How to get rid of this virus iframe hack on vbulletin.


  • [Forum] How to get rid of this virus iframe hack on vbulletin.

    Basically Google blocked the vBulletin we are running; it had the error that the site is infected, bla bla.

    I reupped clean vBulletin files, fresh template in the folder. No old files.

    Still that error comes and forums try to open up a popup.

    I even searched for that word in my phpMyAdmin DB but it's not in SQL.

    So question is where is that iframe code located??? I am really worried now, what should I do??


  • #2
    Have you looked in the page source to see where it's coming from? It could be an ad, a modified template, an add-on or a modified file.

    Please see this thread on how to make your vBulletin more secure:

    http://www.vbulletin.com/go/secure

    If you are still being hacked after doing all of this, then they are most likely doing this by accessing your server. You need to contact your host about this.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




    • #3
      Are you using openx?


      • #4
        On my domain.com the forums are running at domain.com/forums

        I renamed that folder, then deleted it.

        Created new forums folder.

        Re-uploaded FRESH VB files, no 3rd party template, disabled hook plugins.

        1 day later I see that popup try to open on forum home.

        It is not coming from the template, I have searched, even searched in the sql db for that word or link that tries to open up in popup.

        Thing is I have my own dedicated server at 10tb.com so how will they help, they will tell me to secure the server myself.

        Ramsesx -> No I am not using openx.



        • #5
          That picture is certainly not of a default vB.

          First, reupload the original vB 'install' directory and files for your version, except for install.php. Then run '.../install/finalupgrade.php'.

          If you still have this problem after that, then this is from a modification.

          To troubleshoot this, first reupload all the original vB non-image files (except install.php). Make sure you upload these in ASCII format and overwrite the ones on the server. Also be sure to upload the admincp files to whichever directory you have set in your config.php file. Then run 'Suspect File Versions' in Diagnostics to make sure you have all the original files for your version and that none show 'File does not contain expected contents':

          Admin CP -> Maintenance -> Diagnostics -> Suspect File Versions


          [Note: In some cases you may also need to remove any of the listed .xml files in the includes/xml directory.]

          Next, disable all products (except vB Blog and vB CMS if you are running the Suite.)

          Admin CP -> Plugins & Products -> Manage Products -> Disable


          Then manually uncheck all plugins that are not for 'vBulletin Blog' and 'vBulletin CMS' here:

          Admin CP -> Plugins & Products -> Plugin Manager


          You must do BOTH of those steps in order to disable all non vBulletin Modifications.

          Then if you still have this problem, create a new style and choose no parent style. This will force it to use the default templates. Finally empty your browser cache, close all browser windows then try again. Make sure you change to the new style and view your forums with it.

          Do you have the same problem? If so, remove all ads.
          Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


          • #6
            Thanks I will get back once tried.



            • #7
              OK I did all, and very strangely I saw at the bottom of the forums that something was trying to load from some yahooo000 URL.

              check screenshot:


              So I went to phpmyadmin and searched for that "ya00ho00.com" and I got the following result:

              In the session table, when I tried to edit it, it had the following path (location is posted below)


              Location field in the above screenshot says:

              mydomain.com/forums/admincp/template.php?do=modify&searchset=184&searchstring=ya000ho00.com&titlesonly=0



              Should I delete that session?



              • #8
                Sure, try that. Also try emptying your browser cache.
                Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


                • #9
                  Steve, that is very weird. Now I try to search for "ya000ho00.com" and it doesn't show any results in my phpMyAdmin. Before it was.

                  Maybe because it was in a "session" table, and it got expired or something?




                  • #10
                    OK at the bottom of my browser I can see, the forums try to load something from

                    ya000ho00.com and domdex.com

                    I searched the template no such words found, I searched the SQL no such words found.

                    I am really confused now, I have changed the ftp, root pw everything, the folders are fresh installed, then why this.

                    How do I get rid of this.




                    • #11
                      Honestly I do not see how that could be if you followed all of my instructions. Have you?

                      If so, fill out a support ticket at:

                      http://members.vbulletin.com/members...ontactform.php

                      Please include a complete description of the problem and be sure to include the login info to your Admin CP, phpMyAdmin and FTP in the 'Sensitive Data' field.
                      Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


                      • #12
                        OK I removed googlebot.php and now it is not trying to load or read yahooo00 dot com and other domdex . com site.

                        That is very weird.

                        Why did the problem occur in the first place with googlebot.php? What is the purpose of that file?



                        • #13
                          That is not a vB file and not something that the default vB code or templates would ever use.
                          Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


                          • #14
                            So finally the problem solved.

                            But one question that is still bothering me is that why did the forums index try to read that file?

                            I know that the file was causing it, but what code made it read from the forums?

                            Is deleting enough or should I dig more and find out what was pointing towards that file?



                            • #15
                              The default vB code and templates would never even look for or at the file.

                              Personally I think there is a good possibility your web hosting account has been hacked, assuming you did not inadvertently upload that file yourself. I would change your hosting account password and notify your host.
                              Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
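
An added example (not part of the thread and not vBulletin code): a file-level audit in the spirit of the 'Suspect File Versions' check from post #5, comparing the served directory with a freshly unpacked clean copy and reporting both changed files and files absent from the clean copy, which is where googlebot.php would appear. The function names, the `LOCAL_OK` allowlist and the sample trees are assumptions constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Files the site creates itself and the vendor archive lacks (assumption).
LOCAL_OK = {"includes/config.php"}

def digest(path):
    # ASCII-mode FTP may rewrite line endings, so normalise CRLF before
    # hashing; otherwise every re-uploaded text file would look modified.
    return hashlib.sha256(path.read_bytes().replace(b"\r\n", b"\n")).hexdigest()

def index(root):
    """Map relative path -> digest for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): digest(p)
            for p in root.rglob("*") if p.is_file()}

def audit_webroot(live_root, clean_root, local_ok=LOCAL_OK):
    """Compare the served tree with a freshly unpacked clean copy."""
    live, clean = index(live_root), index(clean_root)
    return {
        "unexpected": sorted(f for f in live
                             if f not in clean and f not in local_ok),
        "modified": sorted(f for f in live
                           if f in clean and live[f] != clean[f]),
    }

def demo():
    """Constructed sample trees; googlebot.php is the file named in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "includes").mkdir(parents=True)
            (root / "global.php").write_bytes(b"<?php // stock global\n")
        (clean / "index.php").write_bytes(b"<?php // stock index\n")
        (live / "index.php").write_bytes(b"<?php // stock index\r\n")  # ASCII upload
        (live / "includes" / "config.php").write_bytes(b"<?php // site config\n")
        (live / "googlebot.php").write_bytes(b"<?php // not in the archive\n")
        (live / "global.php").write_bytes(b"<?php // stock global\n// extra\n")
        return audit_webroot(live, clean)

if __name__ == "__main__":
    for kind, files in demo().items():
        for name in files:
            print(f"{kind}: {name}")
```

Run against a real install, `audit_webroot` takes the forum directory and the unpacked archive for the same version; anything under "unexpected" that is not an upload or a known add-on deserves a look before it is deleted.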