
gakz 10-11-2013 12:26 PM

Hacked now what...
 
My forum was recently hacked... Everything seems to be cleaned up and I am now going through the proper steps to secure the forum properly.

The problem we are experiencing now is different though, since the hacking:

I use CKEditor quick reply/quick edit, but all of the buttons (IMG, URL, VIDEO, ETC) all grey out the screen when you click them and freeze the browser tab until you go back a page.

I reinstalled the add-on and I can't seem to correct this issue, any thoughts on what may be next to fix it? It is causing a real hindrance for my users.

Thanks

lapiervb 10-11-2013 12:53 PM

http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5

gakz 10-11-2013 01:09 PM

I appreciate the effort to help... but I already noted I'm going through the steps to secure the forum properly.

That is not what I need help with.

Thanks

Max Taxable 10-11-2013 01:51 PM

Quote:

Originally Posted by gakz (Post 2452207)
I appreciate the effort to help... but I already noted I'm going through the steps to secure the forum properly.


That is not what I need help with.


Thanks

A link and possibly a screengrab of what you're describing might help. A picture is worth a thousand words, personal experience is worth a book.:D

gakz 10-11-2013 02:15 PM

Thanks for the response!

This is the IMG button after pushing. It does this for pretty much all except the bold/italic/font size buttons.

https://vborg.vbsupport.ru/external/2013/10/53.png


This is what happens when you push edit post. It just sits there with the loading icon

https://vborg.vbsupport.ru/external/2013/10/54.png

Max Taxable 10-11-2013 02:42 PM

It kind of FEELS like you have something going on with the clientscript js

gakz 10-11-2013 02:56 PM

Maybe a corrupt file on the server clientscript folder?

Max Taxable 10-11-2013 02:59 PM

Quote:

Originally Posted by gakz (Post 2452230)
Maybe a corrupt file on the server clientscript folder?

Some mods DO autoedit the global clientscript js file. It's in the clientscript folder. It can't hurt to re-upload this file, allowing overwrite to get it back to native vB code. In version 3.8 it's "vbulletin_global.js", not sure what it is in v4.

Sometimes when you uninstall a Mod that autoedited a js file, the file edit still exists and has no function, essentially breaking the code.

gakz 10-11-2013 04:29 PM

That appears to have not fixed it. I replaced it with my original .js for my v4 update.

Thanks for the effort though

Max Taxable 10-11-2013 06:09 PM

Quote:

Originally Posted by gakz (Post 2452260)
That appears to have not fixed it. I replaced it with my original .js for my v4 update.

Thanks for the effort though

Well, I was just spitballing based on what you were saying and on the images you provided. Might could tell more if I could log in to an account.

Max Taxable 10-12-2013 09:56 PM

Quote:

Originally Posted by gakz (Post 2452260)
That appears to have not fixed it. I replaced it with my original .js for my v4 update.

Thanks for the effort though

I forgot to mention, browsers cache the global.js file. Clear your cache and see if there's improvement.

gakz 10-12-2013 11:58 PM

Cleared the cache and still issues. I'm guessing the next step would be to re-upload the entire clientscript folder?

Max Taxable 10-13-2013 12:35 AM

Quote:

Originally Posted by gakz (Post 2452755)
Cleared the cache and still issues. I'm guessing the next step would be to re-upload the entire clientscript folder?

It can't do any harm. Again, I am operating mostly in the dark here. I am hoping someone with more knowledge sees this thread and chimes in.

How are you caching on the server?

Digital Jedi 10-13-2013 03:44 AM

There's a very small number of validation errors in your HTML. I always rule those out first when checking for problems like this.

gakz 10-15-2013 02:19 PM

I'm not even sure I fully understand what you are saying with the validation errors. I am no expert.

Digital Jedi 10-15-2013 04:55 PM

Check the article listed at the bottom of my profile about Validating vBulletin. You don't have that many, so it should be pretty easy to fix them and rule them out. Invalid HTML can randomly break JavaScript on a page.

Rapideffect 10-16-2013 08:24 AM

Hi,

I am a newbie here and run a forum called www.myfiatworld.com.
As of now I can see some Cold Z3ro and hackteach.org links at the bottom of my forum transaction log/transaction stats area within admincp. It looks odd to me and hence I am a bit worried.

Hope someone will help me to get rid of this.

Thanks & Regards

Manoj

ozzy47 10-16-2013 09:29 AM

Quote:

Originally Posted by Rapideffect (Post 2453825)
Hi,

I am a newbie here and run a forum called www.myfiatworld.com.
As of now I can see some Cold Z3ro and hackteach.org links at the bottom of my forum transaction log/transaction stats area within admincp. It looks odd to me and hence I am a bit worried.

Hope someone will help me to get rid of this.

Thanks & Regards

Manoj

First you need to follow our advisory about deleting the install folder off your forums.

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

gakz 11-06-2013 03:42 AM

Update: Back on topic.


Digital jedi, I tried the validation.. and I'm either failing completely at it or do not understand how it works.

HTML Code:

http://validator.w3.org/check?uri=http%3A%2F%2Fwww.properimage.net%2Fforum%2Fshowthread.php%3F4947-Hey%21%26p%3D78351&charset=%28detect+automatically%29&doctype=Inline&ss=1&group=0&user-agent=W3C_Validator%2F1.3+http%3A%2F%2Fvalidator.w3.org%2Fservices

Digital Jedi 11-06-2013 03:57 AM

It takes a bit of Googling sometimes. For the first error, I did cover that one in my article. No caps in most HTML code. That will probably fix THAT error. But like I mentioned in that article, you need to start with the top one and work your way down, as errors cascade. So fixing one can correct, or even reveal, others. Remember to check your code using Direct Input, as well, as the validator can't see the HTML generated to a logged in user.

gakz 11-07-2013 11:32 AM

I guess I meant to say... It appears none of the errors have to do with javascript at all. So how would they affect that issue?

Digital Jedi 11-08-2013 12:54 AM

Quote:

Originally Posted by gakz (Post 2458918)
I guess I meant to say... It appears none of the errors have to do with javascript at all. So how would they affect that issue?

The error only needs to be in the HTML to break JavaScript functionality. A single error in code construction can cause any number of other errors. You won't know for sure until you rule them out.

tbworld 11-08-2013 01:33 AM

General Information about JavaScript

JavaScript is typically used to dynamically change things and add interactivity, since it runs on the browser. Although it is very robust in parsing the DOM, errors in HTML structure can cause the JavaScript parser to construct the DOM inadequately: thus JavaScript cannot find the desired target it is looking for.

For beginners, validators are another nice tool, but they are hardly perfect. You could have all sorts of validation errors and your JavaScript will work just fine, or it can pass validation and your JavaScript fails.

Many users find a JavaScript/jQuery code snippet and insert it into their programming. In many cases they end up corrupting the global namespace and the code snippets misbehave, sometimes with no errors whatsoever.

When debugging JavaScript problems with vBulletin: duplicate your style with the style manager and revert any templates that might interfere with what you are testing -- start with "headerinclude" template. You can also use browser addons and intrinsic browser tools to disable a particular JavaScript interactively.

Hopefully this will help somebody. :)

Max Taxable 11-08-2013 02:28 AM

Quote:

Originally Posted by gakz (Post 2452204)
My forum was recently hacked... Everything seems to be cleaned up and I am now going through the proper steps to secure the forum properly.

The problem we are experiencing now is different though, since the hacking:

I use CKEditor quick reply/quick edit, but all of the buttons (IMG, URL, VIDEO, ETC) all grey out the screen when you click them and freeze the browser tab until you go back a page.

I reinstalled the add-on and I can't seem to correct this issue, any thoughts on what may be next to fix it? It is causing a real hindrance for my users.

Back to square one - have you disabled the hooks to see if this still occurs?

I created an account on your board and see the issue when I try to send a new PM, I get the WYSIWYG editor and when clicking on the video or image icons, the awesomebox shading (or whichever js you're using) covers the entire screen and there is no dialog box. Refreshing the browser makes this disappear however, back button not necessary. The URL button however, works as it should.

Start with disabling hooks... Then go from there. If that cures the issues then you know the "CKEditor quick reply/quick edit" Mod is causing your troubles.

SCRATCH THAT: In debugging your script on that send PM page, there appears to be an issue with the "ckeditor.js" file. Disable that Mod and consult the add-on developer in the thread where you got this Mod, is my suggestion. This really ain't all that hard. This stuff is a javascript function and it is not working, as I spitballed before.

MORE INFO: Errors for "videotag.js" and "image.js" both read the same: "[21:45:17.044] TypeError: responseXML is null"

You should disable this Mod for the sake of your users, until you can figure out what is wrong with it.

Quote:

Originally Posted by gakz (Post 2458918)
I guess I meant to say... It appears none of the errors have to do with javascript at all.

Yes, they do.

gakz 11-08-2013 10:14 AM

That mod has been disabled already since I first encountered the issue.

In regards to the awesomebox shading, that started to occur when the issue started to occur. You can open the editor in a new window and it works.. otherwise it just sits at that shaded screen for infinity.

I fully uninstalled it and still no fix for the issue. Going through a few steps right now

--------------- Added 11-08-2013 at 11:17 AM ---------------

Disabling hooks fixes the issue it seems. If it is the CKeditor mod, and the issue still occurs after uninstalling this mod.. That makes no sense to me, unless it permanently changed files

Max Taxable 11-08-2013 04:03 PM

Disabled or not, it was still calling its own files.

Quote:

If it is the CKeditor mod, and the issue still occurs after uninstalling this mod.. That makes no sense to me, unless it permanently changed files

That's what I said, earlier in the thread. Some of these Mods do auto-rewrites of just about any file on your system including templates, js files, PHP files, you name it.

Uninstalling sometimes reverts the changes but not always.

Do you still have all hooks disabled? I just tested the edit button, working. Image insert and video insert, working.

gakz 11-08-2013 04:24 PM

Yes all hooks are still currently disabled

Max Taxable 11-08-2013 05:06 PM

I just answered your PM at your board.

gakz 11-12-2013 02:48 AM

After uninstalling the suspected offending mod, and then re-enabling hooks the issue comes back. It may be due to another mod?

Max Taxable 11-12-2013 03:32 AM

Quote:

Originally Posted by gakz (Post 2460044)
After uninstalling the suspected offending mod, and then re-enabling hooks the issue comes back. It may be due to another mod?

Very possible. Let me go in and look at the pages again, and run the FF debug mode on them. You'll need to re-enable hooks for me to do that.


Alternatively since we appear to be in vastly different time zones you can disable plugins one at a time until the issue goes away with hooks enabled. Do this in plugin manager. Once you find the offending Modification, you can re-enable all the other plugins and we can discuss if maybe you're experiencing a hook conflict, or otherwise.


All times are GMT.