Got hacked. What now?
Berethorn
10-16-2008, 06:09 PM
Hi everyone, haven't been here in a long time,
But last week my site got hacked. Practically every single page displays the typical black bg "you were hacked, haha" message (and nothing else). Restoring the entire file system did nothing, leading me to believe the hack is hidden in the database somewhere.
I'm not sure if I should post the link to my forum so people can see, or not?
Not only has it been a terribly long time since I backed up the database (I've been a bad admin and haven't been active at my forum), but the backup file is so large I don't know if I can restore it with phpMyAdmin.
A much better solution would be fixing the database. Where should I look in the database? Keep in mind that this bit of code or whatever affects every page with the exception of admincp/index.php (it displays the login page, but once you try to log in, you get the hacked page again).
Any help is appreciated!!!
Lynne
10-16-2008, 06:14 PM
I would look for files in your directories that shouldn't be there. Is there a link to the site that we can see this happening?
Berethorn
10-16-2008, 06:31 PM
http://www.landofrohan.com/forum/forumdisplay.php
(I edited the index.php page to give a notice to forumites - hence the link to forumdisplay)
I do believe I took care of any files that shouldn't have been there, as I replaced the entire /forum directory with a backup. :)
Quarterbore
10-16-2008, 06:45 PM
I am working on a server side spider to find hacked files and I would really be interested in working with you on this if you are game.
First, go into your server and look for an .htaccess file and make sure they didn't drop something in there. Often that is how they do this and it could be an easy fix to make it stop.
Next, go into your FTP program and look at the date/time that your files were changed. It is possible that they did not change all of your files. The files that were changed should be copied somewhere where they can be looked at later to try to help identify the culprit and perhaps learn how to identify their work in the future.
Then, you should replace all of the files that were modified with safe versions. I hope you have backups as otherwise this can be a painful experience. From there, let's hope that your site works but if not you may need to get more help.
If you find modified files, send me a PM and I will give you some clues on what I could use to bulk my hacker detector script I have started.
--------------- Added 1224186718 at 1224186718 ---------------
I also find it strange when you look at the source for the code I get this:
<!-- saved from url=(0026)http://woot.king-nerd.com/ -->
The site itself is just a front...
Berethorn
10-16-2008, 07:12 PM
I know, it's very strange. And it seems like it would be easy to find. :(
As for .htaccess, I can't find one unfortunately - that would have been too easy.
For your second suggestion, alas, I already overwrote the entire forum directory, so no evidence remains. But since the hack is still there, I don't believe it's actually in the files themselves. I still think it's a database thing.
puertoblack2003
10-16-2008, 07:20 PM
http://www.landofrohan.com/forum/forumdisplay.php
(I edited the index.php page to give a notice to forumites - hence the link to forumdisplay)
I do believe I took care of any files that shouldn't have been there, as I replaced the entire /forum directory with a backup. :)
It appears to be a file that you have to check when viewing the source code:
index4_files/ads.js. Find that file; somehow it's using that to deface your page, and in the SQL you would have to go to post or thread to view that code too.
Berethorn
10-16-2008, 07:44 PM
Hmn. There's no index4_files/ads.js anywhere on my server. Seems that's hosted remotely somewhere else. I'll look in post or thread in the DB though I'm not sure where to look in them. :(
Lynne
10-16-2008, 07:48 PM
After you got hacked, did you restore your database from a backup?
Search and see if you have a plugin you don't recognize.
Berethorn
10-16-2008, 07:54 PM
I haven't backed up the database, no. The last backup is from January. You don't have to tell me I should have backed up more (I used to).
I would still try to restore the January one if I could, but I think it's too big for phpMyAdmin to handle, and too big to send to the folks at my server to have them do it. Nonetheless I will find a way if needs must.
All the plugins are of my own installation. :(
Quarterbore
10-16-2008, 07:57 PM
I haven't backed up the database, no. The last backup is from January. You don't have to tell me I should have backed up more (I used to).
I would still try to restore the January one if I could, but I think it's too big for phpMyAdmin to handle, and too big to send to the folks at my server to have them do it. Nonetheless I will find a way if needs must.
A reminder to everyone that this really is easy to prevent!!!
Tutorial: Using the CRON tab to do daily backups and long term MYSQL archives (http://www.vbclassified.com/showthread.php?t=241)
--------------- Added 1224191004 at 1224191004 ---------------
Did you try disabling the plugin system by editing your config file?
