vb.org Archive
Page 1 of 5 1 23 Last »
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   vbulletin hacked (https://vborg.vbsupport.ru/showthread.php?t=187974)

Bilderback 08-13-2008 01:41 AM
vbulletin hacked
 
I was recently called in to recover a friends vbulletin after it was hacked by ViRuS_HiMa,
a well known and fairly experienced hacker at turk-h.org
Since cpanel logging was not enabled, I do not know how he has entered the site but his technique was rewriting the spacer_open template in all styles with an eval(base64)
I would like very much to decode the eval(base64) so I can see if its simple html or if there is additional executions being made that I need to be aware of.
If anyone can assist with the decoding, please contact me.
Again, I do not know the point of entry (probably a Mod).

If anyone else has their forum hacked by ViRuS_HiMa, and it seems that no matter what you try,
it always shows the defacement, check your spacer_open templates in the database for eval(base64) encrypted text.

Thanks

Marco van Herwaarden 08-13-2008 07:02 AM
What is the URL to your friends board?

Bilderback 08-14-2008 03:27 PM
I sent it via pm since the site exploit has not yet been found.

Marco van Herwaarden 08-15-2008 06:20 AM
I don't see anything obvious at this time on the site.

This could have been done in many different ways: vulnerable modification, access to the database, etc..

fattony69 08-15-2008 08:12 PM
It happened again, the sites uses all non-beta mods, only two people have access to the database, and no mods that are known to be vulnerable. I believe it was the mysmiles mod, but I have no proof.

SEOvB 08-15-2008 08:38 PM
Make a database backup, clean everything off your server.

Reset everything up, run your database thru the impex to ensure no extra tables or permissions or anything have been added. and reupload vBulletin.

That will ensure no files have been left behind from the hacker

fattony69 08-15-2008 08:51 PM
Quote:
Originally Posted by FRDS (Post 1599532)
Make a database backup, clean everything off your server.

Reset everything up, run your database thru the impex to ensure no extra tables or permissions or anything have been added. and reupload vBulletin.

That will ensure no files have been left behind from the hacker
Last time, Bilderback removed it and we didn't have logs. This time we do. So I can see what it was. He changed the database and inserted something.

Bilderback 08-16-2008 01:09 AM
I'm still going through logs but all I can find right now is as follows:

Code:
82.201.250.97 - - [15/Aug/2008:14:28:23 -0600] "GET /clientscript/vbulletin_important.css?v=372 HTTP/1.1" 200 2077 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:21 -0600] "GET / HTTP/1.1" 200 16830 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:23 -0600] "GET /clientscript/yui/yahoo-dom-event/yahoo-dom-event.js?v=372 HTTP/1.1" 200 31508 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:29 -0600] "GET /clientscript/yui/connection/connection-min.js?v=372 HTTP/1.1" 200 14756 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:30 -0600] "GET /clientscript/vbulletin_global.js?v=372 HTTP/1.1" 200 25464 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:32 -0600] "GET /clientscript/vbulletin_menu.js?v=372 HTTP/1.1" 200 9808 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:35 -0600] "GET /clientscript/overlib/overlib.js HTTP/1.1" 200 49636 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:46 -0600] "GET /clientscript/ncode_imageresizer.js?v=1.0.2 HTTP/1.1" 200 9585 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:47 -0600] "GET /morbid_orange/morbid_o/bgimg.gif HTTP/1.1" 200 1107 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:47 -0600] "GET /clientscript/vbulletin_md5.js?v=372 HTTP/1.1" 200 5871 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:47 -0600] "GET /morbid_orange/misc/navbits_start.gif HTTP/1.1" 200 1395 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/misc/menu_open.gif HTTP/1.1" 200 668 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/gradients/gradient_thead.gif HTTP/1.1" 200 492 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/buttons/collapse_tcat.gif HTTP/1.1" 200 607 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/gradients/gradient_tcat.gif HTTP/1.1" 200 789 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/misc/poll_posticon.gif HTTP/1.1" 200 1418 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /images/icons/icon1.gif HTTP/1.1" 200 1423 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/statusicon/forum_old.gif HTTP/1.1" 200 1875 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:49 -0600] "GET /morbid_orange/buttons/lastpost.gif HTTP/1.1" 200 1354 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:49 -0600] "GET /morbid_orange/statusicon/forum_link.gif HTTP/1.1" 200 1379 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:49 -0600] "GET /clientscript/vbulletin_read_marker.js?v=372 HTTP/1.1" 200 3813 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /morbid_orange/rating/rating_5.gif HTTP/1.1" 200 1670 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /images/statusicon/post_old.gif HTTP/1.1" 200 911 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /avatars/aka-beasttt.gif HTTP/1.1" 200 372 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /morbid_orange/buttons/collapse_thead.gif HTTP/1.1" 200 565 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /morbid_orange/misc/whos_online.gif HTTP/1.1" 200 1417 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /morbid_orange/misc/stats.gif HTTP/1.1" 200 1375 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /morbid_orange/statusicon/forum_new.gif HTTP/1.1" 200 2141 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:47 -0600] "GET /morbid_orange/morbid_o/logo.gif HTTP/1.1" 200 45734 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:57 -0600] "GET /favicon.ico HTTP/1.1" 200 10529 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:30:53 -0600] "GET / HTTP/1.1" 200 6661 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:30:57 -0600] "GET /rezora.jpg HTTP/1.1" 404 350 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:31:32 -0600] "GET / HTTP/1.1" 200 6661 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:31:33 -0600] "GET /rezora.jpg HTTP/1.1" 404 350 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:31:45 -0600] "GET /rezora.jpg HTTP/1.1" 404 349 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:31:53 -0600] "GET / HTTP/1.1" 200 6660 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:31:57 -0600] "GET /rezora.jpg HTTP/1.1" 404 350 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:32:29 -0600] "GET / HTTP/1.1" 200 6661 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:32:30 -0600] "GET /rezora.jpg HTTP/1.1" 404 350 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:36:38 -0600] "GET / HTTP/1.1" 200 6661 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:47:18 -0600] "GET / HTTP/1.1" 200 6744 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:56:03 -0600] "GET / HTTP/1.1" 200 6744 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
The spacer_open always end with a </textarea> just after his eval code
I also found a vbulletin_textedit.js file within the Photoplog images directory.
Still looking into that one.

dtv100 08-16-2008 05:17 AM
can you list hack you have install please.

Bilderback 08-16-2008 01:53 PM
Auto Move Closed Threads 1.1.1
Automatically Added Friend 1.0.1
Casino .92
Cyb - Advanced Forum Statistics 5.8.1
Cyb - PayPal Donate 4.7
Friends "Facebook style" 1.0.0
Gifts System 0.6
GTPrivate Message Quickreply 3.7.0.1
GTUserCP - Enhanced USERCP Interface + USERCP Menu 3.7
gXboxLive 2.1.9
HS - Signature of the Week 1.0.0
ibProArcade for vBulletin 2.6.7
Inactive User Reminder Emails 1.1.3
Members who have Visited 3.7.003
Miserable Users 3.7.002 .
Mobile Device Detection 1.0.0
Multiple Login Detector 1.03
MySmilies VB 3.7.004
passiveVid 1.1.2
PhotoPlog Pro 2.1.4.8
Report Bad PM 1.0.5
Separate Sticky and Normal Threads 2.0.0
SocialForums 1.4.2
TCattd - The Image Resizer 1.2.6
Usergroup Color Bar 1.0.0
vBadvanced Links Directory 3.0 RC1
vBCredits 1.4
vBCredits with ibProArcade 1.2
vBSEO 3.2.0
vBSEO :: Sitemap Generator 2.2
Welcome Headers 5.0.2


All times are GMT. The time now is 01:27 PM.
Page 1 of 5 1 23 Last »
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01094 seconds
  • Memory Usage 1,794KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_code_printable
  • (1)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete