How can I find a hacked file in VB
 

So I just installed the Bounced Email handler for VB4 and im getting some strange bounces that have me concerned that someone may be using my hosting to send out spam emails.

I did a Suspect File search and got about 150 files that are not stock VB. Now I do have about 30+ mods installed so thats normal but how do I find a hacked file that may be sending out these spam emails in all those files? And I have no ideal how long they have been doing this and my oldest backup of the files is only about 6 months. But that still will not fix any added files. Also have no ideal how to search the DB for anything embed.

Anyway is theres something Im not looking at or is it just a matter of going over each file manually?

Is there a way to search the DB for what may be causing this?

Thanks for your time...
Daniel

Well if if you think a script is sending spam on your machine, you could search for the mail function in PHP to find the culprit like so on Linux:
That will list all files which contain "mail(".

You can also download the files and then do a text search in all the files using notepadd++...

If you thin you are hacked you can search for debase64 in the files and any of the non vbulletin files you can take a closer look at. Just because some may have it doesn't neccesarily mean they are hacked but it will help you narror things down.

Chances are though if your site is sending out emails it is your server and not your site. Perhaps someone has gotten your smtp passwords. Make sure you have relaying closed or authorization required.

Someone can easily compromised an email form without "hacking" the site as well. It doesn't even have to be from your forum. Do you host other sites or scripts other then your forum? Are you on a dedicated server, if it's shared or a vps they could abuse your site well outside your forum as well.

Good luck

Would I run this in PHPmyAdmin as a query?

I don't know the command but it looks like it would be from a terminal, like a SSH connection with PuTTY.

No, that command has nothing to do with MySQL databases. It's a command you execute through SSH in the terminal.

I figured it was from the forum since the only place that has the Bounce return email address is on my site. All the bounce settings on hosted on VB so wouldn't that make it a corrupt file?

--------------- Added [DATE]1458566796[/DATE] at [TIME]1458566796[/TIME] ---------------

You lost me. Can I do it from my C Panel on the host?

Are you on shared hosting? 99.9% of the time shared hosts do not give you access to SSH, it will not be possible to execute the command in that case.

@Dave

Yes its shared. I'm beginning to think I need a dedicated server but thats crazy expensive. Any suggestions on something reasonable?

SSL is not the same as SSH though.
SSL makes it possible to get HTTPS on your website, SSH allows you to connect to the server and execute commands on the server.

The only advantage of SSL is that the data that's being exchanged between the client and server is encrypted, it will not block any hacks whatsoever.

@Dave

Looks like you read the post before I figured out you said SSH and not SSL and edited it. :D

--------------- Added [DATE]1458570552[/DATE] at [TIME]1458570552[/TIME] ---------------

Well I didn't find anything with debase64. And a search in all those Non VB or edited VB files returned 1200 hits for the keyword "mail"

Any way to narrow down that result?

VPS is not as expensive as a dedicated server though, you can get a decent VPS for around $20/month.

Try looking for "mail(" with the parentheses. Another thing you can look for is "base64_decode" and "popen" for any potential backdoors/PHP shells.

Dave I found 6 results on 6 different PHP scripts for base64_decode. All 6 have what looks like the same line but I also found those same lines of code in the stock VB 4- files. So... I guess thats normal. I didn't find anything looking for "Mail(" or popen. :(

--------------- Added [DATE]1458584124[/DATE] at [TIME]1458584124[/TIME] ---------------

Now Im 100% sure Ive been hacked. I found details on the malware here. http://blog.mxlab.eu/2016/03/21/new-...een-suspended/

I still have no ideal where its coming from. Could this be on my PC?

<a href="https://vborg.vbsupport.ru/showthread.php?t=304190" target="_blank">https://vborg.vbsupport.ru/showthread.php?t=304190</a>

Could be adware on your computer but it can also be a malicious plugin that's installed on your forum. It's hard to say since we don't have access to your server.

Have you taken a look at the original headers for the emails? Like others have said, it isn't necessarily a vB issue if spam emails are being sent out. This could be a NUMBER of things. It can even just be email spoofing.

Ok so I implemented some country wide htaccess IP blocks (see attached files for a text copy) and I'm still getting spam in the Bounced Inbox. I would think the IP blocks would keep anyone in those countries from useing a file on my server but I have no ideal if it would block SQL injections. I still haven't figured out how to check the DB for malicious injected code.

Anyway back to the email headers and the originating IP addresses. From what I can see the bulk is coming from 4 countries with the most coming from Viet Nam, then India, Indonesia and finally Kuwait. The ip's for the most part keep changing.

Here's a few that are sending out the most speam.

Below are the 2 txt files of just the Deny From for the HTaccess. (having all in one file was to big to upload to VB.org)

To me is seems like a massive amount of ip's to check before a page loads and I'm concerned it will cause load issues and delays. Can someone take a look at it and tell me if the size is ok on what once was a busy board before all this happened.