Security concerns
VBall
09-02-2011, 02:45 PM
Hi All,
I'm running a 3.8.1 forum and recently we've had a couple of intrusions where .js files were modified in the clientscript folder. I was able to remove those but some users have reported that they are still getting virus warnings occasionally.
Can anyone help me understand how someone may be able to modify the files in the clientscript folder? I don't believe they've gained access to the server directly. Could there be malicious code in our database? If so, which tables/fields should I know? Is there a query I can use to find them?
Thanks.
borbole
09-02-2011, 02:48 PM
Ask your host to check the access/ftp logs for around the time of the hack to see what exactly went down. You are running a very old version which has several known security issues. I think it would help to upgrade your forum to the latest version of the 3.8x series.
vijayninel
09-02-2011, 03:15 PM
I think it would help to upgrade your forum to the latest version of the 3.8x series.
I agree with this. There have been a lot of security patches since 3.8.1. Not having them will leave your forum vulnerable.
Indeed, if you are able to, upgrade to vB 3.8.7 - other than that, check the permissions on your clientscript folder - do you allow files to be written in /clientscript/vbulletin_css/ ?
TheLastSuperman
09-02-2011, 03:59 PM
I know on one occasion, a client of mine was hacked... come to find out a plugin was created w/o them knowing so check your files for any changes via timestamps and also check your plugins, ensure that there are no spare "iffy" plugins active ;).
VBall
09-02-2011, 04:19 PM
Ask your host to check the access/ftp logs for around the time of the hack to see what exactly went down. You are running a very old version which has several known security issues. I think it would help to upgrade your forum to the latest version of the 3.8x series.
We've checked the logs and didn't see anything related to the files. We have plans to upgrade to the latest version this weekend... hopefully that will help
--------------- Added 1314984001 at 1314984001 ---------------
Indeed, if you are able to, upgrade to vB 3.8.7 - other than that, check the permissions on your clientscript folder - do you allow files to be written in /clientscript/vbulletin_css/ ?
It is indeed open with 777 access. What should the vbulletin_css folder permissions be?
--------------- Added 1314984225 at 1314984225 ---------------
I know on one occasion, a client of mine was hacked... come to find out a plugin was created w/o them knowing so check your files for any changes via timestamps and also check your plugins, ensure that there are no spare "iffy" plugins active ;).
The other admin handles the plugins and we may have a few that may be suspect... I'll have to check them out. Thanks
TheLastSuperman
09-02-2011, 05:41 PM
It is indeed open with 777 access. What should the vbulletin_css folder permissions be?
755
VBall
09-02-2011, 06:06 PM
755
Thank you! I've changed it to 755 now. Do you guys think this could have allowed access into the clientscript folder for modification? I thought permissions cannot go up the tree.
nhawk
09-03-2011, 10:17 AM
Umm.. this might be a dumb question but..
If you've changed the CSS to be stored on disk, doesn't that folder need to be 777? I think 755 will give a write access error.
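The checks suggested in this thread (folder permissions, file timestamps), as an added shell example that is not part of any post: it lists world-writable paths and recently modified .js files, and goes one step further by comparing live .js files byte-for-byte against a clean copy of the same release. The function names, the sample file names and the clean-copy directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and file names are constructed.

# Paths any local account can write to (the o+w bit, set by modes such as 777).
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print | sort
}

# .js files whose mtime falls within the last $2 days. mtime can be reset by
# whoever changed the file, so treat an empty result as inconclusive.
recent_js() {
    find "$1" -type f -name '*.js' -mtime "-$2" -print | sort
}

# Compare live .js files byte-for-byte with a clean copy of the same release
# (assumed to be unpacked from the original download into $2).
changed_vs_clean() {
    ( cd "$1" && find . -type f -name '*.js' -print | sort ) |
    while IFS= read -r f; do
        if [ ! -f "$2/$f" ]; then
            echo "EXTRA $f"
        elif ! cmp -s "$1/$f" "$2/$f"; then
            echo "MODIFIED $f"
        fi
    done
}

# Build a small constructed tree: one untouched file, one altered, one added.
make_sample_tree() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/clean/clientscript" "$root/live/clientscript/vbulletin_css"
    echo 'function a(){}' > "$root/clean/clientscript/sample_a.js"
    echo 'function b(){}' > "$root/clean/clientscript/sample_b.js"
    cp "$root/clean/clientscript/sample_a.js" "$root/live/clientscript/"
    echo 'function b(){} /* altered */' > "$root/live/clientscript/sample_b.js"
    echo '/* not in release */' > "$root/live/clientscript/sample_extra.js"
    chmod 777 "$root/live/clientscript/vbulletin_css"
    echo "$root"
}

tree=$(make_sample_tree)
world_writable "$tree/live"
recent_js "$tree/live" 7
changed_vs_clean "$tree/live" "$tree/clean"
rm -rf "$tree"
```

On a real install, point the first argument at the forum root and the second argument of `changed_vs_clean` at a freshly unpacked copy of the exact version that is running.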