Site Exploited by recent 0-day reported by vBulletin, ad code inserted.

Discussion in 'vBulletin' started by sdi_employee, Sep 5, 2013.

  1. #1

    I recently fell victim to the /install folder exploit mentioned by vBulletin in a security update today. I believe I found all backdoors and dropped off plugins/code.

    That being said, it looks like they somehow managed to modify one of my templates (or code executed by a template) that is injecting ad code into my page that makes the site unusable (in addition to probably messing around quite a bit with someone's ad views with a hidden iFrame).

    In any case, I found a line in my footer that looked like this:

    {vb:raw vboptions.copyrighttext}

    It may look fairly innocuous (in fact, it seems as though this is required to get the digitalpoint copyright signature at the bottom of the page), but whatever this is executing is causing the hidden iframes and endless ad hosts javascript to be executed.

    I've removed it for now, but has anyone seen this? Know how to clear out the bad code so I can put the copyright notice back?
    sdi_employee, Sep 5, 2013 IP
  2. digitalpoint

    digitalpoint Overlord of no one Staff

    You should be able to go into your options and edit the copyrighttext field. I think it might be hidden, so you will need to be in debug mode to see it in there.
    digitalpoint, Sep 5, 2013 IP
  3. vespinoy

    vespinoy Active Member

    Just clear the Copyright text in AdminCP --> Options --> Site Name/URL/Contact Details
    Also check your Control Panel Log for activities your admin account has been making outside a familiar IP.
    I thought it was an injection but it might just be a case of someone logging into your account and editing the templates.
    Changing your password is highly recommended.
    vespinoy, Nov 17, 2013 IP
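
The two checks suggested in this thread (inspect the copyrighttext option for injected markup, and review the Control Panel Log for admin activity from unfamiliar IPs), as an added example that is not part of any post above. It assumes the option values and log rows have already been exported into Python dicts; the field names (`user`, `ip`, `script`, `action`) and all sample values are constructed for illustration.

```python
import ipaddress
import re

# Markup that has no business in a plain-text option such as copyrighttext.
ACTIVE_MARKUP = re.compile(r"<\s*(iframe|script|object|embed)\b|javascript:", re.I)

def suspicious_options(options):
    """Return the names of option values that contain active HTML/JS."""
    return sorted(name for name, value in options.items()
                  if ACTIVE_MARKUP.search(value or ""))

def unfamiliar_admin_actions(log_rows, trusted_networks):
    """Return log rows whose source IP lies outside every trusted network."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for row in log_rows:
        try:
            ip = ipaddress.ip_address(row["ip"])
        except ValueError:
            flagged.append(row)  # unparsable address: review by hand
            continue
        if not any(ip in net for net in nets):
            flagged.append(row)
    return flagged

# Constructed sample data (documentation address ranges, hypothetical
# export format; not taken from the incident in this thread).
OPTIONS = {
    "copyrighttext": 'Copyright 2013 <iframe src="//ads.example/x" '
                     'style="display:none"></iframe>',
    "bbtitle": "My Forum",
}
ADMIN_LOG = [
    {"user": "admin", "ip": "192.0.2.10", "script": "options.php", "action": "edit"},
    {"user": "admin", "ip": "203.0.113.77", "script": "template.php", "action": "edit"},
    {"user": "admin", "ip": "not-an-ip", "script": "plugin.php", "action": "edit"},
]
TRUSTED = ["192.0.2.0/24"]  # networks the real admins normally log in from

if __name__ == "__main__":
    print("options with active markup:", suspicious_options(OPTIONS))
    for row in unfamiliar_admin_actions(ADMIN_LOG, TRUSTED):
        print("review:", row)
```

Any flagged log row is only a lead: match its timestamp against when the option or template changed before concluding the admin account was used by someone else.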