vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Malicious code found on forum (https://vborg.vbsupport.ru/showthread.php?t=327638)

MrHorror 11-08-2019 12:21 AM

Malicious code found on forum
 
So we're running vb4.1.10 and I used chrome to inspect our page. Found this iframe:

<iframe src="//deloplen.com/fac.php" style="display: none;"></iframe>
#document

I need to remove it but have no idea where it's located. I checked multiple templates. Any ideas?

In Omnibus 11-08-2019 01:37 AM

The most likely source is going to be a third party modification. Having said that vBulletin 4.1.1 is extremely outdated and has countless security holes which have been patched since its release. Is there a particular reason you're running that version? It would be advisable to upgrade to version 4.2.5 unless you have a compelling reason for keeping that version.

MrHorror 11-08-2019 03:38 AM

We’re running the patched version. We’re not planning on upgrading to 4.1.2 because we put so much work into skinning 4.1.10. Which was a pain to begin with. As for mods, we turned all plugins off and we still get pop up redirects from this site. Its cookie is also constantly found in our cookies list. Do you have any idea as to what template this code might be present in? Can iframe be executed from any template? It seems to be positioned in the body of the forum. Where would I find those templates. I’ve already combed:

Forum head
Forum header
All css templates
Forum footer

and a few others.

--------------- Added [DATE]1573192701[/DATE] at [TIME]1573192701[/TIME] ---------------

Also since the source seems to be a php file, is it possible I could find the source of this malware in my vbulletin files in my file manager? I?ve read this same malware has been used on some wordpress forums and the source was discovered inside wordpress functions.php file.

Dave 11-08-2019 11:06 AM

It's really hard to say from our position. It can be anywhere from the database (datastore), any template (that is then injected into another template through injected code) or filesystem (.js or .php files).

Mark.B 11-08-2019 05:15 PM

There could be multiple unpatched security issues in a version that old. It really isn't plausible to secure it without upgrading. You would at the very least need to find a third party code auditor and pay them to audit the code for security flaws. Even then, if they aren't familiar with vBulletin code, there are no guarantees.

Outside of the navbar and activity stream there aren't major styling changes between 4.1.10 and 4.2.5. Rather than spend hours pouring over code hoping to find flaws, it would be far more efficient and a better use of time to upgrade to 4.2.5 and sort any styling problems out.

MrHorror 11-08-2019 08:26 PM

Okay so doing some further inspecting? This code seems to be located in the body wrapper. Right above this: <!-- closing div for body_wrapper -->

So now I need to know what templates in my style manager give me access to editing the body wrapper?

MrHorror 11-10-2019 08:26 PM

Good news guys. I removed an add-on in our forum for 'twitbox,' an active twitter box that appears on the right side of the page so users can read our tweets. I scrubbed the code from multiple style templates and now...No more popups! The deloplen cookie is also gone completely. :up:

markhendo1986 11-22-2019 09:09 AM

Hi MrHorror,
I'm now experiencing the exact same issue as yourself with regards to spam delopen links opening in new tabs when clicking anything within the forum. I can see these links within an iFrame when inspecting the home page but like yourself, I'm not able to find out exactly which templates I need to clean to get rid of them.
Could you advise which templates were affected?
PS - To confirm, I do have the latest patched version of release v4.

MrHorror 11-22-2019 06:21 PM

Hi. Do you have twitbox installed?

markhendo1986 12-02-2019 08:35 AM

No, I don't have Twitbox. So was it just code from that plugin that you had to remove from your templates?


All times are GMT. The time now is 02:04 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01023 seconds
  • Memory Usage 1,727KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 

Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete