Malware on this forum

I just got it again via a Google search, 1.23pm GMT.

[quote name='CS-Cart Support team' timestamp='1357386917' post='152221']

Thank you all for reporting this problem and letting us know all the details. It seems that the problem was caused by a vulnerability in the Google Search addon installed in our forum software. We have disabled it until a fix is available.



If anyone still sees these strange images, please inform us in this thread.



Thank you and we apologize for the inconvenience.





Pavel Zyukin

CS-Cart Support team

[/quote]



I see this problem when I refresh the homepage… so I don't think it is a Google addon issue.

[quote name='StellarBytes' timestamp='1357392214' post='152225']

I just got it again via a Google search, 1.23pm GMT.

[/quote]

We are sorry to hear the problem is still there.



Unfortunately, nobody from our staff was able to see these strange pictures (result of the malware) “in action”, so it is a bit difficult to understand where this code loads from.



Can anyone save the full source code of the HTML page when they see the picture in question next time and PM me the file? We will appreciate any assistance.



Thank you in advance.

Attached is the source. You will be interested in what is at the bottom. It looks like a script that was injected in your LightBox or something.



This doesn't load every time for me. After you posted this message, I tried to get it to come up and I couldn't. Then after doing a bunch of other stuff, I got on and did a search through Google and it came up again. Now it is just a lightbox image that has different things like a fail thing and a chick masturbating.



I hope it helps.



Brandon

forum.html

It's the last line of the page load. Looks like an injection to me.


Cybergoth Girls
The Worst Time To Fail Like That
Wedding Fails
The Flintstones Are Going Adult!
Funny Masturbation Demotivational Posters
What She Did With Her Face?

A minute ago I followed the link below


[quote name='StellarBytes' timestamp='1357305952' post='152177']

I'm now getting this every time I click any result after clicking “More results from forum.cs-cart.com” on a Google search.



It seems to be loading from creativesolutions . nard . ca

[/quote]



and got the very same image as miracles posted

Experienced it myself for the first time today.

Visited the Forum today from a Google search, URL looks all OK but this lightbox popup below appeared (screenshot):-








Unfortunately I did capture the code, will do next time. It only seems to appear after not visiting the forum after a period of time, so may be browser cached file reloading (could be infected JavaScript file).

cs-forum-sc1.jpg

Source to image Adrian8 posted above.

newsblocks_source.html

At least I got some pretty hot women when I saw it for the first time yesterday.

I got some weird advertisement and it's trying to load a nasty rootkit / trojan infection that makes use of a Java exploit.

This is particularly worrisome as such infections may infect your FTP program and then spread to your websites.

This happened to me. (possibly caused by this issue) Google and all browsers blocked all access to my websites, throwing Attack Website warnings to all users including my customers.

This is very bad negative publicity. Some of my websites are doing very well.

I have resolved it though by cleaning up my PC with several on-demand scanners, changing all passwords and reuploading my files.



But beware about this issue.

I have this too today, and it is also something I once had on my own forum - and it is rife in forums such as Invision Board.



Essentially a script is added into your code (usually via injection of sorts) and that script checks your referrer. For the advert to show up 'normally' you have to have come from a Google search page AND it is your first visit of the day. Typically after your first search, if you try again, you will not be able to replicate it.



For the record, I got this on your forum just minutes before I posted this (I have attached a screen).

Untitled-1.jpg

Oh… just to add. From my experience with this on Invision Power Board, Google does pick up on the Malware and your forum results in Google will begin to show a Malware warning before users click the link. Effectively putting people off coming to the forum.

Ah… another useful tip, just in case it is the same form of injection, the code they added to our board was added in an encrypted format to make it more difficult to find in the source file.



Ours was encrypted with the base64 string, so a search for the base64 in our code always found it as we did not use that in other coding. As soon as you delete it they get it back on the same page within a few weeks… so you will have to find the vulnerability to prevent it coming back sharpish!
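The base64 search described in the posts above, extended into a small file scanner as an added example (not part of the original thread and not the forum software's own code). It decodes each long base64 literal and flags only those that hide referrer checks or script tags; the marker list, file suffixes and sample files are assumptions constructed for illustration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Long base64 runs (40+ chars) are rare in hand-written templates.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Assumed heuristics for what an injected loader contains once decoded.
MARKERS = ("referer", "referrer", "<script", "<iframe", "document.write")

def scan_file(path):
    """Return [(line_number, [markers])] for base64 literals hiding script code."""
    findings = []
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in B64_LITERAL.finditer(line):
            try:
                raw = base64.b64decode(match.group(0), validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64 after all
            decoded = raw.decode("latin-1").lower()
            hits = [m for m in MARKERS if m in decoded]
            if hits:
                findings.append((lineno, hits))
    return findings

def scan_tree(root, suffixes=(".php", ".js", ".html")):
    """Scan every template/script file under root; map relative path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            found = scan_file(path)
            if found:
                report[str(path.relative_to(root))] = found
    return report

def build_sample_tree(root):
    """Constructed sample data: a clean file with a hash, and an inert encoded check."""
    inert = b"if (document.referrer.indexOf('google') !== -1) { /* constructed */ }"
    Path(root, "clean.php").write_text("<?php $etag = 'da39a3ee5e6b4b0d3255bfef95601890afd80709'; ?>\n")
    Path(root, "footer.php").write_text(
        "<?php echo 'footer';\n$x = base64_decode('%s'); ?>\n"
        % base64.b64encode(inert).decode())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_tree(tmp))
```

Decoding before matching keeps ordinary hashes and tokens (like the one in the clean sample file) out of the report, which a plain text search for "base64" would not.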

Thank you all for the assistance and feedback regarding the fake banners displayed on the Forums. Unfortunately, our forum software had a couple of vulnerabilities about which the software creators did not inform us on time, so our Forums were infected with malware JavaScript code. No user emails or personal data were leaked.



We have patched our forum software and deleted the infected files. Now everything should be fine.



We sincerely apologize for the inconvenience and thank you for your patience.

Yes, IPS released a patch on December 27th: http://community.inv…e/#entry2349475

If you did not receive the email alert about it, then check your IPS account settings. You can find these in your client area here:

https://www.invisionpower.com/clients/index.php?app=core&module=usercp&tab=core&area=email