The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Admin account compromised
This morning an admin account was compromised on our forum. They then sent out a mass email stating that the forum was promoting a website (which we do not), made changes to allow uploading of PHP, and then uploaded a PHP script. This is the script that was uploaded: http://binibrahim.com/shells/godshell.txt
We have removed the files that were uploaded, dealt with the account, and think we have set everything back to normal, but are worried about what exactly this script may have done. Has anybody seen this script before, or can see what it's meant to do, as we don't want to have missed any back doors that may have been left behind by it?
#2
The script you linked is called a "PHP Shell" or "PHP Backdoor"; it allows people to interact with the server/database/any files on the server in any way they want.
Now, the question of whether there are any backdoors left is hard for us to answer. All it takes is one line of code to act as a backdoor, and this can be hidden in any of the thousand(s) of files vBulletin uses.
Thanks from: TheLastSuperman
#3
Quote:
^ Please tell me you've already deleted that file OR that the link above is not your site... IF it is your site, delete that file promptly and submit a ticket with your Host asking what assistance they can offer (Maldet scan and/or similar will at least help).
- Replace all default files with 100% fresh new files from a brand new .zip you can acquire via https://members.vbulletin.com then check and see what is left, i.e. any new files with recent timestamps around the date of the hacking? *Also look for odd named files, I've seen hackers retain timestamps on files, i.e. upload a much older file that you would not assume is bad (i.e. been there long enough) and yet it is.
- Run Suspect File Versions from Maintenance in AdminCP.
- Check the plugin table for any new rogue plugins OR any that contain malicious code. Once you confirm none exist then click to save the active plugins (this will rebuild plugin cache).
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/artic...vbulletin-site
Thanks from: rhody401
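The file check described in post #3, as an added example (not part of the original thread and not vBulletin's own tooling): it compares a live install against a fresh extract by SHA-256 instead of by timestamp, so a backdated file still shows up. The directory layout, file names and the `SCRIPT_EXT` list are constructed assumptions.

```python
import hashlib, os, tempfile
from pathlib import Path

SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar"}  # assumption: extensions the web server executes

def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(reference_root, live_root):
    """Compare a live install against a fresh extract by content, ignoring mtimes."""
    ref, live = hash_tree(reference_root), hash_tree(live_root)
    unknown = sorted(set(live) - set(ref))
    return {
        "modified": sorted(p for p in live if p in ref and live[p] != ref[p]),
        "unknown": unknown,  # also lists legitimate add-ons, uploads and config: review each
        "unknown_scripts": [p for p in unknown if Path(p).suffix.lower() in SCRIPT_EXT],
        "missing": sorted(set(ref) - set(live)),
    }

def demo():
    """Constructed sample trees: one altered stock file, one added script with an old mtime."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, live = Path(tmp, "fresh"), Path(tmp, "live")
        for root in (ref, live):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php // stock index\n")
            (root / "includes" / "functions.php").write_text("<?php // stock functions\n")
        # Stock file with a single appended line (constructed)
        with open(live / "includes" / "functions.php", "a") as f:
            f.write("// constructed extra line\n")
        # File absent from the fresh package, with its mtime set back to 2000-01-01
        added = live / "includes" / "cache_old.php"
        added.write_text("<?php // constructed placeholder\n")
        os.utime(added, (946684800, 946684800))  # a "recent timestamps" search would miss it
        (live / "avatar.gif").write_bytes(b"GIF89a")  # non-script upload, listed but not flagged
        return compare_trees(ref, live)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files reported under `modified` or `unknown_scripts` are the ones to inspect first; the plugin table lives in the database and still needs the separate check the post describes.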
#4
Thank you for the information. The link shows the file; I found that link after googling part of the file to try and understand what it was. The file was hosted for around 20 minutes before it was located and removed.
#5
Quote:
Quote: