Vbulletin Virus URGENT HELP

  • [Forum] Vbulletin Virus URGENT HELP

    I have an iframe exploit on my site.

    I have disabled the board but am now at a loss as to what to do.

    This is very very bad. I have never had a problem with previous versions.

    Any advice appreciated. Knew I shouldn't have bought VB4.

  • #2
    Originally posted by PondPikey View Post
    I have an iframe exploit on my site.

    I have disabled the board but am now at a loss as to what to do.

    This is very very bad. I have never had a problem with previous versions.

    Any advice appreciated.
    Where is the Iframe appearing? Is it on all pages at a particular place on the page? Have you run a search in your templates for the code to generate the Iframe?

    Knew I shouldn't have bought VB4.
    And who says this is a problem with vB4? If it was an inherent problem wouldn't this forum be inundated with disgruntled, hacked customers?
    Vote for:

    - *Admin Settable Paid Subscription Reminder Timeframe*
    - *PM - Add ability to reply to originator only*
    - Add Admin ability to auto-subscribe users to specific channel(s)
    - "Quick Route" Interface...



    • #3
      Originally posted by Trevor Hannant View Post
      Where is the Iframe appearing? Is it on all pages at a particular place on the page? Have you run a search in your templates for the code to generate the Iframe?
      Seems to be everywhere. The only mod that was running an iframe was the shoutbox, which is now disabled. I have created a new theme without a parent and the problem still exists.

      And who says this is a problem with vB4? If it was an inherent problem wouldn't this forum be inundated with disgruntled, hacked customers?
      Well there are definitely a few about, seems to be more issues with vb4 than I ever had with 3.7!

      Any advice would be appreciated.



      • #4
        Can you post the link to your forum?



        • #5
          1) Fixing the damage:

          You need to restore a backup from before the forum was hacked. If you don't have a backup then you should ask your host if they have one.

          2) Preventing future attacks:

          Here are some security tips to help prevent this in the future:

          https://www.vbulletin.com/forum/showthread.php?t=194701

          3) Finding out exactly how they hacked you:

          If an admin or mod account was hijacked then you might find evidence of their activities in the vBulletin logs:

          Admin CP -> Statistics & Logs

          It can be difficult to track down exactly how the hacker got in. You will need to consult with your host to examine the server logs for evidence of intrusion. Otherwise you can just follow the above security tips to help prevent future attacks.


          • #6
            Originally posted by borbole View Post
            Can you post the link to your forum?
            Warning: http://www.carpy.co.uk/forumdisplay.php



            • #7
              I don't see anything untoward in the source code for the 'board closed' page


              • #8
                Originally posted by Trevor Hannant View Post
                I don't see anything untoward in the source code for the 'board closed' page
                Nope, but as soon as you log on it gets crazy!



                • #9
                  Originally posted by PondPikey View Post
                  Nope, but as soon as you log on it gets crazy!
                  How exactly does it go crazy? Can you post a screenshot?

                  Check the db for the malicious iframe code, more specifically the templates table. Ask your host as well to check their logs and see how they got access to your forum. After you clean up your forum, change all your login info and then upgrade it to 4.1.4 a.s.a.p.



                  • #10
                    See attached screenshot.

                    Just taken a database backup. What should I be searching for on phpmyadmin?!

                    Hope you can help!



                    • #11
                      Could you view the html source in your browser and save the source to .txt and attach it?
                      NOTE: not the php source or anything inside admincp templates, the source of the page which comes up with that error (just to be clear)

                      Comment
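
Added example, not part of any post in this thread: one way to do the search suggested in #9 and asked about in #10, run over either a saved page source (as requested in #11) or a text database dump. It flags iframes that point off-site or are hidden. The function names, the `own_hosts` allow-list and the sample hosts are assumptions, and the sample input is constructed.

```python
import re
from html import unescape
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def parse_attrs(tag):
    """Map attribute names (lowercased) to entity-decoded values."""
    return {name.lower(): unescape(dq or sq or bare)
            for name, dq, sq, bare in ATTR_RE.findall(tag)}

def find_suspicious_iframes(text, own_hosts):
    """Return (line_no, src, reasons) for each hidden or off-site iframe.

    own_hosts: hostnames the forum legitimately embeds from (assumption:
    the site owner supplies this set).
    """
    # SQL dumps store quotes as \" and \'; undo that so attributes parse.
    text = text.replace('\\"', '"').replace("\\'", "'")
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(0))
        src = attrs.get("src", "")
        try:
            host = (urlparse(src).hostname or "").lower()
        except ValueError:          # malformed URL: treat as unknown host
            host = "?"
        reasons = []
        if host and host not in own_hosts:
            reasons.append("external host")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
            reasons.append("zero/one pixel size")
        if reasons:
            findings.append((text.count("\n", 0, m.start()) + 1, src, reasons))
    return findings

# Constructed sample: one page-source line and one database-dump line.
SAMPLE = """<div id="header">Forum</div>
<iframe src="http://forum.example/shoutbox.php" width="400" height="200"></iframe>
INSERT INTO templates VALUES (1,'footer','<iframe src=\\"http://injected.example.net/x\\" width=\\"1\\" height=\\"1\\" style=\\"visibility: hidden\\"></iframe>');
"""

if __name__ == "__main__":
    for line_no, src, reasons in find_suspicious_iframes(SAMPLE, {"forum.example"}):
        print(f"line {line_no}: {src} ({', '.join(reasons)})")
```

An empty result only rules out literal `<iframe>` tags in the text scanned; markup written by script or added by modified files on the server will not appear here.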


                      • #12
                        Thanks ZeroHour, take a looksie... I can't see anything blatant.

                        Thanks in advance

                        htmlOuput.txt



                        • #13
                          Can't see anything initially. What AV is telling you there is a virus, and what browser? Does it happen in other browsers?
                          Short of seeing the site turned on with my dev tools I can't see the page problem.



                          • #14
                            Yup, same error on IEA and Chrome, Sophos reports it as a skiddie!



                            • #15
                              I get this error in FF. >>>
                              Content Encoding Error
                              The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.
                              Please contact the website owners to inform them of this problem.
                              ...
