Thread: Miscellaneous Hacks - Cyb - Advanced Forum Rules
  #337  
Old 05-10-2011, 07:12 PM
The Realist
Join Date: Oct 2001
Location: UK
Posts: 842
Thanked: 0 times
Thanked 0 times in 0 posts

Per my above post. My host has carried out a check of the logs and says the following:

Quote:
I scoured your logs to find no indication of an account breach. However, I did pin-point when this occurred by the error logs and have reason to believe your scripts were exploited to allow your files to be deleted.

Here are the log entries (our helpdesk may strip these - see the raw email):


[Tue May 10 03:32:41 2011] [error] [client 94.143.240.103] malformed header from script. Bad header=Fxxxxxxx%2Fpublic_html%2Femail: vbseo.php, referer: http://www. xxxxxxx. co. uk/includes/vba.php?x=ls&d=%2Fhome2%2Fxxxxxxx%2Fpublic_html&so rt=0a
[Tue May 10 03:33:30 2011] [error] [client 94.143.240.103] malformed header from script. Bad header=Fxxxxxxx%2Fpublic_html%2Femail: vbseo.php, referer: http://www. xxxxxxx. co. uk/includes/vba.php?x=ls&d=%2Fhome2%2Fxxxxxxx%2Fpublic_html&so rt=0a
[Tue May 10 03:36:46 2011] [error] [client 94.143.240.103] File does not exist: /home2/xxxxxxx/public_html, referer: http://www. xxxxxxx. co. uk/includes/vba.php?

As you can see, there is a script that was either uploaded through an exploit or it is a script you are using that was exploited. The "hacker" was attempting to view your files and 3 minutes later the file was gone. These logs show the unsuccessful attempts and also show they were reworking the exploit to be successful. So whatever includes/vba.php was/is, it contains a nasty exploit or was a shell that was uploaded through an exploit of your scripts. You may want to ensure vbseo is updated.

While these do not give solid evidence of the exploit as these were logged in the error log, it's almost for certain due to the calls and time frames. Your raw access logs have already rotated, and would have given us the solid evidence needed as it would have shown the successful attempt, but it's not needed after concluding the above. I'm 99% sure they were trying to list your files to test the exploit. Once they were able to list them, they carried out the intentions by removing all files.

As you already noticed, your database is intact. All you need to do is reupload your files and plug in the DB information. Just be sure to update all scripts and audit your files.
Make sure you have backups because this hack can delete your whole forum.

Regards
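The kind of log review the host describes, written up as an added example (not the poster's or the host's code): it parses Apache 2.2-style error_log lines, flags entries where a script leaked a URL-encoded path in place of a header or the referer passed a filesystem path as a query parameter, and then groups every entry from such a client so the probe-to-deletion timeline can be read off per source address. The sample lines are constructed from the entries quoted above, with the hostname replaced by www.example.invalid.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qsl
# Apache 2.2-style error_log line, optionally ending in ", referer: <url>".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[\w+\] \[client (?P<ip>[^\]]+)\] "
                     r"(?P<msg>.*?)(?:, referer: (?P<ref>.+))?$")
PATH_RE = re.compile(r"^/|\.\./")  # decoded query value that is an absolute path or traverses up

def parse_line(line):
    """Parse one error_log line into a dict (ts, ip, msg, ref), or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec

def path_params(referer):
    """Query parameters of the referer whose decoded value looks like a filesystem path."""
    if not referer:
        return []
    pairs = parse_qsl(urlparse(referer).query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if PATH_RE.search(v)]

def is_suspicious(rec):
    """A script emitting an encoded path instead of a header, or a referer passing a path."""
    leaked = "malformed header from script" in rec["msg"] and "%2F" in rec["msg"].upper()
    return leaked or bool(path_params(rec["ref"]))

def correlate(lines):
    """Group every entry from any client that produced a suspicious one, with its timeline."""
    recs = [r for r in map(parse_line, lines) if r]
    flagged = {r["ip"] for r in recs if is_suspicious(r)}
    by_ip = defaultdict(list)
    for r in recs:
        if r["ip"] in flagged:
            by_ip[r["ip"]].append(r)
    return {ip: {"count": len(rs), "first": rs[0]["ts"], "last": rs[-1]["ts"],
                 "span_seconds": int((rs[-1]["ts"] - rs[0]["ts"]).total_seconds()),
                 "scripts": sorted({urlparse(r["ref"]).path for r in rs if r["ref"]})}
            for ip, rs in by_ip.items()}
# Constructed sample lines modelled on the entries quoted in the post (hostname replaced).
REF = "http://www.example.invalid/includes/vba.php"
SAMPLE = [
    "[Tue May 10 03:32:41 2011] [error] [client 94.143.240.103] malformed header from script. "
    f"Bad header=Fxxxxxxx%2Fpublic_html%2Femail: vbseo.php, referer: {REF}?x=ls&d=%2Fhome2%2Fxxxxxxx%2Fpublic_html&sort=0a",
    "[Tue May 10 03:33:30 2011] [error] [client 94.143.240.103] malformed header from script. "
    f"Bad header=Fxxxxxxx%2Fpublic_html%2Femail: vbseo.php, referer: {REF}?x=ls&d=%2Fhome2%2Fxxxxxxx%2Fpublic_html&sort=0a",
    f"[Tue May 10 03:36:46 2011] [error] [client 94.143.240.103] File does not exist: /home2/xxxxxxx/public_html, referer: {REF}?",
    "[Tue May 10 03:40:00 2011] [error] [client 10.0.0.5] File does not exist: /home2/xxxxxxx/public_html/favicon.ico",
]
```

Running `correlate(SAMPLE)` reports only 94.143.240.103, with three entries spanning 245 seconds from the first listing attempt to the "File does not exist" error, which is the window the host reasons about; the unrelated 10.0.0.5 entry is left out.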