The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#31
Alright. I'll try to beef up the guard.
#32
I would be curious to see the code they added if you can send me a PM with the encrypted code. I am sure it is just an encrypted refresh but I will see if I can decrypt it. I have been studying the enemy for a while and there probably isn't much I can get from the code but I would still like to see it for basic syntax.
You obviously have something they were able to take advantage of to do a SQL injection. So, as suggested, get the forums upgraded and evaluate the hacks you have added. Also, don't forget to get the automated database backups running, as if they did this the hacker could have deleted your entire database as well!
#33
Ok, guilty as charged... I skimmed a bit...
Here's what I would do: Make a backup now instead of tinkering w/ the only (although hacked) full version of your database that exists. Make a copy of that and tinker w/ it! Check the FTP or File Manager for recently modified files or folders and review the code. Also make sure, however you're viewing the files, you have it to where it's not hiding any from your view. As for restoring a large DB, try bigdump.php or SQLyog Enterprise and give it a shot!
S-MAN
#34
Yes, luckily it wasn't a destructive hack; more of an informative one. I'll send it to you in a sec.
Unfortunately I have to pay $60 to renew to download anything above 3.6.8. I don't think it's feasible for me now.
#35
Thanks for the code and for your reference you should never send code like that unmodified. For example, if you get encrypted code like that if you modify the start of the encrypted code so it is changed...
From: eval(base64_decode('
To: eval(baNOCODEse64_decNOTode('
The code can not be executed! You really have to be careful with encrypted code like that as you never know everything it does until it is decrypted. Luckily, there are tools out there that can decrypt stuff pretty darned easily anymore.
--------------- Added [DATE]1224207351[/DATE] at [TIME]1224207351[/TIME] ---------------
I decrypted the code and it was relatively harmless HTML code. There was nothing in there to log passwords as an example. I am posting the code here just for the record and so you can see it. That nonsense of letters and numbers when decoded is the code that follows!
PHP Code:
#36
Oh dear, that was clumsy of me.
#37
Quote:
My site got hacked last week and I found a different method to get my templates showing up instead of the hacked version, however I still have a couple of the hacked templates up as I have not had time to change those just yet. Any idea what table name, or what kind of code I should be looking for more exactly?
#38
There shouldn't be any base 64 scripts in your forums
#39
How is that even embedded? Is it a mod badly written?
#40
What should I do?
Search results for "%base64%" at least one of the words:
2 match(es) inside table vb3_datastore
4 match(es) inside table vb3_plugin
2 match(es) inside table vb3_pmtext
4 match(es) inside table vb3_post
3 match(es) inside table vb3_postedithistory
1 match(es) inside table vb3_postparsed
1 match(es) inside table vb3_word
Total: 17

Example: Table: vb3_word
Code:
SQL query:
SELECT *
FROM `***_***`.`vb3_word`
WHERE (
    `wordid` LIKE '%%base64%%'
    OR `title` LIKE CONVERT( _utf8 '%%base64%%' USING latin1 ) COLLATE latin1_swedish_ci
)
LIMIT 0 , 30

Wordid: 57647
title: base64

Example: table vb3_plugin
Code:
SQL query:
SELECT *
FROM `***_***`.`vb3_plugin`
WHERE (
    `pluginid` LIKE '%%base64%%'
    OR `title` LIKE CONVERT( _utf8 '%%base64%%' USING latin1 ) COLLATE latin1_swedish_ci
    OR `hookname` LIKE CONVERT( _utf8 '%%base64%%' USING latin1 ) COLLATE latin1_swedish_ci
    OR `phpcode` LIKE CONVERT( _utf8 '%%base64%%' USING latin1 ) COLLATE latin1_swedish_ci
    OR `product` LIKE CONVERT( _utf8 '%%base64%%' USING latin1 ) COLLATE latin1_swedish_ci
    OR `devkey` LIKE CONVERT( _utf8 '%%base64%%' USING latin1 ) COLLATE latin1_swedish_ci
    OR `active` LIKE '%%base64%%'
    OR `executionorder` LIKE '%%base64%%'
)
LIMIT 0 , 30

Code:
$attachpatch_patchfirstpost = array ();
global $foruminfo, $vbulletin;
if (!empty ($vbulletin->options['attachpatch_patchfirstpost']))
{
    $attachpatch_patchfirstpost = preg_replace ('/[^0-9,]*/', '', $vbulletin->options['attachpatch_patchfirstpost']);
    $attachpatch_patchfirstpost = explode (',', $attachpatch_patchfirstpost);
}

if (
    $vbulletin->options['attachpatch_enable']
    AND (
        in_array($foruminfo['forumid'], $attachpatch_patchfirstpost)
        OR $vbulletin->options['attachpatch_patchfirstpost'] == -1
    )
    AND $post['parentid'] == 0
)
{
    if (!isset ($attachpatchinfo))
    {
        // initialize my variables
        $attachpatchinfo = array ();
        $attachpatchinfo['mycounter'] = 0; // counts loop iterations
        $attachpatchinfo['combinedfilesize'] = 0;
        $attachpatchinfo['moderatedattachments'] = '';
        $attachpatchinfo['showmoderatedattachments'] = false;
        $attachpatchinfo['visibleattachments'] = false;
        $attachpatchinfo['attachmentids'] = array ();
        $attachpatchinfo['dateline'] = 0;
        $attachpatchinfo['counter'] = 0; // this is the vB download counter for the attachment
    }

    // count attachments to know the last time we go thru the loop
    ++$attachpatchinfo['mycounter'];

    if ($attachment['visible'])
    {
        // do the necessary stuff from the original loop in the function
        // skip the various built-in vb templates (image/thumbnail etc)
        if (THIS_SCRIPT == 'external')
        {
            $attachment['counter'] = $vbphrase['n_a'];
            $show['views'] = false;
        }
        else
        {
            $show['views'] = true;
        }

        // remember that there is at least one visible (not moderated) attachment
        $attachpatchinfo['visibleattachments'] = true;

        // add up total filesize of non-moderated attachmentes
        $attachpatchinfo['combinedfilesize'] += $attachment['filesize_real'];

        // save the attachment ids, dateline & counter to output in the template
        $attachpatchinfo['attachmentids'][] = $attachment['attachmentid'];
        $attachpatchinfo['dateline'] = $attachment['dateline']; // dateline & counter will end up being that of the
        $attachpatchinfo['counter'] = $attachment['counter'];   // last attachment, but that should suffice.
    }
    else
    {
        // do default vb moderated attachments (but save 'em to our variable)
        eval('$attachpatchinfo[\'moderatedattachments\'] .= "' . fetch_template('postbit_attachmentmoderated') . '";');
        $attachpatchinfo['showmoderatedattachments'] = true;
    }

    // set to false so that the vB original loop does less
    // it does a moderated attachment instead of the real ones.
    // which will have to be erased later.
    $attachment['visible'] = false;

    // last time thru the loop, save the info for later.
    if ($attachpatchinfo['mycounter'] == $attachcount)
    {
        // format the filesize nicely
        $attachpatchinfo['combinedfilesizepretty'] = vb_number_format($attachpatchinfo['combinedfilesize'], 1, true);

        // save the whole she-bang for the next plugin.
        $this->post['attachpatchinfo'] = $attachpatchinfo;

        // we know there's at least on visible (not moderated) attachment
        if ($attachpatchinfo['visibleattachments'])
        {
            $attachpatchinfo['attachmentids'] = implode(',', $attachpatchinfo['attachmentids']);
            global $threadinfo;
            $attachpatchinfo['encodedthreadtitle'] = urlencode(base64_encode($threadinfo['title']));

            // process all attachments thru the postbit_attachmentszippedtogether template
            // do it here at the end, so it only gets done once.
            eval('$this->post[\'otherattachments\'] .= "' . fetch_template('postbit_attachmentszippedtogether') . '";');
            $show['otherattachment'] = true;
        }
    }
}
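
Added example, not part of the original thread or of any vBulletin code: a Python triage sketch for "%base64%" search hits like those posted in #40. It separates rows that merely mention base64 (such as the `base64_encode` call in the plugin above) from `eval(base64_decode('...'))` wrappers, decodes the payload without executing it, and keeps a defanged copy in the spirit of the advice in #35. The sample rows, the `vb3_template` table name, the row ids other than 57647, and all function names are constructed for illustration.

```python
import base64
import binascii
import re

# eval(base64_decode('...')) with optional whitespace and either quote style.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1", re.I)

# Constructed sample rows (table, row id, text); not data from the thread.
SAMPLE_ROWS = [
    ("vb3_plugin", 12, "$t = urlencode(base64_encode($threadinfo['title']));"),
    ("vb3_template", 7, "<?php eval(base64_decode('PGI+dGVzdDwvYj4=')); ?>"),
    ("vb3_word", 57647, "base64"),
    ("vb3_post", 3, "nothing to see here"),
]


def defang(text):
    """Break the call names so a shared sample cannot run if pasted into PHP."""
    return re.sub(r"eval(\s*\(\s*)base64_decode", r"ev[.]al\1base64_dec[.]ode",
                  text, flags=re.I)


def triage(rows):
    """Classify every row mentioning base64; decode eval payloads, never run them."""
    findings = []
    for table, row_id, text in rows:
        if "base64" not in text.lower():
            continue
        hit = EVAL_B64.search(text)
        decoded = None
        if hit:
            try:
                raw = base64.b64decode(hit.group(2))
                decoded = raw.decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                decoded = None  # malformed payload: still suspicious, inspect by hand
        findings.append({
            "table": table, "id": row_id,
            "verdict": "suspicious" if hit else "mention",
            "decoded": decoded, "safe_copy": defang(text),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f["verdict"], f["table"], f["id"], f["decoded"])
```

Rows marked "mention" still deserve a read, but the "suspicious" ones are where decoded content should be reviewed first.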