Redirection hack to R00TW0RM

  • mavherzog
    New Member
    • Oct 2003
    • 19

    [Forum] Redirection hack to R00TW0RM

    Help!

    Templates look fine and none of my static files appear to have been compromised. http://geekhack.org

    They have changed it up a couple of times...this latest one appears to be broken...but it DID initially redirect to their site.
  • TheLastSuperman
    Senior Member
    • Sep 2008
    • 1799

    #2
    Try some of the information listed here - https://www.vbulletin.com/forum/cont...vBulletin-Site

    It could be a simple .htaccess redirect in that file or worse but use the above guide and see if you can't track it down and rid yourself of this.


    Former vBulletin Support Staff
    Hacked recently? See my blog post "Recovering a Hacked vBulletin Site".
    Thinking outside the box? Need modification support? Visit www.vBulletin.org and have at it!


    • mavherzog
      New Member
      • Oct 2003
      • 19

      #3
      Originally posted by TheLastSuperman
      Try some of the information listed here - https://www.vbulletin.com/forum/cont...vBulletin-Site

      It could be a simple .htaccess redirect in that file or worse but use the above guide and see if you can't track it down and rid yourself of this.

      They modified the templates directly in the db. The Fix-it template script helped me recompile those templates and remove the redirect (for now).

      Site is always patched to the latest/greatest vB version and locked down pretty tight (as per security best practices detailed on this site). Maybe I am facing a zero day vulnerability not yet discovered in vB???


      • Loco.M
        Senior Member
        • Mar 2005
        • 4319
        • 3.5.x

        #4
        Originally posted by mavherzog
        Maybe I am facing a zero day vulnerability not yet discovered in vB???

        Or maybe a poorly coded mod?
        -- Web Developer for hire
        ---Online Marketing Tools and Articles


        • TheLastSuperman
          Senior Member
          • Sep 2008
          • 1799

          #5
          I doubt it's a Zero Day... I will never say never on something like that but I will doubt the fire out of it. Please be sure to check for suspicious files and remember, if you have any other software installed, openx for ads as an example or anything at all, ensure none of those platforms are being exploited and that all other software is also fully up to date and secured to the best of your knowledge at all times.

          Edit: Also, there is the possibility they have a shell script or similar on the site that was put up when you were initially hacked; with something like that they can continue to gain access despite a security patch being applied.

