Just bumping this up, as I'm a bit worried about it. When pages are loading on my site, the page name sometimes briefly reads: http://kokosina.in This is not at all related to my site. Does anyone know what this could be? Has anyone here come across this before?

OK, further to the post above, now as my pages are loading, I'm getting other weird names, such as fleshox.cz.cc midgetjasmine.us nic.cz.cc abused-domain.cz.cc These are appearing as the page is loading, eg, it'll say: Waiting for....and will give the details of my page as it loads, then suddenly one of the above will appear, the vanish again relatively quickly. Its beginning to worry me. Has anyone experienced anything like this? Is my website under threat? Are my forum members under threat?

I should point out that so far I've only noticed it on Internet Explorer, not Google Chrome as yet.

Just checked on Mozilla, and its happening on there too!

Edit: Its also happening on Google Chrome.

I started getting the fleshox.cz.cc hits today. I imagine its an injection.

Thanks RJO. What is an injection?

see the same thing

I am seeing the same things.

Also, when I try to click on any of the links in my admin area they are not working. For example, clicking on the "search for users" link goes nowhere.

after seeing this I updated vBullitin but am still experiencing and seeing the same issues.

Thanks mferree. How did you find the links in the admin area? Can you delete them?

Do you use any type of ads? Most likely something like that.

Link to your site?

1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

2) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

3) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

4) Check your plugins for any base64 code. I recommend using against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

5) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

Query for step 4 and 5 -
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

6) Run this query:
SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

problem resolved

First, it doesn't appear to have anything to do with the ads that are on the site.

Second, I went ahead and uploaded the most recent version of vbullitin and it appears to have resolved the issue. I suggest doing the same.

Mike

Wayne, many thanks for your help. Much appreciated. I will go through your list. At this stage I don't have any ads on the site, its only been running 6-8 months and I haven't been trying to sell advertising.

Thanks again Wayne.

Thanks Trevor, it is here: http://www.theroaringseason.com/

I have the same problem now

Members on my forum are getting attacked too. What I don't understand is why when I log on to my own forum I am not attacked and Kaspersky does not show a warning box. However when I just look at Trevours website it brings up the warning ?

I followed your advice on my site with 1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.


There were two files I deleted, but one 'connection-min.js' says file does not contain expected data. How do you replace this file ?

I have tried reading up on 'injection hacking' but am confused as to how this achieved. Is my SQL database corrupted now or is it a front end hack using someone elses ID ??

Try my webiste and see if you get the warning as I don't but members do ?