Help - Forum Being hacked?
Our Forum is being hacked or something?
Many members, without their knowledge, are posting a smile which includes some kind of a link. Anyone who opens that page, a popup appears and asks for the username and password. The popup location is on another site, and when the members insert their username and password, the other site is getting them:
Here is an image (forum.tayyar.org is our forum url, while alhms.com is the site that is hacking us?)
http://forum.tayyar.org/h1.gif
This is the smile that is appearing in many threads and PMs by the members (the members are not aware that they are inserting it)
http://forum.tayyar.org/h2.gif
The smile contains this link: http://www.alhms.com/jz/smile.gif (click on it and the pop up will appear)
Any idea what is happening and how can I stop it?
Thank you
Opserty
04-05-2008, 10:33 AM
You need to figure how the smilie is getting into the posts and messages. Disable your modifications and see if it still appears. What version of vBulletin are you running?
Tell your members not to enter their details, I think the domain/folder on which the image is hosted is protected by a login. Whether the site is collecting the Login Information I don't know.
But as you have correctly identified, the problem is with that image. That is what is causing the login to appear, you need to find out how it is getting there.
The person who is doing it opened an account and posted that he is doing it. His IP matches several other IPs that our members posted with that smile (they told me they did not post; they inserted their username and password when the page popped up).
Now I turned the Forum off, disabled all the modifications and tried to open a page; the pop up is still showing.
SEOvB
04-05-2008, 10:59 AM
you need to remove the image from the posts
you need to remove the image from the posts
We are doing that. We emailed the person with his IP that he has 1 hour to disable what he is doing or we will report his IP to the authorities. http://www.alhms.com/jz/smile.gif is now not asking for username and password (he removed it) and we opened the Forum back:
http://forum.tayyar.org/f8/bug-reporting-33058/
Marco van Herwaarden
04-05-2008, 11:14 AM
The person who is doing it opened an account and posted that he is doing it. His IP matches several other IPs that our members posted with that smile (they told me they did not post; they inserted their username and password when the page popped up).
So you are saying that he used the accounts of other members to make those posts? Did he maybe steal their login info with that login popup?
Ok, here is the source of the hacker: http://lebforces.org/forum/showthread.php?t=31501
When the pop up came up, I inserted the following: "212.107.116.238 proxy4.cyberia.net.sa"
Now that user who opened that thread in the above link is putting what I sent.
Here is what is happening: first a user (the hacker) is manually inserting a picture (the Smile). The picture contains a link, and when someone opens the thread, the pop up appears. Members are seeing the pop up and inserting the username and password; the username and password are going to the hacker, who is using them and posting more of the same.
We know the source, but how can we stop it? I disabled HTML and it is still happening.
Marco van Herwaarden
04-05-2008, 03:22 PM
You can not stop this unless you disable external images completely.
The best is to educate your members never to enter their board details when presented with an unexpected password popup.
SEOvB
04-05-2008, 03:39 PM
Ban his IP at the server level, I'm sure he'll get around it, then use a replacement variable to rename the image link, censor the domain it's coming from, umm that's all I can think of that may help short of disabling all external images till he moves on.
You can not stop this unless you disable external images completely.
The best is to educate your members never to enter their board details when presented with an unexpected password popup.
Ban his IP at the server level, I'm sure he'll get around it, then use a replacement variable to rename the image link, censor the domain it's coming from, umm that's all I can think of that may help short of disabling all external images till he moves on.
Done all that,
Thank you
Dismounted
04-06-2008, 09:02 AM
You can not stop this unless you disable external images completely.
The best is to educate your members never to enter their board details when presented with an unexpected password popup.
If you know the URL can't you use a replacement variable to censor the text?
Marco van Herwaarden
04-06-2008, 10:03 AM
Yes you can stop this by censoring the known link.
Preventing that this can be done (i.e. you don't know the link they will use yet) is not possible however, as you can not determine (or each link posted would need to be tested in some way if the image is protected or not) if it is a malicious link or not.
Bottom line is that they will always find ways to try to trick your members. Only education is a real solution. Compare it with spam emails, phishing emails (which are similar to what happens here) or emails with malicious links. Almost impossible to stop, only real solution is to educate people to think before clicking or entering personal information.
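Added example, not part of the thread and not vBulletin code: a Python sketch of the "test each posted link" idea mentioned above, flagging external [IMG] URLs whose server answers with an HTTP authentication challenge (the response that makes a browser show a login popup). The `.example` hosts, sample post and canned responses are constructed; since the remote host can change its answer at any time, as happened in this thread, such a scan has to be re-run over stored posts and cannot replace member education.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

def external_images(post_text, own_host):
    """Return [IMG] URLs in a post whose host is not the forum's own."""
    urls = (m.strip() for m in IMG_TAG.findall(post_text))
    return [u for u in urls
            if (urlparse(u).hostname or "").lower() != own_host.lower()]

def head_probe(url, timeout=5):
    """Network probe: return (status, headers) for a HEAD request."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # a 401 response is raised here
        return err.code, dict(err.headers)

def triggers_login_prompt(status, headers):
    """True if a browser would show a credential dialog for this response."""
    names = {k.lower() for k in headers}
    return status == 401 and "www-authenticate" in names

def audit_post(post_text, own_host, probe=head_probe):
    """List external image URLs that answer with an HTTP auth challenge."""
    return [u for u in external_images(post_text, own_host)
            if triggers_login_prompt(*probe(u))]

# Constructed sample data; all hosts are placeholders.
SAMPLE_POST = ("Nice thread [IMG]http://forum.example/images/ok.gif[/IMG] "
               "[img]http://images.example/smile.gif[/img] "
               "[IMG]http://cdn.example/cat.png[/IMG]")
CANNED = {
    "http://images.example/smile.gif":
        (401, {"WWW-Authenticate": 'Basic realm="login"'}),
    "http://cdn.example/cat.png": (200, {"Content-Type": "image/png"}),
}

def offline_probe(url):
    """Stand-in for head_probe so the example runs without network access."""
    return CANNED[url]

if __name__ == "__main__":
    print(audit_post(SAMPLE_POST, "forum.example", offline_probe))
```

Posts flagged this way are candidates for the censoring or replacement-variable cleanup discussed in the replies.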