vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Got hacked by "C99madShell v. 2.0 madnet edition" (https://vborg.vbsupport.ru/showthread.php?t=301727)

Milobil 08-30-2013 11:15 PM

Got hacked by "C99madShell v. 2.0 madnet edition"
 
Hello,

Recently, my forum got hacked. The hacker used the "C99madShell v. 2.0 madnet edition" and changed my PayPal addresses to get the membership donations. He also created some new administrator accounts.

I just noticed that today by going to the paid subscriptions options in the admincp:

https://vborg.vbsupport.ru/external/2013/08/4.png

So if you know how I can fix it and what I can do to avoid this again.

EDIT: I just used the Suspect File Versions in Maintenance in the admincp and I found 3 files that the hack seems to have uploaded: 3 PHP files (one of which was a config of the shell), and when I deleted one of the PHP files, it also deleted another file: "mine.tar.gz", which is without doubt the file that the hacker uploaded to my FTP to run the shell script.

Cordially

Przemoo 09-09-2013 09:05 PM

Same here, I can't find those files. Could you send me a PM with the files you've deleted?
I did 5-6 from HERE and subscriptions.php seems to be fine now but I still need to delete some files probably.

Zachery 09-09-2013 09:30 PM

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

Evoklub 09-26-2013 03:03 PM

Same problem here, my site was hacked too.

Did everything as on the links above, but the linkbucks redirection is still there, and in the admin CP -> Paid subscriptions, same shit as above.

How can I remove both? Thanks.

--------------- Added 09-26-2013 at 04:11 PM ---------------

madshell removed - I found a plugin called vBulletin, which did it. Removed it, and now the Paid Subscriptions menu is the original again.

But how to remove the linkbucks redirection?

The Vegan Forum 10-02-2013 06:25 PM

We have the same problem now. Where did you find that plugin, Evoklub?

Zachery 10-02-2013 06:40 PM

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

The Vegan Forum 10-02-2013 06:47 PM

There's a lot of work and quite some patience and knowledge in performing all these steps. Does vBulletin offer some kind of service/help in getting these things done?

Zachery 10-02-2013 06:50 PM

Work, yes; however, everything outlined is very doable if you've been admining a forum and using FTP.

The Vegan Forum 10-02-2013 06:51 PM

I can of course upgrade from 4.2.0 Patch Level 3 to 4.2.1, but usually such updates come with their issues, and sometimes require needing to spend some time on fixing problems which occur with our skins etc. The problems occurred just before I upgraded to the latest patch level, by the way. And in addition to that, the server company restored the forum from a database, but also did that again after I had been upgrading to patch level 3, which may be one of the reasons behind the various problems we've had after that.

--------------- Added 10-02-2013 at 08:02 PM ---------------

Quote: "very doable"

I have never used phpMyAdmin, and never used FTP for other than uploading files.
According to the diagnostics function, the forum also contains a lot of files which probably shouldn't be there now (some of them are most likely harmless leftovers from plugins I have now uninstalled or disabled).

And, btw, I did empty the install folders, but it now contains an Include folder with class_upgrade_420a1.php in it.

These files are listed as potential suspects:

ajaxthreads.php File not recognized as part of vBulletin
blog_search.php File not recognized as part of vBulletin
confdon.php File not recognized as part of vBulletin
index.php File does not contain expected contents
init.php File not recognized as part of vBulletin
mysql-schema.php File not recognized as part of vBulletin
vbdonate.php File not recognized as part of vBulletin
wog_qqoute.js File not recognized as part of vBulletin

./admincp (Scanned 84 files)
100.php File not recognized as part of vBulletin
ajaxthreads.php File not recognized as part of vBulletin
album.php File not recognized as part of vBulletin
backup.php File not recognized as part of vBulletin
buildinfo.php File not recognized as part of vBulletin
evbs_sstabs.php File not recognized as part of vBulletin
glowhostspamomatic.php File not recognized as part of vBulletin
sa.php File not recognized as part of vBulletin
vbdonate_banner.php File not recognized as part of vBulletin
verify_new.php File not recognized as part of vBulletin

./archive (Scanned 3 files)

./clientscript (Scanned 107 files)
cms_textedit.js File not recognized as part of vBulletin
vbulletin-forumhome.js File not recognized as part of vBulletin
vbulletin-read-marker.js File not recognized as part of vBulletin
vbulletin-threadbit.js File not recognized as part of vBulletin
vbulletin_ajax_namesugg.js File not recognized as part of vBulletin
vbulletin_ajax_reputation.js File not recognized as part of vBulletin
vbulletin_ajax_tagsugg.js File not recognized as part of vBulletin
vbulletin_ajax_threadslist.js File not recognized as part of vBulletin
vbulletin_global.js File not recognized as part of vBulletin
wog_qqoute.js File not recognized as part of vBulletin

./clientscript/jquery (Scanned 21 files)
jquery-1.3.min.js File not recognized as part of vBulletin
jquery-1.4.4.min.js File not recognized as part of vBulletin
jquery-1.6.1.js File not recognized as part of vBulletin
jquery-1.6.1.min.js File not recognized as part of vBulletin

./clientscript/yui (Scanned 5 files)
connection.js File not recognized as part of vBulletin
dev-readme.txt File not recognized as part of vBulletin
yahoo-dom-event.js File not recognized as part of vBulletin

./forumrunner (Scanned 12 files)
INSTALL.txt File not recognized as part of vBulletin
license.txt File not recognized as part of vBulletin
product-forumrunner.xml File not recognized as part of vBulletin
sitekey.php File not recognized as part of vBulletin

./includes (Scanned 205 files)
adminfunctions.php File does not contain expected contents
adminfunctions_backup.php File not recognized as part of vBulletin
class_blog_search.php File not recognized as part of vBulletin
class_dm_picture.php File not recognized as part of vBulletin
class_dm_threadpost.php File does not contain expected contents
class_editor_override.php File not recognized as part of vBulletin
class_floodcheck.php File does not contain expected contents
class_modpm_checker.php File not recognized as part of vBulletin
functions_ghsom.php File not recognized as part of vBulletin
functions_modpm.php File not recognized as part of vBulletin
functions_wysiwyg.php File not recognized as part of vBulletin

./includes/api (Scanned 7 files)
commonwhitelist.php File not recognized as part of vBulletin

./includes/block (Scanned 8 files)
dbtech_vbdonate.php File not recognized as part of vBulletin

./includes/cron (Scanned 28 files)
vbcms_dailycleanup.php File not recognized as part of vBulletin

./includes/facebook (Scanned 3 files)

./includes/paymentapi (Scanned 8 files)

./includes/xml (Scanned 41 files)
bitfield_dbtech_ajaxthreads.xml File not recognized as part of vBulletin
bitfield_dbtech_vbdonate.xml File not recognized as part of vBulletin
cpnav_bfspmstoper.xml File not recognized as part of vBulletin
cpnav_dbtech_ajaxthreads.xml File not recognized as part of vBulletin
cpnav_dbtech_vbdonate.xml File not recognized as part of vBulletin
cpnav_evbs_sstab.xml File not recognized as part of vBulletin
cpnav_glowhostspamomatic.xml File not recognized as part of vBulletin
cssrollup_digitalpoint_css.xml File not recognized as part of vBulletin
hooks_dbtech_ajaxthreads.xml File not recognized as part of vBulletin
product-dbtech_ajaxthreads.xml File not recognized as part of vBulletin

class_upgrade_420a1.php File does not contain expected contents

wysiwyghtmlparser.php File not recognized as part of vBulletin

./packages/vbcms/attach (Scanned 2 files)

./packages/vbcms/bbcode (Scanned 3 files)
wysiwyg.php File not recognized as part of vBulletin

./packages/vbcms/collection (Scanned 4 files)

./packages/vbcms/collection/content (Scanned 6 files)
statichtml.php File not recognized as part of vBulletin

./packages/vbcms/content (Scanned 6 files)
statichtml.php File not recognized as part of vBulletin

./packages/vbcms/controller (Scanned 7 files)
editor.php File not recognized as part of vBulletin

./packages/vbcms/dm (Scanned 8 files)
statichtml.php File not recognized as part of vBulletin

./packages/vbcms/exception (Scanned 2 files)

./packages/vbcms/item (Scanned 5 files)

./packages/vbcms/item/content (Scanned 6 files)
statichtml.php File not recognized as part of vBulletin

./packages/vbcms/item/widget (Scanned 25 files)
sectionnav.php File not recognized as part of vBulletin
staticbb.php File not recognized as part of vBulletin

./packages/vbcms/route (Scanned 5 files)
editor.php File not recognized as part of vBulletin

./packages/vbcms/search/indexcontroller (Scanned 5 files)
cmscomment.php File not recognized as part of vBulletin
statichtml.php File not recognized as part of vBulletin

./packages/vbcms/search/result (Scanned 6 files)
cmscomment.php File not recognized as part of vBulletin
statichtml.php File not recognized as part of vBulletin

./packages/vbcms/search/searchcontroller (Scanned 6 files)
newcmscomment.php File not recognized as part of vBulletin
newstatichtml.php File not recognized as part of vBulletin

./packages/vbcms/search/type (Scanned 5 files)
cmscomment.php File not recognized as part of vBulletin
statichtml.php File not recognized as part of vBulletin

./packages/vbcms/taggablecontent (Scanned 2 files)

./packages/vbcms/view (Scanned 6 files)
page.php File not recognized as part of vBulletin

./packages/vbcms/widget (Scanned 25 files)
sectionnav.php File not recognized as part of vBulletin
staticbb.php File not recognized as part of vBulletin
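
An added example, not part of the thread and not vBulletin's own code: a file check in the style of the Suspect File Versions report above, run from outside the forum software against a clean copy of the same release that you unpack yourself. The SHA-256 manifest, the function names and the sample files built in demo() are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Return {'./dir': {filename: sha256}} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        key = "." if rel == "." else "./" + rel
        manifest[key] = {n: sha256_file(os.path.join(dirpath, n)) for n in files}
    return manifest

def compare(clean, live):
    """Return {'./dir': (files_scanned, [(filename, status), ...])} for the live tree."""
    report = {}
    for directory, files in sorted(live.items()):
        known = clean.get(directory, {})
        flagged = []
        for name, digest in sorted(files.items()):
            if name not in known:  # absent from the clean release
                flagged.append((name, "File not recognized as part of vBulletin"))
            elif known[name] != digest:  # shipped file whose bytes changed
                flagged.append((name, "File does not contain expected contents"))
        report[directory] = (len(files), flagged)
    return report

def demo():
    """Constructed sample: a clean tree, and a live copy with one edited and one added file."""
    clean_files = {"index.php": "<?php // stock", "admincp/index.php": "<?php // stock"}
    live_files = {**clean_files, "index.php": "<?php // stock, edited",
                  "admincp/added_example.php": "<?php // constructed"}
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in (("clean", clean_files), ("live", live_files)):
            for rel, body in files.items():
                path = Path(tmp, tree, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        return compare(build_manifest(Path(tmp, "clean")), build_manifest(Path(tmp, "live")))

if __name__ == "__main__":
    for directory, (count, flagged) in demo().items():
        print(f"Scanned {count} files {directory}", *flagged, sep="\n  ")
```

This covers files on disk only; the plugin and footer template changes reported in this thread are stored in the vBulletin database and need a separate review.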

CouponWCents 10-03-2013 08:37 PM

We have the linkbucks redirection too. You can clear it out of your footer template manually, but it keeps coming back every other day.


All times are GMT.