Right now i have the exactly same problem. Does anyone know how to solve this problem please ? I am running my own dedicated server but since am not good with server management, i do not have any idea about what to do on server side if it's not about a file removing or something like that...
I saw this for the first time on a client's install two or so months ago. None of the vBulletin files were modified and the database was clean so I was stumped at first. It turns out this particular exploit uses vB's plugin/hook system; if you see a strange plugin (note I said plugin, not product), remove it. Then, find out how it got on there. xD
Just read a document on this exploit; bad file permission or upload script setups could allow something like this to happen.
I would recommend vbulletin upgrading / securing the ajax.php asap
You cannot upload files like that with ajax.php unless someone has already compromised you.
What actually happens is they use sql injection via an unsafe modification to install a plugin on the ajax hook, then use that malicious plugin to install the file.
If you forum directory was properly secured as read only (to apache) then that wget would fail to actually save the file.
How would I get rid of this ive been comprimised as well...
Is it in a folder in FTP is it a CODE I can delete etc
Contact your Host and/or hire someone to remove it as this is quite nasty and who knows if you have the same edition (you can modify and add/remove code before uploading a script) and is yours in English or Arabic? I've seen this script in three different languages honestly so long story short if your not experienced in this, it's not ideal for you to try and sort yourself unfortunately .
08-29-2011, 06:53 PM
.
Linear Mode
