The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
So, I was hacked last night and was going through the files and found these in the forum/signatures directory. My question is how they actually got into this directory and how can I keep this from happening again?
They all seem to be hacking files: 2008.sct.php, Treasury.php, update.php, pass_c_pannel.php. I've attached them so you guys can take a look at them but now they are gone.
#2
These should not be posted here. I will share what they do after they are removed!
Thanks for removing those! You have a PM with my best guess from what I got from quickly looking at the code. Note that my antivirus software indicated that two of the four were not even safe to have on a PC, so anybody that downloaded those, be careful with them, as there were special characters and code, so if you open those with the wrong software you could have a nasty surprise!
EDIT: OK, I looked at the file more on my junker computer and the special characters look to be Russian characters or something of the sort. Still, some alarming script in there, and while it should not be posted on a site like this, I may well try to write a script that can look for some of these code tricks in an uploaded script.
#3
Removed
#4
Hmmm, I wish I knew how people could upload that kinda stuff to your site so I can make sure it doesn't happen to me.
#5
Only thing I could think of at the moment was to remove the ability to upload a signature picture.
The one thing I noticed was when I went to back up my forum, it wouldn't allow me to download those files, and only those.
#6
They could have been uploaded by using a Local File Inclusion (LFI) exploit; this is where basically a user embeds $wget someshell.php in the EXIF data of an image, uploads it and then opens the URL on a vulnerable script (I believe vBA Portal is vulnerable to this type of attack).
The files you found were most likely PHP RATs, which basically give the user who opens them in their browser pretty much full access to your account's directory and possibly the /home/ directory + other accounts on the server if they aren't CHMODed correctly. You can install a server-side antivirus that will automatically detect and delete shells like that, or alternatively implement an Apache script like mod_security. If you want to find out who did it and how, you should check your raw access logs, do a CTRL+F and enter any of those .php files, then get the IP that accessed them and look at what other pages they accessed; most likely you will find their exploit.
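The access-log review suggested in post #6, as an added example that is not part of the original thread: it finds every client that requested one of the reported file names under the signatures directory and returns that client's full request history, so the requests made before the first hit can be inspected. It assumes Apache common/combined log format; the sample log lines, timestamps and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# File names reported in post #1 of this thread.
SUSPECT_FILES = ("2008.sct.php", "Treasury.php", "update.php", "pass_c_pannel.php")

# Leading fields of Apache common/combined log format (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2010:22:01:10 +0000] "GET /forum/index.php HTTP/1.1" 200 5120
203.0.113.9 - - [12/Mar/2010:22:03:41 +0000] "POST /forum/profile.php HTTP/1.1" 200 812
203.0.113.9 - - [12/Mar/2010:22:04:02 +0000] "GET /forum/signatures/update.php HTTP/1.1" 200 4096
198.51.100.7 - - [12/Mar/2010:22:05:00 +0000] "GET /forum/update.php HTTP/1.1" 404 210
203.0.113.9 - - [12/Mar/2010:22:06:15 +0000] "GET /forum/signatures/Treasury.php?x=1 HTTP/1.1" 200 2048
""".splitlines()

def trace_suspect_clients(lines, suspects=SUSPECT_FILES, upload_dir="/signatures/"):
    """Return {ip: [(ts, method, path, status), ...]} for each client that
    requested a suspect file inside upload_dir. The list holds ALL of that
    client's requests in log order, not only the hits on the suspect files."""
    history = defaultdict(list)
    flagged = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path = m["ip"], m["path"]
        history[ip].append((m["ts"], m["method"], path, m["status"]))
        file_part = path.split("?", 1)[0]  # drop the query string
        if upload_dir in file_part and file_part.rsplit("/", 1)[-1] in suspects:
            flagged.add(ip)
    return {ip: history[ip] for ip in flagged}

if __name__ == "__main__":
    for ip, requests in trace_suspect_clients(SAMPLE_LOG).items():
        print(ip)
        for ts, method, path, status in requests:
            print(f"  {ts}  {method:4} {path}  -> {status}")
```

Requests with status 200 on a .php file inside an upload directory mean the server executed or served it; the entries just before the first such hit are the ones to review for the upload path.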