jforjustice.co.uk/banksters - Hacked

  • rootnik
    Senior Member
    • Nov 2001
    • 110

    #46
    Originally posted by pgowder
    I just got hit. I had vBSEO installed but not turned on.

    I've turned off plugins, but I still can't get into the site.

    Any ideas?
    Even if vBSEO is turned off, the PHP files are still on your server.

    Do you have any other admins that can change your password for you?


    • asimj
      New Member
      • Feb 2012
      • 4

      #47
      I've been following this thread after some posts in our forum were hijacked and a simple JavaScript redirect was set up to forward members attempting to view a thread to the jforjustice website. We updated our forum to v3.8.7 PL2 and the latest version of vBSEO, which is the only plugin we use. I checked for any new plugins and none exist. The problem is that I couldn't find any reference to the JavaScript code anywhere, so I downloaded all files to my PC and Microsoft Security Essentials picked up the following 2 suspicious files, which were identified as backdoor scripts:

      <vb root>/images/avatars/b.php
      <vb root>/images/avatars/_error.php

      I'm now going to scan all files and see if I can find the Javascript code embedded somewhere.

      vB has been a nightmare of late, with 3 of our sites falling victim to uploaded phishing site attacks and now the justice league. Pain in the butt!

      Regards,
      Asim


      • asimj
        New Member
        • Feb 2012
        • 4

        #48
        Found the following in the pagetext_html field of the postparsed table:

        <SCRIPT language="JavaScript">window.location="http://jforjustice.co.uk/banksters";</SCRIPT>

        How can I prevent this happening again?


        • Wayne Luke
          vBulletin Technical Support Lead
          • Aug 2000
          • 74166

          #49
          Need to remove the primary point of infection. If it is the vBulletin software or one of your addons, the steps previously posted will expose it. Until you find that point of infection, you will see this over and over and over again. Removing that line just removes the result of the infection, not the infection itself.

          Going from other comments, the primary point seems to be insecure addons so you should either remove your addons or verify that they are free from exploitable issues.
          Translations provided by Google.

          Wayne Luke
          The Rabid Badger - a vBulletin Cloud demonstration site.
          vBulletin 5 API


          • asimj
            New Member
            • Feb 2012
            • 4

            #50
            Thanks for the advice. We couldn't find any primary point of infection, but we believe it may have been in the outdated version of vBSEO. All files are patched now, so it's a matter of wait and see.


            • Wayne Luke
              vBulletin Technical Support Lead
              • Aug 2000
              • 74166

              #51
              See: http://www.vbseo.com/f5/faqs-rogue-p...release-52862/

              • asimj
                New Member
                • Feb 2012
                • 4

                #52
                Originally posted by Wayne Luke
                I have run the vBSEO check utility and it reports everything is OK. The thread highlights all the issues with vBSEO and they have also kindly provided a suspicious activity tracking plugin, which I have installed. I guess the next thing is to password protect the admincp directory using .htaccess

                Thanks again for your advice, it's been very useful...


                • Wayne Luke
                  vBulletin Technical Support Lead
                  • Aug 2000
                  • 74166

                  #53
                  Originally posted by asimj
                  I guess the next thing is to password protect the admincp directory using .htaccess
                  I suggest this for the first thing after a new installation. Renaming it helps a bit as well but isn't as important.

                  • Tim Mousel
                    Senior Member
                    • May 2000
                    • 281
                    • 5.0.0

                    #54
                    Originally posted by Wayne Luke
                    Informative link. Thank you!

                    • Wayne Luke
                      vBulletin Technical Support Lead
                      • Aug 2000
                      • 74166

                      #55
                      Make sure to patch your vBulletin tonight with the new patch release. It will help secure things.

                      • dlangshaw
                        New Member
                        • Nov 2009
                        • 11

                        #56
                        Our vb site fishsniffer.com was hacked as well by the same install...and redirect. It is proving to be a real cluster to try and repair all the damage done. We are now on day three of attempting to repair and restore. None of these tweaks and tricks are making headway. Suspect is the hack installed with the vBSEO upgrade. Many very unhappy campers! :-(


                        • BirdOPrey5
                          Senior Member
                          • Jul 2008
                          • 9613
                          • 5.6.3

                          #57
                          Turn off JavaScript in your browser, then view your site. With JavaScript off you won't be forwarded to the hacker's site.

                          Then view HTML Source of your page and find instances of jforjustice.co.uk that will give you some clue where they are. I cleaned up a site last week the code was in the "Forum Name" setting in Admin CP -> Settings -> Options -> Site Name / URL / Contact Details AND in the setting for the mod VB Ad Management.

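The three manual checks described so far, the backdoor PHP files under images/avatars in #47, the redirect stored in postparsed.pagetext_html in #48, and BirdOPrey5's "grep the source for jforjustice.co.uk" in #57, can be scripted so they are repeatable after every clean-up. The following is an added example written for this thread; it is not code from vBulletin, vBSEO or any poster. It runs offline on constructed sample data (a few fake postparsed rows and a fake `find` listing), and it goes a little beyond what the thread reports: it also catches location.replace()/assign() and meta-refresh redirects, and it checks the other vBulletin upload directories, which is an assumption about a default 3.x layout.

```python
"""Find the jforjustice-style redirect in stored post HTML and PHP dropped into
vBulletin upload directories.

Added example for this thread, not code from vBulletin, vBSEO or any poster.
It works on data you hand it (rows of postparsed.pagetext_html, a list of paths
from `find`), so it runs offline against the constructed samples below.
"""
import re
from urllib.parse import urlparse

# Client-side redirect forms. The thread saw the first (window.location = "...");
# location.replace()/assign() and <meta http-equiv=refresh> are common variants
# (assumption: worth checking, not something the thread reported).
REDIRECT_RE = re.compile(
    r"""(?:window\.|document\.|top\.|self\.|parent\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|location\.(?:replace|assign)\(\s*["']([^"']+)["']\s*\)"""
    r"""|<meta[^>]+http-equiv=["']?refresh["']?[^>]+url=([^"'>\s;]+)""",
    re.IGNORECASE,
)
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)

# Directories that should only ever hold images (assumption: default vB 3.x layout).
UPLOAD_DIRS = ("images/avatars", "customavatar", "customprofilepics",
               "customgroupicons", "signaturepics", "attachments")
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl"}


def external_redirects(html, site_host):
    """Return the off-site URLs that redirect code in `html` would send a visitor to.
    Relative targets (same-site navigation) are ignored."""
    found = []
    for m in REDIRECT_RE.finditer(html):
        target = next(g for g in m.groups() if g)
        host = urlparse(target).hostname
        if host and host.lower() != site_host.lower():
            found.append(target)
    return found


def scan_rows(rows, site_host):
    """rows: iterable of (postid, pagetext_html). Returns {postid: [urls]} for the
    rows carrying an off-site redirect: the rows to clean, and the evidence."""
    infected = {}
    for postid, html in rows:
        urls = external_redirects(html, site_host)
        if urls:
            infected[postid] = urls
    return infected


def strip_injected_scripts(html, site_host):
    """Remove <script> blocks that redirect off-site. This cleans the symptom only:
    as Wayne Luke says in #49, the backdoor that wrote them must also be found."""
    def keep_or_drop(m):
        return "" if external_redirects(m.group(0), site_host) else m.group(0)
    return SCRIPT_RE.sub(keep_or_drop, html)


def scripts_in_upload_dirs(paths):
    """paths: relative paths as printed by `find . -type f`. Returns those that are
    server-side scripts sitting in an images-only directory. Any extension in the
    chain counts (shell.php.jpg), since misconfigured handlers will still run it."""
    bad = []
    for p in paths:
        rel = p[2:] if p.startswith("./") else p
        in_upload_dir = any(rel.startswith(d + "/") for d in UPLOAD_DIRS)
        exts = rel.rsplit("/", 1)[-1].lower().split(".")[1:]
        if in_upload_dir and any(e in SCRIPT_EXTS for e in exts):
            bad.append(rel)
    return bad


# Constructed sample data standing in for a postparsed dump and a `find` listing.
SAMPLE_ROWS = [
    (101, '<div>Nice catch, thanks!</div>'),
    (102, '<SCRIPT language="JavaScript">window.location="http://jforjustice.co.uk/banksters";</SCRIPT>'
          '<div>original post text</div>'),
    (103, '<a href="http://forum.example/showthread.php?t=9">see here</a>'
          '<script>location.href="/forum.php";</script>'),
    (104, '<script>top.location.replace("//jforjustice.co.uk/banksters")</script>'),
]
SAMPLE_PATHS = [
    "./images/avatars/b.php", "./images/avatars/_error.php", "./images/avatars/avatar12_1.gif",
    "./customavatar/avatar99_2.jpg", "./customavatar/thumb.php.jpg", "./includes/functions.php",
]

if __name__ == "__main__":
    for pid, urls in scan_rows(SAMPLE_ROWS, "forum.example").items():
        print(f"postid {pid} redirects to {urls}")
    for path in scripts_in_upload_dirs(SAMPLE_PATHS):
        print(f"script in upload dir: {path}")
```

To feed it real data, export `postid, pagetext_html` from your postparsed table (with your table prefix) and `find . -type f` from the vB root, and run the same functions over those. Anything scan_rows flags is a row to clean with strip_injected_scripts, anything scripts_in_upload_dirs flags is a file to pull, hash and delete; neither tells you how the attacker wrote them, which is the question #49 says you still have to answer.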

                          • motoxer311
                            Member
                            • Nov 2008
                            • 59
                            • 3.7.x

                            #58
                            I was hit again, this is getting old now..


                            • rootnik
                              Senior Member
                              • Nov 2001
                              • 110

                              #59
                              Originally posted by motoxer311
                              I was hit again, this is getting old now..

                              Did you password protect the admincp directory?

                              Also, if any admin accounts have been compromised you need them to reset their password, and make sure their email address is correct. When you password protect the admincp directory, only give the login details to your admins via a contact method where you can be sure you are talking to them. Posting the details in a private message or usergroup specific forum is going to allow the hackers to see the login details.

                              You'll also want to password protect any phpmyadmin installations, look in your customavatar dir for any php files (there should be NONE, delete if there are any).

                              You can set usergroups up to require a password change every X amount of days, this is probably a good practice too.


                              • motoxer311
                                Member
                                • Nov 2008
                                • 59
                                • 3.7.x

                                #60
                                How can you pw protect a directory?

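The step asked about in #60, and recommended in #53 and #59, is HTTP Basic authentication in front of admincp/ (and modcp/) on top of vBulletin's own login. The following is an added example written for this thread, not code from vBulletin or any poster. It assumes Apache with .htaccess honoured for the web root (AllowOverride AuthConfig) and a writable directory outside DocumentRoot for the password file; the {SHA} password scheme is used only because it needs nothing beyond the Python standard library, and on a real server `htpasswd -B` (bcrypt) is the better choice.

```python
"""Put HTTP Basic authentication in front of vBulletin's admincp/.

Added example, not code from the thread or from vBulletin. Assumptions: Apache,
.htaccess honoured for the web root (AllowOverride AuthConfig), and a writable
location outside DocumentRoot for the password file.
"""
import base64
import hashlib
import os
import secrets
import tempfile
from pathlib import Path


def htpasswd_line(user, password):
    """One .htpasswd entry in the {SHA} scheme, chosen here only because it needs
    nothing beyond the stdlib. On a real server prefer `htpasswd -B` (bcrypt)."""
    if not user or ":" in user:
        raise ValueError("bad username")
    digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return f"{user}:{{SHA}}{digest}"


def htaccess_text(userfile, realm="Staff only"):
    """Directives for the protected directory. `Require valid-user` is accepted by
    both Apache 2.2 and 2.4, so the same file works on either."""
    realm = str(realm).replace('"', '\\"')
    return (
        "AuthType Basic\n"
        f'AuthName "{realm}"\n'
        f"AuthUserFile {userfile}\n"
        "Require valid-user\n"
    )


def protect_dir(admincp_dir, userfile, users):
    """Write .htaccess into admincp_dir and the user file at userfile (mode 0600).
    users: {username: password}. Returns the two paths written."""
    admincp_dir, userfile = Path(admincp_dir), Path(userfile)
    htaccess = admincp_dir / ".htaccess"
    # The password file must not be served: keep it outside the web root and
    # readable only by the account the web server runs as.
    htaccess.write_text(htaccess_text(userfile.resolve()))
    userfile.write_text("".join(htpasswd_line(u, p) + "\n" for u, p in users.items()))
    os.chmod(userfile, 0o600)
    return htaccess, userfile


def new_password(nbytes=16):
    """Random credential per admin; hand it over out of band, never in a PM or a
    staff-only forum (rootnik's point in #59)."""
    return secrets.token_urlsafe(nbytes)


def demo():
    """Stand-alone run against a throwaway tree; returns what was written."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "public_html" / "admincp").mkdir(parents=True)
        (root / "auth").mkdir()
        htaccess, userfile = protect_dir(root / "public_html" / "admincp",
                                         root / "auth" / ".htpasswd",
                                         {"admin": new_password()})
        return {"htaccess": htaccess.read_text(), "users": userfile.read_text()}


if __name__ == "__main__":
    out = demo()
    print(out["htaccess"])
    print(out["users"].rstrip())
```

Two caveats a practitioner would want: Basic auth sends the credential with every request, so it protects admincp only if the forum is served over HTTPS; and if you also rename the directory as Wayne suggests in #53, vBulletin needs to be told the new name via `$config['Misc']['admincpdir']` in includes/config.php, with the .htaccess moved along with it.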
