#11
03-21-2016, 12:33 PM
Dave
Join Date: May 2010
Posts: 2,583

SSL is not the same as SSH though.
SSL makes it possible to get HTTPS on your website; SSH allows you to connect to the server and execute commands on the server.

The only advantage of SSL is that the data that's being exchanged between the client and server is encrypted; it will not block any hacks whatsoever.

#12
03-21-2016, 01:00 PM
Scalemotorcars
Join Date: Mar 2006
Location: NC
Posts: 619

@Dave

Looks like you read the post before I figured out you said SSH and not SSL and edited it.

--------------- Added [DATE]1458570552[/DATE] at [TIME]1458570552[/TIME] ---------------

Quote:
Originally Posted by RichieBoy67
You can also download the files and then do a text search in all the files using Notepad++...

If you think you are hacked you can search for debase64 in the files and any of the non-vBulletin files you can take a closer look at. Just because some may have it doesn't necessarily mean they are hacked but it will help you narrow things down.

Chances are though if your site is sending out emails it is your server and not your site. Perhaps someone has gotten your SMTP passwords. Make sure you have relaying closed or authorization required.

Well I didn't find anything with debase64. And a search in all those non-VB or edited VB files returned 1200 hits for the keyword "mail".

Any way to narrow down that result?

#13
03-21-2016, 01:45 PM
Dave
Join Date: May 2010
Posts: 2,583

VPS is not as expensive as a dedicated server though, you can get a decent VPS for around $20/month.

Try looking for "mail(" with the parentheses. Another thing you can look for is "base64_decode" and "popen" for any potential backdoors/PHP shells.
Thanks from:
In Omnibus
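
One way to run the search Dave suggests, as an added example that is not part of any post in this thread: it looks for calls to `mail(`, `base64_decode(` and `popen(` in PHP files and, going one step further than the post, skips files that are byte-identical to a clean stock copy so that only added or edited files are reported. The directory layout, the function names and the sample files are constructed assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Function names from the thread. The "(" is part of the pattern so that the
# bare word "mail" in comments, phrases and variable names is not a hit.
PATTERN = re.compile(rb"\b(mail|base64_decode|popen)\s*\(", re.IGNORECASE)

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan(site_root, stock_root):
    """Return {relative_path: [(line_no, function), ...]} for PHP files that
    call a watched function and are not identical to the stock copy."""
    site_root, stock_root = Path(site_root), Path(stock_root)
    findings = {}
    for path in sorted(site_root.rglob("*.php")):
        rel = path.relative_to(site_root)
        stock = stock_root / rel
        if stock.is_file() and sha256(stock) == sha256(path):
            continue  # unchanged stock file: its hits are expected
        hits = [(no, m.group(1).decode().lower())
                for no, line in enumerate(path.read_bytes().splitlines(), 1)
                for m in PATTERN.finditer(line)]
        if hits:
            findings[rel.as_posix()] = hits
    return findings

def demo():
    """Constructed sample: one untouched stock file, one edited, one extra."""
    with tempfile.TemporaryDirectory() as tmp:
        site, stock = Path(tmp, "site"), Path(tmp, "stock")
        for root in (site, stock):
            (root / "includes").mkdir(parents=True)
            (root / "includes/functions.php").write_bytes(b"<?php\n$x = base64_decode($y);\n")
            (root / "index.php").write_bytes(b"<?php\necho 'hi';\n")
        (site / "index.php").write_bytes(b"<?php\necho 'hi';\n@mail($to, $s, $b);\n")
        (site / "includes/cache.php").write_bytes(b"<?php\n$h = popen($c, 'r');\n")
        return scan(site, stock)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

The stock copy has to come from a fresh download of the same vBulletin version, not from a backup of the live site.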
#14
03-21-2016, 02:02 PM
Scalemotorcars
Join Date: Mar 2006
Location: NC
Posts: 619

Dave, I found 6 results on 6 different PHP scripts for base64_decode. All 6 have what looks like the same line but I also found those same lines of code in the stock VB 4- files. So... I guess that's normal. I didn't find anything looking for "Mail(" or popen.

--------------- Added [DATE]1458584124[/DATE] at [TIME]1458584124[/TIME] ---------------

Now I'm 100% sure I've been hacked. I found details on the malware here: http://blog.mxlab.eu/2016/03/21/new-...een-suspended/

I still have no idea where it's coming from. Could this be on my PC?

#15
03-22-2016, 08:04 AM
ForceHSS
Join Date: Apr 2008
Posts: 6,357

https://vborg.vbsupport.ru/showthread.php?t=304190

#16
03-22-2016, 08:11 AM
Dave
Join Date: May 2010
Posts: 2,583

Could be adware on your computer but it can also be a malicious plugin that's installed on your forum. It's hard to say since we don't have access to your server.

#17
03-22-2016, 08:11 AM
Gio~Logist
Join Date: Jun 2004
Location: San Francisco
Posts: 2,575

Have you taken a look at the original headers for the emails? Like others have said, it isn't necessarily a vB issue if spam emails are being sent out. This could be a NUMBER of things. It can even just be email spoofing.
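
The header check suggested above, as an added example that is not part of any post in this thread: it reads the `Received` chain of a message and reports whether the hop recorded by the receiving mail server was your own server or some other machine using your address. The host names, IP addresses (documentation ranges) and both sample headers are constructed, and it assumes you have the original message headers as the receiving server stored them.

```python
import re
from email import message_from_string

# IPv4 literal as mail servers record it in a Received header: "[203.0.113.9]"
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw_headers):
    """IPs from the Received headers, newest hop first (top of the message)."""
    hops = message_from_string(raw_headers).get_all("Received", [])
    found = (IP_IN_BRACKETS.search(hop) for hop in hops)
    return [m.group(1) if m else None for m in found]

def classify(raw_headers, own_ips):
    """Only the newest Received header, written by the receiving server, is
    trusted; older ones were supplied by the sender and can be forged."""
    ips = received_ips(raw_headers)
    if not ips or ips[0] is None:
        return "unknown"
    return "sent-via-own-server" if ips[0] in own_ips else "sent-from-elsewhere"

# Constructed samples; 198.51.100.20 stands in for the forum server.
OWN_IPS = {"198.51.100.20"}
RELAYED = (
    "Received: from mail.forum.example (mail.forum.example [198.51.100.20])\n"
    "\tby mx.recipient.example with ESMTP; Tue, 29 Mar 2016 14:00:00 +0000\n"
    "Received: from [192.0.2.55] by mail.forum.example; Tue, 29 Mar 2016 13:59:58 +0000\n"
    "From: admin@forum.example\n\n"
)
SPOOFED = (
    "Received: from unknown (HELO mail.forum.example) [203.0.113.9]\n"
    "\tby mx.recipient.example with SMTP; Tue, 29 Mar 2016 14:05:00 +0000\n"
    # Forged by the sender to make the forum server look like the origin:
    "Received: from localhost by mail.forum.example [198.51.100.20]; Tue, 29 Mar 2016 14:04:00 +0000\n"
    "From: admin@forum.example\n\n"
)

if __name__ == "__main__":
    for name, sample in (("RELAYED", RELAYED), ("SPOOFED", SPOOFED)):
        print(name, received_ips(sample), classify(sample, OWN_IPS))
```

A "sent-from-elsewhere" result means the message never touched the forum server, so searching its files or blocking IPs in .htaccess will not stop it.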
#18
03-29-2016, 02:45 PM
Scalemotorcars
Join Date: Mar 2006
Location: NC
Posts: 619

Ok so I implemented some country-wide htaccess IP blocks (see attached files for a text copy) and I'm still getting spam in the Bounced Inbox. I would think the IP blocks would keep anyone in those countries from using a file on my server but I have no idea if it would block SQL injections. I still haven't figured out how to check the DB for malicious injected code.

Anyway back to the email headers and the originating IP addresses. From what I can see the bulk is coming from 4 countries with the most coming from Viet Nam, then India, Indonesia and finally Kuwait. The IPs for the most part keep changing.

Here's a few that are sending out the most spam.

Quote:
118.69.31.201 Viet Nam
103.210.48.155 India
117.253.185.12 India
37.38.205.61 Kuwait
42.116.211.84 Viet Nam
36.84.226.31 Indonesia

Below are the 2 txt files of just the Deny From for the HTaccess. (Having all in one file was too big to upload to VB.org.)

To me it seems like a massive amount of IPs to check before a page loads and I'm concerned it will cause load issues and delays. Can someone take a look at it and tell me if the size is ok on what once was a busy board before all this happened?
Attached Files
File Type: txt country-ip-block.txt (596.1 KB, 1 views)
File Type: txt country-ip-block-2.txt (746.8 KB, 1 views)