Can anyone tell me what this file is?


SloppyGoat
11-26-2011, 10:57 PM
It infected my 3.8 forum, and I found it through both AV and the file name. I knew it didn't belong. What was strange was, the site worked fine, but the home page would not load. I restored from my backups several times and it would load fine for maybe 24 hours, then the same problem happened over and over, until I finally found and removed it. I lost months of posts, but finally seem to have the forum stable again. What I am wondering is if I have anything else to worry about? Has this file done anything else to my forum? I don't know PHP, and I am really in the dark about what this means. Although, it's obvious that there is some malicious code in it. Especially the part about "Webshell by oRb" and the lines from about 743 - 754.

Can anyone explain to me how this ended up in my web root and what the hell it did (or tried to do) to my forum? I have renamed the extension to txt and it should not be dangerous at all now. That is all I have changed about the file. Any help would be greatly appreciated. I have been running this forum for about 10 years and this is the most serious problem/attack I have ever had. If anyone can help me figure out what happened and/or how to avoid it from happening again, I sure would appreciate it.

Lynne
11-26-2011, 11:38 PM
Without going through it line by line, it looks like it gives the person any and all information that they want about your server - the password, open ports, where any config files are located (for php, mysql, apache, etc), privileges, backups... anything they asked for (you can see all that starting around line 75). It looks like it gives the user a form where they may select what to get/do to your server.
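
The thread never posts the file itself, so here is an added illustration (not code from this thread, from Lynne, or from vBulletin) of how a practitioner would sweep a web root for the kind of file described above. The only indicator the thread supports is the "Webshell by oRb" banner the poster saw; every other pattern in the list is my own assumed set of strings typical of PHP webshells and obfuscated loaders, and the sample files the script scans are constructed for the demo. A hit is a lead for manual review, not proof of compromise, and a clean run does not prove there is no second shell hidden some other way.

```python
"""Webshell indicator scan over a web root (added example, not from the thread).

Only the "orb_banner" indicator comes from the thread; the rest are assumptions
about strings commonly found in PHP webshells and obfuscated loaders.
"""
import os
import re
import tempfile

# Indicator name -> regex. "orb_banner" is from the thread; the others are assumed.
INDICATORS = {
    "orb_banner": re.compile(r"web\s*shell\s+by\s+oRb", re.I),
    "eval_of_decoded_blob": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I),
    "preg_replace_e_modifier": re.compile(
        r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
    "command_exec_from_request": re.compile(
        r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "callable_taken_from_request": re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}

# .txt is included because the poster renamed the shell to .txt instead of deleting it.
SCAN_EXTENSIONS = (".php", ".phtml", ".php5", ".inc", ".txt")


def scan_file(path):
    """Return a list of (indicator_name, line_number) hits for one file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, start=1):
            for name, pattern in INDICATORS.items():
                if pattern.search(line):
                    hits.append((name, line_no))
    return hits


def scan_tree(root):
    """Walk `root` and return {relative_path: hits} for files with at least one hit."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(SCAN_EXTENSIONS):
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if hits:
                results[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return results


# Constructed sample files for a stand-alone run; nothing here came from the poster's server.
SAMPLE_FILES = {
    "forum/global.php": (
        "<?php\n"
        "require_once('./includes/init.php');\n"
        "$title = preg_replace('/\\s+/', ' ', $title);  // benign: no /e modifier\n"
        "echo $title;\n"
    ),
    "shell.txt": (
        "<?php\n"
        "// Webshell by oRb\n"
        "$auth_pass = '';\n"
        "if (isset($_POST['c'])) { passthru($_POST['c']); }\n"
        "eval(gzinflate(base64_decode($payload)));\n"
    ),
    "forum/images/tmp.php": (
        "<?php\n"
        "$f = $_GET['f'];\n"
        "$_GET['x']($f);  // function name chosen by the client\n"
    ),
}


def demo():
    """Write the constructed samples to a temp dir, scan them, and return {path: sorted indicator names}."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        found = scan_tree(root)
    return {path: sorted({name for name, _ in hits}) for path, hits in found.items()}


if __name__ == "__main__":
    for path, names in sorted(demo().items()):
        print(path, "->", ", ".join(names))
```

Run it against the real web root with `scan_tree(r"C:\inetpub\wwwroot")` (path assumed) and review every hit by hand; the benign `preg_replace` in the sample shows why the regexes are written to avoid the most common false positive rather than matching on function names alone.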

SloppyGoat
11-26-2011, 11:43 PM
Well, that's just great! How did this happen? Nobody has ever had access to my root folder ever. Nothing seems to have been compromised. What should I do? The file creation dates way back to Jan, and nothing weird happened until recently.

I don't run an Apache server. It appears that may be why it didn't work?

--------------- Added 26 Nov 2011 at 19:24 ---------------

Is my forum safe with the file removed if nothing else has happened? As far as I know, the only thing that went wrong is my home page would not load. Everything else on the forum was working fine. Every other page, link, and feature was entirely accessible and operational. I don't believe any passwords or anything were actually accessed. At least, there are no signs that anyone has been hacked or anything. The only port that was ever open on my server was 80. It looks more like a failed attempt, that just messed with the home page's ability to load.

Max Taxable
11-27-2011, 12:47 AM
Well, that's just great! How did this happen? Likely, YOU installed it. When you installed a style, add-on, or plugin. Always check everything carefully you install that isn't native vBulletin. Lots of creeps install back-door and "call home" stuff in the guise of something shiny, nice and new for your board.

Installed anything new lately? Or, corresponding with the date and time this file was installed on your server?

SloppyGoat
11-27-2011, 12:54 AM
I haven't installed anything in ages (probably years)...and nothing that was not an official approved (or at least well tested by others) hack, from here. There is no way in hell I would install something unverified like that. I have been running this forum since 2001. I don't really know PHP, but I'm not that stupid. You don't run a practically trouble free, bullet proof server that long by being ignorant.

Max Taxable
11-27-2011, 12:45 PM
I haven't installed anything in ages (probably years)...and nothing that was not an official approved hack, from here. There is no way in hell I would install something unverified like that. I have been running this forum since 2001. I don't really know PHP, but I'm not that stupid. You don't run a practically trouble free, bullet proof server that long by being ignorant.

Some of the back door stuff, the "call home" stuff, DOES come from here. Just because something is posted here does not make it "official approved." Everything you get from here is strictly use at your own risk.

Of course, no one claimed you were ignorant. I was merely proposing a possibility that William of Occam would approve of.

What date/time was this malicious file installed? Can you give us a live link to your board, for examination?

SloppyGoat
11-27-2011, 03:41 PM
I have a link in my signature. The funny thing is, the file was dated Jan/2011. The last hack I'd installed was years ago. Someone somehow got into my root folder. It doesn't even make sense, since the problems didn't start until just this last month. I have no idea when it even started, because I always went to New Posts, instead of the home page.

Once again, nothing had been installed or changed for at least 2 years...probably more.

Don't you think someone would have said something if an officially released hack here was actually a malicious code? I have never installed anything no one else has tried and tested to work...with no bad reports. It's an old version. (3.8.0) I pretty much stopped adding new hacks when I stopped upgrading the board because it's the last update vBulletin offered for my license. 3.8.0 came out a long time ago.

BTW, the only thing that calls anywhere from my forum is the StopForumSpam hack, that checks their database for known spammers upon registration. That's been working fine for years and still works fine.

Lynne
11-27-2011, 03:51 PM
The only way to find out how it was installed is to look at server logs from the time it was installed. It seems very unlikely that any of those logs are still available for you to look at.

Also, just a note, none of the modifications offered here are "officially approved". We don't go through any approval process with the modifications. If we hear of any rogue files like the one you found being supplied with the modification, we would remove the modification. I don't recall of ever hearing of any file like the one you found being supplied with any modification here.

Are you on your own server or on a shared server?

SloppyGoat
11-27-2011, 03:58 PM
It is my own server, run from my home, behind 2 firewalls. Three now, actually...one SW and two routers. It's not easy to get into. Why anyone would waste their time, I don't know. I have never even been close to the first to install any mods. There has always been plenty before me. I can almost guarantee it has nothing to do with any mods I installed.

Here is a list of the things I have installed years ago. These are things that have kept my forum running flawlessly for so long.
That file was never there after any of these installs. I know my server pretty well after so many years.
I'm listing the links and names, even though it's kind of a pain in the ass to list all of these at all. Most of these seem to go way back to around 2008. I think the last one installed was 2010. Still going to try to convince me it's a bad hack that installed it? One that just never did anything for years??? That makes no sense!

https://vborg.vbsupport.ru/showthread.php?t=172215 - All Albums (https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=abe1_all_albums)
https://vborg.vbsupport.ru/showthread.php?t=201156 - Automatic Thread Tagger (https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=autotag38)
https://vborg.vbsupport.ru/showthread.php?t=177928 - Cyb - Attention Zero-Posters (https://vborg.vbsupport.ru/showthread.php?t=177928)
https://vborg.vbsupport.ru/showthread.php?t=122997 - Cyb - PayPal Donate (https://vborg.vbsupport.ru/showthread.php?t=122997)
https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=paulm_20051015 - FlashChat Integration (https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=paulm_20051015)
https://vborg.vbsupport.ru/forumdisplay.php?f=170 - ibProArcade for vBulletin (https://vborg.vbsupport.ru/forumdisplay.php?f=170)
https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=paulm_20050629 - Members who are using flashchat (https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=paulm_20050629)
https://vborg.vbsupport.ru/showthread.php?t=125790 - Mini Navbar (https://vborg.vbsupport.ru/showthread.php?t=125790)
https://vborg.vbsupport.ru/showthread.php?t=121886 - Miserable Users (https://vborg.vbsupport.ru/showthread.php?t=121886)
https://vborg.vbsupport.ru/showthread.php?t=183329 - NoSpam! (https://vborg.vbsupport.ru/showthread.php?t=183329)
https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=paulm_pdp_38 - Prevent DoublePosts (https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=paulm_pdp_38)
https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=quickeditor_improver - Quick Editor Improver (https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=quickeditor_improver)
https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=paulm_ptr_38 - Real ip detection (https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=paulm_ptr_38)
https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=users_cleanup - Users Cleanup (https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=users_cleanup)
https://vborg.vbsupport.ru/showthread.php?p=1536681 - vB Spell (https://vborg.vbsupport.ru/showthread.php?p=1536681)
https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=vbstopforumspam - vbStopForumSpam (https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=vbstopforumspam)

There are only two that don't have links to this forum...

Un-Activated User Management v.3
and
Usergroup Allow HTML v.3.5 (This was probably one of the first I ever installed, and I am and have always been the only one with this privilege.)

Those two hacks are very old, as are all of them. I think the anti spam hack could be the last one I ever installed, back when we were all fighting spam registrations. Most have dates on the release page, and it appears only the ibproArcade link doesn't exist anymore. No matter, that has been installed for years...since I upgraded to 3.8, and we all know how long ago that's been now, right?

It's hard to keep track of all of these, but I am doing my best to list them all and provide links to the original threads. Most of them appear to be from at least 2008, except for the one that is dated 2010.

Lynne
11-27-2011, 04:27 PM
Like I said before, I have never known of any mod from here having some script like that included with it. I would guess the file got there some other way. But, without looking at your logs, then you wouldn't know how.

SloppyGoat
11-27-2011, 04:32 PM
Which logs are you referring to? The files creation date was Jan 26, 2011.

Lynne
11-27-2011, 05:40 PM
Server access logs.

SloppyGoat
11-27-2011, 05:56 PM
You mean the IIS log files? I don't run Apache, remember? I still have all the log files, but have no idea what to look for, or even where to start, since I really don't know when the problem even started...as I believe I mentioned above.
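
Lynne's point above (server access logs are the only way to learn how the file got there) and the question of what to look for in IIS logs both come down to the same search, so here is one added example that is not code from the thread or from any of its participants. IIS writes W3C extended logs with a `#Fields:` header that names the columns; the script parses that header, reports when and from which client addresses the suspect file was requested, and lists every `.php` URI by the time it was first requested, since a script that appears on a date when nothing was installed is exactly the lead to chase. The thread gives neither the file name nor any log line, so `SUSPECT_URI` is a placeholder and `SAMPLE_LOG` is constructed; only its first date is chosen to coincide with the Jan 26, 2011 creation date the poster mentions.

```python
"""Search IIS W3C extended logs for activity around a suspect file in the web root.

Added example for this thread, not the poster's data. SUSPECT_URI is a placeholder
and SAMPLE_LOG is constructed.
"""
import os
from collections import Counter

SUSPECT_URI = "/suspect.php"  # placeholder: use the real file name as it was before the rename to .txt

# Constructed log (IIS W3C format); the dates are chosen to match the creation date in the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-01-26 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-01-26 03:12:41 192.168.1.10 GET /forum/index.php - 80 - 203.0.113.7 Mozilla/5.0+(Windows) 200 0 0
2011-01-26 03:14:30 192.168.1.10 POST /suspect.php - 80 - 203.0.113.7 Mozilla/5.0+(Windows) 200 0 0
2011-01-26 03:15:02 192.168.1.10 POST /suspect.php a=1 80 - 203.0.113.7 Mozilla/5.0+(Windows) 200 0 0
2011-01-27 09:00:10 192.168.1.10 GET /forum/showthread.php t=1 80 - 198.51.100.4 Mozilla/5.0+(X11) 200 0 0
2011-02-02 22:40:55 192.168.1.10 GET /suspect.php - 80 - 203.0.113.9 curl/7.21.0 200 0 0
2011-02-02 22:41:10 192.168.1.10 POST /suspect.php - 80 - 203.0.113.9 curl/7.21.0 200 0 0
2011-03-01 12:00:00 192.168.1.10 GET /forum/index.php - 80 - 198.51.100.4 Mozilla/5.0+(X11) 200 0 0
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names.

    IIS re-emits the #Fields line whenever the field set changes, so the header is
    tracked as it is encountered rather than read once.
    """
    fields = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line
        rows.append(dict(zip(fields, values)))
    return rows


def load_log_dir(folder):
    """Parse every .log file in an IIS log folder (for example W3SVC1) in name order."""
    rows = []
    for name in sorted(os.listdir(folder)):
        if name.lower().endswith(".log"):
            with open(os.path.join(folder, name), encoding="utf-8", errors="replace") as fh:
                rows.extend(parse_w3c(fh.read()))
    return rows


def summarize_uri(rows, uri):
    """First/last request, count, client IPs, methods and statuses for one cs-uri-stem."""
    matching = [r for r in rows if r.get("cs-uri-stem", "").lower() == uri.lower()]
    stamps = sorted(f"{r.get('date', '')} {r.get('time', '')}" for r in matching)
    return {
        "count": len(matching),
        "first_seen": stamps[0] if stamps else None,
        "last_seen": stamps[-1] if stamps else None,
        "clients": Counter(r.get("c-ip") for r in matching),
        "methods": Counter(r.get("cs-method") for r in matching),
        "statuses": Counter(r.get("sc-status") for r in matching),
    }


def first_seen_per_php(rows):
    """(uri, first request time, client that made it) for every .php URI, ordered by time."""
    first = {}
    for r in rows:
        uri = r.get("cs-uri-stem", "")
        if not uri.lower().endswith(".php"):
            continue
        stamp = f"{r.get('date', '')} {r.get('time', '')}"
        if uri not in first or stamp < first[uri][0]:
            first[uri] = (stamp, r.get("c-ip"))
    return sorted(((uri, stamp, ip) for uri, (stamp, ip) in first.items()), key=lambda t: t[1])


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)  # on the real box: rows = load_log_dir(r"C:\WINDOWS\system32\LogFiles\W3SVC1")
    s = summarize_uri(rows, SUSPECT_URI)
    print(f"{SUSPECT_URI}: {s['count']} requests, first {s['first_seen']}, last {s['last_seen']}")
    print("clients:", dict(s["clients"]), "methods:", dict(s["methods"]))
    for uri, stamp, ip in first_seen_per_php(rows):
        print(f"{stamp}  {ip:15}  {uri}")
```

The log folder path in the comment is the IIS 6 default and is an assumption; the point of `first_seen_per_php` is that the first request to the suspect file, and whatever that same client did in the minutes before it, is where the answer to "how did it get there" will be if the logs from January still exist.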

Max Taxable
11-27-2011, 06:01 PM
Don't you think someone would have said something if an officially released hack here was actually a malicious code?

This is what you might not understand - Even though vB.org is the "Official Modifications Site" for vBulletin, they do not (that I know of) themselves officially release any modifications, and do not inspect the ones which are posted here.

The community sometimes catches malicious code in some of the Mods that get posted here. Some others no doubt, escape any scrutiny.

SloppyGoat
11-27-2011, 06:05 PM
I know that. vBulletin refuses to support hacked boards at all. But as mentioned, I have not installed any hacks since 2010, and before that one, 2008. (Which is probably the last time I updated. It would've been whenever 3.8.0 was released.) What you're insinuating makes no sense, since the creation date of the file is Jan/2011. I appreciate any help or ideas, but please don't sidetrack the topic. All hacks were installed and running smoothly LOOOOOONG before this problem existed.

Boofo
11-27-2011, 06:12 PM
Find out who has FTP access to your server and start from there.

Max Taxable
11-27-2011, 06:14 PM
I know that. vBulletin refuses to support hacked boards at all. But as mentioned, I have not installed any hacks since 2010, and before that one, 2008. (Which is probably the last time I updated. It would've been whenever 3.8.0 was released.) What you're insinuating makes no sense, since the creation date of the file is Jan/2011. I appreciate any help or ideas, but please don't sidetrack the topic. All hacks were installed and running smoothly LOOOOOONG before this problem existed.

I understand all of this.

I brought up styles because I do know of one that did have such a malicious file in it, that stayed dormant for months before going active. Wasn't saying definitely that such a malicious file existed in any of your mods or skins, or even insinuating it - was just, again, applying Occam's Razor. Spitballing.

SloppyGoat
11-27-2011, 06:38 PM
Find out who has FTP access to your server and start from there.
I host my own server from my home. Nobody has any access to anything except the forum itself. There is no need for FTP when your server is right beside you. Direct access here only. All ports closed except 80, and I am behind two routers and a SW FW. That is about as secure as it gets, wouldn't you think?

Is that Jim Morrison in your avatar? Man, I love MR. MOJO RISIN!!!
--------------- Added 27 Nov 2011 at 13:40 ---------------

I understand all of this.

I brought up styles because I do know of one that did have such a malicious file in it, that stayed dormant for months before going active. Wasn't saying definitely that such a malicious file existed in any of your mods or skins, or even insinuating it - was just, again, applying Occam's Razor. Spitballing.

I see. I only have two styles (not counting vB default), and nobody uses the one that I don't have set to default. It's been that way since day 1. I created my own style and did install some, but never got them the way I wanted, so got rid of all of them. But that too was a very long time ago. At the time, there were not even updated styles for the version.