Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
  #1  
Old 08-13-2008, 01:41 AM
Bilderback's Avatar
Bilderback Bilderback is offline
 
Join Date: Sep 2007
Location: Illinois
Posts: 214
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default vbulletin hacked

I was recently called in to recover a friends vbulletin after it was hacked by ViRuS_HiMa,
a well known and fairly experienced hacker at turk-h.org
Since cpanel logging was not enabled, I do not know how he has entered the site but his technique was rewriting the spacer_open template in all styles with an eval(base64)
I would like very much to decode the eval(base64) so I can see if its simple html or if there is additional executions being made that I need to be aware of.
If anyone can assist with the decoding, please contact me.
Again, I do not know the point of entry (probably a Mod).

If anyone else has their forum hacked by ViRuS_HiMa, and it seems that no matter what you try,
it always shows the defacement, check your spacer_open templates in the database for eval(base64) encrypted text.

Thanks
Reply With Quote
  #2  
Old 08-13-2008, 07:02 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

What is the URL to your friends board?
Reply With Quote
  #3  
Old 08-14-2008, 03:27 PM
Bilderback's Avatar
Bilderback Bilderback is offline
 
Join Date: Sep 2007
Location: Illinois
Posts: 214
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I sent it via pm since the site exploit has not yet been found.
Reply With Quote
  #4  
Old 08-15-2008, 06:20 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I don't see anything obvious at this time on the site.

This could have been done in many different ways: vulnerable modification, access to the database, etc..
Reply With Quote
  #5  
Old 08-15-2008, 08:12 PM
fattony69 fattony69 is offline
 
Join Date: Jun 2007
Location: Philly
Posts: 353
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

It happened again, the sites uses all non-beta mods, only two people have access to the database, and no mods that are known to be vulnerable. I believe it was the mysmiles mod, but I have no proof.
Reply With Quote
  #6  
Old 08-15-2008, 08:38 PM
SEOvB's Avatar
SEOvB SEOvB is offline
 
Join Date: May 2007
Location: Indianapolis
Posts: 2,451
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Make a database backup, clean everything off your server.

Reset everything up, run your database thru the impex to ensure no extra tables or permissions or anything have been added. and reupload vBulletin.

That will ensure no files have been left behind from the hacker
Reply With Quote
  #7  
Old 08-15-2008, 08:51 PM
fattony69 fattony69 is offline
 
Join Date: Jun 2007
Location: Philly
Posts: 353
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by FRDS View Post
Make a database backup, clean everything off your server.

Reset everything up, run your database thru the impex to ensure no extra tables or permissions or anything have been added. and reupload vBulletin.

That will ensure no files have been left behind from the hacker
Last time, Bilderback removed it and we didn't have logs. This time we do. So I can see what it was. He changed the database and inserted something.
Reply With Quote
  #8  
Old 08-16-2008, 01:09 AM
Bilderback's Avatar
Bilderback Bilderback is offline
 
Join Date: Sep 2007
Location: Illinois
Posts: 214
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I'm still going through logs but all I can find right now is as follows:

Code:
82.201.250.97 - - [15/Aug/2008:14:28:23 -0600] "GET /clientscript/vbulletin_important.css?v=372 HTTP/1.1" 200 2077 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:21 -0600] "GET / HTTP/1.1" 200 16830 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:23 -0600] "GET /clientscript/yui/yahoo-dom-event/yahoo-dom-event.js?v=372 HTTP/1.1" 200 31508 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:29 -0600] "GET /clientscript/yui/connection/connection-min.js?v=372 HTTP/1.1" 200 14756 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:30 -0600] "GET /clientscript/vbulletin_global.js?v=372 HTTP/1.1" 200 25464 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:32 -0600] "GET /clientscript/vbulletin_menu.js?v=372 HTTP/1.1" 200 9808 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:35 -0600] "GET /clientscript/overlib/overlib.js HTTP/1.1" 200 49636 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:46 -0600] "GET /clientscript/ncode_imageresizer.js?v=1.0.2 HTTP/1.1" 200 9585 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:47 -0600] "GET /morbid_orange/morbid_o/bgimg.gif HTTP/1.1" 200 1107 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:47 -0600] "GET /clientscript/vbulletin_md5.js?v=372 HTTP/1.1" 200 5871 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:47 -0600] "GET /morbid_orange/misc/navbits_start.gif HTTP/1.1" 200 1395 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/misc/menu_open.gif HTTP/1.1" 200 668 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/gradients/gradient_thead.gif HTTP/1.1" 200 492 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/buttons/collapse_tcat.gif HTTP/1.1" 200 607 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/gradients/gradient_tcat.gif HTTP/1.1" 200 789 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/misc/poll_posticon.gif HTTP/1.1" 200 1418 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /images/icons/icon1.gif HTTP/1.1" 200 1423 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/statusicon/forum_old.gif HTTP/1.1" 200 1875 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:49 -0600] "GET /morbid_orange/buttons/lastpost.gif HTTP/1.1" 200 1354 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:49 -0600] "GET /morbid_orange/statusicon/forum_link.gif HTTP/1.1" 200 1379 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:49 -0600] "GET /clientscript/vbulletin_read_marker.js?v=372 HTTP/1.1" 200 3813 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /morbid_orange/rating/rating_5.gif HTTP/1.1" 200 1670 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /images/statusicon/post_old.gif HTTP/1.1" 200 911 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /avatars/aka-beasttt.gif HTTP/1.1" 200 372 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /morbid_orange/buttons/collapse_thead.gif HTTP/1.1" 200 565 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /morbid_orange/misc/whos_online.gif HTTP/1.1" 200 1417 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /morbid_orange/misc/stats.gif HTTP/1.1" 200 1375 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /morbid_orange/statusicon/forum_new.gif HTTP/1.1" 200 2141 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:47 -0600] "GET /morbid_orange/morbid_o/logo.gif HTTP/1.1" 200 45734 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:57 -0600] "GET /favicon.ico HTTP/1.1" 200 10529 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:30:53 -0600] "GET / HTTP/1.1" 200 6661 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:30:57 -0600] "GET /rezora.jpg HTTP/1.1" 404 350 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:31:32 -0600] "GET / HTTP/1.1" 200 6661 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:31:33 -0600] "GET /rezora.jpg HTTP/1.1" 404 350 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:31:45 -0600] "GET /rezora.jpg HTTP/1.1" 404 349 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:31:53 -0600] "GET / HTTP/1.1" 200 6660 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:31:57 -0600] "GET /rezora.jpg HTTP/1.1" 404 350 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:32:29 -0600] "GET / HTTP/1.1" 200 6661 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:32:30 -0600] "GET /rezora.jpg HTTP/1.1" 404 350 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:36:38 -0600] "GET / HTTP/1.1" 200 6661 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:47:18 -0600] "GET / HTTP/1.1" 200 6744 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:56:03 -0600] "GET / HTTP/1.1" 200 6744 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
The spacer_open always end with a </textarea> just after his eval code
I also found a vbulletin_textedit.js file within the Photoplog images directory.
Still looking into that one.
Reply With Quote
  #9  
Old 08-16-2008, 05:17 AM
dtv100 dtv100 is offline
 
Join Date: Apr 2007
Location: in the south of the north
Posts: 307
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

can you list hack you have install please.
Reply With Quote
  #10  
Old 08-16-2008, 01:53 PM
Bilderback's Avatar
Bilderback Bilderback is offline
 
Join Date: Sep 2007
Location: Illinois
Posts: 214
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Auto Move Closed Threads 1.1.1
Automatically Added Friend 1.0.1
Casino .92
Cyb - Advanced Forum Statistics 5.8.1
Cyb - PayPal Donate 4.7
Friends "Facebook style" 1.0.0
Gifts System 0.6
GTPrivate Message Quickreply 3.7.0.1
GTUserCP - Enhanced USERCP Interface + USERCP Menu 3.7
gXboxLive 2.1.9
HS - Signature of the Week 1.0.0
ibProArcade for vBulletin 2.6.7
Inactive User Reminder Emails 1.1.3
Members who have Visited 3.7.003
Miserable Users 3.7.002 .
Mobile Device Detection 1.0.0
Multiple Login Detector 1.03
MySmilies VB 3.7.004
passiveVid 1.1.2
PhotoPlog Pro 2.1.4.8
Report Bad PM 1.0.5
Separate Sticky and Normal Threads 2.0.0
SocialForums 1.4.2
TCattd - The Image Resizer 1.2.6
Usergroup Color Bar 1.0.0
vBadvanced Links Directory 3.0 RC1
vBCredits 1.4
vBCredits with ibProArcade 1.2
vBSEO 3.2.0
vBSEO :: Sitemap Generator 2.2
Welcome Headers 5.0.2
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 01:23 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04578 seconds
  • Memory Usage 2,284KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_code
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete