Gumblar Virus in my Templates

auto_freak · May 12th, 2009, 01:05 PM

Hello,

I cleaned up all the php files still some users are complaining that some virus detection problems are still rising through their browser and virus scanners. Basically, I found out the malicious code that is inserted into the templates of my site. Those codes dont appear in the forum however, but does appear in the classifieds and gallery sections. The templates are being pulled from vbulletin so I belive a simple template edit might fix it. But I am not sure where I can find this code, I searched the header template, forumhome, footer and many other templates, nowhere could be found.

Any guess where this code is from? Please let me know, its troubling and getting rid off my web visitors. My templates are heavily edited and a new template installation might just scare people away.

Code:

Content visible to verified customers only.

auto_freak · May 12th, 2009, 01:07 PM

the code in bold is the actual virus code...

Chuck S · May 12th, 2009, 01:11 PM

I would suggest possibly checking your altered files.

My support response would be to upload clean php and templates

You can check pp-inc.php for the code noted in here but that is where the ajaxcode is in the printheader function.

Chuck S · May 12th, 2009, 01:13 PM

Most hacks are a result of improper file permissions and or modifications to default base code that allow people access.

auto_freak · May 12th, 2009, 01:14 PM

I uploaded fresh new files of php and tmpl, basically uploaded fresh files from photopost gallery and photopost classifieds, vbulletin forum as well. This has to be in the styles/templates in my site....since the style has not been replaced. The styles are heavily edited so you think a fresh upload is necessary or can you see and dig out wherever this code is actually in?

Chuck S · May 12th, 2009, 01:22 PM

So your saying this is in your vbulletin templates?

If you turn off your vbulletin integration boxes under admin edit integration does it appear in your page source anymore?

If you upload clean photopost stuff then the code should not exist in photopost and then you know its pulling it from vb which means you need to sanitize and remove the code from vb templates etc

Places to look in vb would be the header or header-inc templates

Chuck S · May 12th, 2009, 01:25 PM

Or possibly in one of your vb plugins like the UKBL ~Menu Styles

auto_freak · May 12th, 2009, 02:21 PM

As I found out, this is not even in the templates, the viruses are probably still there in the server...I installed a completely new style, still the same problems. Where in the server can these codes be found?

Chuck S · May 12th, 2009, 02:34 PM

I do not beleive these would be on the server they have to be in files.

What happened when you turned off the vb3 integration under edit integration?

auto_freak · May 12th, 2009, 02:37 PM

I turned off the vb3 integration and the code remained there even then. The stylesheets were obviously all white, but that malicious code was still found in the source code.

Chuck S · May 12th, 2009, 02:47 PM

You host might need to assist you there. I cant tell you anything more than to upload clean files. It is being placed right before your body tag of the page.

Chuck S · May 12th, 2009, 03:15 PM

We call anything for our head close and body tag in two places.

One in pp-inc.php for a non vb integrated page.

Code:

Content visible to verified customers only.

and for vb integrated in header-inc.php

Code:

Content visible to verified customers only.

If there is no code inserted between there in any of our files then I would have no idea where its being executed from.

This I assume is what your trying to remove

Code:

Content visible to verified customers only.

Chuck S · May 12th, 2009, 03:19 PM

Also something else to consider

Gumblar .cn Exploit - 12 Facts About This Injected Script | Unmask Parasites. Blog.

auto_freak · May 12th, 2009, 04:25 PM

Chuck, thanks for all the help. owe you one, a fresh upload of clean photopost gallery and classifieds files was enough to fix this issue. give me some tips on how to maintain server security.

Chuck S · May 12th, 2009, 04:40 PM

Well I would make sure that all files etc are maintained with permissions as noted here

PhotoPost PHP Photo Sharing Photo Gallery Installation Guide

One word of caution though. While there are no reported ways to break the photopost script tieing it to vbulletin that has hacks/mods can open up exploits. I always suggest running stock sites and not using code posted by others.

Like there was one reported post where users found .php files throughout the data folder of photopost and Michael himself at one time was a victum of this and it came down to a flashchat for vb Michael has installed. Once your ftp or some other file is compromised users can easily alter any file that is writable on the server or any directory.

skidpics · May 12th, 2009, 11:56 PM

can you reupload the new file, then apply read only cmod to it?

Chuck S · May 12th, 2009, 11:57 PM

yes all files except those noted should be 644 which is the server default so uploading it should default to that.

Lewzor · May 21st, 2009, 09:27 AM

content for verified customers only !?

Chuck S · May 21st, 2009, 10:32 AM

Yes this is a support site! You need to be a verified customer to obtain support.