vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions

Thread: Found malware

#1 - cric2k, 10-16-2014, 11:59 AM

Hi,

I found a virus being embedded in the template 'headinclude_bottom' - it was a clever javascript insert that was only showing itself to certain members (for instance not admins).

When I removed {vb:raw template_hook.headinclude_bottom_css} from headinclude_bottom it no longer embedded the malware in the html.

I've tried looking about plugins and can't find the hook - am I supposed to be looking for a hook, or does anyone have any idea how someone has managed to get this data in there?

I'm on 4.1.9 by the way.

Thanks
#2 - Dave, 10-16-2014, 12:01 PM

It could have been something which was present in the style you downloaded?

Please list all of your plugins here.
Also go to Maintenance > Diagnostics > Suspect File Versions and run it, check for any suspicious files on your server.
#3 - cric2k, 10-16-2014, 12:33 PM

Quote (originally posted by Dave):
    It could have been something which was present in the style you downloaded?
    Please list all of your plugins here.
    Also go to Maintenance > Diagnostics > Suspect File Versions and run it, check for any suspicious files on your server.

Hi,

I've been running my style for four years now and I've been monitoring the admin log - I'm pretty sure it wasn't a breach through the admincp.

After checking files on the server I found 'eAccelerator control panel' saved as 'control____.php' in the root - I can't remember using this...

I've put a list of active Products below (there's hundreds of plugins). Having checked the plugins I don't think there are any outside of one of these products (apart from some of my custom ones).

Thanks

#4 - Dave, 10-16-2014, 12:45 PM

Plugins look fine. Did you download the style you're using somewhere online? If so, could you post the link here?
#5 - cric2k, 10-16-2014, 01:07 PM

Quote (originally posted by Dave):
    Plugins look fine. Did you download the style you're using somewhere online? If so, could you post the link here?

Sorry, I really can't remember - I've tried looking at my HTML to see if there's any commenting in there, but it's not obvious where the style came from. I heavily modified the design from something I found on these forums back in 2010. I'm pretty sure the style itself didn't come with an in-built virus template since I've been using it for so long, but I'm not sure if it has any vulnerabilities in itself.
#6 - Firyou, 10-16-2014, 01:43 PM

There are a lot of ways someone could have gained access to those files and compromised them. If you have the install folder in your vB root, I suggest removing it ASAP. One of the most well-known 0-day exploits is through the use of that folder.

I would also check your plugins/products ASAP as well. If someone gained access to your admincp area, it's not far-fetched to think that they didn't install a shell in there. A shell would give them pretty much FTP access to the server, so check for suspicious plugin names.

I would also recommend protecting those directories with some sort of .htaccess. It's another obstacle for intruders and it'll slow them down by a lot, IMO.
#7 - Dave, 10-16-2014, 01:46 PM

It's indeed hard to figure out how that code got there. Someone will have to check your FTP for suspicious files and every single hook for malicious code.
#8 - cric2k, 10-16-2014, 01:50 PM

OK, thanks. I've a dedicated box with command line access; I ran a command to see all modified physical files in the last month and can't find anything that looks suspect. I'm thinking it has to be an SQL insert, as there's nothing in the control panel logs either - I was just hoping that there was a known issue with 4.1.9 (patch level 4).

--------------- Added 10-16-2014, 02:54 PM ---------------

or also, an SQL query I could run to see where that hook is being used... I've tried fishing around myself in plugins but haven't been able to find it.
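A set of read-only database checks for the question in the post above (where the hook is used, and whether the injection sits in a plugin, in the plugin cache, or in a template). This is an added example, not something posted in the thread; it assumes the stock vBulletin 4 MySQL schema with an empty table prefix, and the search strings are my own choices.

```sql
-- Added example, not from the thread. Assumes the default vBulletin 4
-- schema with an empty table prefix; prepend your own prefix
-- ($config['Database']['tableprefix']) to each table name if you use one.
-- Every statement below only reads; run them against a copy if you can.

-- 1. Which plugins write to the template hook that headinclude_bottom
--    renders via {vb:raw template_hook.headinclude_bottom_css}.
SELECT pluginid, title, hookname, product, active, executionorder
FROM plugin
WHERE phpcode LIKE '%headinclude_bottom_css%'
   OR phpcode LIKE '%template_hook%'
ORDER BY hookname, executionorder;

-- 2. Plugins using constructs typical of obfuscated code. Legitimate
--    products rarely need these, so review every hit by hand.
SELECT pluginid, title, hookname, product, active
FROM plugin
WHERE phpcode LIKE '%eval(%'
   OR phpcode LIKE '%base64_decode(%'
   OR phpcode LIKE '%gzinflate(%'
   OR phpcode LIKE '%str_rot13(%';

-- 3. vBulletin runs plugins from the serialized 'pluginlist' row of the
--    datastore table, which is rebuilt from the plugin table when a plugin
--    is saved in the AdminCP. A hook written straight into this row can
--    execute without ever appearing in the plugin manager, which is one
--    way the OP could "see" the hook firing but not find it in plugins.
SELECT title, LENGTH(data) AS bytes
FROM datastore
WHERE title = 'pluginlist'
  AND data LIKE '%headinclude_bottom_css%';

-- 4. The stored template source in every style, in case the script was
--    injected into the template itself rather than through a plugin.
--    template_un holds the uncompiled source; username and dateline record
--    who last saved the template and when.
SELECT templateid, styleid, title, username,
       FROM_UNIXTIME(dateline) AS last_saved
FROM template
WHERE title = 'headinclude_bottom'
   OR template_un LIKE '%<script%'
   OR template_un LIKE '%document.write%'
ORDER BY dateline DESC;
```

If query 3 matches but query 1 does not, compare the datastore row with the plugin table before rebuilding it, since a rebuild from the AdminCP overwrites the cached copy and destroys the evidence.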
#9 - Seven Skins (London, UK), 10-16-2014, 09:59 PM

Reading these may help you.

http://www.vbulletin.com/forum/forum...24#post4020224
http://www.vbulletin.com/forum/forum...36#post4020236
All times are GMT. The time now is 01:57 AM.