To temporarily disable the plugin system, edit config.php
FIND
<?php
AFTER ADD
define('DISABLE_HOOKS', true);
That will at least confirm there is no way it is in the plugin system somehow.
Just remove it when you are done and you will be back to normal.
Quarterbore
10-16-2008, 08:08 PM
I am an idiot...
Just upload the attached file to your server. you will need to change the extension to .php (the file is safe). See if you can run it or if that is redirected somewhere.
Berethorn
10-16-2008, 08:11 PM
A reminder to everyone that this really is easy to prevent!!!
Tutorial: Using the CRON tab to do daily backups and long term MYSQL archives (http://www.vbclassified.com/showthread.php?t=241)
Thanks, and no thanks. :p
No, seriously, I didn't know about automatic backups. That's a great tip!
I disabled plugins as you said, and no change, so at least that's narrowed out.
Quarterbore
10-16-2008, 08:16 PM
Try uploading that file and see if you still have the problem. If so, then it is not a vbulletin or database issue. You may need to rename it forumdisplay.php to be sure as well.
Berethorn
10-16-2008, 08:35 PM
It shows up fine - "I hate hackers" - and I agree with it. ;)
But afterwards I realized I'd already edited my index.php.
http://www.landofrohan.com/forum/index.php?
Quarterbore
10-16-2008, 08:37 PM
OK, so you uploaded that file to "forumdisplay.php" and it didn't redirect?
This is important as that confirms this is not some server trick!
----------------------------------
The next thing I would do is make a new database and reinstall the forum software to the new database WITHOUT changing your existing site! You can create a new directory as the new copy can be anywhere as you really just need the database. You will need to install the same version you are running now so if you are running 3.6.11 don't install a 3.7.x or you will get errors.
Once it is installed and running, then go to the config file of the hacked forums and change the config file to have it look at the NEW database.
If you don't get this problem, then the issue is certainly in your database!
Berethorn
10-16-2008, 08:46 PM
Yes, I uploaded it as forumdisplay.php. No redirect. No server trick.
Okay, I'll try that. Meanwhile, if it IS a problem with the database, where is it likely to be? I know the possibilities are endless, but... i have searched the database quite a bit already but it's a big place.
Thanks for all your help, eh? :)
puertoblack2003
10-16-2008, 08:51 PM
Yes, I uploaded it as forumdisplay.php. No redirect. No server trick.
Okay, I'll try that. Meanwhile, if it IS a problem with the database, where is it likely to be? I know the possibilities are endless, but... i have searched the database quite a bit already but it's a big place.
Thanks for all your help, eh? :)
In the DB, start from the last and work your way back; it's easier that way, which I've done. Just my .2 :)
Quarterbore
10-16-2008, 08:56 PM
Yes, I uploaded it as forumdisplay.php. No redirect. No server trick.
Okay, I'll try that. Meanwhile, if it IS a problem with the database, where is it likely to be? I know the possibilities are endless, but... i have searched the database quite a bit already but it's a big place.
Thanks for all your help, eh? :)
You said you have a backup from January, restore that to a new database and change your config file to point to the new database and see if you are still redirected. If you are, then the problem is not the database but something they slipped into a file somewhere.
snakes1100
10-16-2008, 09:21 PM
There is no need to use a backup; this is a database-driven hack. You need to start searching for phrases he has on that page in your DB, use phpMyAdmin, that's fixable. After you find it all, start upgrading your forums & plugins.
Lynne
10-16-2008, 09:24 PM
I just wanted to add..... he got onto your site somehow and he will do so again unless you 'fix' the hole in your security. You may need to be talking to your host to help figure out how he got in.
Berethorn
10-16-2008, 09:38 PM
Yes, Lynne, this is a wakeup call indeed. I may reinstall and tighten things up after I get the problem sorted out. The main thing now is to salvage months of user data, posts, and settings.
I did as Quarterbore said, and confirmed it to be a database problem.
Snakes1100, there are hundreds of pages in the phrases table in the database (if that's what you meant). Any hint where to start? :(
Quarterbore
10-16-2008, 09:51 PM
So, how did you fix it?
http://www.landofrohan.com/forum/forumdisplay.php
edit - never mind you did a fresh install huh?
Berethorn
10-16-2008, 09:54 PM
It's not fixed... I just did like you said and installed vb to a new database then edited the original config.php to point to it. The old database is still there, and I'm looking through it. Perhaps I could try exporting and importing bits from the old database into the new "test" DB until something breaks.
Quarterbore
10-16-2008, 09:59 PM
I would go with snakes suggestion first.
Try searching for "index4_files" in your database...
If that doesn't work, look for something else in the source code that would be unique like "hacked" perhaps.
snakes1100
10-16-2008, 10:14 PM
Sorry, you will need to search the entire DB. In phpMyAdmin, click the DB to view all the tables, click the Search form there at the top, and click/select all tables to search at one time, with keywords/phrases that the hacker has on the page.
Berethorn
10-16-2008, 10:20 PM
I haven't found anything that way... my feeling is that the "hacker page" is remotely hosted, and that none of what you see is actually in the database. What I fear IS in the database is some harder-to-find redirector. :(
puertoblack2003
10-16-2008, 10:24 PM
Sorry, you will need to search the entire DB. In phpMyAdmin, click the DB to view all the tables, click the Search form there at the top, and click/select all tables to search at one time, with keywords/phrases that the hacker has on the page.
Quick question, why would it be in phrase? Wouldn't that be either in post or thread in the DB? Back when we had the forum that was being hacked by script kiddies because of an old mod here, I was able to resolve it through those two tables.
Quarterbore
10-16-2008, 10:33 PM
...try looking for "REFRESH" or "HTTP-EQUIV"
I know you don't know me, but if you would like help I would be glad to try to help, but the only way I could do that is to get access to your database. I am very curious how they did this for the tool I am coding, hence my interest.
EDIT: you are searching like this, right:
%refresh%
%http-equiv%
%index4_files%
I ask as I get hits for the first two and my site is not hacked. But there are not many of them, so you can look at them to find the cause.
Also search for this if you are not finding anything...
%base64%
Berethorn
10-16-2008, 11:24 PM
I FOUND IT! :D
It was your base64 hint! There was base 64 code hidden in the templates table, in a row with the title "spacer_open" which was part of something I added long ago - I don't know what for. But I think it was a random placement of the base64 code. I copied and then deleted the offending code, and now the site seems to be back to normal! Absolutely stunning what some code in one obscure area can do...
So thank you so much everyone! and especially Quarterbore who came up with the key to the mystery in the end: is there any information you want from me to help with your tool? :)
snakes1100
10-16-2008, 11:26 PM
Quick question, why would it be in phrase? Wouldn't that be either in post or thread in the DB? Back when we had the forum that was being hacked by script kiddies because of an old mod here, I was able to resolve it through those two tables.
I never said it was "in" a phrase, i said search for a "phrase" that the hacker used, ie keywords.
--------------- Added 1224203268 at 1224203268 ---------------
I FOUND IT! :D
It was your base64 hint! There was base 64 code hidden in the templates table, in a row with the title "spacer_open" which was part of something I added long ago - I don't know what for. But I think it was a random placement of the base64 code. I copied and then deleted the offending code, and now the site seems to be back to normal! Absolutely stunning what some code in one obscure area can do...
So thank you so much everyone! and especially Quarterbore who came up with the key to the mystery in the end: is there any information you want from me to help with your tool? :)
Keep your forum closed and update the forums, hacks, remove any files from the server that are no longer used, the security hole is most likely still there.
Berethorn
10-16-2008, 11:34 PM
Alright. I'll try to beef up the guard. :)
Quarterbore
10-16-2008, 11:53 PM
I would be curious to see the code they added if you can send me a PM with the encrypted code. I am sure it is just an encrypted refresh, but I will see if I can decrypt it. I have been studying the enemy for a while and there probably isn't much I can get from the code, but I would still like to see it for basic syntax.
You obviously have something they were able to take advantage of to do a SQL injection. So, as suggested, get the forums upgraded and evaluate the hacks you have added. Also, don't forget to get the automated database backups running, as if they did this the hacker could have deleted your entire database as well!
TheLastSuperman
10-17-2008, 12:08 AM
Ok, guilty as charged... I skimmed a bit...
Here's what I would do:
Make a backup now instead of tinkering w/ the only (although hacked) full version of your database that exists. Make a copy of that and tinker w/ it!
