Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 09 Nov 2010, 18:15
Jaske's Avatar
Jaske Jaske is offline
 
Join Date: Apr 2010
My Forum Has Been Hacked-PLEASE HELP!

Okay I'm new to vB and I'm still getting to know the ins and outs of it and I really hate asking for help without first trying to fix any problems I have, but I can not fix this problem and I know it has got to be a minor hack, but I just can't figure out where to look.

Today I logged into my forum and noticed on a few of the pages where the names of the threads are listed there are 3 small links that say "watch movies-buy movies-movies download". they are in the middle of the thread, between the thread name and the last post (see attachments below).

Now I have tried to look for the links in 'edit templates' but had no luck. Maybe someone on here can direct me in the right place to search?

The links appear to be on the page because when I scroll they move upward with the threads.

I also just checked my cPanel and in my forum directory there are a bunch of pages with names like "0a332aaf80d731a786131f1712d05670" but no info on the page when I open it up to view it...only "0.6" or "9"....any idea what these are? I don't remember them being there before....are they some sort of log?

Anyway, if you have an idea of what file(s) I should edit please let me know...this is aggravating as all hell!!




Reply With Quote
  #2  
Old 09 Nov 2010, 18:32
borbole's Avatar
borbole borbole is offline
 
Join Date: Jan 2010
Can you post the link to your forum? Those weired files, do they have any codes in them?
__________________
My mods.
Reply With Quote
  #3  
Old 09 Nov 2010, 18:58
Jaske's Avatar
Jaske Jaske is offline
 
Join Date: Apr 2010
Originally Posted by borbole View Post
Can you post the link to your forum? Those weired files, do they have any codes in them?
the weird files have only the number "0" or "0.6" in them (without quotes)....wondering if I should just delete them...
here's the link to one of the forum pages with the "watch movies" links...
http://www.illadelstylez.com/forum/f...ketches-Canvas
Reply With Quote
  #4  
Old 09 Nov 2010, 20:59
Ninos Ninos is offline
 
Join Date: Jul 2010
I can't give much help with the inner workings of vBulletin, but yes, delete them files now.

--------------- Added 09 Nov 2010 at 21:00 ---------------

Nice forum by the way.

Last edited by Ninos; 09 Nov 2010 at 21:00. Reason: Auto-Merged DoublePost
Reply With Quote
  #5  
Old 09 Nov 2010, 21:14
Jaske's Avatar
Jaske Jaske is offline
 
Join Date: Apr 2010
Originally Posted by Ninos View Post
I can't give much help with the inner workings of vBulletin, but yes, delete them files now.

--------------- Added 09 Nov 2010 at 16:00 ---------------

Nice forum by the way.
thanks.

--------------- Added 09 Nov 2010 at 16:52 ---------------

Now I deleted all the weird files that I know for sure didn't belong in the directory but after I deleted them all (around 100+) a couple at a time keep popping up...the files are named "1b7fdbbea3567de746321d9915b3502c" and all have different numbers & letters...I'll delete those, refresh the directory then there's 2-3 new ones...WTF!!!
Can anyone give me a name of an add-on or contribution that can scan the files? Something like "KISS File Safe" for OsCommerce....only for vBulletin...and is there any must-have security addons I should install? please help!

Last edited by Jaske; 09 Nov 2010 at 21:53. Reason: Auto-Merged DoublePost
Reply With Quote
  #6  
Old 10 Nov 2010, 10:50
TheRageIsOn TheRageIsOn is offline
 
Join Date: Mar 2010
Hey, i am wondering why can anyone other than you ( root ) write
in your webserver directories ?
Are they read only ?
Reply With Quote
  #7  
Old 10 Nov 2010, 11:11
Outbackmark's Avatar
Outbackmark Outbackmark is offline
 
Join Date: Jun 2007
Those files are something to do with it, as TheRage says, check the write permissions in your directory and change your root password asap, also for any FTP accounts you may have set up.
There have been additions made to FORUMHOME forumdisplay and threaddisplay templates. This code
Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

has been addred to those templates, the will probably be an xml file of some sort in one of your directories, thats installing this code in a similar way that addons/hacks add code to templates in VB/PHP.
You need to run VB Diagnostics/Suspect File Versions and check all non VB files, most addon/hack files will have recognizable names and alien files can be spotted fairly easily in the report.
I would also suggest you get your host to run a scan in your partition and make sure it's clean.
__________________
Aus Scambaiters
Reply With Quote
  #8  
Old 10 Nov 2010, 16:57
Jaske's Avatar
Jaske Jaske is offline
 
Join Date: Apr 2010
Originally Posted by Outbackmark View Post
Those files are something to do with it, as TheRage says, check the write permissions in your directory and change your root password asap, also for any FTP accounts you may have set up.
There have been additions made to FORUMHOME forumdisplay and threaddisplay templates. This code
Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

has been addred to those templates, the will probably be an xml file of some sort in one of your directories, thats installing this code in a similar way that addons/hacks add code to templates in VB/PHP.
You need to run VB Diagnostics/Suspect File Versions and check all non VB files, most addon/hack files will have recognizable names and alien files can be spotted fairly easily in the report.
I would also suggest you get your host to run a scan in your partition and make sure it's clean.
I found the links with Firebug but when I looked in the files I couldn't find them. So they are at the very top of the pages? I did see a long line of numbers like you posted...I will change passwords, run the check and keep posted what I get.
Reply With Quote
  #9  
Old 10 Nov 2010, 22:18
swiper the fox swiper the fox is offline
 
Join Date: Dec 2007
http://www.vbulletin.org/forum/showthread.php?t=203933
install instructions

Download: http://www.vbulletin-germany.org/showthread.php?t=5467

this is a very handy plugin which will assist you with searching for this and where/what plug-in it may be coming from
Reply With Quote
  #10  
Old 12 Nov 2010, 09:04
DigitalDark DigitalDark is offline
 
Join Date: Dec 2009
Probably these links are generated in php files of vBulletin. There is an option in vBulletin that recognizes external files:

Admincp -> Manteinance -> Check Version File (3rd option).

The files of plugins and other programs will appear. I'm sure that your vBulletin files (php files) has been modified and are linked with the strange "145384asdada5d6s54d6a5sd4a6sd" files.
If I were you I will download the vBulletin package again and reupload all the files. If you get the same after this step, it means that your sql data base has been touched.

Good luck.
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 00:45.

Layout Options | Width: Wide Color: