Go Back   vb.org Archive > Community Discussions > Forum and Server Management
  #41  
Old 11-07-2008, 02:58 AM
terracore terracore is offline
 
Join Date: Dec 2007
Posts: 35
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I was just following this thread and searched my database (I've recently been hacked) and found 2 instances of %base64% IS THIS A PROBLEM?
Reply With Quote
  #42  
Old 11-07-2008, 04:22 AM
Hornstar Hornstar is offline
 
Join Date: Jun 2005
Location: Australia
Posts: 2,469
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by terracore View Post
I was just following this thread and searched my database (I've recently been hacked) and found 2 instances of %base64% IS THIS A PROBLEM?
Whoever can answer this can you also provide a solution about what we need to do to clean this up and fix things. thanks.
Reply With Quote
  #43  
Old 11-08-2008, 07:59 PM
JayGatz JayGatz is offline
 
Join Date: Dec 2007
Posts: 6
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

What mods have you added?
Reply With Quote
  #44  
Old 11-13-2008, 12:48 AM
Silver_Seagull Silver_Seagull is offline
 
Join Date: May 2006
Posts: 12
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I got hacked by ab0-salem as well... I am in the process of "sanitizing" my database, but I am new to this: I am not sure where I should "snip" this base64 decode...can anyone help?

Code:
snip...
,\"subscriptions.php\")) {\r\n\r\neval(gzinflate(base64_decode(\'HJ  ...snip...  8A\')));\r\n\r\nexit;\r\n}\r\n\";}',1),   [end of line in file]
PS - I'm also interested in seeing what exactly this is/does, but it decodes to a binary file and that's where I get lost. Any help is appreciated!
Reply With Quote
  #45  
Old 11-13-2008, 08:31 AM
henlyn henlyn is offline
 
Join Date: Dec 2007
Posts: 4
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Will re post... sorry
Reply With Quote
  #46  
Old 11-13-2008, 08:36 AM
snakes1100 snakes1100 is offline
 
Join Date: Dec 2001
Location: Michigan
Posts: 3,733
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Please create your own thread.

You need to read the vbulletin manual, it has full descriptions of what you need to do.

If you have a vhost server, you will be stuck with using a script, which arent 100% dependable, you should always dump your db via the command line thru ssh w/mysqldump or in windows via the mysql cmd-line client.
Reply With Quote
  #47  
Old 11-13-2008, 08:41 AM
henlyn henlyn is offline
 
Join Date: Dec 2007
Posts: 4
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Right Thanks
Reply With Quote
  #48  
Old 11-22-2008, 08:55 PM
Hornstar Hornstar is offline
 
Join Date: Jun 2005
Location: Australia
Posts: 2,469
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I found that they have uploaded 2 files called moj.php and sql.php in my downloads folder which was chmod 777 because of the downloadsII mod. I have since changed this to 755 but that mod no longer works with it 755. Both files contained base 64 code (encrypted) so I have a feeling this is where the hacking took place. I am looking elsewhere for any more .php files that should not be uploaded.

Is there something I can search for in SSH to see if there are any files containing base64 code, and is there some sort of setting on my server I should have enabled/disabled to ensure these types of files can not be run etc.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 03:22 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04539 seconds
  • Memory Usage 2,239KB
  • Queries Executed 12 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_code
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (8)post_thanks_box
  • (8)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (8)post_thanks_postbit_info
  • (8)postbit
  • (8)postbit_onlinestatus
  • (8)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete