vBulletin Mods

The Official vBulletin Modifications Site
https://www.vbulletin.org/forum/showthread.php?t=328189

How to get rid of popup / redirects? Please help :-(
by marikko
21 Aug 2020 18:12

Hi all,

I just updated to the latest vbulletin version because there seem to be some tricky hack on my board that redirects users to spammy websites by just clicking anywhere on the page ( http://www.sims4ever.de/forum.php ) or by just waiting some seconds (tested in chrome) for the popup to appear. After updating the problem were solved but few days later the popups are back again. Is there any known vulnerability in vbulletin 4.2.5. Alpha 3 that enables hackers to do stuff like this? How could I fix it?

This is an URL of one of the popups that appear:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Example content of popup:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


Dave 21 Aug 2020 18:27

There's malicious JavaScript injected into the file http://www.sims4ever.de/highslide/hi...ith-gallery.js on the very last line.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

https://i.imgur.com/MKlZMi4.png

Remove that from the file, clear the cache and you should hopefully be fine.

marikko 21 Aug 2020 19:50

Thank you Dave, it seems to fix the issue. But I am still not sure how the attacker could infect this file.

Hostboard 23 Aug 2020 14:09

I would start at checking your directory permissions first.
Also it has been 4 years since that software was updated.
I did find notices of of an exploit.

https://www.securityfocus.com/bid/39239

marikko 16 Sep 2020 17:05

The latest version is 4.2.5 as far as I know.

And the hacker was on my site again. He changed
clientscript/vbulletin_read_marker.js

and I don't know how.
The "file last changed date" in my FTP Client says that this file has not been touched for long time.
I already added directory protection for admin panel.

Anything else I could do to prevent this hacker to change files on my website?
Permissions seem to be correct (0644)

Hostboard 16 Sep 2020 17:28

Sorry, you had mentioned v4.2.5 Alpha 3 That is a pre-beta release and as noted 4.2.5 was publicly released as the final version in the 4 series. Please make sure you are running 4.2.5

This can be tricky as the attacker could have uploaded/placed a back door file.

I would re-upload ALL core files
Reupload ALL plugin files and make sure you have their latest releases..
I would do a folder by folder comparison of ALL files making sure they are all valid and a backdoor file is not hiding.
Change your FTP password as well as any other accounts that would have this level of access.
Change ALL admin passwords of the VB site.
Check the file/folder permissions based on the recommendations by VB.

vBulletin also has a tool to help identify out of date files:
ACP > Plugins & Products > Check ALL versions.

Time stamps are easily manipulated and you should not rely on them:
https://www.sitelock.com/blog/this-w...ut-dont-touch/


All times are GMT. The time now is 11:28.

Powered by vBulletin® Version 3.8.14
Copyright © 2021, MH Sub I, LLC dba vBulletin. All Rights Reserved. vBulletin® is a registered trademark of MH Sub I, LLC
Copyright ©2001 - , vbulletin.org. All rights reserved.