Popup injection? (vB 4.2.2 Patch Level 4)
This topic is closed.
-
It got me too. I was on an old version, upgraded to 4.2.4, and it got me again yesterday. However, thanks to this thread (specifically Ianno & Trevor Hannant) I found the "vBulletin" init_startup plugin that could have been there for a long time. I have my fingers crossed! I had discovered the connection-min.js myself with the Google Chrome debugger. Miraculous actually since I know literally nothing about PHP and the giant codebase for this application. I believe the init_startup plugin utilized and maybe created a couple of files subscriptionsxxx.php. I got rid of them too and nothing bad has happened so far.
My modified connection-min.js had the same date/time modified date as all of the other files. Somehow it was modified then touched back to the exact same time as the original. How did you guys spot the modified file(s)?
Last edited by dc3dreamer; Thu 27 Apr '17, 2:30am.
-
Translations provided by Google.
Wayne Luke
The Rabid Badger - a vBulletin Cloud demonstration site.
vBulletin 5 API
-
dc3dreamer where did you find the subscriptionsxxx.php files that you got rid of?
I just found that init_startup plugin backdoor by paying a specialist to check the server.
It's very strange though that several vBulletin forums are now hacked the same way. It must be a flaw somewhere. Or it's our fault, as it seems we all initially had older vBulletin versions.
-
Well, nothing was strange before March-April this year. I guess some hackers found the flaws. Argh, now I regret not upgrading to the latest version all the time (I'm always afraid that some core plugins for my community won't work with the new version, so that's why I'm always hesitating to upgrade right away).
-
I had it happen on 4.2.4. The problem may have been a plugin "vBulletin" init_startup. I removed it. We'll see how long my 4.2.4 survives again. I think there are some posts missing in this discussion by the way, including most recent. It's stopping at April 17, yet I got a notice that ianno posted this morning!! Plus I posted several that aren't showing either. WEIRD!
[edit] On a whim, I changed the Filter from "All Time" to "Last Week" and voila! the recent posts (including this one) are now visible.
Last edited by dc3dreamer; Fri 28 Apr '17, 7:50am. Reason: Found these late postings by changing the filter - see my edit in the nost
-
There was a flaw a couple of years ago. We released security patches and informed people to look for these exploits. Your site could have been exploited for years.
-
dc3dreamer where did you find the subscriptionsxxx.php files that you got rid of? Were they on the forum root or in what folders?
-
If one VB file is known to be infected it's easy enough to replace them all with fresh copies downloaded from the Member's Area rather than try to edit them one by one.
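The earlier question about a file that was changed and then had its modified time set back, and the advice above to work from a fresh download, both come down to comparing file contents rather than timestamps. The following is an added example, not part of the original thread and not vBulletin code: it hashes every file in a live install and in a freshly unpacked copy of the same version. The two directory trees, their file contents and the `js/` folder are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash file contents; timestamps and size play no part in the result."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def listing(root):
    """Map each file's path relative to root onto its full path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def compare_trees(installed, pristine):
    """Compare a live install against a freshly unpacked copy of the same version."""
    live, ref = listing(installed), listing(pristine)
    common = live.keys() & ref.keys()
    return {
        "modified": sorted(r for r in common if sha256_of(live[r]) != sha256_of(ref[r])),
        "extra": sorted(live.keys() - ref.keys()),    # files the package never shipped
        "missing": sorted(ref.keys() - live.keys()),
    }

def build_demo(base):
    """Constructed sample: small trees standing in for the forum root and a fresh download."""
    base = Path(base)
    stamp = 1400000000  # arbitrary shared timestamp, as if every file came from one upload
    files = {"index.php": b"<?php // stock\n", "js/connection-min.js": b"var YAHOO={};\n"}
    for tree in ("pristine", "installed"):
        for rel, data in files.items():
            path = base / tree / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
            os.utime(path, (stamp, stamp))
    # Change one file without changing its length, then put the old timestamp back.
    tampered = base / "installed" / "js/connection-min.js"
    tampered.write_bytes(b"var YAHOO=[];\n")
    os.utime(tampered, (stamp, stamp))
    (base / "installed" / "subscriptionsxxx.php").write_bytes(b"<?php // unexpected\n")
    return base / "installed", base / "pristine"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_trees(*build_demo(tmp)))
```

Files stored on disk by the forum itself, such as uploads, will also show up under "extra", so that list needs reading rather than blind deletion. Plugins like the init_startup one mentioned in this thread live in the database, so a file comparison does not cover them.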
-
I started experiencing this issue around the end of March and resolved it yesterday. For me it was the Litespeed caching plugin. When it's enabled a line like this appears in the header near the login code:
http://d1mob6w0cdx3a7.cloudfront.net/?wbomd=655065
It's a link to the JavaScript code that causes the redirect. I had to disable the Litespeed plugin, disable Litespeed caching and delete the Litespeed cache on the server to get rid of it.
ETA: I was up to date on all of the security patches. I looked at the Litespeed caching plugin code and didn't see anything malicious. I don't know how they were able to achieve this.
Last edited by Home Alone; Tue 2 May '17, 6:35am.
-
More than a month ago they hacked my vbulletin and sent the first attempt to enter the forum, to another advertising site.
The bug was in vB 4.2.2 Patch Level 4, and I was informed by google and marked as hacked vbulletin site.
Perform all the upgrade steps, a 4.2.3. Improve my host, new php, security, delete everything I could to make everything original.
A week ago, they had made me again. Currently my site is offline, while I check the database, but vbulletin has a serious problem.
-
Paul, a pleasure to be able to answer you. As a user of your system in the last 8 years, I can indicate that the commercial decisions that have taken since the purchase of Jelsoft made the best system of forums known now is one more in the middle of the list, since you lost the charisma.
What is the serious problem? - That I as a client is at this moment, instead of thinking about buying the license of your product vb5, for a new project, this already testing a product of the competition, and looking at which modules + core I acquire, and to see the cost of the 6 months renovation.
Believe me that in 8 years I never had the need to write them since I could solve any situation of your product, since I dedicate myself to do thousands of things, but having to be fighting against security flaws and sql injection, is no longer mine, I lose money, and we are no longer partners.
A greeting and the best for vB.