vBulletin 4.1.9 infected with malware

  • mickreid
    Member
    • Jan 2011
    • 34
    • 4.0.x

    vBulletin 4.1.9 infected with malware

    Hi,

    My site has been blocked by Google for over 24 hours for malware. Google webmaster tools show javascript being randomly inserted into certain pages. I have downloaded and searched every single php/html file for this code and it is not present in the actual files. I have searched all styles and it is not present in any of the stored templates.

    The Javascript has not embedded itself in any page I have refreshed so far, it seems to only insert itself once every several thousand page impressions and with 200,000 threads on my site Google is finding 3 or 4 instances of it every time I ask it to rescan - so I can not tell which template/hook is delivering it and Google does not give me the html of where it has found the insert. When loading the pages that Google sees as infected from Google's point of view (in webmaster tools) those pages are no longer infected, it seems to only randomly insert itself using one of the global includes.

    I have reverted to a database backup from the 25th March as a temporary situation - but can anyone advise me on how to search my most recent database or possibly find out where this data has been inserted?
  • Hartmut
    Senior Member
    • Nov 2007
    • 2870
    • 4.2.x

    #2
    To check a site for compromises follow these steps:

    1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

    2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

    3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

    4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you. See step #7

    5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

    6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

    The following query can be run in phpMyAdmin and will provide results for steps 5 and 6 -
    -- the PHP function is spelled passthru(), so that is the string to match
    SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';

    If you have a plugin that you can't read or the code is obfuscated then you should probably contact the addon author. If it is assigned to the vBulletin, vBulletin CMS, vBulletin Blog or Skimlink products, delete it.

    7) Using PHPMyAdmin run this query:
    -- as above, match passthru() rather than pass_thru
    SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';

    It checks the templates for compromising code. You will need to review the results from this. If you can't read it or the code is obfuscated then you should revert the template in the Admin CP.

    8) Check .htaccess to make sure there are no redirects there.

    9) Check all plugins in reference to cache or cookies. If they are similar to any of the above, delete them.
    No private support, only PM me when I ask for it. Support in the forums only.


    • mickreid
      Member
      • Jan 2011
      • 34
      • 4.0.x

      #3
      I can't seem to find anything using the above methods. I'm pretty sure it has to be in the database somewhere since none of the website files contain the error (and I wrote over all existing files with 4.1.9 patch 4 to make sure none were modified).

      I don't suppose there is any clever way to loop through each database table and search each string column for the offending domain?


      • Hartmut
        Senior Member
        • Nov 2007
        • 2870
        • 4.2.x

        #4
        A chance would be trying this modification: http://www.vbulletin.org/forum/showthread.php?t=265866

        Please keep in mind that we officially don't support modifications, so you would have to post questions concerning this mod in the specific thread on vbulletin.org or get in touch with the author directly.
        No private support, only PM me when I ask for it. Support in the forums only.


        • stevectaylor
          Senior Member
          • Aug 2007
          • 380
          • 3.6.x

          #5
          Do you have VBSEO?
          Holiday Forum
          Motor Car Forum
          Political Forum
          Web Hosting Forum


          • Hartmut
            Senior Member
            • Nov 2007
            • 2870
            • 4.2.x

            #6
            Then the infection would be in the database itself and the latest stable version of vBSEO should be installed.
            No private support, only PM me when I ask for it. Support in the forums only.


            • stevectaylor
              Senior Member
              • Aug 2007
              • 380
              • 3.6.x

              #7
              We had a similar thing which Google flagged up, which was an injection to the datastore through the mysql with VBSEO

              Holiday Forum
              Motor Car Forum
              Political Forum
              Web Hosting Forum


              • mickreid
                Member
                • Jan 2011
                • 34
                • 4.0.x

                #8
                Thanks for the advice, trying the hack product now. I don't have VBSEO installed.


                • stevectaylor
                  Senior Member
                  • Aug 2007
                  • 380
                  • 3.6.x

                  #9
                  What's your url Mick
                  Holiday Forum
                  Motor Car Forum
                  Political Forum
                  Web Hosting Forum


                  • BirdOPrey5
                    Senior Member
                    • Jul 2008
                    • 9613
                    • 5.6.3

                    #10
                    Use the full database search in phpmyadmin to search the infected database for: base64

                    If you find it anywhere in the database, record where it is. If it is anywhere in the templates table it's probably the exploit you are looking for. If it's a plugin it is likely the problem, but there are a couple of legit plugins that use base64 encoding, though only 2 I can think of out of the hundreds I've ever seen. One is the plugin that scans for base64 and the other is by digitalpoint, he encoded a small graphic rather than include it as a separate file for performance reasons I suppose.

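Both mickreid's question in #3 (loop through every table and search each string column for the offending domain) and BirdOPrey5's full-database search for base64 in #10 come down to the same scan. The script below is an added example, not from this thread or from vBulletin: it lists the text and blob columns from INFORMATION_SCHEMA on MySQL (assumed DB-API connection), runs one bound LIKE query per column, and the in-memory demo uses constructed rows and the placeholder domain bad-domain.example.

```python
"""Search every text column of a database for an injected string (added example)."""
import sqlite3
from typing import List, Sequence, Tuple

# MySQL data types worth scanning; blobs included because vBulletin's datastore
# keeps serialized PHP arrays in a blob column.
TEXT_TYPES = ("char", "varchar", "tinytext", "text", "mediumtext", "longtext",
              "tinyblob", "blob", "mediumblob", "longblob")


def mysql_text_columns(cursor, schema: str) -> List[Tuple[str, str]]:
    """List (table, column) pairs of string/blob type via INFORMATION_SCHEMA (MySQL)."""
    marks = ",".join(["%s"] * len(TEXT_TYPES))
    cursor.execute(
        "SELECT table_name, column_name FROM information_schema.columns "
        f"WHERE table_schema = %s AND data_type IN ({marks})",
        (schema, *TEXT_TYPES),
    )
    return [(t, c) for t, c in cursor.fetchall()]


def scan_columns(cursor, columns: Sequence[Tuple[str, str]], needle: str,
                 paramstyle: str = "qmark") -> List[Tuple[str, str, str]]:
    """Run one LIKE query per column; return (table, column, snippet) for each hit."""
    mark = "?" if paramstyle == "qmark" else "%s"   # sqlite3 vs MySQL drivers
    # '!' escapes LIKE wildcards so a '%' or '_' in the needle is matched literally.
    pattern = "%" + needle.replace("!", "!!").replace("%", "!%").replace("_", "!_") + "%"
    hits = []
    for table, column in columns:
        # Identifiers come from the schema, not from user input; the needle is bound.
        cursor.execute(
            f"SELECT `{column}` FROM `{table}` WHERE `{column}` LIKE {mark} ESCAPE '!'",
            (pattern,),
        )
        for (value,) in cursor.fetchall():
            hits.append((table, column, str(value)[:120]))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Constructed in-memory sample: one clean template row, one with an injected tag."""
    cur = sqlite3.connect(":memory:").cursor()
    cur.execute("CREATE TABLE template (styleid INTEGER, title TEXT, template TEXT)")
    cur.execute("CREATE TABLE datastore (title TEXT, data BLOB)")
    cur.executemany("INSERT INTO template VALUES (?, ?, ?)", [
        (1, "header", "<div id='header'>{vb:raw vboptions.bbtitle}</div>"),
        (1, "footer", "<div id='footer'></div><script src='http://bad-domain.example/a.js'></script>"),
    ])
    cur.execute("INSERT INTO datastore VALUES (?, ?)", ("options", b'a:1:{s:3:"key";s:5:"value";}'))
    columns = [("template", "title"), ("template", "template"), ("datastore", "data")]
    return scan_columns(cur, columns, "bad-domain.example")   # returns the footer row only
```

Against a live site, pass the MySQL cursor and `mysql_text_columns(cursor, "your_db_name")` to `scan_columns` with `paramstyle="format"`, and use "base64" as the needle for the check described in #10.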
