XDebug to the rescue…
The condensed, I-just-want-to-fix-my-site version:
On your server, try:
grep -ri \$mds /wherever/your/website/folder/is
to locate the injected code, and which file it resides in. You can then go into that file and remove it.
Also try re-caching all the skins and languages in the Admin Control Panel. Make sure all IP.Board updates and patches are applied to prevent the compromise happening again.
Reset your passwords and keys. Take measures to detect and continue detecting other infiltrations.
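The grep command above finds one known marker; for the "continue detecting" step, a file-hash baseline also catches later edits that use a different marker. This is an added example, not part of the original post: the function names and baseline format are assumptions, and it expects GNU grep, find, awk and sha256sum.

```shell
#!/bin/sh
# Added example: function names and the baseline format are assumptions.

# List files under $1 that contain the literal string "$mds".
# -F treats the pattern as a fixed string, so "$" is not a regex anchor;
# -i keeps the case-insensitive behaviour of the original grep command.
find_marker() {
    grep -rliF -- '$mds' "$1" 2>/dev/null | sort
}

# Print "sha256  path" for every regular file under $1.
# Save the output somewhere the web server user cannot write to.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2
}

# Compare the tree under $1 with a saved baseline file $2.
# Prints "CHANGED path", "NEW path" or "MISSING path", one per line.
# Paths containing newlines or backslashes are not handled.
compare_baseline() {
    current=$(mktemp) || return 1
    make_baseline "$1" > "$current"
    awk '
        # sha256sum lines: 64 hex chars, two spaces, then the path
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { old[path] = hash; next }   # saved baseline
        { seen[path] = 1
          if (!(path in old))         print "NEW", path
          else if (old[path] != hash) print "CHANGED", path }
        END { for (p in old) if (!(p in seen)) print "MISSING", p }
    ' "$2" "$current" | sort
    rm -f "$current"
}
```

Take the baseline only after the site has been cleaned and patched, then run compare_baseline on a schedule; expected changes such as regenerated caches will show up too and need to be reviewed or excluded.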
My friend Niall Brady dropped me an email, saying that some of the users of his Windows-Noob forums were reporting getting redirected to a spammy-looking site (url4short dot info) when clicking on search results to the site.
The forums run the Invision Power Board (IP.Board) software. There had been some reports of vBulletin boards being hit with this kind of spammy redirect, but fewer suggestions that this was an IPB problem. There had been a patch for a critical IPB issue released in December, but that had, obviously, been applied to the site as part of normal good practice.
Nevertheless, I was concerned. Clicking on a search engine result should definitely not redirect somewhere other than the result page!
Without evidence that the issue was not limited to one machine, or one connection, however, it could not be ruled out that it was just malware on that visitor’s machine.