Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 Programming Discussions
  #1  
Old 11-09-2010, 04:15 PM
Jaske's Avatar
Jaske Jaske is offline
 
Join Date: Apr 2010
Location: South Philadelphia
Posts: 51
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default My Forum Has Been Hacked-PLEASE HELP!

Okay I'm new to vB and I'm still getting to know the ins and outs of it and I really hate asking for help without first trying to fix any problems I have, but I can not fix this problem and I know it has got to be a minor hack, but I just can't figure out where to look.

Today I logged into my forum and noticed on a few of the pages where the names of the threads are listed there are 3 small links that say "watch movies-buy movies-movies download". they are in the middle of the thread, between the thread name and the last post (see attachments below).

Now I have tried to look for the links in 'edit templates' but had no luck. Maybe someone on here can direct me in the right place to search?

The links appear to be on the page because when I scroll they move upward with the threads.

I also just checked my cPanel and in my forum directory there are a bunch of pages with names like "0a332aaf80d731a786131f1712d05670" but no info on the page when I open it up to view it...only "0.6" or "9"....any idea what these are? I don't remember them being there before....are they some sort of log?

Anyway, if you have an idea of what file(s) I should edit please let me know...this is aggravating as all hell!!




Reply With Quote
  #2  
Old 11-09-2010, 04:32 PM
borbole's Avatar
borbole borbole is offline
 
Join Date: Jan 2010
Posts: 2,559
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Can you post the link to your forum? Those weired files, do they have any codes in them?
Reply With Quote
  #3  
Old 11-09-2010, 04:58 PM
Jaske's Avatar
Jaske Jaske is offline
 
Join Date: Apr 2010
Location: South Philadelphia
Posts: 51
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by borbole View Post
Can you post the link to your forum? Those weired files, do they have any codes in them?
the weird files have only the number "0" or "0.6" in them (without quotes)....wondering if I should just delete them...
here's the link to one of the forum pages with the "watch movies" links...
http://www.illadelstylez.com/forum/f...ketches-Canvas
Reply With Quote
  #4  
Old 11-09-2010, 06:59 PM
Ninos Ninos is offline
 
Join Date: Jul 2010
Posts: 64
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I can't give much help with the inner workings of vBulletin, but yes, delete them files now.

--------------- Added [DATE]1289336423[/DATE] at [TIME]1289336423[/TIME] ---------------

Nice forum by the way.
Reply With Quote
  #5  
Old 11-09-2010, 07:14 PM
Jaske's Avatar
Jaske Jaske is offline
 
Join Date: Apr 2010
Location: South Philadelphia
Posts: 51
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Ninos View Post
I can't give much help with the inner workings of vBulletin, but yes, delete them files now.

--------------- Added 09 Nov 2010 at 16:00 ---------------

Nice forum by the way.
thanks.

--------------- Added 09 Nov 2010 at 16:52 ---------------

Now I deleted all the weird files that I know for sure didn't belong in the directory but after I deleted them all (around 100+) a couple at a time keep popping up...the files are named "1b7fdbbea3567de746321d9915b3502c" and all have different numbers & letters...I'll delete those, refresh the directory then there's 2-3 new ones...WTF!!!
Can anyone give me a name of an add-on or contribution that can scan the files? Something like "KISS File Safe" for OsCommerce....only for vBulletin...and is there any must-have security addons I should install? please help!
Reply With Quote
  #6  
Old 11-10-2010, 08:50 AM
TheRageIsOn TheRageIsOn is offline
 
Join Date: Mar 2010
Posts: 12
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hey, i am wondering why can anyone other than you ( root ) write
in your webserver directories ?
Are they read only ?
Reply With Quote
  #7  
Old 11-10-2010, 09:11 AM
Outbackmark's Avatar
Outbackmark Outbackmark is offline
 
Join Date: Jun 2007
Posts: 125
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Those files are something to do with it, as TheRage says, check the write permissions in your directory and change your root password asap, also for any FTP accounts you may have set up.
There have been additions made to FORUMHOME forumdisplay and threaddisplay templates. This code
Code:
<!--343a46459562b88e7bf7d0a890b75727--><div style="position:absolute; left:324px; top: -100px;"><a href="http://www.extafilm.com/">watch movies</a>. <a href="http://www.moviethone.com/">movies download</a>. <a href="http://www.qubmovies.com/">buy movies</a></div><!--/343a46459562b88e7bf7d0a890b75727-->
has been addred to those templates, the will probably be an xml file of some sort in one of your directories, thats installing this code in a similar way that addons/hacks add code to templates in VB/PHP.
You need to run VB Diagnostics/Suspect File Versions and check all non VB files, most addon/hack files will have recognizable names and alien files can be spotted fairly easily in the report.
I would also suggest you get your host to run a scan in your partition and make sure it's clean.
Reply With Quote
  #8  
Old 11-10-2010, 02:57 PM
Jaske's Avatar
Jaske Jaske is offline
 
Join Date: Apr 2010
Location: South Philadelphia
Posts: 51
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Outbackmark View Post
Those files are something to do with it, as TheRage says, check the write permissions in your directory and change your root password asap, also for any FTP accounts you may have set up.
There have been additions made to FORUMHOME forumdisplay and threaddisplay templates. This code
Code:
<!--343a46459562b88e7bf7d0a890b75727--><div style="position:absolute; left:324px; top: -100px;"><a href="http://www.extafilm.com/">watch movies</a>. <a href="http://www.moviethone.com/">movies download</a>. <a href="http://www.qubmovies.com/">buy movies</a></div><!--/343a46459562b88e7bf7d0a890b75727-->
has been addred to those templates, the will probably be an xml file of some sort in one of your directories, thats installing this code in a similar way that addons/hacks add code to templates in VB/PHP.
You need to run VB Diagnostics/Suspect File Versions and check all non VB files, most addon/hack files will have recognizable names and alien files can be spotted fairly easily in the report.
I would also suggest you get your host to run a scan in your partition and make sure it's clean.
I found the links with Firebug but when I looked in the files I couldn't find them. So they are at the very top of the pages? I did see a long line of numbers like you posted...I will change passwords, run the check and keep posted what I get.
Reply With Quote
  #9  
Old 11-10-2010, 08:18 PM
swiper the fox swiper the fox is offline
 
Join Date: Dec 2007
Posts: 101
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

https://vborg.vbsupport.ru/showthread.php?t=203933
install instructions

Download: http://www.vbulletin-germany.org/showthread.php?t=5467

this is a very handy plugin which will assist you with searching for this and where/what plug-in it may be coming from
Reply With Quote
  #10  
Old 11-12-2010, 07:04 AM
DigitalDark DigitalDark is offline
 
Join Date: Dec 2009
Posts: 78
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Probably these links are generated in php files of vBulletin. There is an option in vBulletin that recognizes external files:

Admincp -> Manteinance -> Check Version File (3rd option).

The files of plugins and other programs will appear. I'm sure that your vBulletin files (php files) has been modified and are linked with the strange "145384asdada5d6s54d6a5sd4a6sd" files.
If I were you I will download the vBulletin package again and reupload all the files. If you get the same after this step, it means that your sql data base has been touched.

Good luck.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 11:34 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.07504 seconds
  • Memory Usage 2,257KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_code
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete