vb.org Archive - How can I find a hacked file in VB

Page 1 of 2

Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)

- vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)

- - How can I find a hacked file in VB (https://vborg.vbsupport.ru/showthread.php?t=322177)

Scalemotorcars

03-21-2016 01:54 AM

How can I find a hacked file in VB

So I just installed the Bounced Email handler for VB4 and im getting some strange bounces that have me concerned that someone may be using my hosting to send out spam emails.

I did a Suspect File search and got about 150 files that are not stock VB. Now I do have about 30+ mods installed so thats normal but how do I find a hacked file that may be sending out these spam emails in all those files? And I have no ideal how long they have been doing this and my oldest backup of the files is only about 6 months. But that still will not fix any added files. Also have no ideal how to search the DB for anything embed.

Anyway is theres something Im not looking at or is it just a matter of going over each file manually?

Is there a way to search the DB for what may be causing this?

Thanks for your time...
Daniel

Dave	03-21-2016 07:55 AM

Well if if you think a script is sending spam on your machine, you could search for the mail function in PHP to find the culprit like so on Linux:

HTML Code:

grep -Ril "mail(" /directory/of/htdocs/

That will list all files which contain "mail(".

RichieBoy67

03-21-2016 09:19 AM

You can also download the files and then do a text search in all the files using notepadd++...

If you thin you are hacked you can search for debase64 in the files and any of the non vbulletin files you can take a closer look at. Just because some may have it doesn't neccesarily mean they are hacked but it will help you narror things down.

Chances are though if your site is sending out emails it is your server and not your site. Perhaps someone has gotten your smtp passwords. Make sure you have relaying closed or authorization required.

Brandon Sheley

03-21-2016 11:56 AM

Someone can easily compromised an email form without "hacking" the site as well. It doesn't even have to be from your forum. Do you host other sites or scripts other then your forum? Are you on a dedicated server, if it's shared or a vps they could abuse your site well outside your forum as well.

Good luck

Scalemotorcars

03-21-2016 11:59 AM

Quote:

Originally Posted by Dave (Post 2567718)

Well if if you think a script is sending spam on your machine, you could search for the mail function in PHP to find the culprit like so on Linux:

HTML Code:

grep -Ril "mail(" /directory/of/htdocs/

That will list all files which contain "mail(".

Would I run this in PHPmyAdmin as a query?

Brandon Sheley

03-21-2016 12:00 PM

Quote:

Originally Posted by Scalemotorcars (Post 2567733)

Would I run this in PHPmyAdmin as a query?

I don't know the command but it looks like it would be from a terminal, like a SSH connection with PuTTY.

Dave	03-21-2016 12:03 PM

Quote:

Originally Posted by Scalemotorcars (Post 2567733)

Would I run this in PHPmyAdmin as a query?

No, that command has nothing to do with MySQL databases. It's a command you execute through SSH in the terminal.

Scalemotorcars

03-21-2016 12:25 PM

Quote:

Originally Posted by Brandon Sheley (Post 2567732)

I figured it was from the forum since the only place that has the Bounce return email address is on my site. All the bounce settings on hosted on VB so wouldn't that make it a corrupt file?

--------------- Added [DATE]1458566796[/DATE] at [TIME]1458566796[/TIME] ---------------

Quote:

Originally Posted by Dave (Post 2567736)

No, that command has nothing to do with MySQL databases. It's a command you execute through SSH in the terminal.

You lost me. Can I do it from my C Panel on the host?

Dave	03-21-2016 12:28 PM

Are you on shared hosting? 99.9% of the time shared hosts do not give you access to SSH, it will not be possible to execute the command in that case.

Scalemotorcars

03-21-2016 12:31 PM

@Dave

Yes its shared. I'm beginning to think I need a dedicated server but thats crazy expensive. Any suggestions on something reasonable?

All times are GMT. The time now is 01:04 PM.

Page 1 of 2

Show 40 post(s) from this thread on one page

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01150 seconds Memory Usage 1,739KB Queries Executed 10 (?)
More Information
Template Usage: (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (2)bbcode_html_printable (5)bbcode_quote_printable (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (1)post_thanks_navbar_search (1)printthread (10)printthreadbit (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit showthread	Included Files: ./printthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/class_bbcode_alt.php ./includes/class_bbcode.php ./includes/functions_bigthree.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete printthread_start pagenav_page pagenav_complete bbcode_fetch_tags bbcode_create bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete printthread_post printthread_complete
Messages: