Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 08-05-2012, 02:49 AM
SgtSling SgtSling is offline
 
Join Date: Oct 2001
Posts: 156
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Hacked/ Problems in Chrome/ Need Help!

My website,
http://www.rotharmy.com/forums/forum.php
Is having problems. Everytime a page is loaded (I use chrome) it displays something that says "what service should be used for viewing" and lists wordpress, rssfeedreader, etc.
Is anyone else getting this?
Any suggestions? Is this a hack or something that I need to change with chrome?
I am attaching a picture of what is happening...


Somehow someone hacked into my board and it makes every page forum/cms/blog display this in the page source

<div style="position:absolute;left:-9999px"><iframe width="100" height="100" frameborder="0" src="http://www.cliphai.com/feeds/posts/default" marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true" scrolling="no"></iframe><a href="http://www.cliphai.com" alt="clip hai, phim hai, hoi xoay dap xoay, camera cong so, thu gian cuoi tuan" title="clip hai, phim hai, hoi xoay dap xoay, camera cong so, thu gian cuoi tuan">clip hai,phim hai,hoi xoay dap xoay,camera cong so,thu gian cuoi tuan,hoai linh</a>,<a href="http://www.vinathemes.com" alt="wordpress templates,premium wordpress templates,blogger templates,premium blogger templates,blogspot,themes,blog backgronds,2 column,3 column,4 column,blogger themes,blog skins,free templates,layouts,designs,xml,widgets,blogger.com, templates-blogger,download" title="wordpress templates,premium wordpress templates,blogger templates,premium blogger templates,blogspot,themes,blog backgronds,2 column,3 column,4 column,blogger themes,blog skins,free templates,layouts,designs,xml,widgets,blogger.com, templates-blogger,download">wordpress templates,premium wordpress templates,blogger templates,premium blogger templates,blogspot,themes,blog backgronds,2 column,3 column,4 column,blogger themes,blog skins,free templates,layouts,designs,xml,widgets,blogger.com, templates-blogger,download</a></div>



I have my admin and modcp folder password protected. I am not sure how this happened, or how to delete it.

I searched in the templates and it isn't found there. I searched in the footer, head include and header and didn't find it. It appears right below the "footer_links" in the source. I haven't seen this problem here.

1. Rss feeds is currently disabled, I have never used it. The rss feeds section displays this:
No feeds are currently defined.
2. I tried this https://www.vbulletin.com/forum/cont...vBulletin-Site search your database for iframe code. and could not find any.

Any suggestions on where this can be located? thanks!
Attached Images
File Type: jpg popup.jpg (79.0 KB, 0 views)
Reply With Quote
  #2  
Old 08-05-2012, 12:08 PM
oldlock oldlock is offline
 
Join Date: Jul 2009
Posts: 69
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I have exactly the same issue, just presented today.
Reply With Quote
  #3  
Old 08-05-2012, 12:53 PM
zascok zascok is offline
 
Join Date: Jul 2010
Posts: 146
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

check the DB for "base64" as well
Reply With Quote
  #4  
Old 08-05-2012, 01:15 PM
oldlock oldlock is offline
 
Join Date: Jul 2009
Posts: 69
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thus far none of the processes in the 'hacked site' guide have uncovered the cause of this.
Reply With Quote
  #5  
Old 08-05-2012, 04:11 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Try disabling your modifications/plugins and see if you still have this problem.
Note: To temporarily disable the plugin system, edit includes/config.php and add this line right under <?php

PHP Code:
define('DISABLE_HOOKS'true); 
If that removed the code, then you know it is a plugin that is causing the issue. If they didn't add it via the admincp, then they added it directly to the database which means your server is not secure.
Reply With Quote
  #6  
Old 08-05-2012, 04:38 PM
SgtSling SgtSling is offline
 
Join Date: Oct 2001
Posts: 156
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Lynne View Post
Try disabling your modifications/plugins and see if you still have this problem.
Note: To temporarily disable the plugin system, edit includes/config.php and add this line right under <?php

PHP Code:
define('DISABLE_HOOKS'true); 
If that removed the code, then you know it is a plugin that is causing the issue. If they didn't add it via the admincp, then they added it directly to the database which means your server is not secure.
Disabling the mod/plugins did not fix the issue. I also downloaded the entire website to see if it was a file issue and could not find it.
I searched the DB and could not find it.
I am thinking that because plugins are disabled, it is a DB issue right?

Thanks for all the help....

--------------- Added [DATE]1344190164[/DATE] at [TIME]1344190164[/TIME] ---------------

I think I have it sorted out. I did an entrie database search for "cliphai" and found it in the footer template file. Funny thing is, when I went to the template in the control panel (vbulletin) I could not find it. The cliphai thing only appears in the template on the database.
Weird. Not sure how that works. Anyways, it fixed it.
I have my admin and modcp directories password secured. any clues on what my next steps are to secure this?
Reply With Quote
  #7  
Old 08-05-2012, 05:11 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

If it was not showing up in the actual template, but was only changed in the database, then somebody had direct access to your database to change this. I would strongly suggest telling your host about this and changing all your server passwords.
Reply With Quote
  #8  
Old 08-05-2012, 09:09 PM
oldlock oldlock is offline
 
Join Date: Jul 2009
Posts: 69
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I found it in the same manner, odd thing is the code had iframe tags in it but the normal search did not find them. I've advised the site owner to check his passwords etc. I suspect the problem is there as there are many other VB sites on my server and no others were effected.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 11:55 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04334 seconds
  • Memory Usage 2,254KB
  • Queries Executed 14 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_php
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (8)post_thanks_box
  • (8)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (8)post_thanks_postbit_info
  • (8)postbit
  • (1)postbit_attachment
  • (8)postbit_onlinestatus
  • (8)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_attachment
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete