#1
08-25-2015, 11:06 AM
XYZ500
C99madShell v. 2.0 madnet edition - How to get rid of this?

In my admincp > paid subscriptions > subscription manager, I see this shell "C99madShell v. 2.0 madnet edition".

It is showing all the files on the server. Looks like any file on the server can be accessed from here. I believe this is causing a vulnerability which is enabling someone to hack my forum.

I upgraded from 4.2.2 to 4.2.3 in hopes of getting rid of this once all the new files were uploaded. But it's still there.

How do I get rid of this?
Please help.

#2
08-25-2015, 12:18 PM
RichieBoy67

Yes, you have been hacked. I just fixed a site like this not long ago. Too much to go into here.

For starters, search your plug ins and delete the ones that do not belong! You will see debase 64 code and they will be running upon start up usually... and then your files... overwrite them with fresh vBulletin files! Upgrade your vBulletin now to the latest 4! I am willing to bet you are using an older version.

#3
08-25-2015, 01:07 PM
XYZ500

Quote:
Originally Posted by RichieBoy67
Yes, you have been hacked. I just fixed a site like this not long ago. Too much to go into here.

For starters, search your plug ins and delete the ones that do not belong! You will see debase 64 code and they will be running upon start up usually... and then your files... overwrite them with fresh vBulletin files! Upgrade your vBulletin now to the latest 4! I am willing to bet you are using an older version.

As mentioned in my first post, I already did all this.

Checked the plugins.
Upgraded to version 4.2.3.
Overwritten all previous files with fresh 4.2.3 files.

It's still there.

#4
08-25-2015, 01:11 PM
RichieBoy67

Disable your plug ins globally using config. I am sure you are missing a plug in. If possible find the plug in search mod and use it to search for the debase code.

And you did not mention anything about plug ins in your post. I am telling you there is one there or more. Not in your product manager, in the plug ins.

Also use your diagnostics in the admincp to look for files that do not belong. I usually download the files and do a filewide search.

#5
08-25-2015, 01:14 PM
XYZ500

Quote:
Originally Posted by RichieBoy67
Disable your plug ins globally using config. I am sure you are missing a plug in. If possible find the plug in search mod and use it to search for the debase code.

And you did not mention anything about plug ins in your post. I am telling you there is one there or more. Not in your product manager, in the plug ins.

Also use your diagnostics in the admincp to look for files that do not belong.

Found it.
It was named 'vBulletin' so I didn't suspect it before.
Deleted it now and subscription page is normal.

Is there anything else I need to do to secure site and server?

#6
08-25-2015, 01:21 PM
RichieBoy67

Yes, check your files and database again... Change admin logins, database, etc... server FTP... change all those logins and tighten things up if you know how.

#7
08-25-2015, 01:33 PM
XYZ500

"check your files and database again"

What do you mean by this?

#8
08-25-2015, 01:37 PM
RichieBoy67

Well look at your diagnostics to see if you have files that should not be there. Take into account your plug ins and be sure those files are clean.

Also, none of this can guarantee that someone did not get further into your server.

#9
08-25-2015, 03:02 PM
Dave

Another easy way to find suspicious files is by logging into the FTP of your server and by sorting all files and folders by last modification date. From there see if you can find any suspicious files.

#10
08-25-2015, 03:12 PM
RichieBoy67

Quote:
Originally Posted by Dave
Another easy way to find suspicious files is by logging into the FTP of your server and by sorting all files and folders by last modification date. From there see if you can find any suspicious files.

Yeah Dave, great tip. I was going to mention that as well but he had mentioned that he did the upgrade in which he uploaded all the vBulletin files. It could be useful though to find anything else possibly.

I usually use the diagnostics and download the files that seem suspicious and do a filewide search using Notepad++. Of course if there is anything on the server files or in the database he will still be in trouble.
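
The two file checks suggested in posts #9 and #10 (sorting by last modification date and a file-wide search of a downloaded copy), combined into one script. This is an added example, not part of the original thread; the marker list, the `scan_tree` and `build_demo_tree` names and the sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile

# Content markers (an assumed, non-exhaustive list); the banner string is the
# one quoted in this thread.
MARKERS = {
    "eval(": re.compile(rb"\beval\s*\(", re.I),
    "base64_decode(": re.compile(rb"base64_decode\s*\(", re.I),
    "gzinflate(": re.compile(rb"gzinflate\s*\(", re.I),
    "C99madShell": re.compile(rb"c99madshell", re.I),
}

def scan_tree(root, since_epoch):
    """Return [(mtime, relative_path, [marker names])], newest first.
    A file is listed if it changed after since_epoch OR contains a marker,
    so a shell with a back-dated timestamp is still caught by content."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            with open(path, "rb") as fh:
                data = fh.read()
            hits = [label for label, rx in MARKERS.items() if rx.search(data)]
            if hits or mtime > since_epoch:
                findings.append((mtime, os.path.relpath(path, root), hits))
    return sorted(findings, reverse=True)

def build_demo_tree():
    """Constructed sample tree: file names, contents and times are made up."""
    root = tempfile.mkdtemp(prefix="forum_copy_")
    samples = {
        "index.php": (b"<?php echo 'home'; ?>", 1_000),
        "new_feature.php": (b"<?php echo 'added later'; ?>", 9_000),
        "images/cache.php": (b"<?php eval(base64_decode('PLACEHOLDER')); ?>", 500),
    }
    for rel, (body, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    return root

if __name__ == "__main__":
    for mtime, rel, hits in scan_tree(build_demo_tree(), since_epoch=5_000):
        print(int(mtime), rel, hits or "recently modified")
```

`eval(` and `base64_decode(` also appear in legitimate PHP, so each hit is a lead for manual review rather than a verdict. A file-only scan also does not cover code held in the plug in manager or the database, which the thread checks separately.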