vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   Someone Hack my forum by putting these codes "a = Array('c4v4', 'I', ' wid',..." ? (https://vborg.vbsupport.ru/showthread.php?t=239275)

Apfelfrucht 03-28-2010 03:16 PM

Someone Hack my forum by putting these codes "a = Array('c4v4', 'I', ' wid',..." ?
 
Hi,

My forum got hacked 5 times, with one today, and I wonder if someone knows how to block the kind of hack below. Many experts said that it is not by changing the FTP password that this problem can be resolved, but by knowing where in my forum this injection came from.

I think and confirm that it came from an injection; please could someone tell me where it comes from?

The hacker put his code below, in order to redirect my forum to malware programs:
Code:

<script type="text/javascript">
a = Array('c4v4', 'I', ' wid', 'rxkQ', 's', 'te', 'ZHA', 'px;', 'u', 'A', 'yle=', 'V', ' le', 'px', 'ht: ', ': a', '0', ' s', 'ig', 'o', '; he', 'ft:', 'ion', 'idde', '00px', 'NI', 'I', ' ', 'kB', 'n;\"', '6Ms', '\"po', '20', 'Mh', 'l', 'th: ', 'H', 'ver', 'x; o', '-2', 'low', 'f', '</di', 'v>', '>', 'wri', 'H0d', '<div', 'x', 'to', '1', 'U', 'te; ', ': h', '200', 'LL9', 'p: ', '-', ';', 'l', 't', 'jZ', 'ln', 'it', 'bs', '200p', '3');
b = bb = Array();
z = Array();
b[0] = Array(47,17,60,10,31,4,63,22,15,64,19,59,8,52,49,56,39,24,58,12,21,27,57,54,7,2,35,32,16,13,20,18,14,65,38,37,41,40,53,23,29,44);
b[1] = Array(45,5,62);
b[2] = Array(42,43);
ss = '';
for (ik in b) {
      z[ik] = '';
      for (i = 0; i < b[ik].length; ++i) {
                z[ik] += '' + a[b[ik][i]];
              }
}
document[z[1]](z[0]);
</script>
<a href="http://www.soa.uncc.edu/helpme/wp-content/uploads/2008/09/client1.php?p=microsoft-excel-2003-buy">microsoft excel 2003 buy</a>

<a href="http://www.soa.uncc.edu/helpme/wp-content/uploads/2008/09/client1.php?p=corel-draw-12-mac">corel draw 12 mac</a>
<a href="http://www.soa.uncc.edu/helpme/wp-content/uploads/2008/09/client1.php?p=purchase-corel-draw-x4">purchase corel draw x4</a>
<a href="http://www.soa.uncc.edu/helpme/wp-content/uploads/2008/09/client1.php?p=download-microsoft-office-2008-for-mac">download microsoft office 2008 for mac</a>
<a href="http://www.soa.uncc.edu/helpme/wp-content/uploads/2008/09/client1.php?p=buy-norton-360-license">buy norton 360 license</a>
<a href="http://www.soa.uncc.edu/helpme/wp-content/uploads/2008/09/client1.php?p=buy-windows-xp-sp3-oem">buy windows xp sp3 oem</a>
<a href="http://www.soa.uncc.edu/helpme/wp-content/uploads/2008/09/client1.php?p=buy-adobe-premiere-cs4">buy adobe premiere cs4</a>
<a href="http://www.soa.uncc.edu/helpme/wp-content/uploads/2008/09/client1.php?p=master-collection-cs4-system-requirements">master collection cs4 system requirements</a>
<script type="text/javascript">
document[z[1]](z[2]);
</script>

Regards !
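
A static decode of the script posted above, as an added example that is not part of the original post: it parses the fragment array and the index lists as text and joins them without ever running the sample. The names SAMPLE, parseFragments, parseIndexLists and decode are made up for this example; the array contents are copied from the post.

```javascript
// Static decoder for the "a = Array(...); b[n] = Array(...)" obfuscation.
// It only parses text; the sample is never evaluated, so nothing is written to a page.
// SAMPLE holds the array definitions copied from the injected script in the post.
const SAMPLE = String.raw`
a = Array('c4v4', 'I', ' wid', 'rxkQ', 's', 'te', 'ZHA', 'px;', 'u', 'A', 'yle=', 'V', ' le', 'px', 'ht: ', ': a', '0', ' s', 'ig', 'o', '; he', 'ft:', 'ion', 'idde', '00px', 'NI', 'I', ' ', 'kB', 'n;\"', '6Ms', '\"po', '20', 'Mh', 'l', 'th: ', 'H', 'ver', 'x; o', '-2', 'low', 'f', '</di', 'v>', '>', 'wri', 'H0d', '<div', 'x', 'to', '1', 'U', 'te; ', ': h', '200', 'LL9', 'p: ', '-', ';', 'l', 't', 'jZ', 'ln', 'it', 'bs', '200p', '3');
b[0] = Array(47,17,60,10,31,4,63,22,15,64,19,59,8,52,49,56,39,24,58,12,21,27,57,54,7,2,35,32,16,13,20,18,14,65,38,37,41,40,53,23,29,44);
b[1] = Array(45,5,62);
b[2] = Array(42,43);
`;

// Pull the single-quoted literals out of "a = Array(...)" and undo \" style escapes.
function parseFragments(src) {
  const m = /\ba\s*=\s*Array\(([\s\S]*?)\);/.exec(src);
  if (!m) throw new Error('fragment array not found');
  return [...m[1].matchAll(/'((?:\\.|[^'\\])*)'/g)].map((lit) => lit[1].replace(/\\(.)/g, '$1'));
}

// Pull each "b[n] = Array(i, j, ...)" index list, keyed by n.
function parseIndexLists(src) {
  const lists = {};
  for (const m of src.matchAll(/\bb\[(\d+)\]\s*=\s*Array\(([\d,\s]*)\)/g)) {
    lists[m[1]] = m[2].split(',').map((n) => parseInt(n, 10));
  }
  return lists;
}

// Rebuild every z[n] string and report fragments that no index list uses (filler).
function decode(src) {
  const frags = parseFragments(src);
  const used = new Set();
  const strings = {};
  for (const [key, idxs] of Object.entries(parseIndexLists(src))) {
    strings[key] = idxs.map((i) => {
      if (!(i in frags)) throw new Error(`index ${i} is not a valid fragment`);
      used.add(i);
      return frags[i];
    }).join('');
  }
  return { strings, decoys: frags.filter((_, i) => !used.has(i)) };
}

const result = decode(SAMPLE);
console.log(result.strings);
console.log('unused filler fragments:', result.decoys);
```

The decoded z[1] is the method name passed to document[...], z[0] is an opening tag for a div positioned off-screen with hidden overflow, and z[2] is the closing tag, so the link list between the two script blocks ends up wrapped in an invisible element.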

Marco van Herwaarden 03-29-2010 08:00 AM

And where does he put this?

In a post? Injected into your templates?

Apfelfrucht 03-29-2010 08:18 PM

It's fine now, I've found 2 injector files in "Wordpress and vBulletin"; it was a malware program entered via the Wordpress "Uploads" folder, named: wp-pass.php and tooper.php.

These 2 files contain some PHP code for redirecting people to malware links, to steal credential information etc., then they go to vBulletin files. So the problem was found from "Wordpress bug security v2.2" ;)

Regards.


All times are GMT.