My website,
http://www.rotharmy.com/forums/forum.php
Is having problems. Everytime a page is loaded (I use chrome) it displays something that says "what service should be used for viewing" and lists wordpress, rssfeedreader, etc.
Is anyone else getting this?
Any suggestions? Is this a hack or something that I need to change with chrome?
I am attaching a picture of what is happening...


Somehow someone hacked into my board and it makes every page forum/cms/blog display this in the page source

<div style="position:absolute;left:-9999px"><iframe width="100" height="100" frameborder="0" src="http://www.cliphai.com/feeds/posts/default" marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true" scrolling="no"></iframe><a href="http://www.cliphai.com" alt="clip hai, phim hai, hoi xoay dap xoay, camera cong so, thu gian cuoi tuan" title="clip hai, phim hai, hoi xoay dap xoay, camera cong so, thu gian cuoi tuan">clip hai,phim hai,hoi xoay dap xoay,camera cong so,thu gian cuoi tuan,hoai linh</a>,<a href="http://www.vinathemes.com" alt="wordpress templates,premium wordpress templates,blogger templates,premium blogger templates,blogspot,themes,blog backgronds,2 column,3 column,4 column,blogger themes,blog skins,free templates,layouts,designs,xml,widgets,blogger.com, templates-blogger,download" title="wordpress templates,premium wordpress templates,blogger templates,premium blogger templates,blogspot,themes,blog backgronds,2 column,3 column,4 column,blogger themes,blog skins,free templates,layouts,designs,xml,widgets,blogger.com, templates-blogger,download">wordpress templates,premium wordpress templates,blogger templates,premium blogger templates,blogspot,themes,blog backgronds,2 column,3 column,4 column,blogger themes,blog skins,free templates,layouts,designs,xml,widgets,blogger.com, templates-blogger,download</a></div>



I have my admin and modcp folder password protected. I am not sure how this happened, or how to delete it.

I searched in the templates and it isn't found there. I searched in the footer, head include and header and didn't find it. It appears right below the "footer_links" in the source. I haven't seen this problem here.

1. Rss feeds is currently disabled, I have never used it. The rss feeds section displays this:
No feeds are currently defined.
2. I tried this https://www.vbulletin.com/forum/cont...vBulletin-Site search your database for iframe code. and could not find any.

Any suggestions on where this can be located? thanks!

I have exactly the same issue, just presented today.

check the DB for "base64" as well

Thus far none of the processes in the 'hacked site' guide have uncovered the cause of this.

Try disabling your modifications/plugins and see if you still have this problem.
Note: To temporarily disable the plugin system, edit includes/config.php and add this line right under <?php

define('DISABLE_HOOKS', true);

If that removed the code, then you know it is a plugin that is causing the issue. If they didn't add it via the admincp, then they added it directly to the database which means your server is not secure.

Try disabling your modifications/plugins and see if you still have this problem.
Note: To temporarily disable the plugin system, edit includes/config.php and add this line right under <?php

define('DISABLE_HOOKS', true);

If that removed the code, then you know it is a plugin that is causing the issue. If they didn't add it via the admincp, then they added it directly to the database which means your server is not secure.

Disabling the mod/plugins did not fix the issue. I also downloaded the entire website to see if it was a file issue and could not find it.
I searched the DB and could not find it.
I am thinking that because plugins are disabled, it is a DB issue right?

Thanks for all the help....

--------------- Added 1344190164 at 1344190164 ---------------

I think I have it sorted out. I did an entrie database search for "cliphai" and found it in the footer template file. Funny thing is, when I went to the template in the control panel (vbulletin) I could not find it. The cliphai thing only appears in the template on the database.
Weird. Not sure how that works. Anyways, it fixed it.
I have my admin and modcp directories password secured. any clues on what my next steps are to secure this?

If it was not showing up in the actual template, but was only changed in the database, then somebody had direct access to your database to change this. I would strongly suggest telling your host about this and changing all your server passwords.

I found it in the same manner, odd thing is the code had iframe tags in it but the normal search did not find them. I've advised the site owner to check his passwords etc. I suspect the problem is there as there are many other VB sites on my server and no others were effected.