#16 - 28 Nov 2016, 18:48 - MarkFL (Join Date: Feb 2014, Real name: Mark)
Can you post exactly what you were told to do?
__________________
Former vBulletin.org Staff Member



Support for my products (as well as updates/new product publishing) has been moved to MHB - vBulletin Products and TAZ - Add-ons

#17 - 28 Nov 2016, 18:49 - mscottralston (Join Date: Apr 2013)
Hi MarkFL,

Indeed it was harvesting passwords. How awful. I will be backing up and deleting all four plugins.

Any idea how these got on our boards in the first place? I am going to be updating from 4.2.0 to 4.2.3 ASAP, but wanted to try to fix this issue before I did...

#18 - 28 Nov 2016, 18:53 - MarkFL (Join Date: Feb 2014, Real name: Mark)
I would suspect an SQL exploit, and updating to vB 4.2.3 PL2 would be a good idea.

#19 - 28 Nov 2016, 18:59 - Dave (Join Date: Jun 2010, Real name: Dave)
Definitely upgrade to the latest version as soon as possible.
It's entirely possible that they modified vBulletin's PHP files as well.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.

#20 - 28 Nov 2016, 20:01 - mscottralston (Join Date: Apr 2013)
Will the upgrade to 4.2.3 overwrite these possibly-modified PHP files? Other than any possible compromises to security, the other thing I'm interested in is the extensive set of permissions-locked boards that we use -- not everything is visible to everyone. As long as those permissions are preserved, I should be good, but if preserving them could allow a hack to persist, maybe not so good...

#21 - 28 Nov 2016, 20:06 - MarkFL (Join Date: Feb 2014, Real name: Mark)
Yes, the upgrade will overwrite the default vB PHP files, and your permissions should be preserved and shouldn't be involved in any exploit.

#22 - 28 Nov 2016, 20:20 - mscottralston (Join Date: Apr 2013)
Thanks again.

Assuming nothing goes awry, how long should a typical update take to complete?

#23 - 28 Nov 2016, 20:28 - MarkFL (Join Date: Feb 2014, Real name: Mark)
Originally Posted by mscottralston:
Thanks again.

Assuming nothing goes awry, how long should a typical update take to complete?
It depends on the size of your board, but it shouldn't take more than an hour, including making your backups.

#24 - 28 Nov 2016, 23:21 - Bill Stuntz (Join Date: Feb 2015)
If I recall correctly, this infection is VERY sneaky because it hides itself if your computer has followed the redirection. I THINK it will only show itself to your computer once per day. If you've seen it and done something that you THINK fixed it, following the infected link a second time will LOOK like it's fixed - because it won't redirect a second time. And tomorrow you might see it again - ONCE.

#25 - 28 Nov 2016, 23:28 - Dave (Join Date: Jun 2010, Real name: Dave)
A full Malwarebytes scan on your own computer is also a smart thing to consider. https://www.malwarebytes.com/
There is a lot of different malware out there that steals your locally saved FTP logins.

#26 - 28 Nov 2016, 23:45 - TheLastSuperman (Join Date: Sep 2008, Real name: Michael Miller Jr)
Originally Posted by oguzdinc:
I also could not solve my problem. As vbulletinsupport told me, I deleted all plugins, and I also deleted each file, and I only have VSa - Advanced Forum Statistics on my website and it is the latest version. Do I have to delete it?
One main question I have is:

- After you deleted all plugins, did you replace all your files with fresh files?

Let's say you're running vBulletin 4.2.2 - You will need to download a 100% fresh and new copy of the 4.2.2.zip from https://members.vbulletin.com and ensure you overwrite all files with the new files (to ensure any old hacked files are now replaced AND clean).

Note to everyone else: If you want to upgrade to 4.2.3 after fixing 4.2.2 then that is okay, but always be aware that you should replace all the files with the SAME EXACT version files from a fresh .zip you download from vBulletin.com and FIX the site first, THEN you can upgrade if you wish - DO NOT ASSUME that upgrading will simply fix your hacked site; in super duper rare occasions, IF it was a simple file edit, then it will, but 99% of the time it's not that simple.
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman - Custom vBulletin Modifications, Styles, and Services.
Need a Host? I recommend URLJet.

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!
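The "replace every file with the same exact version" advice above can be turned into a check rather than a blind overwrite. The script below is an added example, not code from the thread or from vBulletin: it hashes a freshly unzipped copy of the SAME version and the live docroot and lists what differs. The EXPECTED_LOCAL and IGNORE_PREFIXES paths are assumptions about which files legitimately vary per install; the demo trees are constructed placeholders, not real vB files.

```python
# Added example (not from the thread or from vBulletin): hash every file in a fresh
# copy of the SAME vB version and in the live docroot, then report the differences.
import hashlib
import os
import tempfile

# Per-install paths that legitimately differ from the release (assumption; extend as needed).
EXPECTED_LOCAL = {"includes/config.php"}
IGNORE_PREFIXES = ("customavatars/", "customprofilepics/", "attachments/")

def tree_hashes(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                out[rel] = hashlib.sha256(f.read()).hexdigest()
    return out

def compare_trees(clean_root, live_root):
    """modified: release files whose content changed; extra: files only on the server
    (dropped backdoors live here); missing: release files the server lacks."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    def skip(rel):
        return rel in EXPECTED_LOCAL or rel.startswith(IGNORE_PREFIXES)
    return {
        "modified": sorted(r for r in clean if r in live and clean[r] != live[r] and not skip(r)),
        "extra": sorted(r for r in live if r not in clean and not skip(r)),
        "missing": sorted(r for r in clean if r not in live),
    }

def make_demo_trees():
    """Constructed sample trees (not real vB files): one tampered core file, one dropped file."""
    base = tempfile.mkdtemp()
    files = {
        "clean/includes/config.php": "<?php // stock config",
        "clean/includes/class_core.php": "<?php // core (placeholder)",
        "live/includes/config.php": "<?php // edited for this site",
        "live/includes/class_core.php": "<?php // core (placeholder)\n// appended",
        "live/clientscript/extra_unknown.php": "<?php // not in any release",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    return os.path.join(base, "clean"), os.path.join(base, "live")
```

Run compare_trees('/path/to/unzipped_4.2.x', '/var/www/forum') against the real trees; anything under "extra" or "modified" that you did not put there yourself deserves a look before the upgrade overwrites the evidence.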

#27 - 29 Nov 2016, 06:29 - oguzdinc (Join Date: Jan 2008)
Originally Posted by TheLastSuperman:
One main question I have is:

- After you deleted all plugins, did you replace all your files with fresh files?

Let's say you're running vBulletin 4.2.2 - You will need to download a 100% fresh and new copy of the 4.2.2.zip from https://members.vbulletin.com and ensure you overwrite all files with the new files (to ensure any old hacked files are now replaced AND clean).

Note to everyone else: If you want to upgrade to 4.2.3 after fixing 4.2.2 then that is okay, but always be aware that you should replace all the files with the SAME EXACT version files from a fresh .zip you download from vBulletin.com and FIX the site first, THEN you can upgrade if you wish - DO NOT ASSUME that upgrading will simply fix your hacked site; in super duper rare occasions, IF it was a simple file edit, then it will, but 99% of the time it's not that simple.

Yes, first I deleted plugins and then I upgraded to the latest version. But it did not solve the problem.

#28 - 29 Nov 2016, 16:05 - mscottralston (Join Date: Apr 2013)
Hey guys,

Yeah, Google thinks we're still hacked, probably with the original issue (the occasional browser redirect; that password-logging plugin hasn't reinstalled itself yet, at least). I've been following Google's advice, but curl is no help. Inspecting the front page, there are a few JavaScript snippets I don't recognize. One might be Google Analytics? The others, I'm not sure.

For your consideration:

<script async="" src="https://www.google-analytics.com/analytics.js"></script>
<script type="text/javascript">
<!--
if (typeof YAHOO === 'undefined') // Load ALL YUI Local
{
document.write('<script type="text/javascript" src="clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js?v=420"><\/script>');
document.write('<script type="text/javascript" src="clientscript/yui/connection/connection-min.js?v=420"><\/script>');
var yuipath = 'clientscript/yui';
var yuicombopath = '';
var remoteyui = false;
}
else // Load Rest of YUI remotely (where possible)
{
var yuipath = 'clientscript/yui';
var yuicombopath = '';
var remoteyui = true;
if (!yuicombopath)
{
document.write('<script type="text/javascript" src="clientscript/yui/connection/connection-min.js"><\/script>');
}
}
var SESSIONURL = "";
var SECURITYTOKEN = "guest";
var IMGDIR_MISC = "images/misc";
var IMGDIR_BUTTON = "images/buttons";
var vb_disable_ajax = parseInt("0", 10);
var SIMPLEVERSION = "420";
var BBURL = "http://privateerpressforums.com";
var LOGGEDIN = 0 > 0 ? true : false;
var THIS_SCRIPT = "index";
var RELPATH = "forum.php";
var PATHS = {
forum : "",
cms : "",
blog : ""
};
var AJAXBASEURL = "http://privateerpressforums.com/";
// -->
</script>

<script type="text/javascript" src="clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js?v=420"></script>
<style>@media print {#ghostery-purple-box {display:none !important}}</style>
<script type="text/javascript" src="clientscript/yui/connection/connection-min.js?v=420"></script>
<script type="text/javascript" src="http://privateerpressforums.com/clientscript/vbulletin-core.js?v=420"></script>
<link rel="stylesheet" type="text/css" href="clientscript/vbulletin_css/style00009l/main-rollup.css?d=1479505047">

---

Since some of those plugins were hung on 'ajax', this seems promising. Any idea what 'Yui' is?

Thanks!

--------------- Added 29 Nov 2016 at 16:24 ---------------

Also, per Superman's comment: I would very much like to download and rewrite my installation with a fresh copy of my current version (4.2.0, patch 3) before upgrading to 4.2.3, but problematically, only 4.2.0 patch 4 is available for download off the official site. Any suggestions?

Thanks!
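Sorting the page's scripts into "ours", "known third party" and "unknown" is the question being asked above, and because the redirect reportedly appears only occasionally, it helps to digest the inline scripts so snapshots saved on different days can be diffed. This is an added example, not code from the thread or from vBulletin; BOARD_URL is the BBURL from the pasted source, ALLOWED_HOSTS is an assumed allowlist, and the cdn.example.invalid tag in SAMPLE is a constructed stand-in for an injected script.

```python
# Added example (not from the thread or from vBulletin): inventory the <script> tags in a
# saved copy of the front page, flag third-party hosts not on an allowlist, and digest
# the inline scripts so snapshots taken on different days can be compared.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BOARD_URL = "http://privateerpressforums.com/"  # BBURL from the pasted page source
ALLOWED_HOSTS = {"www.google-analytics.com"}     # assumption: known-good third parties


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from one HTML page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(urljoin(BOARD_URL, src))  # resolve relative src
        else:
            self._in_script = True
            self.inline.append("")
    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def audit_scripts(html):
    """Return (unexpected third-party hosts, sorted short digests of inline scripts)."""
    p = ScriptCollector()
    p.feed(html)
    hosts = {urlsplit(u).hostname for u in p.external}
    unexpected = sorted(hosts - {urlsplit(BOARD_URL).hostname} - ALLOWED_HOSTS)
    digests = sorted(hashlib.sha256(s.strip().encode()).hexdigest()[:16] for s in p.inline)
    return unexpected, digests


# Constructed sample: tags modelled on the pasted source plus one made-up injected tag.
SAMPLE = """<script async="" src="https://www.google-analytics.com/analytics.js"></script>
<script type="text/javascript"><!-- var SIMPLEVERSION = "420"; // --></script>
<script type="text/javascript" src="clientscript/vbulletin-core.js?v=420"></script>
<script src="//cdn.example.invalid/loader.js"></script>"""
```

Feed it the HTML saved from a fresh browser session (or a curl fetch with a browser User-Agent) each day and compare the two lists; a host or inline digest that appears only on some days is exactly the intermittent behaviour Bill described.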

#29 - 29 Nov 2016, 16:33 - Dave (Join Date: Jun 2010, Real name: Dave)
YUI is Yahoo User Interface, if I recall correctly. You can overwrite it with the higher patch version just fine; patches simply overwrite files that had a bug or exploit and, I believe, never require additional installation.

#30 - 29 Nov 2016, 19:49 - Paul M (Join Date: Sep 2004, Real name: Paul M)
Originally Posted by mscottralston:
I would very much like to download and rewrite my installation with a fresh copy of my current version (4.2.0, patch 3) before upgrading to 4.2.3, but problematically, only 4.2.0 patch 4 is available for download off the official site. Any suggestions?
Not sure why you would bother, but just use the Patch 4 files.

You would be better off just uploading the 4.2.3 files and upgrading.
__________________
Former vBulletin.org Staff Member


Cable Forum
Please do not PM me about custom work - I no longer undertake any.
Note: I will not answer support questions via e-mail or PM - please use the relevant thread or forum.