My Forum Has Been Hacked-PLEASE HELP!


Jaske
11-09-2010, 04:15 PM
Okay I'm new to vB and I'm still getting to know the ins and outs of it and I really hate asking for help without first trying to fix any problems I have, but I can not fix this problem and I know it has got to be a minor hack, but I just can't figure out where to look.

Today I logged into my forum and noticed on a few of the pages where the names of the threads are listed there are 3 small links that say "watch movies-buy movies-movies download". they are in the middle of the thread, between the thread name and the last post (see attachments below).

Now I have tried to look for the links in 'edit templates' but had no luck. Maybe someone on here can direct me in the right place to search?

The links appear to be on the page because when I scroll they move upward with the threads.

I also just checked my cPanel and in my forum directory there are a bunch of pages with names like "0a332aaf80d731a786131f1712d05670" but no info on the page when I open it up to view it...only "0.6" or "9"....any idea what these are? I don't remember them being there before....are they some sort of log?

Anyway, if you have an idea of what file(s) I should edit please let me know...this is aggravating as all hell!!:mad:

https://vborg.vbsupport.ru/external/2010/11/46.png


https://vborg.vbsupport.ru/external/2010/11/47.png

borbole
11-09-2010, 04:32 PM
Can you post the link to your forum? Those weird files, do they have any code in them?

Jaske
11-09-2010, 04:58 PM
> Can you post the link to your forum? Those weird files, do they have any code in them?

the weird files have only the number "0" or "0.6" in them (without quotes)....wondering if I should just delete them...
here's the link to one of the forum pages with the "watch movies" links...
http://www.illadelstylez.com/forum/forumdisplay.php/6-Sketches-Canvas

Ninos
11-09-2010, 06:59 PM
I can't give much help with the inner workings of vBulletin, but yes, delete them files now.

--------------- Added 09 Nov 2010 at 16:00 ---------------

Nice forum by the way.

Jaske
11-09-2010, 07:14 PM
> I can't give much help with the inner workings of vBulletin, but yes, delete them files now.
>
> --------------- Added 09 Nov 2010 at 16:00 ---------------
>
> Nice forum by the way.

Thanks.

--------------- Added 09 Nov 2010 at 16:52 ---------------

Now I deleted all the weird files that I know for sure didn't belong in the directory but after I deleted them all (around 100+) a couple at a time keep popping up...the files are named "1b7fdbbea3567de746321d9915b3502c" and all have different numbers & letters...I'll delete those, refresh the directory then there's 2-3 new ones...WTF!!!
Can anyone give me the name of an add-on or contribution that can scan the files? Something like "KISS File Safe" for OsCommerce....only for vBulletin...and are there any must-have security addons I should install? Please help!

TheRageIsOn
11-10-2010, 08:50 AM
Hey, I am wondering why anyone other than you (root) can write in your webserver directories?
Are they read only?

Outbackmark
11-10-2010, 09:11 AM
Those files are something to do with it, as TheRage says, check the write permissions in your directory and change your root password asap, also for any FTP accounts you may have set up.
There have been additions made to the FORUMHOME, forumdisplay and threaddisplay templates. This code

<!--343a46459562b88e7bf7d0a890b75727--><div style="position:absolute; left:324px; top: -100px;"><a href="http://www.extafilm.com/">watch movies</a>. <a href="http://www.moviethone.com/">movies download</a>. <a href="http://www.qubmovies.com/">buy movies</a></div><!--/343a46459562b88e7bf7d0a890b75727-->

has been added to those templates. There will probably be an XML file of some sort in one of your directories that's installing this code in a similar way that addons/hacks add code to templates in VB/PHP.
You need to run VB Diagnostics/Suspect File Versions and check all non VB files, most addon/hack files will have recognizable names and alien files can be spotted fairly easily in the report.
I would also suggest you get your host to run a scan in your partition and make sure it's clean.
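
An added example, not part of the original thread: a Python check for the two indicators described above, a template block wrapped in paired HTML comments carrying the same 32-hex-digit token, and small extensionless files whose name is 32 hex digits. It assumes the template text has been exported to a string or file; the token, link and file contents in `demo()` are constructed placeholders.

```python
import os
import re
import tempfile

# Paired HTML comments carrying the same 32-hex-digit token around a block.
MARKER_BLOCK = re.compile(r"<!--([0-9a-f]{32})-->(.*?)<!--/\1-->", re.S)
HREF = re.compile(r'href="([^"]+)"', re.I)
HEX_NAME = re.compile(r"[0-9a-f]{32}")


def find_injected_blocks(template_text):
    """Return (token, [link targets]) for every marker-wrapped block."""
    return [(m.group(1), HREF.findall(m.group(2)))
            for m in MARKER_BLOCK.finditer(template_text)]


def find_hex_named_files(root, max_size=64):
    """List small files whose whole name is 32 hex digits (no extension)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if HEX_NAME.fullmatch(name) and os.path.getsize(path) <= max_size:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    # Constructed sample data: placeholder token, link and directory contents.
    token = "0123456789abcdef0123456789abcdef"
    template = ('<div id="threads">\n<!--%s--><div style="position:absolute;">'
                '<a href="http://spam.example/">watch movies</a></div><!--/%s-->\n'
                '</div>' % (token, token))
    blocks = find_injected_blocks(template)
    with tempfile.TemporaryDirectory() as root:
        for name, body in ((token, "0.6"), ("index.php", "<?php ?>")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        files = find_hex_named_files(root)
    return blocks, files


if __name__ == "__main__":
    print(demo())
```

Hits are leads for manual review rather than proof of compromise; the size limit of 64 bytes is an assumption based on the one-number files described in the thread.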

Jaske
11-10-2010, 02:57 PM
> Those files are something to do with it, as TheRage says, check the write permissions in your directory and change your root password asap, also for any FTP accounts you may have set up.
> There have been additions made to the FORUMHOME, forumdisplay and threaddisplay templates. This code
>
> <!--343a46459562b88e7bf7d0a890b75727--><div style="position:absolute; left:324px; top: -100px;"><a href="http://www.extafilm.com/">watch movies</a>. <a href="http://www.moviethone.com/">movies download</a>. <a href="http://www.qubmovies.com/">buy movies</a></div><!--/343a46459562b88e7bf7d0a890b75727-->
>
> has been added to those templates. There will probably be an XML file of some sort in one of your directories that's installing this code in a similar way that addons/hacks add code to templates in VB/PHP.
> You need to run VB Diagnostics/Suspect File Versions and check all non VB files, most addon/hack files will have recognizable names and alien files can be spotted fairly easily in the report.
> I would also suggest you get your host to run a scan in your partition and make sure it's clean.

I found the links with Firebug but when I looked in the files I couldn't find them. So they are at the very top of the pages? I did see a long line of numbers like you posted...I will change passwords, run the check and keep posted what I get.

swiper the fox
11-10-2010, 08:18 PM
https://vborg.vbsupport.ru/showthread.php?t=203933
install instructions

Download: http://www.vbulletin-germany.org/showthread.php?t=5467

this is a very handy plugin which will assist you with searching for this and where/what plug-in it may be coming from

DigitalDark
11-12-2010, 07:04 AM
Probably these links are generated in the PHP files of vBulletin. There is an option in vBulletin that recognizes external files:

Admincp -> Maintenance -> Check Version File (3rd option).

The files of plugins and other programs will appear. I'm sure that your vBulletin files (PHP files) have been modified and are linked with the strange "145384asdada5d6s54d6a5sd4a6sd" files.
If I were you I would download the vBulletin package again and reupload all the files. If you get the same after this step, it means that your SQL database has been touched.

Good luck.