| « Changer over to cms | Checkup for January 2nd 2009 » |
Yahoo! Counter starts' trojan that affects VBulletin and other forum software
Link: http://vbadvice.blogspot.com/2008/12/yahoo-counter-starts-trojan.html
I found this excellent advice for the removal of the Yahoo! Counter starts' trojan from your database. This was a VBulletin user.
I found a relatively simple fix for the 'Yahoo! Counter starts' trojan that affects VBulletin and other forum software. Here's what I did:
I did a backup of the SQL database in VBulletin:
I went into the Admin Panel; clicked Maintenance, database backup.
At the bottom of that page, I went to the section that says
Backup database to a file on the server. Then I did the following:
1. made new directory within the /forum/ folder called /backup
2. made new directory worldwritable
chmod 777 backup
3. entered location for backupfile in Admin panel:
./backup/forumbackup-year-month-day.sql
4. Clicked save
Then I went into site by FTP and downloaded the SQL backup file,
and deleted the file from the site, and deleted the folder.
Then I searched the backed up SQL file for 'Yahoo! Counter' and found
two sections of code that had been inserted into the database by the trojan.
I found the code by doing a backup of the entire database with vBulletin,
then searching the SQL file generated by that back up.
Both sections of code have 'Yahoo! Counter' in them.
Then I logged into my website hosting company's control panel, and used
PHPmyadmin to go into the mySQL database (I have IXwebhosting), and
I edited the affected tables (the names of the tables were found from the
previous search of the backed up SQL file).
datastore options
[datastore is the name of a table in the database,
and options is a section within that table]
and likewise with:
setting description
The section of bad code in datastore begins with:
1108:\"\" />
and then continues on to include:
Yahoo! Counter starts
and then continues on to end with:
name=\"yahoo\" content=\"count\"
and the repaired code in 'datastore options' should include:
;s:11:\"description\";s:0:\"\";s:12:\"useforumjump\";i:1
The bad code had changed
;s:0:
to
;s:1108:
and then added the malicious code after the 1108. So after deleting the bad section of code, I made sure the repaired code had the zero and not the 1108
The section of bad code in 'setting description' was easier to fix.
This good code:
INSERT INTO setting VALUES('description', 'general', '',
'This is a discussion forum powered by vBulletin. To find out about vBulletin, go to http://www.vbulletin.com/ .',
'', '20', '0', '1', 'free', 'vbulletin', '', '0');
had been replaced by a long section of code that included the text:
Yahoo! Counter starts
I replaced that long section of code with the text:
This is a discussion forum powered by vBulletin. To find out about vBulletin, go to http://www.vbulletin.com/ .
This worked for me. I don't know if it will work for anyone else.
Proceed similarly at your own risk.
Good luck!
Posted by JT at 6:08 PM
XML Feeds