
BC keeps triggering my AntiVirus


obbm

Every time I refresh BC my antivirus warns and denies access to http://secfbicheker.com/?1 .

It is apparently listed in the database of suspicious URLs.

Google says it's a malicious link.

Where has this link come from?

Link to comment
Share on other sites

[quote name='Hamster' timestamp='1353395257' post='1874506']
Hi Dave. Someone hacked the front page of the site a few days ago but it's all been cleaned up. I expect the 'delete cache & cookies' routine should help as this is the only report of an anti-virus being triggered that we have.
[/quote]

Doesn't seem to have any effect Colin. Still there.

Link to comment
Share on other sites

I'm getting it as well - on every page...

And, to be frank, that casual throw away response of "[i]Someone hacked the front page of the site a few days ago but it's all been cleaned up.[/i]" is a little worrying as that means someone has gained access to either the FTP login details for the entire site or the CMS control panel. WTF?

Link to comment
Share on other sites

Last time this happened it was because the site was effectively added to a list when it was hacked, but once it was fixed the name remained on the list until we requested it to be cleared.

I also remember it being the case that it's very unlikely that any data on users or accounts was accessed as they are behind a lot of security. The 'hack' merely accesses some basic front end software.

ped

Link to comment
Share on other sites

[quote name='99ster' timestamp='1353400712' post='1874526']
I'm getting it as well - on every page...

And, to be frank, that casual throw away response of "[i]Someone hacked the front page of the site a few days ago but it's all been cleaned up.[/i]" is a little worrying as that means someone has gained access to either the FTP login details for the entire site or the CMS control panel. WTF?
[/quote]
Just got the same thing as other folk - for every page - that link OBBM posted (not going to click it) and additionally Safari doesn't like it and wants me to leave.
It was ok at 12:00 last night.

Link to comment
Share on other sites

Hi Guys,

Someone will have taken advantage of a vulnerability in IP.Board and injected some code into the site. This is how to fix if you're running a flavour of Linux as the host:

[CODE]
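# Edit every .php file under the current directory in place, deleting each line that contains eval(base64_decode(
find . -name "*.php" -type f -exec sed -i '/eval(base64_decode(/d' {} \;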
[/CODE]

Make sure you perform a backup first!

What's happened is that an encrypted string of code will probably be added to the header of each PHP file that runs the site. e.g.

base64_decode([i]then a load of [/i][i]nonsense[/i]);

This is then read by the client which puts that iframe mentioned above into the site and tries to infect visiting computers.

My code above goes through the files and strips it out - but please don't hold me responsible if it breaks something!!!!

Link to comment
Share on other sites
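
A read-only check to run before the `sed` one-liner in the post above, added here as an example and not part of the original post: it lists the PHP files containing `eval(base64_decode(` and flags matching lines that also hold other code, which a whole-line delete would remove along with the injection. It assumes GNU or BSD `find`, `grep` and `sed`; `scan_injected` and `risky_lines` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example: read-only audit to run before the sed cleanup.
# scan_injected and risky_lines are hypothetical helper names.

PATTERN='eval(base64_decode('

# List every .php file under directory $1 that contains the pattern.
scan_injected() {
    find "$1" -type f -name '*.php' -exec grep -lF -- "$PATTERN" {} + | sort
}

# Print file:line for each match whose line still holds something after
# the eval(...) call and any emptied "<?php ?>" pair are stripped.
# Deleting such a line with sed '/.../d' also deletes that remainder,
# for example the file's own opening "<?php" tag.
risky_lines() {
    scan_injected "$1" | while IFS= read -r f; do
        grep -nF -- "$PATTERN" "$f" | while IFS= read -r hit; do
            n=${hit%%:*}
            line=${hit#*:}
            rest=$(printf '%s\n' "$line" | sed -E \
                -e 's/eval\(base64_decode\([^)]*\)\);?//g' \
                -e 's/<\?php[[:space:]]*\?>//g' \
                -e 's/[[:space:]]//g')
            if [ -n "$rest" ]; then
                printf '%s:%s\n' "$f" "$n"
            fi
        done
    done
}

# Usage: ./audit.sh /path/to/webroot   (nothing is modified)
if [ "$#" -gt 0 ]; then
    echo "Files containing $PATTERN"
    scan_injected "$1"
    echo "Matching lines that also carry other code:"
    risky_lines "$1"
fi
```

Lines reported by `risky_lines` need the injected call removed by hand or with a narrower substitution, since deleting the whole line would also drop the code sharing it.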
