I've now upgraded to 4.1.9, and so far so good, although I'm slightly nervous, as others on here have said the same thing, only for it to return. Did I read somewhere that 4.1.9 allows 2 separate passwords, 1 for the general forum, 1 for the admin area? How do I change my passwords?

i suspect it will return - this is the 4 time ive have tried this - its the same every time and very simple to fix

so until vb finds a solution on how tey manage to infiltrate the templates - do as i described before...

its a fine quick fix

As I see it the strategy is not to just keep deleting it. If hackers can insert this, what is to prevent them from inserting even more dangerous and harder to find scripts?

absolutely nothing...

but as long as vb dont do nothing to prevent it - theres not much we can do besides that

I can confirm someone with a Ukraine IP accessed my AdminCP using the User ID#1 and modified the footer template. It appears as if had something to do with a file called plugin.php - How they got my username and password for this account I have no idea. My very helpful ISP ran a total scan on my site, and checked the logs, and assured me nobody but me has accessed the server. Here are my Admin logs if it helps anyone figure this out. I am using 4.1.3 Patch Level 1

3295 admin 01:40, 20th Dec 2011 template.php updatetemplate style id = 1 91.203.88.106
3294 admin 01:40, 20th Dec 2011 template.php edit style id = 0 91.203.88.106
3293 admin 01:40, 20th Dec 2011 template.php modify 91.203.88.106
3292 admin 01:40, 20th Dec 2011 template.php updatetemplate style id = 1 91.203.88.106
3291 admin 01:40, 20th Dec 2011 template.php edit style id = 0 91.203.88.106
Control Panel Log

[Restart]
Help
Control Panel Log Viewer (page 2/34) | There are 3,390 total log entries.
ID User Name Date Script Action Info IP Address
3290 admin 01:40, 20th Dec 2011 template.php modify 91.203.88.106
3289 admin 01:40, 20th Dec 2011 template.php modify 91.203.88.106
3288 admin 01:10, 20th Dec 2011 template.php updatetemplate style id = 1 91.203.88.106
3287 admin 01:10, 20th Dec 2011 template.php edit style id = 0 91.203.88.106
3286 admin 01:10, 20th Dec 2011 template.php modify 91.203.88.106
3285 admin 01:10, 20th Dec 2011 template.php inserttemplate style id = 3 91.203.88.106
3284 admin 01:10, 20th Dec 2011 template.php add style id = 3 91.203.88.106
3283 admin 01:10, 20th Dec 2011 template.php modify 91.203.88.106
3282 admin 01:10, 20th Dec 2011 template.php modify 91.203.88.106
3281 admin 23:42, 18th Dec 2011 plugin.php kill plugin id = 206 91.203.88.106
3280 admin 23:42, 18th Dec 2011 plugin.php delete plugin id = 206 91.203.88.106
3279 admin 23:42, 18th Dec 2011 plugin.php modify 91.203.88.106
3278 admin 23:42, 18th Dec 2011 plugin.php update 91.203.88.106
3277 admin 23:42, 18th Dec 2011 plugin.php add 91.203.88.106
3276 admin 22:42, 18th Dec 2011 plugin.php kill plugin id = 205 91.203.88.106
3275 admin 22:42, 18th Dec 2011 plugin.php delete plugin id = 205 91.203.88.106
3274 admin 22:42, 18th Dec 2011 plugin.php modify 91.203.88.106
3273 admin 22:42, 18th Dec 2011 plugin.php update 91.203.88.106
3272 admin 22:42, 18th Dec 2011 plugin.php add 91.203.88.106
3271 admin 22:40, 18th Dec 2011 plugin.php kill plugin id = 204 91.203.88.106
3270 admin 22:40, 18th Dec 2011 plugin.php delete plugin id = 204 91.203.88.106
3269 admin 22:40, 18th Dec 2011 plugin.php modify 91.203.88.106
3268 admin 22:40, 18th Dec 2011 plugin.php update 91.203.88.106
3267 admin 22:40, 18th Dec 2011 plugin.php add 91.203.88.106
3266 admin 22:39, 18th Dec 2011 plugin.php kill plugin id = 203 91.203.88.106
3265 admin 22:39, 18th Dec 2011 plugin.php delete plugin id = 203 91.203.88.106
3264 admin 22:39, 18th Dec 2011 plugin.php modify 91.203.88.106
3263 admin 22:39, 18th Dec 2011 plugin.php update 91.203.88.106
3262 admin 22:39, 18th Dec 2011 plugin.php add 91.203.88.106
3261 admin 22:22, 18th Dec 2011 plugin.php kill plugin id = 202 91.203.88.106
3260 admin 22:22, 18th Dec 2011 plugin.php delete plugin id = 202 91.203.88.106
3259 admin 22:22, 18th Dec 2011 plugin.php modify 91.203.88.106
3258 admin 22:22, 18th Dec 2011 plugin.php update 91.203.88.106
3257 admin 22:22, 18th Dec 2011 plugin.php add 91.203.88.106
3256 admin 21:52, 18th Dec 2011 plugin.php kill plugin id = 201 91.203.88.106
3255 admin 21:52, 18th Dec 2011 plugin.php delete plugin id = 201 91.203.88.106
3254 admin 21:52, 18th Dec 2011 plugin.php modify 91.203.88.106
3253 admin 21:52, 18th Dec 2011 plugin.php update 91.203.88.106
3252 admin 21:52, 18th Dec 2011 plugin.php add 91.203.88.106
3251 admin 21:38, 18th Dec 2011 plugin.php kill plugin id = 200 91.203.88.106
3250 admin 21:38, 18th Dec 2011 plugin.php delete plugin id = 200 91.203.88.106
3249 admin 21:38, 18th Dec 2011 plugin.php modify 91.203.88.106
3248 admin 21:38, 18th Dec 2011 plugin.php update 91.203.88.106
3247 admin 21:38, 18th Dec 2011 plugin.php add 91.203.88.106
3246 admin 20:44, 18th Dec 2011 plugin.php kill plugin id = 199 91.203.88.106
3245 admin 20:44, 18th Dec 2011 plugin.php delete plugin id = 199 91.203.88.106
3244 admin 20:44, 18th Dec 2011 plugin.php modify 91.203.88.106
3243 admin 20:43, 18th Dec 2011 plugin.php update 91.203.88.106
3242 admin 20:43, 18th Dec 2011 plugin.php add 91.203.88.106

