Popup injection? (vB 4.2.2 Patch Level 4)

This topic is closed.
#16 Paul M (Former Lead Developer, vB.Com & vB.Org; joined Sep 2004; 9886 posts)

Originally posted by Ianno:
    Is it safe to remove all that code and leave just this?
    if (strpos($_SERVER['PHP_SELF'],"subscriptions.php")) {
        exit;
    }

No.

As Trevor says, delete the entire plugin, it's not part of vBulletin, someone has installed that to hack your server.

-- Baby, I was born this way

#17 dc3dreamer (Member; joined Oct 2005; 49 posts; running 4.2.x)

It got me too. I was on an old version, upgraded to 4.2.4, and it got me again yesterday. However, thanks to this thread (specifically Ianno & Trevor Hannant) I found the "vBulletin" init_startup plugin that could have been there for a long time. I have my fingers crossed! I had discovered the connection-min.js myself with the Google Chrome debugger. Miraculous actually, since I know literally nothing about PHP and the giant codebase for this application. I believe the init_startup plugin utilized and maybe created a couple of files subscriptionsxxx.php. I got rid of them too and nothing bad has happened so far.

My modified connection-min.js had the same date/time modified date as all of the other files. Somehow it was modified then touched back to the exact same time as the original. How did you guys spot the modified file(s)?

Last edited by dc3dreamer; Thu 27 Apr '17, 2:30am.

#18 Wayne Luke (vBulletin Technical Support Lead; joined Aug 2000; 74121 posts)

Originally posted by dc3dreamer:
    How did you guys spot the modified file(s)?

The Suspect File Versions tool in the AdminCP will catch many of them. It is under Maintenance -> Diagnostics.

Usually we just recommend uploading a completely new set of files to make sure nothing is compromised.

-- Translations provided by Google.
   Wayne Luke
   The Rabid Badger - a vBulletin Cloud demonstration site.
   vBulletin 5 API

#19 Ianno (Member; joined Jun 2011; 63 posts; running 4.1.x)

dc3dreamer, where did you find the subscriptionsxxx.php files that you got rid of?

I just found that init_startup plugin backdoor by paying a specialist to check the server.

It's very strange though that several vBulletin forums are now hacked the same way. It must be a flaw somewhere. Or it's our fault, as it seems we all initially had older vBulletin versions.

#20 Wayne Luke (vBulletin Technical Support Lead; joined Aug 2000; 74121 posts)

Originally posted by Ianno:
    dc3dreamer, where did you find the subscriptionsxxx.php files that you got rid of?

    I just found that init_startup plugin backdoor by paying a specialist to check the server.

    It's very strange though that several vBulletin forums are now hacked the same way. It must be a flaw somewhere. Or it's our fault, as it seems we all initially had older vBulletin versions.

There was a flaw a couple of years ago. We released security patches and informed people to look for these exploits. Your site could have been exploited for years.

-- Translations provided by Google.
   Wayne Luke
   The Rabid Badger - a vBulletin Cloud demonstration site.
   vBulletin 5 API

#21 Ianno (Member; joined Jun 2011; 63 posts; running 4.1.x)

Well, nothing was strange before March-April this year. I guess some hackers found the flaws. Argh, now I regret not upgrading to the latest version all the time (I'm always afraid that some core plugins for my community won't work with the new version, so that's why I'm always hesitating to upgrade right away).

#22 dc3dreamer (Member; joined Oct 2005; 49 posts; running 4.2.x)

I had it happen on 4.2.4. The problem may have been a plugin "vBulletin" init_startup. I removed it. We'll see how long my 4.2.4 survives again. I think there are some posts missing in this discussion, by the way, including the most recent. It's stopping at April 17, yet I got a notice that Ianno posted this morning!! Plus I posted several that aren't showing either. WEIRD!

[edit] On a whim, I changed the Filter from "All Time" to "Last Week" and voila! The recent posts (including this one) are now visible.

Last edited by dc3dreamer; Fri 28 Apr '17, 7:50am. Reason: Found these late postings by changing the filter - see my edit in the post

#23 dc3dreamer (Member; joined Oct 2005; 49 posts; running 4.2.x)

Originally posted by Wayne Luke:
    There was a flaw a couple of years ago. We released security patches and informed people to look for these exploits. Your site could have been exploited for years.

Probably. Well, the init_startup plugin was a nasty one. You're right, my problems may go back years!

#24 Ianno (Member; joined Jun 2011; 63 posts; running 4.1.x)

dc3dreamer, where did you find the subscriptionsxxx.php files that you got rid of? Were they in the forum root or in what folders?

#25 BirdOPrey5 (Senior Member; joined Jul 2008; 9613 posts; running 5.6.3)

If one vB file is known to be infected, it's easier to replace them all with fresh copies downloaded from the Member's Area than to try to edit them one by one.

#26 Home Alone (Member; joined Jan 2007; 40 posts; running 3.8.x)

I started experiencing this issue around the end of March and resolved it yesterday. For me it was the Litespeed caching plugin. When it's enabled, a line like this appears in the header near the login code:
http://d1mob6w0cdx3a7.cloudfront.net/?wbomd=655065
It's a link to the JavaScript code that causes the redirect. I had to disable the Litespeed plugin, disable Litespeed caching and delete the Litespeed cache on the server to get rid of it.

ETA: I was up to date on all of the security patches. I looked at the Litespeed caching plugin code and didn't see anything malicious. I don't know how they were able to achieve this.

Last edited by Home Alone; Tue 2 May '17, 6:35am.

#27 hivitro (New Member; joined Jan 2009; 2 posts; running 3.7.x)

More than a month ago they hacked my vBulletin and sent the first attempt to enter the forum to another advertising site.

The bug was in vB 4.2.2 Patch Level 4, and I was informed by Google and marked as a hacked vBulletin site.

I performed all the upgrade steps to 4.2.3. Improved my host, new PHP, security, deleted everything I could to make everything original.

A week ago, they got me again. Currently my site is offline while I check the database, but vBulletin has a serious problem.

#28 BirdOPrey5 (Senior Member; joined Jul 2008; 9613 posts; running 5.6.3)

Originally posted by hivitro:
    More than a month ago they hacked my vBulletin and sent the first attempt to enter the forum to another advertising site.

    The bug was in vB 4.2.2 Patch Level 4, and I was informed by Google and marked as a hacked vBulletin site.

    I performed all the upgrade steps to 4.2.3. Improved my host, new PHP, security, deleted everything I could to make everything original.

    A week ago, they got me again. Currently my site is offline while I check the database, but vBulletin has a serious problem.

While it is possible it is an unknown exploit in 4.2.3, once a site has been exploited once, it is extremely difficult to guarantee it is clean. I've seen hidden PHP files in images, attachment, cpstyles, and other directories typically not deleted even on "clean installs" and folders not checked by the Suspect File Diagnostic.
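Two points in this thread are worth turning into a repeatable check: post #17 (a tampered connection-min.js whose modification time had been reset to match the untouched files, so a timestamp comparison would never have flagged it) and post #28 (PHP files hidden in directories such as images, attachment and cpstyles that a reinstall and the Suspect File Versions tool do not cover). The script below is an added example written for this page; it is not vBulletin code and not the AdminCP tool. It assumes you have a pristine copy of the same vBulletin version unpacked next to the live tree, compares the two by SHA-256 rather than by mtime, and lists any PHP file under the upload and style directories named in the thread. The directory names, the file layout in the demo and the demo file contents are constructed placeholders, not the real install tree.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Upload/style directories that should never hold executable PHP. The first three
# are the ones named in post #28; extend the tuple for your own install (assumption).
NO_PHP_DIRS = ("images", "attachment", "cpstyles")
PHP_SUFFIXES = (".php", ".phtml")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large attachments do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> (sha256, mtime) for every regular file under root."""
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = (sha256_of(p), int(p.stat().st_mtime))
    return manifest


def compare_trees(clean: Path, deployed: Path) -> dict:
    """Diff a pristine install against the live tree. 'modified' is decided by hash;
    'mtime_changed' is reported only to show how little a timestamp check tells you."""
    ref, live = build_manifest(clean), build_manifest(deployed)
    return {
        "modified": sorted(r for r in ref if r in live and live[r][0] != ref[r][0]),
        "mtime_changed": sorted(r for r in ref if r in live and live[r][1] != ref[r][1]),
        "added": sorted(r for r in live if r not in ref),
        "missing": sorted(r for r in ref if r not in live),
    }


def stray_php(deployed: Path, dirs=NO_PHP_DIRS) -> list:
    """List PHP files found under directories that should contain only static content."""
    found = []
    for d in dirs:
        base = deployed / d
        if base.is_dir():
            found.extend(p.relative_to(deployed).as_posix()
                         for p in base.rglob("*")
                         if p.is_file() and p.suffix.lower() in PHP_SUFFIXES)
    return sorted(found)


def run_demo() -> dict:
    """Constructed scenario: a clean tree and a live copy where one JS file was altered
    and its mtime reset to the original value, plus a PHP file dropped into images/."""
    fixed_time = 1_400_000_000  # constructed timestamp shared by every file
    files = {  # constructed layout, not the real vBulletin tree
        "clientscript/connection-min.js": "var placeholder = 1;\n",
        "subscriptions.php": "<?php // constructed stand-in ?>\n",
        "images/misc/logo.png": "PNG-bytes-placeholder",
    }
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp) / "clean", Path(tmp) / "live"
        for root in (clean, live):
            for rel, body in files.items():
                p = root / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_text(body)
                os.utime(p, (fixed_time, fixed_time))
        # Tampered file with its timestamp put back, as described in post #17.
        js = live / "clientscript/connection-min.js"
        js.write_text(files["clientscript/connection-min.js"] + "// constructed change\n")
        os.utime(js, (fixed_time, fixed_time))
        # Stray PHP in an upload directory, as described in post #28.
        dropped = live / "images/misc/cache.php"
        dropped.write_text("<?php // constructed placeholder ?>\n")
        return {"diff": compare_trees(clean, live), "stray_php": stray_php(live)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it against a real site as compare_trees(Path("/path/to/pristine"), Path("/path/to/live")) and stray_php(Path("/path/to/live")). Everything under "added" deserves a look, because a backdoor usually arrives as a new file rather than a changed one, and a plugin stored in the database (the init_startup entry in this thread) will not show up in a file comparison at all, so the plugin list in the AdminCP still has to be reviewed separately.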

#29 Paul M (Former Lead Developer, vB.Com & vB.Org; joined Sep 2004; 9886 posts)

Originally posted by hivitro:
    but vBulletin has a serious problem.

What serious problem?

-- Baby, I was born this way

#30 hivitro (New Member; joined Jan 2009; 2 posts; running 3.7.x)

Originally posted by Paul M:
    What serious problem?

Paul, a pleasure to be able to answer you. As a user of your system for the last 8 years, I can say that the commercial decisions taken since the purchase of Jelsoft have made what was the best-known forum system just one more in the middle of the list, since you lost the charisma.

What is the serious problem? That I, as a client, am at this moment, instead of thinking about buying a licence for your product vB5 for a new project, already testing a competitor's product, looking at which modules + core to acquire, and at the cost of the 6-month renewal.

Believe me, in 8 years I never had the need to write to you, since I could solve any situation with your product, as I dedicate myself to doing thousands of things, but having to fight against security flaws and SQL injection is no longer for me; I lose money, and we are no longer partners.

Greetings and the best for vB.
