The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
|||||||
|
#1
07-12-2010, 04:59 PM
|
|||
|
|||
Site hacked via page navigation? (vB 3.8.5)
Hi all...just wanted to report here while waiting for my support ticket.
My site just started showing a very subtle hack...whenever one views a forum, then tries to move to another page of threads...upon the second click on any navigation control (page #, etc)...i get redirected to some pharmacy site. There is no diff between forumdisplay on my site and a known good copy, I'm still running further diffs to see if this is a file hack or some injection. Nothing has changed in the last few weeks. Not sure how it's even happening, the URLs are not compromised, and the problem happens in every forum (and can be reproduced on any page depending on what order you click the nav controls). :/ 
|
|
#2
07-12-2010, 05:05 PM
|
|||
|
|||
|
Its doubtful this is a vb issue code wise, no need to alarm the masses.
Sounds like a simple issue, possibly left html on in a forum and someone made a html post, could be a code injection using spacer open or close etc in a template, did you check either?
|
|
#3
07-12-2010, 05:15 PM
|
|||
|
|||
|
Thanks for the response...no alarm needed...I'm just in that panicked state.
 I haven't changed any templates in a while...but don't know how to check for bad fields in the database.
|
|
#4
07-12-2010, 05:35 PM
|
|||
|
|||
|
Well, i didnt mean you changed a template, the injection may have been injected into a template.
Did you verify html is off in all forums? Should work as long as your running 3.7.x/3.8.x Code:
UPDATE forum SET options=options - 256 WHERE (options & 256);
|
|
#5
07-13-2010, 01:32 AM
|
|||
|
|||
|
So...just as an update...somehow my host was accessed and an additional file was included in the global.php (what looked like randomly buried in a directory of my wiki). But....changed all my passwords, reverted that file to the original, and the hack was back in a different manner in 30 minutes (new filenames and locations, same content...).
Still working with my host on this one...but any suggestions (along with pointing and laughing) are welcome.  --------------- Added [DATE]1278999435[/DATE] at [TIME]1278999435[/TIME] --------------- Another update...everything I can figure out on my own (no help from host :/ ) is that my ad server (OpenX) was compromised with some sort of exploit that allows uploading of files (??), both times it happened there were many large POST requests to a known problem .php file in OpenX. I should've upgraded sooner. This was a pretty insidious hack that attempted to hide itself from human users and display pharmacy pages to web search bots...but was clearly targetted at vBulletin. So anyone running OpenX I would encourage you to upgrade ASAP. Thanks for letting me vent here.
|
 |
«
Previous Thread
|
Next Thread
»
Linear Mode
|
|
All times are GMT. The time now is 04:24 PM.