Check the FTP or File Manager for recently modified files or folders and review the code. Also make sure, however you're viewing the files, you have it to where it's not hiding any from your view.
As for restoring a large DB try bigdump.php or SQLyog Enterprise and give it a shot!
S-MAN
Berethorn
10-17-2008, 12:09 AM
Yes, luckily it wasn't a destructive hack; more of an informative one. I'll send it to you in a sec.
Unfortunately I have to pay $60 to renew to download anything above 3.6.8. I don't think it's feasible for me now.
Quarterbore
10-17-2008, 12:26 AM
Thanks for the code, and for your reference, you should never send code like that unmodified. For example, if you get encrypted code like that, modify the start of the encrypted code so it is changed...
From: eval(base64_decode('
To: eval(baNOCODEse64_decNOTode('
The code cannot be executed! You really have to be careful with encrypted code like that, as you never know everything it does until it is decrypted. Luckily, there are tools out there that can decrypt stuff pretty darned easily anymore.
--------------- Added 1224207351 at 1224207351 ---------------
I decrypted the code and it was relatively harmless HTML code. There was nothing in there to log passwords, as an example.
I am posting the code here just for the record and so you can see it. That nonsense of letters and numbers when decoded is the code that follows!
echo "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\">
<!-- saved from url=(0026)http://woot.king-nerd.com/ -->
<HTML
dir=rtl><HEAD><TITLE>:.: Hacked By ِAb0-Salem :.:</TITLE>
<SCRIPT language=javascript src=\"index4_files/ads.js\"></SCRIPT>
<META http-equiv=Content-Type content=\"text/html; charset=windows-1256\">
<META http-equiv=Content-Language content=en-us>
<STYLE>TABLE.MsoNormalTable {
FONT-SIZE: 10pt; FONT-FAMILY: \"Times New Roman\"; mso-style-parent: \"\"
}
.page {
BACKGROUND: #000000; FONT: bold 12pt arial,verdana,helvetica,sans-serif; COLOR: #acacac
}
.vbmenu_popup {
BORDER-RIGHT: #21728f 1px solid; BORDER-TOP: #21728f 1px solid; BACKGROUND: #000000; FONT: 8pt ms sans serif,arial; BORDER-LEFT: #21728f 1px solid; COLOR: #acacac; BORDER-BOTTOM: #21728f 1px solid
}
.thead {
FONT-WEIGHT: normal; FONT-SIZE: 8pt; BACKGROUND: #000000 repeat-x left top; COLOR: #ebebeb; FONT-STYLE: normal; FONT-FAMILY: ms sans serif, arial; FONT-VARIANT: normal
}
TD.thead {
PADDING-RIGHT: 4px; PADDING-LEFT: 4px; PADDING-BOTTOM: 4px; PADDING-TOP: 4px
}
.tborder {
BACKGROUND: #000000
}
.alt1 {
BACKGROUND: none transparent scroll repeat 0% 0%; COLOR: #acacac
}
DIV {
COLOR: #000
}
DIV {
FONT-FAMILY: arial,sans-serif
}
DIV.Section1 {
page: Section1
}
</STYLE>
<BGSOUND src=\"\" loop=infinite>
<META content=\"MSHTML 6.00.2900.3314\" name=GENERATOR></HEAD>
<BODY text=#c0c0c0 vLink=#c0c0c0 aLink=#c0c0c0 link=#c0c0c0 bgColor=#000000>
<P></P>