I had the exact same IP do this to my site on the same day as you! I'll add that IP to an htaccess blacklist but I'm sure that won't be the end of it!

So there is still no official explanation for why this is happening?

This sounds pretty serious
several vb sites infected

are other scripts getting hit?
mybb, phpbb, ipb or xenforo forums?

Extremely serious. I could have went with countless other message boards when I set up my community but I went with vB because I assumed that the $300 premium would provide the kind of support that would prevent (or atleast minimize) this kind of thing. Yet this thread is now 2 weeks old and still no official word on why this is happening (that I know of, if I am wrong on this my apologies).

The last thing I want is to have my website infecting user computers.

The majority do seem to be vBulletin sites... http://www.google.com/search?q="koko... by vBulletin"

"kokosina.in" has 405 hits on Google, 233 of them include the phrase "Powered by vBulletin". Give or take a dozen for links pointing to threads on this site and scrapers that repost RSS feeds, it's still quite alarming...

VERY Alarming IMHO...

Has vbulletin officially replied to this?
Other then the normal (we don't support modded forums) answer??

Every site that I have looked at appears to have been infected on an exploit that was present in 4.1.3 and the patch levels weren't applied in time and/or passwords weren't changed. The exploiters at that time usually left backdoors in the system that were also not removed. The exploit has been fixed for quite some time now. I have not seen any site where the initial exploit has occurred on a 4.1.8 or 4.1.9 board.

If you have additional information then you need to suppy it.

We can't force customers to update to the latest software. We issue notices when patch levels are released but can't force them to be installed. Customers need to maintain their sites on the latest versions of the software or properly apply security patches when they are released.

I agree with you but don't the powers that be, think it's alarming that so many vBulletin sites are getting infected?

Wayne, if that is the case that's fair enough. I was not updated with the latest patches, and yes, that is my fault.

However, I was simply looking for an official word that your team knows exactly what is happening and what needs to be done to fix it. You provided that now, that this was a issue discovered back in 4.1.3. If you had provided that earlier in this thread and I missed it my apologies.