Announcement

Collapse
No announcement yet.

Major security issue, any help?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Major security issue, any help?

    Few days ago someone has done something and managed to redirect couple of urls on our site to his phishing site which looks exactly the same but on different url. We were running vb3.8.2
    I thought it might have something to do with not installing patches. My updates rights have expired and latest I could download is 3.8.3 so I installed it and uploaded patches for 3.8.4 since files don't seem to be too different and everything was working fine.

    But today issue has reappeared. Two links that are being redirected are new posts:
    Code:
    http://www.mydomain.com/search.php?do=getnew
    and from quick links Today's posts:
    Code:
    http://www.mydomain.com/search.php?do=getdaily
    They were redirected to:
    Code:
    http://www.fakesite.com/login.aspx?
    which looked like exact copy of our site and I imagine someone was trying to steal login data.

    Redirect is still on although phishing site is down, actually reports server error on that particular landing page. The base url is still working fine.

    Any ideas please on how someone could have done this and how could I stop it ?
    There is nothing in the templates mentioning this fake url. Didn't notice any files on server have been changed either. Tried disabling plugins but no luck.

    I am a little low on funds to upgrade to vb4 atm, not that I am too keen on doing so even if money was no issue.

  • #2
    Check the parked domains page and redirects in your cPanel for your hosting account.
    Check all your logs and post anything that looks like a hacking, because this looks as if it is.
    That's it. If you REALLY can't say ANYTHING nice to me at all on this forum, then I am going to go insanely mad at you. I've had enough of the UNTOLD ABUSE you are all giving me and you should really be CONSIDERATE of other people.

    Comment


    • #3
      Originally posted by Homeworld'sa View Post
      Check the parked domains page and redirects in your cPanel for your hosting account.
      Check all your logs and post anything that looks like a hacking, because this looks as if it is.
      Thanks for replying.

      There is no parked domains in cPanel. And only one redirect which is just to avoid people using url without www.
      Nothing strange in apache logs that mentions this redirect happening.

      Comment


      • #4
        Which pages are the redirects happening on? Check the files and see if any code was injected into them.
        That's it. If you REALLY can't say ANYTHING nice to me at all on this forum, then I am going to go insanely mad at you. I've had enough of the UNTOLD ABUSE you are all giving me and you should really be CONSIDERATE of other people.

        Comment


        • #5
          Check your plugins (Not products) and templates for potential redirects.

          Either way your site has most likely been comprised at some level due to an insecurity. I'd take it offline while trying to resolve what the problem is and ensuring it doesn't/can't happen in the future.

          Comment


          • #6
            Originally posted by Homeworld'sa View Post
            Which pages are the redirects happening on? Check the files and see if any code was injected into them.
            Only on new posts link and today's posts as mentioned in first post.

            Originally posted by nforums View Post
            Check your plugins (Not products) and templates for potential redirects. If you mean on which page on forums, it is there on index, showthread on any of them where navbar is displayed.

            Either way your site has most likely been comprised at some level due to an insecurity. I'd take it offline while trying to resolve what the problem is and ensuring it doesn't/can't happen in the future.
            I did turn off forums as soon as I noticed the issue. Tried disabling plugins/hooks from vbulletin option and redirect is still there. Couldn't find anything in the templates either. I really can't see what could be causing this.
            I tried creating new style with default templates and it is still there.
            Last edited by karabaja; Mon 15 Feb '10, 11:10am.

            Comment


            • #7
              Go into your file manager and search inside the file "search.php" and look for any code that could be redirecting users.
              That's it. If you REALLY can't say ANYTHING nice to me at all on this forum, then I am going to go insanely mad at you. I've had enough of the UNTOLD ABUSE you are all giving me and you should really be CONSIDERATE of other people.

              Comment


              • #8
                No, didn't find anything strange in search.php but uploaded the original file just to be safe and it is still happening.

                Comment


                • #9
                  If it means anything I can open mydomain.com/search.php and preform a search without being redirected. Only when going to
                  Code:
                  search.php?do=getnew
                  and
                  Code:
                  search.php?do=getdaily
                  redirection kicks in.

                  Comment


                  • #10
                    I don't know what the problem could be. Are you sure there is no bad redirection code? Try reuploading all of the vBulletin files in ASCII format, and overwrite the current version.
                    That's it. If you REALLY can't say ANYTHING nice to me at all on this forum, then I am going to go insanely mad at you. I've had enough of the UNTOLD ABUSE you are all giving me and you should really be CONSIDERATE of other people.

                    Comment


                    • #11
                      Have you checked your .js files?
                      My Live vB5 Site - NZEating.com
                      vBulletin Hosting | vBulletin Services - Need hosting for your vB? Need it installed? Something else? Let me take that hassle off your hands.

                      Comment


                      • #12
                        Originally posted by Ace View Post
                        Have you checked your .js files?
                        It does seem to be some js file. When I disable javascript in my firefox this redirect doesn't happen when I click on New posts.

                        Any idea which .js file could be doing this ?

                        Comment


                        • #13
                          As Homeworld'sa has already suggested above, try re-uploading all original vBulletin files making sure you overwrite the ones already on the server
                          Vote for:

                          - *Admin Settable Paid Subscription Reminder Timeframe*
                          -
                          *PM - Add ability to reply to originator only*
                          - Add Admin ability to auto-subscribe users to specific channel(s)
                          - "Quick Route" Interface...

                          Comment


                          • #14
                            Originally posted by Trevor Hannant View Post
                            As Homeworld'sa has already suggested above, try re-uploading all original vBulletin files making sure you overwrite the ones already on the server
                            I did do that already. And it is still there.
                            I've just tried checking all .js files that firebug reported to be loading on index page. And I've renamed them one by one and refreshed so they wouldn't be loaded. Despite everything this redirect would still happen when I click on New posts.
                            Is there perhaps any javascripts that are loaded when going to New posts that wouldn't be loaded on index page?
                            Is there any way maybe to debug what is exactly happening with the browser when this link is clicked or something like that.

                            Comment


                            • #15
                              Give this a shot http://www.vbulletin.org/forum/showthread.php?t=220967

                              Comment

                              Related Topics

                              Collapse

                              Working...
                              X