#1
04 Sep 2013, 22:35
dawges
Join Date: May 2007
iframe injected into all templates

I have searched Google and have found a couple of forums suffering the same fate.

Today all of a sudden I noticed my pages loading slowly so I looked at the code. I see an iframe at the bottom of all my pages:

[Code block hidden: Suspended or Unlicensed Members Cannot View Code.]

My question is, how did it get there and how do I get rid of it?

--------------- Added 04 Sep 2013 at 22:37 ---------------

I am running version 4.2.0 by the way.
#2
04 Sep 2013, 22:47
ozzy47
Join Date: Jul 2009
Real name: Chris
You may want to check your templates and see if you were hacked and someone added it into your templates.
#3
04 Sep 2013, 22:58
dawges
Join Date: May 2007
Originally Posted by ozzy47:
> You may want to check your templates and see if you were hacked and someone added it into your templates.

I checked the footer template but I don't know what to look for. I don't see the code just jump out.
#4
04 Sep 2013, 23:00
ozzy47
Join Date: Jul 2009
Real name: Chris
Ok next step is to disable all plugins to see if it is coming from there.

Open your config.php and below <?php add this line:

[Code block hidden: Suspended or Unlicensed Members Cannot View Code.]

So it looks like this:

[Code block hidden: Suspended or Unlicensed Members Cannot View Code.]

Then check the page again and see if the iframe is still there.
#5
04 Sep 2013, 23:19
TheLastSuperman
Join Date: Sep 2008
Real name: Michael Miller Jr

If you have vBSEO installed this is very likely; it could also be from the recently discovered install directory exploit. We are unsure without actually investigating it ourselves.

Try running the queries listed on my blog post (scroll down to find "Run the following Queries in phpMyAdmin") - http://www.vbulletin.com/forum/blogs...vbulletin-site

Some basics:
  1. Start off by replacing all files with 100% fresh vBulletin files of the exact same version.
  2. Next run the queries listed on the blog and investigate all that come up. If you're not running a custom style then first delete any malicious plugins/templates and you can delete the default style and remake a new one (create a new style after removing the malicious plugins etc., then delete the old one; otherwise your primary is the default and it will not allow you to delete etc.).
  3. Next check the filesystem - AdminCP > Maintenance > Diagnostics > Suspect File Versions - and check to see what is listed, cross-reference that via FTP and inspect file dates etc. Anything named odd should be investigated, i.e. sexy.php, lol.php, anything seemingly odd; however, not all hackers are so apparent. They could have named it crontools.php or something you would, if not 100% familiar with the product, assume was a normal file, so take your time checking.
  4. Once you feel it's clean, either create or log in to your Google webmaster tools and request the site be checked; once they verify it's clean you're normally good to go.
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!

Last edited by TheLastSuperman; 07 Sep 2013 at 18:52. Reason: spWelling :P
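The file check described in step 3 of the post above (compare what is on the server against fresh files of the same version, and look for the /install/ directory) can also be scripted. This is an added example, not code from the thread or from vBulletin; the function names `audit` and `demo`, the `<iframe` marker, and the two sample directory trees are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def audit(live_root, clean_root, markers=(b"<iframe",)):
    """Compare a live web root against a fresh copy of the same release."""
    live_root, clean_root = Path(live_root), Path(clean_root)
    # Hash every file of the known-good distribution, keyed by relative path.
    clean = {p.relative_to(clean_root).as_posix():
             hashlib.sha256(p.read_bytes()).hexdigest()
             for p in clean_root.rglob("*") if p.is_file()}
    findings = {"modified": [], "unknown": [], "marker": [],
                "install_dir": (live_root / "install").is_dir()}
    for p in sorted(live_root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(live_root).as_posix()
        data = p.read_bytes()
        if rel not in clean:
            findings["unknown"].append(rel)      # not shipped with the release
        elif hashlib.sha256(data).hexdigest() != clean[rel]:
            findings["modified"].append(rel)     # differs from the stock file
        if any(m in data.lower() for m in markers):
            findings["marker"].append(rel)       # contains injected-looking markup
    return findings

def demo():
    """Build two small constructed trees (not real vBulletin files) and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php // stock index\n")
            (root / "includes" / "functions.php").write_text("<?php // stock\n")
        # Constructed tampering: leftover install dir, extra file, edited file.
        (live / "install").mkdir()
        (live / "install" / "upgrade.php").write_text("<?php // leftover\n")
        (live / "crontools.php").write_text("<?php // not in the release\n")
        (live / "index.php").write_text(
            "<?php // stock index\n<iframe src='//example.invalid'></iframe>\n")
        return audit(live, clean)

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real site, site-specific files such as includes/config.php will be listed under `unknown` because they are not part of the distribution; review those entries rather than deleting them.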
#6
04 Sep 2013, 23:22
ozzy47
Join Date: Jul 2009
Real name: Chris
Thanks Mike, I knew I'd seen that somewhere before, I just could not for the life of me remember where it was.
#7
04 Sep 2013, 23:27
TheLastSuperman
Join Date: Sep 2008
Real name: Michael Miller Jr

Originally Posted by ozzy47:
> Thanks Mike, I knew I'd seen that somewhere before, I just could not for the life of me remember where it was.

lol tis now bookmarked, I've been visiting profile on vb.com then finding all blog posts lololol.
#8
04 Sep 2013, 23:27
dawges
Join Date: May 2007
Disabling Hooks does nothing, the iframe stays.

Superman, I do not have vBSEO installed, however I will read the post you provided and report back.
#9
04 Sep 2013, 23:29
ozzy47
Join Date: Jul 2009
Real name: Chris
Hmmm then it may be in the files somewhere, if it is not in the templates or plugins. Let us know what you come up with after following the post.
#10
04 Sep 2013, 23:29
dawges
Join Date: May 2007
I have 4 new administrators in my admin group. All hackers.
#11
04 Sep 2013, 23:31
ozzy47
Join Date: Jul 2009
Real name: Chris
Ouch, you need to find out how they got in.
#12
04 Sep 2013, 23:32
Zachery
Join Date: Jul 2002
Real name: Zachery Woods
Delete your install directory
__________________
Looking for ImpEx?
#13
04 Sep 2013, 23:34
TheLastSuperman
Join Date: Sep 2008
Real name: Michael Miller Jr

Originally Posted by dawges:
> Disabling Hooks does nothing, the iframe stays.
>
> Superman, I do not have vBSEO installed, however I will read the post you provided and report back.

If you had it in the past let us know, if you have never installed and used it then simply read my blog and run the queries listed from within phpMyAdmin. If you are not the best at dealing with this type of stuff or using phpMyAdmin then please post the results here and we'll try to assist you the best we can.

*Also who is your host? No name required, I simply ask as some do backups free of charge, some daily, some do hourly backups, and they may have one handy and can simply restore the site to just before the time of being hacked - if that is the case you will lose all posts/info since said time but you'll go back to the point before infection where you're safe to assume it's clean, then the objective at that time would be to rid yourself of any possible exploits such as removing the /install/ directory and checking for suspect file versions etc.
Last edited by TheLastSuperman; 04 Sep 2013 at 23:41.
#14
04 Sep 2013, 23:36
dawges
Join Date: May 2007
This username appeared 4 times in the admin group:

Th3H4ck
#15
04 Sep 2013, 23:39
TheLastSuperman
Join Date: Sep 2008
Real name: Michael Miller Jr
Originally Posted by dawges:
> This username appeared 4 times in the admin group:
>
> Th3H4ck

Note the userids of those 4 accounts, you may need them for reference later, but as soon as you write them down delete those admin accounts and, as Zachery noted then me as well, delete the /install/ directory immediately if it's present.

*Stop for one second though and reply to my backup question above ^ Do you have a recent backup? If so it's better to restore and nip any possible exploits in the bud. If no backups then continue on investigating and clearing out any malicious code/files/other.

Edit: I'm taking the family out to dinner but will check this when I return as I have work to do tonight regardless.
All times are GMT.