I got hacked by ab0-salem as well... I am in the process of "sanitizing" my database, but I am new to this: I am not sure where I should "snip" this base64 decode...can anyone help?
Code:
snip...
,\"subscriptions.php\")) {\r\n\r\neval(gzinflate(base64_decode(\'HJ ...snip... 8A\')));\r\n\r\nexit;\r\n}\r\n\";}',1), [end of line in file]
PS - I'm also interested in seeing what exactly this is/does, but it decodes to a binary file and that's where I get lost. Any help is appreciated!
You need to read the vbulletin manual, it has full descriptions of what you need to do.
If you have a vhost server, you will be stuck with using a script, which arent 100% dependable, you should always dump your db via the command line thru ssh w/mysqldump or in windows via the mysql cmd-line client.
I found that they have uploaded 2 files called moj.php and sql.php in my downloads folder which was chmod 777 because of the downloadsII mod. I have since changed this to 755 but that mod no longer works with it 755. Both files contained base 64 code (encrypted) so I have a feeling this is where the hacking took place. I am looking elsewhere for any more .php files that should not be uploaded.
Is there something I can search for in SSH to see if there are any files containing base64 code, and is there some sort of setting on my server I should have enabled/disabled to ensure these types of files can not be run etc.
11-07-2008, 04:22 AM
Linear Mode
