
Scalemotorcars 03-21-2016 01:54 AM

How can I find a hacked file in VB
 
So I just installed the Bounced Email handler for VB4 and I'm getting some strange bounces that have me concerned that someone may be using my hosting to send out spam emails.

I did a Suspect File search and got about 150 files that are not stock VB. Now I do have about 30+ mods installed so that's normal, but how do I find a hacked file that may be sending out these spam emails in all those files? And I have no idea how long they have been doing this, and my oldest backup of the files is only about 6 months. But that still will not fix any added files. I also have no idea how to search the DB for anything embedded.

Anyway, is there something I'm not looking at, or is it just a matter of going over each file manually?

Is there a way to search the DB for what may be causing this?

Thanks for your time...
Daniel

Dave 03-21-2016 07:55 AM

Well, if you think a script is sending spam on your machine, you could search for the mail function in PHP to find the culprit like so on Linux:
HTML Code:

grep -Ril "mail(" /directory/of/htdocs/
That will list all files which contain "mail(".

RichieBoy67 03-21-2016 09:19 AM

You can also download the files and then do a text search in all the files using Notepad++...

If you think you are hacked you can search for debase64 in the files, and any of the non-vBulletin files you can take a closer look at. Just because some may have it doesn't necessarily mean they are hacked, but it will help you narrow things down.

Chances are though if your site is sending out emails it is your server and not your site. Perhaps someone has gotten your SMTP passwords. Make sure you have relaying closed or authorization required.
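
Added example, not part of any post in this thread: a shell function that combines the two searches suggested above (files calling mail( and files containing base64 decoding) and ranks the matches so the files worth reading first come out on top. The indicator list, the scoring weights and the sample tree are assumptions made for illustration; a match is a reason to read the file, not proof of compromise.

```shell
# Added example (not from the thread): rank PHP files by mail and obfuscation indicators.
# Assumes a GNU/Linux userland (date -r FILE) and file names without newlines.

# triage_php DIR: print "score<TAB>mtime<TAB>path", highest score first.
triage_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) |
    while IFS= read -r f; do
        score=0
        # Direct mail() call; the leading guard skips wrappers such as vbmail().
        if grep -qiE '(^|[^a-z0-9_])mail[[:space:]]*\(' "$f"; then
            score=$((score + 1))
        fi
        # Decoders commonly used to hide injected code.
        if grep -qiE 'base64_decode|gzinflate|str_rot13' "$f"; then
            score=$((score + 2))
        fi
        # Dynamic execution of a string.
        if grep -qiE '(^|[^a-z0-9_])eval[[:space:]]*\(' "$f"; then
            score=$((score + 2))
        fi
        if [ "$score" -gt 0 ]; then
            printf '%s\t%s\t%s\n' "$score" "$(date -r "$f" +%Y-%m-%d)" "$f"
        fi
    done | sort -rn
}

# make_demo_tree: build a constructed sample tree and print its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/includes" "$d/images"
    printf '%s\n' '<?php vbmail($to, $subject, $body); ?>' > "$d/includes/clean.php"
    printf '%s\n' '<?php mail($to, $subject, $body); ?>' > "$d/contact.php"
    printf '%s\n' '<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); mail($a, $b, $c); ?>' \
        > "$d/images/dropper.php"
    printf '%s\n' "$d"
}

# Run against the constructed tree; point triage_php at the real web root instead.
demo=$(make_demo_tree)
triage_php "$demo"
rm -rf "$demo"
```

The modification date in the second column helps separate files that changed together with a mod install from files that appeared on their own.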

Brandon Sheley 03-21-2016 11:56 AM

Someone can easily compromise an email form without "hacking" the site as well. It doesn't even have to be from your forum. Do you host other sites or scripts other than your forum? Are you on a dedicated server? If it's shared or a VPS they could abuse your site well outside your forum as well.

Good luck

Scalemotorcars 03-21-2016 11:59 AM

Quote:

Originally Posted by Dave (Post 2567718)
Well, if you think a script is sending spam on your machine, you could search for the mail function in PHP to find the culprit like so on Linux:
HTML Code:

grep -Ril "mail(" /directory/of/htdocs/
That will list all files which contain "mail(".

Would I run this in phpMyAdmin as a query?

Brandon Sheley 03-21-2016 12:00 PM

Quote:

Originally Posted by Scalemotorcars (Post 2567733)
Would I run this in phpMyAdmin as a query?

I don't know the command but it looks like it would be from a terminal, like an SSH connection with PuTTY.

Dave 03-21-2016 12:03 PM

Quote:

Originally Posted by Scalemotorcars (Post 2567733)
Would I run this in phpMyAdmin as a query?

No, that command has nothing to do with MySQL databases. It's a command you execute through SSH in the terminal.

Scalemotorcars 03-21-2016 12:25 PM

Quote:

Originally Posted by Brandon Sheley (Post 2567732)
Someone can easily compromise an email form without "hacking" the site as well. It doesn't even have to be from your forum. Do you host other sites or scripts other than your forum? Are you on a dedicated server? If it's shared or a VPS they could abuse your site well outside your forum as well.

Good luck

I figured it was from the forum since the only place that has the Bounce return email address is on my site. All the bounce settings are hosted on VB, so wouldn't that make it a corrupt file?

--------------- Added [DATE]1458566796[/DATE] at [TIME]1458566796[/TIME] ---------------

Quote:

Originally Posted by Dave (Post 2567736)
No, that command has nothing to do with MySQL databases. It's a command you execute through SSH in the terminal.

You lost me. Can I do it from my cPanel on the host?

Dave 03-21-2016 12:28 PM

Are you on shared hosting? 99.9% of the time shared hosts do not give you access to SSH; it will not be possible to execute the command in that case.

Scalemotorcars 03-21-2016 12:31 PM

@Dave

Yes, it's shared. I'm beginning to think I need a dedicated server but that's crazy expensive. Any suggestions on something reasonable?

