vb.org Archive


SgtSling 08-05-2012 02:49 AM

Hacked/ Problems in Chrome/ Need Help!
 
My website,
http://www.rotharmy.com/forums/forum.php
is having problems. Every time a page is loaded (I use Chrome) it displays something that says "what service should be used for viewing" and lists wordpress, rssfeedreader, etc.
Is anyone else getting this?
Any suggestions? Is this a hack or something that I need to change with chrome?
I am attaching a picture of what is happening...


Somehow someone hacked into my board and it makes every page forum/cms/blog display this in the page source

<div style="position:absolute;left:-9999px"><iframe width="100" height="100" frameborder="0" src="http://www.cliphai.com/feeds/posts/default" marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true" scrolling="no"></iframe><a href="http://www.cliphai.com" alt="clip hai, phim hai, hoi xoay dap xoay, camera cong so, thu gian cuoi tuan" title="clip hai, phim hai, hoi xoay dap xoay, camera cong so, thu gian cuoi tuan">clip hai,phim hai,hoi xoay dap xoay,camera cong so,thu gian cuoi tuan,hoai linh</a>,<a href="http://www.vinathemes.com" alt="wordpress templates,premium wordpress templates,blogger templates,premium blogger templates,blogspot,themes,blog backgronds,2 column,3 column,4 column,blogger themes,blog skins,free templates,layouts,designs,xml,widgets,blogger.com, templates-blogger,download" title="wordpress templates,premium wordpress templates,blogger templates,premium blogger templates,blogspot,themes,blog backgronds,2 column,3 column,4 column,blogger themes,blog skins,free templates,layouts,designs,xml,widgets,blogger.com, templates-blogger,download">wordpress templates,premium wordpress templates,blogger templates,premium blogger templates,blogspot,themes,blog backgronds,2 column,3 column,4 column,blogger themes,blog skins,free templates,layouts,designs,xml,widgets,blogger.com, templates-blogger,download</a></div>



I have my admin and modcp folder password protected. I am not sure how this happened, or how to delete it.

I searched in the templates and it isn't found there. I searched in the footer, head include and header and didn't find it. It appears right below the "footer_links" in the source. I haven't seen this problem here.

1. RSS feeds are currently disabled; I have never used them. The RSS feeds section displays this:
No feeds are currently defined.
2. I tried this https://www.vbulletin.com/forum/cont...vBulletin-Site (search your database for iframe code) and could not find any.

Any suggestions on where this can be located? Thanks!

oldlock 08-05-2012 12:08 PM

I have exactly the same issue, just presented today.

zascok 08-05-2012 12:53 PM

Check the DB for "base64" as well.

oldlock 08-05-2012 01:15 PM

Thus far none of the processes in the 'hacked site' guide have uncovered the cause of this.

Lynne 08-05-2012 04:11 PM

Try disabling your modifications/plugins and see if you still have this problem.
Note: To temporarily disable the plugin system, edit includes/config.php and add this line right under <?php

PHP Code:

define('DISABLE_HOOKS', true);

If that removed the code, then you know it is a plugin that is causing the issue. If they didn't add it via the admincp, then they added it directly to the database which means your server is not secure.

SgtSling 08-05-2012 04:38 PM

Quote:

Originally Posted by Lynne (Post 2354719)
Try disabling your modifications/plugins and see if you still have this problem.
Note: To temporarily disable the plugin system, edit includes/config.php and add this line right under <?php

PHP Code:

define('DISABLE_HOOKS', true);

If that removed the code, then you know it is a plugin that is causing the issue. If they didn't add it via the admincp, then they added it directly to the database which means your server is not secure.

Disabling the mod/plugins did not fix the issue. I also downloaded the entire website to see if it was a file issue and could not find it.
I searched the DB and could not find it.
I am thinking that because plugins are disabled, it is a DB issue, right?

Thanks for all the help....

--------------- Added [DATE]1344190164[/DATE] at [TIME]1344190164[/TIME] ---------------

I think I have it sorted out. I did an entire database search for "cliphai" and found it in the footer template file. Funny thing is, when I went to the template in the control panel (vBulletin) I could not find it. The cliphai thing only appears in the template in the database.
Weird. Not sure how that works. Anyway, it fixed it.
I have my admin and modcp directories password secured. Any clues on what my next steps are to secure this?

Lynne 08-05-2012 05:11 PM

If it was not showing up in the actual template, but was only changed in the database, then somebody had direct access to your database to change this. I would strongly suggest telling your host about this and changing all your server passwords.

oldlock 08-05-2012 09:09 PM

I found it in the same manner. Odd thing is, the code had iframe tags in it but the normal search did not find them. I've advised the site owner to check his passwords etc. I suspect the problem is there, as there are many other VB sites on my server and no others were affected.
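
A sketch of the check this thread arrives at, as an added example (not code from any poster or from vBulletin): it scans stored template text for off-screen containers holding external iframes or links, flags the "base64" marker suggested above, and reports hosts that appear in the rendered copy but not in the copy the editor shows. The row layout (title, rendered_copy, editor_copy), the host names and the sample rows are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline style that pushes an element out of view (the injected div used left:-9999px).
OFFSCREEN = re.compile(r"(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.I)
URL_ATTR = {"iframe": "src", "a": "href"}

class HiddenLinkScanner(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.tag, self.depth, self.hosts = own_host, None, 0, set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if self.tag is None:
            if not OFFSCREEN.search(attrs.get("style") or ""):
                return
            self.tag = tag                      # remember which tag closes the hidden region
        if tag == self.tag:
            self.depth += 1
        host = urlparse(attrs.get(URL_ATTR.get(tag, "")) or "").hostname
        if host and host != self.own_host:
            self.hosts.add(host)

    def handle_endtag(self, tag):
        if tag == self.tag:
            self.depth -= 1
            self.tag = self.tag if self.depth else None

def hidden_hosts(text, own_host):
    scanner = HiddenLinkScanner(own_host)
    scanner.feed((text or "").replace('\\"', '"'))  # tolerate backslash-escaped quotes
    return scanner.hosts

def audit(rows, own_host):
    # rows: (title, rendered_copy, editor_copy); one finding per suspicious rendered copy
    findings = []
    for title, rendered, editor in rows:
        hosts, b64 = hidden_hosts(rendered, own_host), "base64" in (rendered or "").lower()
        if hosts or b64:
            findings.append({"title": title, "hosts": sorted(hosts), "base64": b64,
                             "only_in_rendered": sorted(hosts - hidden_hosts(editor, own_host))})
    return findings

# Constructed sample rows, not real data; the injected part uses escaped quotes.
CLEAN = '<div class="footer_links"><a href="http://forum.example/">Home</a></div>'
INJECT = '<div style=\\"left:-9999px\\"><iframe src=\\"http://injected.example/feed\\"></iframe></div>'
ROWS = [("header", CLEAN, CLEAN), ("footer", CLEAN + INJECT, CLEAN)]
```

A non-empty `only_in_rendered` list matches the symptom reported here: the markup is served to visitors but does not appear when the template is opened for editing.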

