Announcement

Collapse
No announcement yet.

Malware problem - rewriting of clientscript/vbulletin_global.js and vbulletin_menu.js

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Malware problem - rewriting of clientscript/vbulletin_global.js and vbulletin_menu.js

    A few weeks ago one of my forums was hit by malware and Google flagged it which decimated traffic to the site.

    A little later Google Webmaster tools provided me with information on which files had been compromised, namely clientscript/vbulletin_menu.js (I think).

    Yesterday the site was hit again with the file clientscript/vbulletin_global.js compromised, and once again Google flagged the site with a Malware alert which wiped out traffic numbers to the forum.

    I'm kind of scratching my head over how these files are being changed and although I've done a search on here for the same problem I've not located the same issue.

    It's one thing to keep uploading clean files, but to have to keep cleaning up the damage is very annoying

    One question that comes to mind is how can the files be altered without the need for the username or password to the server or forum? I also set-up an additional layer of protection for the admin files via the cPanel but apparently there is still a vulnerability.

    BTW, I seem to have misplaced the link provided by Wayne Luke some months ago regarding protecting forums from hacking/malware issues for which I implemented many of the recommendations made.

  • #2
    Originally posted by richpal View Post
    One question that comes to mind is how can the files be altered without the need for the username or password to the server or forum?
    They can't. Someone needs access to the server in order to alter the files. I'd suggest you talk to your host about this so you may go through your server access logs.

    Please don't PM or VM me for support - I only help out in the threads.
    vBulletin Manual & vBulletin 4.0 Code Documentation (API)
    Want help modifying your vbulletin forum? Head on over to vbulletin.org
    If I post CSS and you don't know where it goes, throw it into the additional.css template.

    W3Schools <- awesome site for html/css help

    Comment


    • #3
      Originally posted by Lynne View Post
      They can't. Someone needs access to the server in order to alter the files. I'd suggest you talk to your host about this so you may go through your server access logs.
      Hi Lynne and thank you for your quick reply, have changed all the passwords so await to see what happens next. I asked my host about the server logs and they assured me that no one had used ftp to access the files apart from my IP address.

      Don't suppose anyone could provide me with the link containing recommendations for protecting the forum and/or server from hacking and malware issues. Am sure it was a post or blog by Wayne Luke.

      UPDATE: Found the link, it was a blog by Wayne Luke: https://www.vbulletin.com/forum/blog.php/868
      Last edited by richpal; Tue 21st Aug '12, 2:22pm. Reason: Found post by Wayne Luke for protecting the forum and/or server from hacking and malware issues

      Comment


      • #4
        Are you running Plesk? If so I can almost GAURENTEE (sp?) you they're getting in that way. I was running Plesk on my old server and an exploit in it allowed them to put files directly on to my server. Specifically the blackhole malicious exploit stuff.

        Hire the guys at Total Server Solutions (tell them the owner of icedogfans sent you) and they can patch Plesk for you. Plesk has been hit BAD as of late, by malicious code intrusions.

        I switched servers and made sure to switch my control panel to cPanel.

        Also... you might want to check your ajax.php script as mine (for version vb 3.6.8) had a hole in it that allowed them to directly put files with a GET command right onto my server. I now run ajax.php for vB 4.0.2 on my 3.6.8 forum and the hole is no longer there.

        Comment


        • #5
          Originally posted by z0diac View Post
          Are you running Plesk? If so I can almost GAURENTEE (sp?) you they're getting in that way. I was running Plesk on my old server and an exploit in it allowed them to put files directly on to my server. Specifically the blackhole malicious exploit stuff.

          Hire the guys at Total Server Solutions (tell them the owner of icedogfans sent you) and they can patch Plesk for you. Plesk has been hit BAD as of late, by malicious code intrusions.

          I switched servers and made sure to switch my control panel to cPanel.

          Also... you might want to check your ajax.php script as mine (for version vb 3.6.8) had a hole in it that allowed them to directly put files with a GET command right onto my server. I now run ajax.php for vB 4.0.2 on my 3.6.8 forum and the hole is no longer there.
          Thanks for the info, thankfully I'm using cPanel rather than Plesk but that is more luck than judgement. After I contacted my hosting company they updated the php on the server to the latest version - I can only assume that this was why the site was originally compromised. The forum software is 3.8.7 patch 3 so I presume the ajax.php should be OK.

          Comment

          widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
          Working...
          X