No announcement yet.

EMERGENCY! Injection attack VB 4.2.3

  • Filter
  • Time
  • Show
Clear All
new posts

  • [Forum] EMERGENCY! Injection attack VB 4.2.3


    I believe there is an injection attack that took place on our 4.2.3 forum.

    At first just 1 or 2 users experienced a small adware that came up on the top left of the forum, on some page loads, but it was just the one person so I had them do malware scans etc. Probably just them.
    Then I had my server scanned by the hosting company for malware, found none, just to be sure.

    Then today multiple users are reporting the red Google popup saying the domain has malware.

    I've run multiple tools to test my domain such as AVG, McAfee, Mxtoolbox and all say there is nothing wrong, no blacklists etc.

    However, using Webmaster Tools, there seems to be one js script injected before the DOCTYPE which is most likely the problem. I can't see this <script> using normal view-source option in the browser, nor with F12 tools etc. The only way I've seen this script is viewing raw return data with CURL and with Webmaster Tools.

    The script being injected looks like this:

    HTML Code:
    <script type='text/javascript' src=''>
    I replaced a bunch of the URL with periods for brevity.

    I need to find out how to remove the injection attack, and make sure the site is clean, and find out how it happened.

    As far as plugins, I only run four: disable lockout notification emails, spam-o-matic, rotating banner system, and tapatalk. I don't even use the Blog or CMS. I've had these plugins installed for years and years, nothing is new.

    I have tried searching the source files of VB but the pure text of the injection is not in there, so I don't know how they are masking the code. I'm trying to search the database and templates for where the injection is taking place, but not having luck.

    I have ran the suspect file tool, it only returns the files which are not part of VB but which I know are valid, like my own files, or plugin files etc.

    I need the proper method to track this down and remove it, find out why it happened, and plug the hole!

  • #2
    This is the proper methodology to secure your site:

    All of your custom files should be considered suspect and investigated. Every plugin should be considered suspect and investigated.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API - Full / Mobile
    Vote for your favorite feature requests and the bugs you want to see fixed.


    • #3
      Right now VB is suspect and investigated
      Most of that stuff I've done for years.


      • #4
        This was very hard tracking down, the script I posted was not found when using a view-source or even dev tools. The script is only seen in the source using a raw response tool such as CURL or WGET or certain browser plugins which show the raw responses.

        As I was removing old VB files marked as not part of current version, at some point, whether it was a php file or a js file, the header just up and stopped. I had already tried disabling all plugins but that didn't work.
        There was also one file marked as having different content, but this was a new file, I reuploaded the file twice and it continued to tell me the content was different, until I was done deleting all the other files. Then the final time I uploaded that file, it didn't report as having different content.

        This has been very weird. I can't say what the fix was, it almost felt like the "hacker" was on to me and simply stopped, I don't know.

        I don't know how the source code of vBulletin works but I don't see how some orphan files can be used like this. Is VB doing some kind of autoloading of all files everywhere in the system? I mean, if it's an orphaned file, not loaded by the VB core, how is it being used for a hack??


        widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.