Malware problem - rewriting of clientscript/vbulletin_global.js and vbulletin_menu.js

  • richpal
    Senior Member
    • Aug 2006
    • 164
    • 3.6.x

    Malware problem - rewriting of clientscript/vbulletin_global.js and vbulletin_menu.js

    A few weeks ago one of my forums was hit by malware and Google flagged it which decimated traffic to the site.

    A little later Google Webmaster tools provided me with information on which files had been compromised, namely clientscript/vbulletin_menu.js (I think).

    Yesterday the site was hit again with the file clientscript/vbulletin_global.js compromised, and once again Google flagged the site with a Malware alert which wiped out traffic numbers to the forum.

    I'm kind of scratching my head over how these files are being changed and although I've done a search on here for the same problem I've not located the same issue.

    It's one thing to keep uploading clean files, but to have to keep cleaning up the damage is very annoying.

    One question that comes to mind is how can the files be altered without the need for the username or password to the server or forum? I also set up an additional layer of protection for the admin files via the cPanel but apparently there is still a vulnerability.

    BTW, I seem to have misplaced the link provided by Wayne Luke some months ago regarding protecting forums from hacking/malware issues for which I implemented many of the recommendations made.
  • Lynne
    Former vBulletin Support
    • Oct 2004
    • 26255

    #2
    Originally posted by richpal
    One question that comes to mind is how can the files be altered without the need for the username or password to the server or forum?
    They can't. Someone needs access to the server in order to alter the files. I'd suggest you talk to your host about this so you may go through your server access logs.

    Please don't PM or VM me for support - I only help out in the threads.
    vBulletin Manual & vBulletin 4.0 Code Documentation (API)
    Want help modifying your vbulletin forum? Head on over to vbulletin.org
    If I post CSS and you don't know where it goes, throw it into the additional.css template.

    W3Schools <- awesome site for html/css help
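An added example, not part of Lynne's post and not vBulletin tooling: before going through the access logs it helps to know exactly which files differ from a clean copy and when they last changed. The function names, the temporary directories and the stand-in file contents below are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Hash a file in chunks so large scripts are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_trees(clean_dir, live_dir):
    """Map each differing live file to (status, mtime_utc); status is 'modified' or 'added'."""
    findings = {}
    for root, _dirs, files in os.walk(live_dir):
        for name in files:
            live_path = os.path.join(root, name)
            rel = os.path.relpath(live_path, live_dir)
            clean_path = os.path.join(clean_dir, rel)
            if not os.path.isfile(clean_path):
                status = "added"  # no counterpart in the clean copy
            elif sha256_of(clean_path) != sha256_of(live_path):
                status = "modified"
            else:
                continue
            mtime = datetime.fromtimestamp(os.path.getmtime(live_path), timezone.utc)
            findings[rel] = (status, mtime.isoformat(timespec="seconds"))
    return findings


def demo():
    """Constructed sample: a clean tree and a live tree with one altered file."""
    clean, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    for base in (clean, live):
        for name in ("vbulletin_global.js", "vbulletin_menu.js"):
            with open(os.path.join(base, name), "w") as fh:
                fh.write("// constructed stand-in for " + name + "\n")
    with open(os.path.join(live, "vbulletin_global.js"), "a") as fh:
        fh.write("// constructed appended line\n")
    return compare_trees(clean, live)


if __name__ == "__main__":
    for rel, (status, when) in sorted(demo().items()):
        print(status, when, rel)
```

The modification time is only a hint for narrowing the log search, because whoever changed the file can also reset its timestamp.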


    • richpal
      Senior Member
      • Aug 2006
      • 164
      • 3.6.x

      #3
      Originally posted by Lynne
      They can't. Someone needs access to the server in order to alter the files. I'd suggest you talk to your host about this so you may go through your server access logs.
      Hi Lynne and thank you for your quick reply. I have changed all the passwords and now await to see what happens next. I asked my host about the server logs and they assured me that no one had used FTP to access the files apart from my IP address.

      Don't suppose anyone could provide me with the link containing recommendations for protecting the forum and/or server from hacking and malware issues. Am sure it was a post or blog by Wayne Luke.

      UPDATE: Found the link, it was a blog by Wayne Luke: https://www.vbulletin.com/forum/blog.php/868
      Last edited by richpal; Tue 21 Aug '12, 1:22pm. Reason: Found post by Wayne Luke for protecting the forum and/or server from hacking and malware issues


      • z0diac
        Senior Member
        • Oct 2006
        • 444

        #4
        Are you running Plesk? If so I can almost GAURENTEE (sp?) you they're getting in that way. I was running Plesk on my old server and an exploit in it allowed them to put files directly on to my server. Specifically the blackhole malicious exploit stuff.

        Hire the guys at Total Server Solutions (tell them the owner of icedogfans sent you) and they can patch Plesk for you. Plesk has been hit BAD as of late, by malicious code intrusions.

        I switched servers and made sure to switch my control panel to cPanel.

        Also... you might want to check your ajax.php script as mine (for version vb 3.6.8) had a hole in it that allowed them to directly put files with a GET command right onto my server. I now run ajax.php for vB 4.0.2 on my 3.6.8 forum and the hole is no longer there.
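An added example, not part of z0diac's post: when FTP logs show only the owner's IP, the web access log is the next place to look, and this sketch lists requests to PHP scripts from other addresses in the minutes before a file's modification time. It assumes Apache combined log format; the log lines, IP addresses (documentation ranges), timestamps and function name are constructed for the illustration.

```python
import re
from datetime import datetime, timedelta

# Combined log prefix: ip, identd, user, [time], "method path proto", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Aug/2012:09:14:02 +0000] "GET /forum/index.php HTTP/1.1" 200 5120
198.51.100.7 - - [20/Aug/2012:10:41:30 +0000] "GET /forum/ajax.php?do=constructed HTTP/1.1" 200 312
203.0.113.5 - - [20/Aug/2012:10:43:10 +0000] "POST /forum/admincp/index.php HTTP/1.1" 200 901
198.51.100.7 - - [20/Aug/2012:10:44:55 +0000] "GET /forum/clientscript/vbulletin_global.js HTTP/1.1" 200 40211
192.0.2.44 - - [20/Aug/2012:13:02:11 +0000] "GET /forum/ajax.php?do=constructed HTTP/1.1" 200 312
garbled line that does not parse
"""


def requests_before_change(log_text, changed_at, window_minutes=15, own_ips=()):
    """Return (timestamp, ip, method, path, status) for PHP requests from other
    IPs made within window_minutes before changed_at (a timezone-aware datetime)."""
    start = changed_at - timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not (start <= ts <= changed_at):
            continue
        path_only = m["path"].split("?", 1)[0]
        if m["ip"] in own_ips or not path_only.endswith(".php"):
            continue  # ignore the owner's own traffic and static files
        hits.append((ts.isoformat(), m["ip"], m["method"], m["path"], int(m["status"])))
    return hits
```

Any hit is a lead to examine alongside the server's error log and the script's patch level, not proof of how the file was changed.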


        • richpal
          Senior Member
          • Aug 2006
          • 164
          • 3.6.x

          #5
          Originally posted by z0diac
          Are you running Plesk? If so I can almost GAURENTEE (sp?) you they're getting in that way. I was running Plesk on my old server and an exploit in it allowed them to put files directly on to my server. Specifically the blackhole malicious exploit stuff.

          Hire the guys at Total Server Solutions (tell them the owner of icedogfans sent you) and they can patch Plesk for you. Plesk has been hit BAD as of late, by malicious code intrusions.

          I switched servers and made sure to switch my control panel to cPanel.

          Also... you might want to check your ajax.php script as mine (for version vb 3.6.8) had a hole in it that allowed them to directly put files with a GET command right onto my server. I now run ajax.php for vB 4.0.2 on my 3.6.8 forum and the hole is no longer there.
          Thanks for the info, thankfully I'm using cPanel rather than Plesk but that is more luck than judgement. After I contacted my hosting company they updated the PHP on the server to the latest version - I can only assume that this was why the site was originally compromised. The forum software is 3.8.7 patch 3 so I presume the ajax.php should be OK.
