nothing much, just a quick note
several weeks ago, the automated crawler from google found something malicious in one of the pages of an invision power board. however, only those who use firefox would see the warning page, while the others would see nothing.

in the safe browsing information, three domains have been identified as hosts of malicious software: sum4count.net, yeehaa.ru and ceqypawkht.com

after searching for those particular addresses in the page source, none could be found… so i googled around for alternative solutions. some suggest looking for “iframe” in the source… well, there’s no iframe. several pieces of advice suggest deleting everything and re-installing from scratch… that should be the last option, when all hope is lost.

luckily, while hope was fading, i found this topic telling me how to sort out the malicious code in the forum itself.

stats=String.fromCharCode(121,101,101,104,97,97,46,114,117);

the script was inserted into two tables, ibf_skin_templates_cache and ibf_skin_templates, with a bunch of numbers which would be turned into url text and then call the evil javascript from the converted domain. and it looks like some condition must be met; not everyone who visited the page would suffer the infection.
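an added example, not from the original post or the forum topic it mentions: a small python scanner that finds String.fromCharCode(...) calls in template text and decodes them, so a domain hidden as numbers can be matched against the flagged list. the row layout (table, row id, template text) and the sample rows are assumptions constructed for illustration; exporting the real rows from the two tables is left to the reader.

```python
import re

# Matches String.fromCharCode(...) containing only decimal character codes.
FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)")

# Domains named in the safe browsing information quoted in this post.
FLAGGED = {"sum4count.net", "yeehaa.ru", "ceqypawkht.com"}


def decode_char_codes(text):
    """Return (matched_call, decoded_string) for each fromCharCode call in text."""
    results = []
    for match in FROM_CHAR_CODE.finditer(text):
        codes = [int(c) for c in match.group(1).split(",")]
        # Skip calls with values chr() cannot represent instead of raising.
        if all(c <= 0x10FFFF for c in codes):
            results.append((match.group(0), "".join(chr(c) for c in codes)))
    return results


def scan_templates(rows):
    """rows: iterable of (table, row_id, template_text); returns a list of findings."""
    findings = []
    for table, row_id, body in rows:
        for call, decoded in decode_char_codes(body):
            findings.append({
                "table": table,
                "row_id": row_id,
                "call": call,
                "decoded": decoded,
                "flagged": decoded.lower() in FLAGGED,
            })
    return findings


# Constructed sample rows (hypothetical ids and markup) standing in for an
# export of the two skin template tables.
SAMPLE_ROWS = [
    ("ibf_skin_templates", 1, "<div class='row'>hello</div>"),
    ("ibf_skin_templates_cache", 2,
     "<script>stats=String.fromCharCode(121,101,101,104,97,97,46,114,117);</script>"),
]

if __name__ == "__main__":
    for finding in scan_templates(SAMPLE_ROWS):
        print(finding)
```

any decoded string is worth a look even when it is not on the flagged list, since the encoded domain can change between injections.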

after the lines of script were removed, the warning page is now gone. everything’s back to normal once again. lastly, it is strongly recommended to immediately force a password change for everyone who has administrative rights on the forum.

2008.07.18