VBulletin Forum Hacked/Exploited

  • VBulletin Forum Hacked/Exploited

    I recently reinstalled my OS after a virus infection, to find my forum has also been infected. The main page is now blank, and was trying to load something called mynewnameshop.cn:8080 and some other junk website. I was able to find some dodgy IFrames hidden in the index.html and index.php of my forum, but removing them has had little effect.

    I managed to access my forum through my donation page, but I cannot access the Admin or Mod CPs, and looking at my FTP I believe they have been deleted. Trying to click them will only direct to index.php (which is a blank page).

    I am running vbulletin v. 3.7.4, and unfortunately haven't been able to upgrade due to financial constraints.

  • #2
    Upload and overwrite all the files with the ones not infected.



    • #3
      Thanks. That's restored access to the forum and Admin/Mod CPs, but I still feel uneasy that this exploit might be hiding elsewhere on the forum.



      • #4
        Run the Suspect File Version tool under Maintenance -> Diagnostics. It will allow you to identify any unknown files and delete them. Any files with a name consisting solely of numbers and the extension of php should be deleted.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API - Full / Mobile
        Vote for your favorite feature requests and the bugs you want to see fixed.
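As an added example (not part of the original thread and not vBulletin's own diagnostic tool), a small Python scan of a web root for the two indicators mentioned in this thread: PHP files whose name consists solely of digits, and hidden iframes injected into pages such as index.html and index.php. The hidden-iframe heuristics, the function names and the sample tree (with the placeholder host example.invalid) are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Post #4's rule: a name made only of digits plus ".php".
NUMERIC_PHP = re.compile(r"^\d+\.php$", re.IGNORECASE)
IFRAME = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
# Attributes that make a frame invisible to visitors (assumed heuristics).
HIDDEN = re.compile(
    rb"""(?:width|height)\s*=\s*["']?[01](?!\d)|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)
SCAN_EXT = (".php", ".html", ".htm", ".js")

def scan_webroot(root):
    """Return sorted (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if NUMERIC_PHP.match(name):
                findings.append((rel, "numeric-php-name"))
            if not name.lower().endswith(SCAN_EXT):
                continue
            with open(path, "rb") as fh:
                data = fh.read(2_000_000)  # cap the read for very large files
            for tag in IFRAME.findall(data):
                if HIDDEN.search(tag):
                    findings.append((rel, "hidden-iframe"))
                    break  # one finding per file is enough
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree; example.invalid is a placeholder host."""
    os.makedirs(os.path.join(root, "includes"))
    samples = {
        "index.php": b"<?php echo 'forum'; ?>",
        "includes/index.html": b'<html><iframe src="http://example.invalid:8080/" width="1" height="1"></iframe></html>',
        "includes/12345.php": b"<?php /* unknown file */ ?>",
        "faq.php": b'<iframe src="/help.html" width="600" height="400"></iframe>',
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan_webroot(tmp), sep="\n")
```

A clean result from a scan like this only means these two patterns were not found; comparing every file against a fresh copy of the release, as the Suspect File Versions tool does, remains the stronger check.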



        • #5
          I've also upgraded to 3.8.2, but it's happened again..... Another weird Chinese link in the source code of the main index (which redirects to the forum). Same thing happened to Admin & ModCPs too.

          Btw, do you think any of this could be due to having a Play-Asia affiliation banner on the site? I've had it there awhile though, before all this happened.

          Diagnosis report:
          Suspect File Versions

          ./ (Scanned 61 files)
            banlog.php - File not recognized as part of vBulletin
            billspaypal.php - File not recognized as part of vBulletin
            billspaypal_donated.php - File not recognized as part of vBulletin
            index.php - File does not contain expected contents
            rules.php - File not recognized as part of vBulletin
          ./archive (Scanned 3 files)
            index.php - File does not contain expected contents
          ./clientscript (Scanned 53 files)
            index.html - File not recognized as part of vBulletin
            vbulletin_editor.css - File does not contain expected contents
          ./clientscript/yui (Scanned 4 files)
            index.html - File not recognized as part of vBulletin
          ./clientscript/yui/animation (Scanned 2 files)
            index.html - File not recognized as part of vBulletin
          ./clientscript/yui/connection (Scanned 2 files)
            index.html - File not recognized as part of vBulletin
          ./clientscript/yui/dragdrop (Scanned 2 files)
            index.html - File not recognized as part of vBulletin
          ./clientscript/yui/yahoo-dom-event (Scanned 2 files)
            index.html - File not recognized as part of vBulletin
          ./headcp (Scanned 58 files)
            index.php - File does not contain expected contents
          ./images/regimage/fonts (Scanned 2 files)
            index.html - File not recognized as part of vBulletin
          ./includes (Scanned 129 files)
            class_userprofile.php - File does not contain expected contents
            index.html - File not recognized as part of vBulletin
          ./includes/cron (Scanned 18 files)
            index.html - File not recognized as part of vBulletin
          ./includes/paymentapi (Scanned 8 files)
            index.html - File not recognized as part of vBulletin
          ./includes/xml (Scanned 7 files)
            index.html - File not recognized as part of vBulletin
          ./install (Scanned 94 files)
            index.html - File not recognized as part of vBulletin
            upgrade_372.php - File not recognized as part of vBulletin
            upgrade_373.php - File not recognized as part of vBulletin
            upgrade_374.php - File not recognized as part of vBulletin
          ./secondcp (Scanned 10 files)
            index.php - File does not contain expected contents



          • #6
            Apparently these iFrame attacks are caused by someone hacking your FTP, right?



            • #7
              See this thread here: http://www.vbulletin.com/forum/showthread.php?t=308397

              Wayne Luke



              • #8
                My computer is clean, and unmaskparasites now says my site is likewise (whereas before it alerted me to the malicious iframe).

                I contacted my host, and they said this kind of thing is performed through third-party software and not FTP/cPanel access. Therefore something is being exploited in my vbulletin?

                Btw, I also fixed all the discrepancies within the Diagnosis. Most of them were index.html files that had been infected with iframes. However, these three still remain: upgrade_372, 373 and 374.php - Files not recognized as part of vBulletin. ????



                • #9
                  Originally posted by Masamune:
                  My computer is clean, and unmaskparasites now says my site is likewise (whereas before it alerted me to the malicious iframe).

                  I contacted my host, and they said this kind of thing is performed through third-party software and not FTP/cPanel access. Therefore something is being exploited in my vbulletin?

                  Btw, I also fixed all the discrepancies within the Diagnosis. Most of them were index.html files that had been infected with iframes. However, these three still remain: upgrade_372, 373 and 374.php - Files not recognized as part of vBulletin. ????

                  Considering those are a part of vBulletin, them not being recognized seems suspicious, so remove them. Back them up first, however.

