Spam appearing in title & tab heading

[bartman9]

In my vBulletin 4 forum, there is spam appearing in the title. I have attached an image to show you what I am talking about.



I thought it was just some residual data from spam that was deleted. But, when I post a new note, it does not go away. Any idea how it got there and how I can remove it?

It only appears as the page is loading. Once the page fully loads, it is overwritten with the Forum Name in the settings. My site is painfully slow right now, so it is real obvious. The URL is there, so you can give it a try.

Any help is appreciated.
Thanks!
Dave

[ozzy47]

Try and see if the site is still slow, and the issue persists with all mods off.

Open your includes/config.php file and below<?php add this line:

PHP Code:

 define('DISABLE_HOOKS', true); 


So it looks like this:

PHP Code:

<?php
define('DISABLE_HOOKS', true);
/*=================================================  =====================*\
|| ##################################################  ################## ||
|| # vBulletin 4.2.2

[Max Taxable]

Well.... You don't have any third party links in your pageload, so this has to be coming from one of your scripts. Here's the breakdown:

http://www.webpagetest.org/result/14...353/1/details/

Also... Make the vB default style available for the public.... So we can test it vs your current one.

[bartman9]

I did disable all the plugins via the config.php, as suggested. It seems to run a little faster, but still running slow.

The webpagetest is pretty interested. Lots of data that I don't understand. Do you see anything there that is slowing things down?

I tried to activate the other styles, but it doesn't seem to be working. I selected them in the style manager, but they still don't show up when I view the forum.

[Max Taxable]

Your site is gazillions of times faster now EDIT - Spam problem still persists.

Quote:

I tried to activate the other styles, but it doesn't seem to be working. I selected them in the style manager, but they still don't show up when I view the forum.

In general settings, allow users to choose styles --> YES


You have two .tff files that look suspicious to me and they are causing the bulk of your slow loading. .tff files are font files, they are executable files and i have never seen a style use them this way, downloading them to the users' computer.

I suspect they're not really font files.

HTML Code:

GET /quillingforum/style/fes.ttf HTTP/1.1
Accept: */*
Referer: http://www.quilledcreations.com/quillingforum/lndex.php
Accept-Language: en-US
X-Download-Initiator: file="doc 0AA8 win 37A8; css; font"
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) PTST/158
Origin: http://www.quilledcreations.com
Accept-Encoding: gzip, deflate
Host: www.quilledcreations.com
DNT: 1
Connection: Keep-Alive
Cookie: bb_lastvisit=1390534736; bb_lastactivity=0; PHPSESSID=indvdktugif37snufbq77u2u16

And

HTML Code:

GET /quillingforum/style/seg.ttf HTTP/1.1
Accept: */*
Referer: http://www.quilledcreations.com/quillingforum/lndex.php
Accept-Language: en-US
X-Download-Initiator: file="doc 0AA8 win 37A8; css; font"
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) PTST/158
Origin: http://www.quilledcreations.com
Accept-Encoding: gzip, deflate
Host: www.quilledcreations.com
DNT: 1
Connection: Keep-Alive
Cookie: bb_lastvisit=1390534736; bb_lastactivity=0; PHPSESSID=indvdktugif37snufbq77u2u16

This is why i want to test your vb default theme. If these exist there then we know they are NOT font files.

File locations:

HTML Code:

http://www.quilledcreations.com/quillingforum/style/fes.ttf

And

HTML Code:

http://www.quilledcreations.com/quillingforum/style/seg.ttf

[bartman9]

Okay, I was able to change that and allow users to select the style.

[Max Taxable]

Quote:

Originally Posted by bartman9

Okay, I was able to change that and allow users to select the style.

My previous post was wrong about your speed, it was only 'faster' for me due to caching.

I am testing the v4 default style now.

Here's that result. --> http://www.webpagetest.org/result/14...5VF/1/details/

NO tff files, but no spam either. Therefore the spam must be coming from a file or files in your custom style. Or perhaps a template edit.

[bartman9]

I searched through the entire code and found the spam culprit. My index.php file has a lot of junk in it. Here is just one section:

Code:

	<meta property="fb:app_id" content="167724486758931" />
<meta property="og:site_name" content="louis vuiitton outlet,Cheap louis vuitton handbags, louis vuitton shoe" />
<meta property="og:description" content="My dear friends, once you have a glance at the Cheap louis vuitton handbags in louis vuitton outlet, you must be surprised at louis vuitton shoes." />
<meta property="og:url" content="http://www.quilledcreations.com/quillingforum" />
<meta property="og:type" content="website" />
<meta property="og:image" content="http://www.quilledcreations.com/images/qclogo.jpg" />

Any ideas how it got there? Any ideas on how to prevent it in the future?

--------------- Added [DATE]1390574349[/DATE] at [TIME]1390574349[/TIME] ---------------

Also found this file c.js in my forums main directory. Here are the contents:

Code:

var d=document.referrer;
if(d.indexOf("google")>0||d.indexOf("bing")>0||d.indexOf("yahoo")>0||d.indexOf("aol")>0||d.indexOf("ask")>0||d.indexOf("search")>0){document.write("<div align='center'><iframe frameBorder='0' scrolling='no' src='http://www.louisvuittonbrand.com' width='1002' allowTransparency='true' height='3000'></iframe></div>");
}else{
document.writeln("<script>");
document.writeln("window.location=\"/quillingforum/lndex.php\";");
document.writeln("</script>");
}

Is this file needed at all? Should I delete the spam or the whole file?

[ozzy47]

I would download the same version you are using, and update all your files. Then start the daunting task of how the hacker was able to compromise your files.

[Mr_Running]

Bartman9,

Perhaps, edit your post #8 by placing the code in code tags and any future post I would suggest placing code in the Tags

See attachment...