IPB Trojan? Help

Discussion in 'Malware Help (A Specialist Will Reply)' started by Dannyd, Jul 28, 2006.

  1. Dannyd

    Dannyd Private E-2

    G'day

    I would appreciate some help if someone could spare the time.

    I own a site powered by IPB called www.footballforumsaustralasia.com

    Recently a couple of members complained about being redirected to a Russian MP3 site whilst browsing innocently on the forum. I usually use Firefox but one day, when using I.E, the same problem happened to me. Even hitting the back button took me there! Not just a pop-up but the main window I was using.

    Anyhow, the situation has worsened. I can't use I.E on the site at all; instead it freezes up and I have to end it 'illegally'.

    I'll post up a screenshot of what happens immediately if I try to enter the site through I.E:

    http://img459.imageshack.us/img459/1994/1te9.jpg

    There you can see the address it is communicating with. Secondly a screenshot of what loads, completely frozen:

    http://img222.imageshack.us/img222/3277/2zm3.jpg

    Anyway, my Firefox was fine for ages despite this but last night it started developing problems of its own, constantly asking me to download some file. Every time I click on anything within the site, this window pops up:

    http://img150.imageshack.us/img150/243/3dg7.jpg

    I might add, the Firefox browser, when in my site, seems to be doing a lot of communicating with proffy209.com. I tried to go to this address but only got a white page with proffy209.com written in plain text.


    I've searched far and wide for a solution. From what I have gathered (and I'm not sure it is true), whatever it is exploits a security flaw in Invision Power Board 2.1.6 and below (http://secunia.com/advisories/20772/). So yesterday I had the site upgraded to 2.1.7, which is the latest; however, the problem remains.

    I asked the host to check if there is a bug in the site files, and I got a negative reply (however, I am unsure to what extent he looked). Would this problem lie within the site's files? Or just any computer that accessed the site before it was upgraded?

    This problem only exists with the domain name www.footballforumsaustralia.com

    I am at a loss. Sorry about the length of the post but it was necessary to explain the problem. I have put 'trojan' in the title of this thread, but even so, I am not even sure what a trojan is. Your help would be most appreciated.

    Kind Regards,
    Daniel
     
  2. matt.chugg

    matt.chugg MajorGeek

    There is an IPB SQL injection vulnerability that lets an attacker insert malicious code. Softpedia is one site that was also affected by this and had a similar effect to one of your screenshots.

    I looked up the source of their pages and found the malicious code and reported it to them and they removed it. The upgrade will prevent the exploit I think but the malicious code is obviously already there.

    You will need to remove the code yourself. The version of the exploit that I found on Softpedia's site inserted a <div> after the closing </body> tag; however, yours may be different.

    You should probably contact IPB's tech support to find out more information about this exploit and how to fix it. I've never used IPB and only know about this from what I found before.
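
The page-source check described in the reply above, as an added example that is not part of the original thread: it flags markup placed after the closing </body> tag and, because the injected code may sit elsewhere, any script/iframe/object/embed that loads from a host outside an allowlist. The host names, the script path and both sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the forum legitimately loads active content from.
ALLOWED_HOSTS = {"forum.example"}

# Constructed sample pages (not taken from the affected forum).
CLEAN = '<html><body><script src="/js/board.js"></script></body></html>\n'
INJECTED = ('<html><body><p>Board index</p></body>'
            '<div style="display:none"><iframe src="http://injected.example/x">'
            '</iframe></div></html>')


class SrcCollector(HTMLParser):
    """Collect the hosts that script/iframe/object/embed tags load from."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe", "object", "embed"):
            return
        for name, value in attrs:
            host = urlparse(value or "").hostname
            if name in ("src", "data") and host:
                self.hosts.append((tag, host))


def audit_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, detail) findings for one page as served to a browser."""
    findings = []
    closes = list(re.finditer(r"</body\s*>", html, re.I))
    if closes:
        # Only whitespace and </html> should follow the last </body>.
        tail = re.sub(r"</html\s*>", "", html[closes[-1].end():], flags=re.I)
        if tail.strip():
            findings.append(("markup-after-body", tail.strip()[:80]))
    collector = SrcCollector()
    collector.feed(html)
    for tag, host in collector.hosts:
        if host not in allowed_hosts:
            findings.append(("off-site-" + tag, host))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_page(INJECTED):
        print(kind, detail)
```

Run it against the HTML the server actually returns for several board pages, not only the template files on disk, since the thread attributes the insertion to an SQL injection.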
     
  3. Dannyd

    Dannyd Private E-2

    Thanks for your reply mate. I'll contact IPB on the issue. :)
     
