#1
vbulletin hacked
I was recently called in to recover a friend's vBulletin after it was hacked by ViRuS_HiMa, a well known and fairly experienced hacker at turk-h.org. Since cPanel logging was not enabled, I do not know how he entered the site, but his technique was rewriting the spacer_open template in all styles with an eval(base64). I would very much like to decode the eval(base64) so I can see if it's simple HTML or if there are additional executions being made that I need to be aware of. If anyone can assist with the decoding, please contact me. Again, I do not know the point of entry (probably a mod). If anyone else has had their forum hacked by ViRuS_HiMa, and it seems that no matter what you try, it always shows the defacement, check your spacer_open templates in the database for eval(base64) encrypted text. Thanks
#2
What is the URL to your friend's board?
#3
I sent it via pm since the site exploit has not yet been found.
#4
I don't see anything obvious at this time on the site.
This could have been done in many different ways: a vulnerable modification, access to the database, etc.
#5
It happened again. The site uses only non-beta mods, only two people have access to the database, and there are no mods that are known to be vulnerable. I believe it was the MySmilies mod, but I have no proof.
#6
Make a database backup and clean everything off your server.
Set everything up again, run your database through ImpEx to ensure no extra tables, permissions or anything else have been added, and re-upload vBulletin. That will ensure no files have been left behind by the hacker.
#7
Quote:
#8
I'm still going through the logs, but all I can find right now is as follows:
Code:
82.201.250.97 - - [15/Aug/2008:14:28:23 -0600] "GET /clientscript/vbulletin_important.css?v=372 HTTP/1.1" 200 2077 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:21 -0600] "GET / HTTP/1.1" 200 16830 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:23 -0600] "GET /clientscript/yui/yahoo-dom-event/yahoo-dom-event.js?v=372 HTTP/1.1" 200 31508 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:29 -0600] "GET /clientscript/yui/connection/connection-min.js?v=372 HTTP/1.1" 200 14756 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:30 -0600] "GET /clientscript/vbulletin_global.js?v=372 HTTP/1.1" 200 25464 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:32 -0600] "GET /clientscript/vbulletin_menu.js?v=372 HTTP/1.1" 200 9808 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:35 -0600] "GET /clientscript/overlib/overlib.js HTTP/1.1" 200 49636 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:46 -0600] "GET /clientscript/ncode_imageresizer.js?v=1.0.2 HTTP/1.1" 200 9585 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:47 -0600] "GET /morbid_orange/morbid_o/bgimg.gif HTTP/1.1" 200 1107 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:47 -0600] "GET /clientscript/vbulletin_md5.js?v=372 HTTP/1.1" 200 5871 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:47 -0600] "GET /morbid_orange/misc/navbits_start.gif HTTP/1.1" 200 1395 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/misc/menu_open.gif HTTP/1.1" 200 668 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/gradients/gradient_thead.gif HTTP/1.1" 200 492 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/buttons/collapse_tcat.gif HTTP/1.1" 200 607 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/gradients/gradient_tcat.gif HTTP/1.1" 200 789 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/misc/poll_posticon.gif HTTP/1.1" 200 1418 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /images/icons/icon1.gif HTTP/1.1" 200 1423 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:48 -0600] "GET /morbid_orange/statusicon/forum_old.gif HTTP/1.1" 200 1875 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:49 -0600] "GET /morbid_orange/buttons/lastpost.gif HTTP/1.1" 200 1354 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:49 -0600] "GET /morbid_orange/statusicon/forum_link.gif HTTP/1.1" 200 1379 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:49 -0600] "GET /clientscript/vbulletin_read_marker.js?v=372 HTTP/1.1" 200 3813 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /morbid_orange/rating/rating_5.gif HTTP/1.1" 200 1670 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /images/statusicon/post_old.gif HTTP/1.1" 200 911 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /avatars/aka-beasttt.gif HTTP/1.1" 200 372 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /morbid_orange/buttons/collapse_thead.gif HTTP/1.1" 200 565 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /morbid_orange/misc/whos_online.gif HTTP/1.1" 200 1417 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /morbid_orange/misc/stats.gif HTTP/1.1" 200 1375 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:50 -0600] "GET /morbid_orange/statusicon/forum_new.gif HTTP/1.1" 200 2141 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:47 -0600] "GET /morbid_orange/morbid_o/logo.gif HTTP/1.1" 200 45734 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:28:57 -0600] "GET /favicon.ico HTTP/1.1" 200 10529 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:30:53 -0600] "GET / HTTP/1.1" 200 6661 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:30:57 -0600] "GET /rezora.jpg HTTP/1.1" 404 350 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:31:32 -0600] "GET / HTTP/1.1" 200 6661 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:31:33 -0600] "GET /rezora.jpg HTTP/1.1" 404 350 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:31:45 -0600] "GET /rezora.jpg HTTP/1.1" 404 349 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:31:53 -0600] "GET / HTTP/1.1" 200 6660 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:31:57 -0600] "GET /rezora.jpg HTTP/1.1" 404 350 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:32:29 -0600] "GET / HTTP/1.1" 200 6661 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:32:30 -0600] "GET /rezora.jpg HTTP/1.1" 404 350 "http://thebestforumever.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:36:38 -0600] "GET / HTTP/1.1" 200 6661 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:47:18 -0600] "GET / HTTP/1.1" 200 6744 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
82.201.250.97 - - [15/Aug/2008:14:56:03 -0600] "GET / HTTP/1.1" 200 6744 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
I also found a vbulletin_textedit.js file within the PhotoPlog images directory. Still looking into that one.
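When reading a pasted access log like the one above, two things are worth pulling out mechanically: the entries are not in time order, and the byte count of "GET /" drops from 16830 to 6661 at 14:30:53, after which the homepage (by referer) requests /rezora.jpg, which returns 404. That size change brackets when the front page content changed. The following is an added example, not code from the poster, that parses Apache combined-format lines, sorts them by timestamp and reports per client IP the 404s and any path whose 200 response size changed between requests. The sample embeds six of the poster's own lines; nothing beyond the standard combined log format is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example: parse Apache combined-format access log lines, order them by
# time and report, per client IP, the 404s and any path whose 200 response size
# changed between requests (a cheap way to bracket when page content changed).

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def summarize(lines):
    """Group parsed lines by client IP; sort by timestamp first, pasted logs are often out of order."""
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    by_ip = {}
    for rec in records:
        s = by_ip.setdefault(rec["ip"], {
            "requests": 0, "first": rec["ts"], "last": rec["ts"],
            "not_found": [], "sizes": defaultdict(list),
        })
        s["requests"] += 1
        s["last"] = rec["ts"]
        if rec["status"] == 404:
            s["not_found"].append(rec["path"])
        elif rec["status"] == 200:
            s["sizes"][rec["path"]].append((rec["ts"], rec["size"]))
    return by_ip


def content_changes(ip_summary):
    """Paths whose 200 response size changed: path -> (time of first differing response, old size, new size)."""
    changes = {}
    for path, seq in ip_summary["sizes"].items():
        for (_, old), (when, new) in zip(seq, seq[1:]):
            if new != old:
                changes[path] = (when, old, new)
                break
    return changes


UA = '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"'
# Six of the lines pasted in the post above, deliberately left in the order they were pasted.
SAMPLE_LOG = [
    '82.201.250.97 - - [15/Aug/2008:14:28:23 -0600] "GET /clientscript/vbulletin_important.css?v=372 HTTP/1.1" 200 2077 "http://thebestforumever.com/" ' + UA,
    '82.201.250.97 - - [15/Aug/2008:14:28:21 -0600] "GET / HTTP/1.1" 200 16830 "-" ' + UA,
    '82.201.250.97 - - [15/Aug/2008:14:30:53 -0600] "GET / HTTP/1.1" 200 6661 "-" ' + UA,
    '82.201.250.97 - - [15/Aug/2008:14:30:57 -0600] "GET /rezora.jpg HTTP/1.1" 404 350 "http://thebestforumever.com/" ' + UA,
    '82.201.250.97 - - [15/Aug/2008:14:31:32 -0600] "GET / HTTP/1.1" 200 6661 "-" ' + UA,
    '82.201.250.97 - - [15/Aug/2008:14:31:33 -0600] "GET /rezora.jpg HTTP/1.1" 404 350 "http://thebestforumever.com/" ' + UA,
]

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["requests"], "requests", s["first"].time(), "-", s["last"].time())
        print("  404s:", sorted(set(s["not_found"])))
        for path, (when, old, new) in content_changes(s).items():
            print("  size of", path, "changed", old, "->", new, "at", when.time())
```

Run it over the whole access log rather than one client's lines: the time at which "/" first changed size gives you a narrow window to search the other logs (FTP, cPanel, MySQL) for the write that actually changed the template.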
#9
Can you list the hacks you have installed, please?
#10
Auto Move Closed Threads 1.1.1
Automatically Added Friend 1.0.1
Casino .92
Cyb - Advanced Forum Statistics 5.8.1
Cyb - PayPal Donate 4.7
Friends "Facebook style" 1.0.0
Gifts System 0.6
GTPrivate Message Quickreply 3.7.0.1
GTUserCP - Enhanced USERCP Interface + USERCP Menu 3.7
gXboxLive 2.1.9
HS - Signature of the Week 1.0.0
ibProArcade for vBulletin 2.6.7
Inactive User Reminder Emails 1.1.3
Members who have Visited 3.7.003
Miserable Users 3.7.002
Mobile Device Detection 1.0.0
Multiple Login Detector 1.03
MySmilies VB 3.7.004
passiveVid 1.1.2
PhotoPlog Pro 2.1.4.8
Report Bad PM 1.0.5
Separate Sticky and Normal Threads 2.0.0
SocialForums 1.4.2
TCattd - The Image Resizer 1.2.6
Usergroup Color Bar 1.0.0
vBadvanced Links Directory 3.0 RC1
vBCredits 1.4
vBCredits with ibProArcade 1.2
vBSEO 3.2.0
vBSEO :: Sitemap Generator 2.2
Welcome Headers 5.0.2