<SCRIPT language=JavaScript> if (document.all){ Cols=15; Cl=24; Cs=50; Ts=12; Tc='#008800'; Tc1='red'; MnS=25; MxS=30; I=Cs; Sp=new Array();S=new Array();Y=new Array(5,6); C=new Array();M=new Array();B=new Array(); RC=new Array();E=new Array();Tcc=new Array(\"x\",\"h\",\"a\",\"h\",1,\"x\"); document.write(\"<div id='Container' style='position:absolute;top:0;left:-\"+Cs+\"'>\"); document.write(\"<div style='position:relative'>\"); for(i=0; i < Cols; i++){ S[i]=I+=Cs; document.write(\"<div id='A' style='position:absolute;top:0;font-family:Arial;font-size:\" +Ts+\"px;left:\"+S[i]+\";width:\"+Ts+\"px;height:0px;color:\"+Tc+\";visibility:hidden'></div>\"); } document.write(\"</div></div>\"); for(j=0; j < Cols; j++){ RC[j]=1+Math.round(Math.random()*Cl); Y[j]=0; Sp[j]=Math.round(MnS+Math.random()*MxS); for(i=0; i < RC[j]; i++){ B[i]=''; C[i]=Math.round(Math.random()*1)+' '; M[j]=B[0]+=C[i]; } } function Cycle(){ Container.style.top=window.document.body.scrollTop ; for (i=0; i < Cols; i++){ var r = Math.floor(Math.random()*Tcc.length); E[i] = '<font color='+Tc1+'>'+Tcc[r]+'</font>'; Y[i]+=Sp[i]; if (Y[i] > window.document.body.clientHeight){ for(i2=0; i2 < Cols; i2++){ RC[i2]=1+Math.round(Math.random()*Cl); for(i3=0; i3 < RC[i2]; i3++){ B[i3]=''; C[i3]=Math.round(Math.random()*1)+' '; C[Math.floor(Math.random()*i2)]=' '+' '; M[i]=B[0]+=C[i3]; Y[i]=-Ts*M[i].length/1; A[i].style.visibility='visible'; } Sp[i]=Math.round(MnS+Math.random()*MxS); } } A[i].style.top=Y[i]; A[i].innerHTML=M[i]+' '+E[i]+' '; } setTimeout('Cycle()',50) } Cycle(); } </SCRIPT>
<SCRIPT language=JavaScript> puchtit=\"] Ab0-Salem [\"; letrero2=\"·.¸¸.·´´¯`··._.··.¸¸.·´´¯`··._. ··.¸¸.·´´¯\"; letrero1=\"·.¸¸.·´´¯`··._.··.¸¸.·´´¯`··._. ··.¸¸.·´´¯\";;ultimo1=letrero1.length-1; ultimo2=letrero2.length-1; tiempo=setTimeout(\"scroll()\",.1); function scroll() { aux1=letrero1.charAt(ultimo1-1); letrero1=aux1+letrero1.substring(0,ultimo1-1); aux2=letrero2.charAt(0); letrero2=letrero2.substring(1,ultimo2+1)+aux2; window.status=\"(\" + letrero2 + puchtit + letrero1 + \")\"; tiempo=setTimeout(\"scroll()\",.1); return true; } // --> </SCRIPT>
<DIV style=\"COLOR: #000; FONT-FAMILY: arial,sans-serif\" align=center><SPAN
style=\"HEIGHT: 30px\">
<DIV class=Section1>
<DIV
style=\"WIDTH: 900px; COLOR: rgb(0,0,0); FONT-FAMILY: arial,sans-serif; HEIGHT: 374px\"
align=center>
<TABLE style=\"WIDTH: 90%\" height=500 cellPadding=0 width=\"90%\" border=0>
<TBODY>
<TR>
<TD
style=\"BORDER-RIGHT: red 0.75pt solid; PADDING-RIGHT: 0.75pt; BORDER-TOP: red 0.75pt solid; PADDING-LEFT: 0.75pt; FONT-WEIGHT: normal; FONT-SIZE: 14pt; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: red 0.75pt solid; COLOR: rgb(28,176,129); PADDING-TOP: 0.75pt; BORDER-BOTTOM: red 0.75pt solid; FONT-STYLE: normal; FONT-FAMILY: verdana,geneva,lucida,'lucida grande',arial,helvetica,sans-serif; FONT-VARIANT: normal\"></FONT></B></FONT></FONT>
<P align=center><SPAN lang=ar-sa><B><FONT face=\"Traditional Arabic\"
color=#ffffff size=5></FONT></B></SPAN> </P>
<P dir=ltr align=center><B><FONT face=Verdana color=#e0e0e0>H0 H0, You G0t
Defaced<SPAN lang=en-us> Just Be CoOol And Learn</SPAN>
!</FONT></B></P><SPAN>
<P align=center> </P></SPAN>
<FONT face=\"Arial Narrow\" size=4>
<P align=center>
</P><SPAN>
<P dir=ltr align=center><B><FONT face=Verdana color=#00ff00
size=5> </FONT></B><FONT face=Verdana color=#00ff00
size=5>[</FONT><B><FONT face=Verdana color=#00ff00 size=5> W3 Do Wh4t w3
s4y</FONT></B><FONT face=Verdana color=#00ff00 size=5> ]<SPAN
lang=ar-eg> </SPAN></FONT></P>
<P dir=ltr align=center> </P>
<P dir=ltr align=center> </P>
<P dir=ltr align=center><SPAN style=\"TEXT-TRANSFORM: uppercase\"><FONT
face=\"Monotype Corsiva\"><SPAN lang=en-us><FONT color=#ffffff size=6>HaCkEd
By ;</FONT></SPAN></FONT></SPAN></P>
<P dir=ltr align=center> </P>
<P dir=ltr align=center><B><FONT face=Verdana
size=5> </FONT></B><FONT face=Verdana color=#999999
size=5>[</FONT><B><FONT face=Verdana color=#e0e0e0 size=5> Ab0-Salem
</FONT></B><FONT face=Verdana color=#999999 size=5>]</FONT></P>
<P dir=ltr style=\"TEXT-ALIGN: center\"><FONT face=\"Courier New\"
color=#999999 size=4><B>Wh3r3 is The Security Dude ?</B></FONT></P>
<P dir=ltr style=\"TEXT-ALIGN: center\"><B><FONT face=\"Courier New\"
color=#999999 size=4> Yeah, IT Seems Security Doomed to FAILURE
</FONT><FONT face=\"Microsoft Sans Serif\" color=#999999 size=4>(^_*) ..
</FONT></B></P>
<P align=center><B><FONT face=Verdana color=#999999 size=2>Just Secure
Your Mind , Then Secure Your Site Dude !</FONT></B></P></SPAN>
<P align=center><SPAN lang=ar-sa><FONT color=#ff00ff
size=4>==--===</FONT><FONT size=4><FONT
color=#ffff00>--===--===--=</FONT><FONT
color=#ff0000>==--===--===</FONT><FONT color=#ffff00>--===--</FONT><FONT
color=#008000>===--===--=</FONT></FONT><FONT color=#ffff00
size=4>==</FONT></SPAN></P>
<P dir=ltr style=\"TEXT-ALIGN: center\"><FONT face=Verdana color=#ffffff>W3
M4k3 Th!s ++++en N3t</P>
<P dir=ltr style=\"TEXT-ALIGN: center\">Try To Play With Us And U Will Know
The W3 r Th3 G4m3</FONT></P><SPAN>
<P align=center><SPAN lang=ar-sa><FONT color=#ff00ff
size=4>==--===</FONT><FONT size=4><FONT
color=#ffff00>--===--===--=</FONT><FONT
color=#ff0000>==--===--===</FONT><FONT color=#ffff00>--===--</FONT><FONT
color=#008000>===--===--=</FONT></FONT><FONT color=#ffff00
size=4>==</FONT></SPAN></P></SPAN>
<P align=center> </P><SPAN>
<P dir=ltr align=center><B><FONT face=Verdana
size=5> </FONT></B><FONT face=Verdana color=#ff0000
size=5>[</FONT><B><FONT face=Verdana color=#e0e0e0 size=5>
Ab0-Salem</FONT></B><FONT face=Verdana color=#ff0000
size=5>]</FONT></P></SPAN>
<P align=center><SPAN><FONT face=Verdana color=#ff0000 size=5><A
href=\"\"></A></FONT></SPAN></P>
<P dir=ltr align=center><FONT face=Verdana color=#ff0000 size=5><A
></A></FONT></P><SPAN>
<P dir=ltr align=center> </P>
<P dir=ltr align=center> </P></SPAN>
<P align=center> </P>
<P dir=rtl style=\"DIRECTION: rtl; unicode-bidi: embed\" align=center><EMBED
name=video pluginspage=http://www.real.com/player/
src=http://www.members.lycos.co.uk/sn1p3r/mu/nana.rm width=165 height=62
hidden=true type=audio/x-pn-realaudio-plugin loop=\"true\" autostart=\"true\"
nojava=\"true\" controls=\"ControlPanel,StatusBar\" maintainaspect=\"false\">
</P></TR></TBODY></TABLE></DIV></DIV></SPAN></DIV></BODY></HTML>
";
Berethorn
10-17-2008, 12:42 AM
Oh dear, that was clumsy of me. :(
Hornstar
11-01-2008, 03:50 AM
...try looking for "REFRESH" or "HTTP-EQUIV"
I know you don't know me, but if you would like help I would be glad to try to help, but the only way I could do that is to get access to your database. I am very curious how they did this for the tool I am coding, hence my interest.
EDIT: you are searching like this, right:
%refresh%
%http-equiv%
%index4_files%
I ask as I get hits for the first two and my site is not hacked. But there are not many of them, so you can look at them to find the cause.
Also search for this if you are not finding anything...
%base64%
I searched my database for %base64% and found quite a fair few hits but cannot determine which are legit or not.
My site got hacked last week and I found a different method to get my templates showing up instead of the hacked version; however, I still have a couple of the hacked templates up as I have not had time to change those just yet.
Any idea what table name, or what kind of code I should be looking for more exactly?
Quarterbore
11-03-2008, 06:02 PM
There shouldn't be any base 64 scripts in your forums ;)
puertoblack2003
11-04-2008, 01:31 AM
How is that even embedded? Is it a mod badly written?
Hornstar
11-05-2008, 06:07 AM
There shouldn't be any base 64 scripts in your forums ;)
What should I do?
Search results for "%base64%" at least one of the words:
2 match(es) inside table vb3_datastore
4 match(es) inside table vb3_plugin
2 match(es) inside table vb3_pmtext
4 match(es) inside table vb3_post
3 match(es) inside table vb3_postedithistory
1 match(es) inside table vb3_postparsed
1 match(es) inside table vb3_word
Total: 17
Example: Table: vb3_word
SQL query: SELECT *
FROM `***_***`.`vb3_word`
WHERE ( `wordid` LIKE '%%base64%%'
OR `title` LIKE CONVERT( _utf8 '%%base64%%'
USING latin1 )
COLLATE latin1_swedish_ci
)
LIMIT 0 , 30
Wordid: 57647
title: base64
Example: table vb3_plugin
SQL query: SELECT *
FROM `***_***`.`vb3_plugin`
WHERE ( `pluginid` LIKE '%%base64%%'
OR `title` LIKE CONVERT( _utf8 '%%base64%%'
USING latin1 )
COLLATE latin1_swedish_ci
OR `hookname` LIKE CONVERT( _utf8 '%%base64%%'
USING latin1 )
COLLATE latin1_swedish_ci
OR `phpcode` LIKE CONVERT( _utf8 '%%base64%%'
USING latin1 )
COLLATE latin1_swedish_ci
OR `product` LIKE CONVERT( _utf8 '%%base64%%'
USING latin1 )
COLLATE latin1_swedish_ci
OR `devkey` LIKE CONVERT( _utf8 '%%base64%%'
USING latin1 )
COLLATE latin1_swedish_ci
OR `active` LIKE '%%base64%%'
OR `executionorder` LIKE '%%base64%%'
)
LIMIT 0 , 30
$attachpatch_patchfirstpost = array ();
global $foruminfo, $vbulletin;
if (!empty ($vbulletin->options['attachpatch_patchfirstpost'])) {
$attachpatch_patchfirstpost = preg_replace ('/[^0-9,]*/', '', $vbulletin->options['attachpatch_patchfirstpost']);
$attachpatch_patchfirstpost = explode (',', $attachpatch_patchfirstpost);
}
if
(
$vbulletin->options['attachpatch_enable']
AND
(
in_array($foruminfo['forumid'], $attachpatch_patchfirstpost)
OR
$vbulletin->options['attachpatch_patchfirstpost'] == -1
)
AND
$post['parentid'] == 0
)
{
if (!isset ($attachpatchinfo))
{
// initialize my variables
$attachpatchinfo = array ();
$attachpatchinfo['mycounter'] = 0; // counts loop iterations
$attachpatchinfo['combinedfilesize'] = 0;
$attachpatchinfo['moderatedattachments'] = '';
$attachpatchinfo['showmoderatedattachments'] = false;
$attachpatchinfo['visibleattachments'] = false;
$attachpatchinfo['attachmentids'] = array ();
$attachpatchinfo['dateline'] = 0;
$attachpatchinfo['counter'] = 0; // this is the vB download counter for the attachment
}
// count attachments to know the last time we go thru the loop
++$attachpatchinfo['mycounter'];
if ($attachment['visible'])
{
// do the necessary stuff from the original loop in the function
// skip the various built-in vb templates (image/thumbnail etc)
if (THIS_SCRIPT == 'external')
{
$attachment['counter'] = $vbphrase['n_a'];
$show['views'] = false;
}
else
{
$show['views'] = true;
}
// remember that there is at least one visible (not moderated) attachment
$attachpatchinfo['visibleattachments'] = true;
// add up total filesize of non-moderated attachmentes
$attachpatchinfo['combinedfilesize'] += $attachment['filesize_real'];
// save the attachment ids, dateline & counter to output in the template
$attachpatchinfo['attachmentids'][] = $attachment['attachmentid'];
$attachpatchinfo['dateline'] = $attachment['dateline']; // dateline & counter will end up being that of the
$attachpatchinfo['counter'] = $attachment['counter']; // last attachment, but that should suffice.
