Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 21 Aug 2020, 17:12
marikko marikko is offline
 
Join Date: Jul 2020
Post How to get rid of popup / redirects? Please help :-(

Hi all,

I just updated to the latest vbulletin version because there seem to be some tricky hack on my board that redirects users to spammy websites by just clicking anywhere on the page ( http://www.sims4ever.de/forum.php ) or by just waiting some seconds (tested in chrome) for the popup to appear. After updating the problem were solved but few days later the popups are back again. Is there any known vulnerability in vbulletin 4.2.5. Alpha 3 that enables hackers to do stuff like this? How could I fix it?

This is an URL of one of the popups that appear:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Example content of popup:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Reply With Quote
  #2  
Old 21 Aug 2020, 17:27
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
There's malicious JavaScript injected into the file http://www.sims4ever.de/highslide/hi...ith-gallery.js on the very last line.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

https://i.imgur.com/MKlZMi4.png

Remove that from the file, clear the cache and you should hopefully be fine.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
Reply With Quote
  #3  
Old 21 Aug 2020, 18:50
marikko marikko is offline
 
Join Date: Jul 2020
Thank you Dave, it seems to fix the issue. But I am still not sure how the attacker could infect this file.
Reply With Quote
  #4  
Old 23 Aug 2020, 13:09
Hostboard's Avatar
Hostboard Hostboard is offline
 
Join Date: May 2002
Real name: Steven
I would start at checking your directory permissions first.
Also it has been 4 years since that software was updated.
I did find notices of of an exploit.

https://www.securityfocus.com/bid/39239
__________________
Custom Solutions for your vBulletin

Reply With Quote
  #5  
Old 16 Sep 2020, 16:05
marikko marikko is offline
 
Join Date: Jul 2020
The latest version is 4.2.5 as far as I know.

And the hacker was on my site again. He changed
clientscript/vbulletin_read_marker.js

and I don't know how.
The "file last changed date" in my FTP Client says that this file has not been touched for long time.
I already added directory protection for admin panel.

Anything else I could do to prevent this hacker to change files on my website?
Permissions seem to be correct (0644)
Reply With Quote
  #6  
Old 16 Sep 2020, 16:28
Hostboard's Avatar
Hostboard Hostboard is offline
 
Join Date: May 2002
Real name: Steven
Sorry, you had mentioned v4.2.5 Alpha 3 That is a pre-beta release and as noted 4.2.5 was publicly released as the final version in the 4 series. Please make sure you are running 4.2.5

This can be tricky as the attacker could have uploaded/placed a back door file.

I would re-upload ALL core files
Reupload ALL plugin files and make sure you have their latest releases..
I would do a folder by folder comparison of ALL files making sure they are all valid and a backdoor file is not hiding.
Change your FTP password as well as any other accounts that would have this level of access.
Change ALL admin passwords of the VB site.
Check the file/folder permissions based on the recommendations by VB.

vBulletin also has a tool to help identify out of date files:
ACP > Plugins & Products > Check ALL versions.

Time stamps are easily manipulated and you should not rely on them:
https://www.sitelock.com/blog/this-w...ut-dont-touch/
__________________
Custom Solutions for your vBulletin

Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 11:58.

Layout Options | Width: Wide Color: