My Site Is Under Attack!! Please Help

[richy96]

Hi folks

I woke up this morning to find my site was down and errors on every page sayimg $GLOBAL '_ty_' was already defined - or something like that

It turned out there was a line of code on just about every php fle on my site, at the start of the file just after <?php

The line was

Code:

eva l(base 64_ decode("CmV2YW blah blah blah Owo="));
phpinfo();

The funny thing is that non of the 'file modified' dates had changed to the current date/time - though some of them strangely enough had changed to 26-11-11

I spoke to my web host 1and1 internet. My site runs on two dedicated servers, one for the webserver and the other for the media server (webcams etc). Of these two my webserver is a 'managed' server and the media server is a root server.

Anyway the guy on tech support could offer no explanation to how most of my php files had been altered but suggested I restored if I had a backup

He said possibly sql injection but could not explain how that could edit php files. Other than that he said 'brute force attack'

Now ee did have a peculiar episode going on a few weeks ago where we had like 2300 guest crawling around the site - this went on for about 24 hrs and gradually petered out. Could this be related?


So basically to get the site back up and running, I overwrote all the php files from a full backup I just happen to make on 26th December. This was the php files I replaced, not the restore the database.

I do have a datbase backup but it is 8 days old and my site gets 100-150 new member signups most days, plus lot's of member activity so this would not really be a good backup to use


OK so my site is back up and running. I then copied everything back off the server and used a program I have to search through all the files and I found three more instances of this eval(base 64_ decode junk

The problem I then had is two instances of this hack were in new php files in my 'logs' folder called info.php and info.php5 which I don't have permissions to delete (I could read them) as that folder is owned by root! And this is a managed server!!

OK so a call to 1and1 supprt got those rogue files deleted but how could they have been put in a folder owned by root??? Again no real help from 1and1 support

OK so now I have my site up and running but I am very worried

First any idea's how my site could have got hacked?

Secondly my logs folder went from 10Mb to 500Mb since 26th December! A lot of the logs seem to be to do with email with lines like these

Code:

2013-12-15 23:44:31 uxxxxxxxxx 0Y2Xpc-1WD0jw37t1-00O1SO |< REMOTE=208.115.111.72 SCRIPT=/forums/forumdisplay.php -- /usr/sbin/sendmail -t -i
2013-12-15 23:44:31 uxxxxxxxxx 0Y2Xpc-1WD0jw37t1-00O1SO <= S=admin@swapscene.com SZ=1752 D=0 SID=3xxxxxxx5
2013-12-15 23:44:31 uxxxxxxxxxx 0Y2Xpc-1WD0jw37t1-00O1SO => some-site-memberr@yahoo.co.uk localhost[127.0.0.1] 250 OK id=1VsKQJ-0000hP-OU

There are thousands of these and some come from scripts on different files eg SCRIPT=/forums/showthread.php

Also the REMOTE= IP address comes in blocks of the same one but then changes to a different one. There are hundreds or even thousands remote IPs in these logs I think

Can anyone tell me if that is supposed to be an emailsupposedly being sent by admin to one of our members - or an email containing one of our members address being sent to a third party?

There also seems to have been an ftp attack going on trying different usernames


I don't believe that succeeded though

I have however asked all mods/admins to change their site password


I had a look at that ev al(base 64_ decode("CmV2YW blah blah blah Owo=")); code

Basically I base 64 decoded it and echoed the output - which contained a gzipped and base 64 encoded string

So I decoded that and found three encoded eval statements

So I decoded those and found an array of encoded data field and an encoded function

So I decoded al the array and the function and eventually ended up with some sort of crazy function that looks like it was comparing globals to see if a user was logged in and running round and round in a while loop with mad 'if' statements and I thnk it eventually would exit if a certain condition was met, and return some encoded value

Now I don't really know what this code does - is it OK to post it all here what I found so some experts can look at it and tell me what this code was doing?


Also is it possible to run that line of code on my test site (server on my lan) and if I did something like

Code:

$string=eval(base 64_ decode("CmV2YW blah blah blah Owo="));

echo 'string' would it give some info as to what it is doing, or would that be dangerous to try?

Sorry this has been a long post

To recap:
Any ideas how my site got hacked

Did I do enough to secure the site? What else should I do to try and make it more secure?

Is it OK to post up the source of that crazy function code I decoded so someone can tell me what it actually does or is attempting to do?

Can I run that function on my test site to find out what data it outputs?

What was my email server doing with members email addresses?

Thanks for your time and assistance
Rich

--------------- Added [DATE]1389382764[/DATE] at [TIME]1389382764[/TIME] ---------------

Sorry had to include a few spurious spaces in that base 64 decode thng as this site would not let me post this thread here for some reason!

[Zachery]

First you need to follow our advisory about deleting the install folder off your forums.
Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

There are four steps to securing your site. If you don't do them all or you do them in the wrong order than you're still susceptible to being attacked again.

Close the hole...
This has three subparts in this instance.
1. Delete your install folder
2. Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
3. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.

Fill the Hole...
There are seven subparts in this instance.
1. Review your files for changes. You can do this under Maintenance -> Diagnostics.
2. Delete any Suspect Files.
3. Replace any files marked as "Does not contain expected contents"
4. Scan your plugins for malicious code (exec, base64, system, pass_thru, iframe are all suspect keywords). Delete any you find.
5. Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
6. Update your Addon Products.
7. Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.

Secure the Hole
Parts of this were done by closing the hole but there are still things to do here.
1. Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
2. Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
3. Create a lower permission Administrator for every day use.
4. Review your permissions in the system.
5. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
6. Move your attachments outside the forum root directory.
7. Create a complete backup of your site. Make database backups weekly.

Vigilance
You need to keep active on the security of the site.
1. Give out the fewest permissions necessary for anyone to do their job
2. Make sure your hosting provider updates the software.
3. Update to the latest vBulletin when it is released.
4. Make sure your addons are always up to date.

[richy96]

Oh I forgot to mention my site is 3.7.0

Does your advice still apply the same?

I do have the install folder on the server but not tools.php

Rich

--------------- Added [DATE]1389383974[/DATE] at [TIME]1389383974[/TIME] ---------------

Oh I forgot to mention my site is 3.7.0

Does your advice still apply the same?

I do have the install folder on the server but not tools.php

Rich

[Zachery]

Not the security announcements, but the other stuff. I'd update to 3.8.7 if you can.