vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=252)
-   -   Need Help about hacking (https://vborg.vbsupport.ru/showthread.php?t=323056)

tanzeelniazi 07-19-2016 05:08 AM

Need Help about hacking
 
Hello all, I have a problem. Today I got so many emails about database errors.
I think someone tried to hack but failed, not completely sure.
I got these emails:

Code:

Database error in vBulletin 4.2.0:

Invalid SQL:

                SELECT post.postid, post.threadid, post.visible, post.title, post.userid,
                        thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid
                FROM post AS post
                LEFT JOIN thread AS thread USING (threadid)
                WHERE postid IN (1) AND 81 44 AND (7397=7397);

MySQL Error  : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '44 AND (7397=7397)' at line 5
Error Number  : 1064
Request Date  : Monday, July 18th 2016 @ 07:03:58 PM
Error Date    : Monday, July 18th 2016 @ 07:03:58 PM
Script        : http://www.XXXXXX.com/forumrunner/request.php
Referrer      :
IP Address    : 18*.6*.1**.**9
Username      : Unregistered
Classname    : **_******_MySQLi
MySQL Version :


Code:

Database error in vBulletin 4.2.0:

Invalid SQL:

                SELECT post.postid, post.threadid, post.visible, post.title, post.userid,
                        thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid
                FROM post AS post
                LEFT JOIN thread AS thread USING (threadid)
                WHERE postid IN (1) AND (SELECT CHAR(122)||CHAR(107)||CHAR(75)||CHAR(66) FROM INFORMATION_SCHEMA.SYSTEM_USERS)=CHAR(122)||CHAR(107)||CHAR(75)||CHAR(66) AND (7852=7852);

MySQL Error  : Unknown table 'SYSTEM_USERS' in information_schema
Error Number  : 1109
Request Date  : Monday, July 18th 2016 @ 07:04:18 PM
Error Date    : Monday, July 18th 2016 @ 07:04:19 PM
Script        : http://www.XXXXX.com/forumrunner/request.php
Referrer      :
IP Address    : 18*.6*.1**.**9
Username      : Unregistered
Classname    : **_******_MySQLi
MySQL Version :

Code:

Database error in vBulletin 4.2.0:

Invalid SQL:

                SELECT post.postid, post.threadid, post.visible, post.title, post.userid,
                        thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid
                FROM post AS post
                LEFT JOIN thread AS thread USING (threadid)
                WHERE postid IN (1) AND (SELECT CHAR(122)||CHAR(107)||CHAR(75)||CHAR(66) FROM INFORMATION_SCHEMA.SYSTEM_USERS)=CHAR(122)||CHAR(107)||CHAR(75)||CHAR(66) AND (7852=7852);

MySQL Error  : Unknown table 'SYSTEM_USERS' in information_schema
Error Number  : 1109
Request Date  : Monday, July 18th 2016 @ 07:04:18 PM
Error Date    : Monday, July 18th 2016 @ 07:04:19 PM
Script        : http://www.XXXXXX.com/forumrunner/request.php
Referrer      :
IP Address    : 18*.6*.1**.**9
Username      : Unregistered
Classname    : **_******_MySQLi
MySQL Version :

and some other types of database errors.
Is someone trying to hack me?
Did someone get my database?
Any help?

Kane@airrifle 07-19-2016 07:13 AM

You had better update and patch ASAP: http://www.vbulletin.com/forum/forum...or-vbulletin-4

z3r0 07-19-2016 08:59 AM

Check for a new plugin added named "vbulletin" in the hook location "init_startup" containing a load of base64 encoded stuff, if it's there you have been hacked and you should disable/remove it and have a check for any files uploaded to your forum (left menu -> maintenance -> diagnostics -> suspect file versions)

tanzeelniazi 07-19-2016 10:58 AM

How do I check in "vbulletin" in the hook location "init_startup" containing a load of base64 encoded stuff?

z3r0 07-19-2016 11:43 AM

From the admincp go to plugin manager in the left column then check for a product titled "vbulletin" that has the hook location "init_startup", click edit and if it contains the word base64 and a load of random text then you need to disable it.

RichieBoy67 07-19-2016 12:04 PM

If you need help let me know.. Definitely follow the above advice asap. Also disable forumrunner until you update.

Dave 07-19-2016 12:14 PM

Delete the forumrunner directory or rename it to something random asap in case you haven't patched it yet.

Paul M 07-19-2016 03:53 PM

Quote:

Originally Posted by RichieBoy67 (Post 2573440)
If you need help let me know.. Definitely follow the above advice asap. Also disable forumrunner until you update.

Disabling Forumrunner will have no effect on the issue, you must either patch it, or remove it.

TheLastSuperman 07-19-2016 09:19 PM

Quote:

Originally Posted by z3r0 (Post 2573431)
Check for a new plugin added named "vbulletin" in the hook location "init_startup" containing a load of base64 encoded stuff, if it's there you have been hacked and you should disable/remove it and have a check for any files uploaded to your forum (left menu -> maintenance -> diagnostics -> suspect file versions)

Actually, it's best to check the datastore table, (Edit: well truth be told check regular plugins via admincp, the plugin table as well PLUS the datastore table, check them all!) then look in the pluginlist (there are two, pluginlist and pluginlistadmin so be sure to check both, typically malicious code is only in pluginlist though) because code added to the bottom of this will not show in one single/particular "plugin" via the admincp because this contains all the plugins in one list not a single view per se ;). You can also scroll the entire contents of pluginlist to see a complete list of plugins installed on your site, be careful if editing out malicious code and once done go to your admincp then into plugin manager and save the active status (to reset datastore/plugins) otherwise changes may not show immediately and/or could cause display issues.

What some have been doing is injecting their base64 code at the very bottom (scroll to find, they add tons of white space so you won't notice right off the bat unless you scroll down, i.e. if a scrollbar exists when viewing via phpmyadmin, scroll scroll scroll :cool:) and more so we see this with myfilestore than any other type of exploit (also if you're dealing with that in particular, myfilestore redirect then also check the file datastore_cache.php which is located in /includes/datastore/ for any mal code).
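
The check described in the post above (base64 code appended to pluginlist behind a long run of white space) can be automated. The following is an added example, not code from the thread or from vBulletin: it assumes the `pluginlist` and `pluginlistadmin` datastore entries have been exported as text, the function names and thresholds are hypothetical, and the sample blob is constructed.

```python
import re

# Heuristics taken from the posts above: base64 decoding calls, a long run of
# whitespace that pushes code out of view, and long base64-looking literals.
DECODE_RE = re.compile(r"base64_decode|edoced_46esab", re.I)
PADDING_RE = re.compile(r"\s{200,}")                # threshold is an assumption
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")  # threshold is an assumption

def scan_blob(name, text):
    """Return (name, reason, offset) findings for one exported blob."""
    findings = []
    for reason, rx in (("decode call", DECODE_RE),
                       ("whitespace padding", PADDING_RE),
                       ("base64-like literal", BLOB_RE)):
        for m in rx.finditer(text):
            findings.append((name, reason, m.start()))
    return sorted(findings, key=lambda f: f[2])

def code_after_padding(text):
    """Return the non-blank text that follows the last long whitespace run."""
    runs = list(PADDING_RE.finditer(text))
    return text[runs[-1].end():].strip() if runs else ""

# Constructed samples: a harmless serialized entry, and the same entry with
# padded code appended (the literal decodes to repeated "ABC").
CLEAN = 's:12:"global_start";s:24:"$show[\'sidebar\'] = true;";'
INJECTED = CLEAN + " " * 500 + "$x = base64_decode('" + "QUJD" * 40 + "');"

if __name__ == "__main__":
    for finding in scan_blob("pluginlist", INJECTED):
        print(finding)
    print("hidden tail:", code_after_padding(INJECTED)[:40], "...")
```

Some legitimate plugins call base64_decode, so every hit is a lead to review by hand, not proof of compromise.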

RichieBoy67 07-19-2016 09:23 PM

There is a good chance that debase64 code was already added to all of the files as well at this point.

--------------- Added [DATE]1468970657[/DATE] at [TIME]1468970657[/TIME] ---------------

Quote:

Originally Posted by Paul M (Post 2573451)
Disabling Forumrunner will have no effect on the issue, you must either patch it, or remove it.

Yes, correct. Thank you Paul for the correction. :up: That is why you get the big bucks! :D

tanzeelniazi 07-20-2016 06:21 AM

Quote:

Originally Posted by z3r0 (Post 2573439)
From the admincp go to plugin manager in the left column then check for a product titled "vbulletin" that has the hook location "init_startup", click edit and if it contains the word base64 and a load of random text then you need to disable it.

In product vBulletin I have no init_startup
https://vborg.vbsupport.ru/external/2016/07/7.png
@RichieBoy67
I already disabled Forumrunner; can I delete all Forumrunner files?
https://vborg.vbsupport.ru/external/2016/07/8.png

--------------- Added [DATE]1469003640[/DATE] at [TIME]1469003640[/TIME] ---------------

Superman, I really don't know what you are saying because you write so many words and my English is not good and I am a little confused. Please give me the perfect idea :(
Can I delete the forumrunner files, or install the patch? I don't want to upgrade my vB version at this time. I have 4.2.0 and many addons working fine; if I update my vB, afterwards some addons will not work, so I need help with my confusion.

socialteenz 07-20-2016 08:14 AM

@tanzeelniazi

Yes, you can go ahead & delete forumrunner directory. You won't break any add on by upgrading to 4.2.0 to the latest. Make sure you're on PHP 5.4.0 or greater.

Always have a backup before upgrading.

tanzeelniazi 07-20-2016 09:35 AM

I see some addons are not updated for 4.2.2 etc., so I cannot upgrade my vB.
If I remove the forumrunner directory, will my problem be solved?

--------------- Added [DATE]1469016443[/DATE] at [TIME]1469016443[/TIME] ---------------

Now deleted the forumrunner dir.
Am I safe now?

Paul M 07-20-2016 11:54 AM

Quote:

Originally Posted by tanzeelniazi (Post 2573481)
Now deleted the forumrunner dir.
Am I safe now?

Safe ? From that specific FR issue, yes.
However, since you are running vB 4.2.0, you are not safe, it has other security holes, patched in later versions.

RichieBoy67 07-20-2016 01:02 PM

You need to upgrade and if they added a plug in or injected any debase64 code into your files you still have an issue..

tanzeelniazi 07-22-2016 04:26 AM

My forum is safe from other methods, but now I get 1 more error.
Yesterday I deleted the forumrunner directory, but today 1 more error is coming:

Code:

Database error in vBulletin 4.2.0:

Invalid SQL:

                SELECT post.postid, post.threadid, post.visible, post.title, post.userid,
                        thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid
                FROM post AS post
                LEFT JOIN thread AS thread USING (threadid)
                WHERE postid IN (*);

MySQL Error  : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '*)' at line 5
Error Number  : 1064
Request Date  : Thursday, July 21st 2016 @ 08:57:35 AM
Error Date    : Thursday, July 21st 2016 @ 08:57:35 AM
Script        : http://xxxxxxx.com/forumrunner/request.php?d=1&cmd=get_spam_data&postids=*
Referrer      : https://xxxxxxxx.com/forumrunner/request.php?d=1&cmd=get_spam_data&postids=*
IP Address    : 1xx.xx.1xx.2xx
Username      : Unregistered
Classname    : XC_xxxxxx_MySQLi
MySQL Version :
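
Every error e-mail in this thread shows the `postids` value landing inside `IN (...)` without being checked as a list of integers. As an added example (not from the thread and not Forum Runner's code), this Python filter pulls out access-log requests to `forumrunner/request.php` whose `postids` is anything else; the combined log format, the function names, and the sample lines with their IPs and status codes are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines; the payloads mirror the values seen in the e-mails.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Jul/2016:19:03:58 +0000] "GET /forumrunner/request.php?d=1&cmd=get_spam_data&postids=1%29%20AND%20%287397%3D7397 HTTP/1.1" 200 512
198.51.100.7 - - [21/Jul/2016:08:57:35 +0000] "GET /forumrunner/request.php?d=1&cmd=get_spam_data&postids=* HTTP/1.1" 404 210
203.0.113.20 - - [21/Jul/2016:09:01:02 +0000] "GET /forumrunner/request.php?d=1&cmd=get_spam_data&postids=12,15,19 HTTP/1.1" 200 733
203.0.113.20 - - [21/Jul/2016:09:01:09 +0000] "GET /showthread.php?t=42 HTTP/1.1" 200 9120
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
INT_LIST_RE = re.compile(r"\d+(,\d+)*")

def is_int_list(value):
    """True only for a comma-separated list of decimal integers."""
    return bool(INT_LIST_RE.fullmatch(value))

def suspicious_requests(log_text):
    """Return (ip, status, decoded postids) for every non-integer postids."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/forumrunner/request.php"):
            continue
        # parse_qs percent-decodes, so encoded probes are compared in clear.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("postids", []):
            if not is_int_list(value):
                hits.append((ip, status, value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The first e-mails show a Script URL with no query string, so those values did not arrive in the URL and would not appear in an access log; for such requests the database error e-mails remain the signal.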


ForceHSS 07-22-2016 08:09 AM

Quote:

Originally Posted by tanzeelniazi (Post 2573619)
My forum is safe from other methods, but now I get 1 more error.
Yesterday I deleted the forumrunner directory, but today 1 more error is coming:

Code:

Database error in vBulletin 4.2.0:

Invalid SQL:

                SELECT post.postid, post.threadid, post.visible, post.title, post.userid,
                        thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid
                FROM post AS post
                LEFT JOIN thread AS thread USING (threadid)
                WHERE postid IN (*);

MySQL Error  : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '*)' at line 5
Error Number  : 1064
Request Date  : Thursday, July 21st 2016 @ 08:57:35 AM
Error Date    : Thursday, July 21st 2016 @ 08:57:35 AM
Script        : http://xxxxxxx.com/forumrunner/request.php?d=1&cmd=get_spam_data&postids=*
Referrer      : https://xxxxxxxx.com/forumrunner/request.php?d=1&cmd=get_spam_data&postids=*
IP Address    : 1xx.xx.1xx.2xx
Username      : Unregistered
Classname    : XC_xxxxxx_MySQLi
MySQL Version :


Make sure you also delete all files that belong to forum runner that are still in your ftp

tanzeelniazi 07-22-2016 08:44 AM

I just deleted the forumrunner folder from cPanel. I think it's the only folder named forumrunner, so it's already deleted.

RichieBoy67 07-22-2016 12:25 PM

Did you uninstall the plug in before removing the files?

tanzeelniazi 07-23-2016 06:04 AM

No, I just disabled it, then removed the forumrunner folder. Does it mean I should first uninstall, then remove?

RichieBoy67 07-23-2016 06:34 AM

Exactly. :)

kerrghann 07-30-2016 04:47 PM

I use this piece of PHP code to find base64 and other uglies that might have been injected or placed on my server.

Note: This will not look through your hooks, this looks through all the PHP files on your server.

It'll most likely bring up a large list, so I recommend skimming through the list and finding anything that mentions base64_decode()

Then open up that file and find the base64 string in it and decode it yourself with an online decoder or using the php base64_decode($string)

Place this in your forum root and then navigate to it ( http://www.yourforumhere.com/base64-check.php )
Best of luck:

base64-check.php
PHP Code:

<html><head><title>Find String</title></head><body>
<?php
// Walk the tree below the current directory and flag suspicious strings.
find_files('.');

function find_files($seed)
{
    if (!is_dir($seed)) return false;
    $dirs = array($seed);
    // Iterative walk: pop a directory, queue its subdirectories, check its files.
    while (NULL !== ($dir = array_pop($dirs)))
    {
        if ($dh = opendir($dir))
        {
            while (false !== ($file = readdir($dh)))
            {
                if ($file == '.' || $file == '..') continue;
                $path = $dir . '/' . $file;
                if (is_dir($path)) { $dirs[] = $path; }
                // Only .php (optionally with a version digit), .js and .txt files are checked.
                else { if (preg_match('/^.*\.(php[\d]?|js|txt)$/i', $path)) { check_files($path); } }
            }
            closedir($dh);
        }
    }
}

function check_files($this_file)
{
    // Strings often seen in injected code; a match is a lead, not proof.
    $str_to_find = array();
    $str_to_find[] = 'base64_decode';
    $str_to_find[] = 'edoced_46esab';
    $str_to_find[] = 'preg_replace';
    $str_to_find[] = 'HTTP_REFERER';
    $str_to_find[] = 'HTTP_USER_AGENT';
    $str_to_find[] = 'assert(';
    $str_to_find[] = 'create_function(';
    $str_to_find[] = '$_REQUEST[';
    $name = htmlspecialchars($this_file); // file names are echoed into HTML
    // Compare against false so that empty files are not reported as unreadable.
    if (($content = file_get_contents($this_file)) === false)
    { echo("<p>Could not check $name You should check the contents manually!</p>\n"); }
    else
    {
        // foreach replaces each(), which was removed in PHP 8.
        foreach ($str_to_find as $value)
        {
            if (stripos($content, $value) !== false)
            {
                echo("<p>$name -> contains $value</p>\n");
            }
        }
    }
    unset($content);
}
?>
</body></html>


