vb.org Archive - Got hacked. What now?

Page 2 of 2

Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)

- Forum and Server Management (https://vborg.vbsupport.ru/forumdisplay.php?f=232)

- - Got hacked. What now? (https://vborg.vbsupport.ru/showthread.php?t=193796)

terracore

11-07-2008 02:58 AM

I was just following this thread and searched my database (I've recently been hacked) and found 2 instances of %base64% IS THIS A PROBLEM?

Hornstar

11-07-2008 04:22 AM

Quote:

Originally Posted by terracore (Post 1660939)

I was just following this thread and searched my database (I've recently been hacked) and found 2 instances of %base64% IS THIS A PROBLEM?

Whoever can answer this can you also provide a solution about what we need to do to clean this up and fix things. thanks.

JayGatz

11-08-2008 07:59 PM

What mods have you added?

Silver_Seagull

11-13-2008 12:48 AM

I got hacked by ab0-salem as well... I am in the process of "sanitizing" my database, but I am new to this: I am not sure where I should "snip" this base64 decode...can anyone help?

Code:

snip...

,\"subscriptions.php\")) {\r\n\r\neval(gzinflate(base64_decode(\'HJ  ...snip...  8A\')));\r\n\r\nexit;\r\n}\r\n\";}',1),   [end of line in file]

PS - I'm also interested in seeing what exactly this is/does, but it decodes to a binary file and that's where I get lost. Any help is appreciated! :)

henlyn

11-13-2008 08:31 AM

Will re post... sorry

snakes1100

11-13-2008 08:36 AM

Please create your own thread.

You need to read the vbulletin manual, it has full descriptions of what you need to do.

If you have a vhost server, you will be stuck with using a script, which arent 100% dependable, you should always dump your db via the command line thru ssh w/mysqldump or in windows via the mysql cmd-line client.

henlyn

11-13-2008 08:41 AM

Right Thanks

Hornstar

11-22-2008 08:55 PM

I found that they have uploaded 2 files called moj.php and sql.php in my downloads folder which was chmod 777 because of the downloadsII mod. I have since changed this to 755 but that mod no longer works with it 755. Both files contained base 64 code (encrypted) so I have a feeling this is where the hacking took place. I am looking elsewhere for any more .php files that should not be uploaded.

Is there something I can search for in SSH to see if there are any files containing base64 code, and is there some sort of setting on my server I should have enabled/disabled to ensure these types of files can not be run etc.

All times are GMT. The time now is 01:37 PM.

Page 2 of 2

Show 40 post(s) from this thread on one page

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01088 seconds Memory Usage 1,728KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)bbcode_code_printable (1)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (1)post_thanks_navbar_search (1)printthread (8)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start pagenav_page pagenav_complete bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: