respective owners.