}
else
{
// do default vb moderated attachments (but save 'em to our variable)
eval('$attachpatchinfo[\'moderatedattachments\'] .= "' . fetch_template('postbit_attachmentmoderated') . '";');
$attachpatchinfo['showmoderatedattachments'] = true;
}
// set to false so that the vB original loop does less
// it does a moderated attachment instead of the real ones.
// which will have to be erased later.
$attachment['visible'] = false;
// last time thru the loop, save the info for later.
if ($attachpatchinfo['mycounter'] == $attachcount)
{
// format the filesize nicely
$attachpatchinfo['combinedfilesizepretty'] = vb_number_format($attachpatchinfo['combinedfilesize'], 1, true);
// save the whole she-bang for the next plugin.
$this->post['attachpatchinfo'] = $attachpatchinfo;
// we know there's at least on visible (not moderated) attachment
if ($attachpatchinfo['visibleattachments'])
{
$attachpatchinfo['attachmentids'] = implode(',', $attachpatchinfo['attachmentids']);
global $threadinfo;
$attachpatchinfo['encodedthreadtitle'] = urlencode(base64_encode($threadinfo['title']));
// process all attachments thru the postbit_attachmentszippedtogether template
// do it here at the end, so it only gets done once.
eval('$this->post[\'otherattachments\'] .= "' . fetch_template('postbit_attachmentszippedtogether' ) . '";');
$show['otherattachment'] = true;
}
}
}
terracore
11-07-2008, 02:58 AM
I was just following this thread and searched my database (I've recently been hacked) and found 2 instances of %base64% IS THIS A PROBLEM?
Hornstar
11-07-2008, 04:22 AM
I was just following this thread and searched my database (I've recently been hacked) and found 2 instances of %base64% IS THIS A PROBLEM?
Whoever can answer this can you also provide a solution about what we need to do to clean this up and fix things. thanks.
JayGatz
11-08-2008, 07:59 PM
What mods have you added?
Silver_Seagull
11-13-2008, 12:48 AM
I got hacked by ab0-salem as well... I am in the process of "sanitizing" my database, but I am new to this: I am not sure where I should "snip" this base64 decode...can anyone help?
snip...
,\"subscriptions.php\")) {\r\n\r\neval(gzinflate(base64_decode(\'HJ ...snip... 8A\')));\r\n\r\nexit;\r\n}\r\n\";}',1), [end of line in file]
PS - I'm also interested in seeing what exactly this is/does, but it decodes to a binary file and that's where I get lost. Any help is appreciated! :)
henlyn
11-13-2008, 08:31 AM
Will re post... sorry
snakes1100
11-13-2008, 08:36 AM
Please create your own thread.
You need to read the vbulletin manual, it has full descriptions of what you need to do.
If you have a vhost server, you will be stuck with using a script, which aren't 100% dependable; you should always dump your DB via the command line through SSH w/ mysqldump, or in Windows via the mysql cmd-line client.
henlyn
11-13-2008, 08:41 AM
Right Thanks
Hornstar
11-22-2008, 08:55 PM
I found that they have uploaded 2 files called moj.php and sql.php in my downloads folder, which was chmod 777 because of the downloadsII mod. I have since changed this to 755, but that mod no longer works with it at 755. Both files contained base 64 code (encrypted), so I have a feeling this is where the hacking took place. I am looking elsewhere for any more .php files that should not be uploaded.
Is there something I can search for in SSH to see if there are any files containing base64 code, and is there some sort of setting on my server I should have enabled/disabled to ensure these types of files cannot be run, etc.?