  #11  
Old 09-30-2013, 09:21 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929

Hopefully that will work, if not report back, and let us know.
  #12  
Old 09-30-2013, 10:14 PM
Zachery's Avatar
Zachery Zachery is offline
 
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440

Revert the forumhome template, chances are they modified that. The blog posts over on vBulletin.com cover fixing this stuff. Very well too.
Thanks from:
CAG CheechDogg
  #13  
Old 10-01-2013, 12:33 PM
seriousrat seriousrat is offline
 
Join Date: May 2012
Posts: 16

I don't know if this helps you guys in any way, but here are a few of the comments from the two webmasters. Any comments about future protection? We believe we are clean at serious now. I hid their email addresses.

This is 'one' of the hacks we were infected with and the one that's caused the most trouble. They had access to all of our files AND databases and injected code throughout the databases.


http://www.derekfountain.org/security_c99madshell.php

On Mon, Sep 30, 2013 at 8:50 PM, ***** wrote:

hmmm... we were told today the server house carried the infection to us,,, and thousands more

we locked our front door until the server is clean



In a message dated 9/30/2013 8:31:08 P.M. Eastern Daylight Time, ***** writes:
It's not coming through the site files, I've cleaned all those...it's being injected from the database.



On Mon, Sep 30, 2013 at 8:21 PM, ******* wrote:

go to your .exe file and find this entry >>

1E161D6D.exe

see if you can delete it if it's there


In a message dated 9/30/2013 8:16:56 P.M. Eastern Daylight Time, ***** writes:
Yeah....there's a redirect javascript buried in there somewhere. I'm chasing it now. Got rid of everything else though. I'd like to pummel the nerd that put this one together.


On Mon, Sep 30, 2013 at 8:09 PM, ********* wrote:

I just logged on SO and entered my password to look around
my MS virus blocker went apeshit as soon as I clicked on the forum header
8 pings in 3 minutes... quarantined every ping

wow, bad bad bad

btw, this same virus crashed the U of Colorado website and countless others
  #14  
Old 10-02-2013, 01:07 PM
Cygnusstudios Cygnusstudios is offline
 
Join Date: Jan 2011
Posts: 5

Mine got hacked on Monday. Everything was corrupted and the only option was pulling the site down completely.

However, I did manage to log the IP:

176.45.4.205
  #15  
Old 10-02-2013, 02:15 PM
cellarius's Avatar
cellarius cellarius is offline
 
Join Date: Aug 2005
Posts: 1,987

Cool. Now you only have to get SaudiNet to cooperate.
  #16  
Old 10-02-2013, 09:54 PM
tbworld tbworld is offline
 
Join Date: Oct 2008
Posts: 2,126

Quote:
Originally Posted by Cygnusstudios
Mine got hacked on Monday.

Sorry to hear that.
  #17  
Old 10-03-2013, 01:10 AM
hhumas's Avatar
hhumas hhumas is offline
 
Join Date: Aug 2010
Posts: 60

my site was also hacked ... they put this page ..

Quote:
HTML Code:
<html>
<head>

<style>
.shakeimage{
position:relative
}
</style>

<script language="JavaScript1.2">

/*
Shake image script (onMouseover)- 
? Dynamic Drive (www.dynamicdrive.com)
For full source code, usage terms, and 100's more DHTML scripts, visit http://dynamicdrive.com
*/

//configure shake degree (where larger # equals greater shake)
var rector=3

///////DONE EDITTING///////////
var stopit=0 
var a=1

function init(which){
stopit=0
shake=which
shake.style.left=0
shake.style.top=0
}

function rattleimage(){
if ((!document.all&&!document.getElementById)||stopit==1)
return
if (a==1){
shake.style.top=parseInt(shake.style.top)+rector+"px"
}
else if (a==2){
shake.style.left=parseInt(shake.style.left)+rector+"px"
}
else if (a==3){
shake.style.top=parseInt(shake.style.top)-rector+"px"
}
else{
shake.style.left=parseInt(shake.style.left)-rector+"px"
}
if (a<4)
a++
else
a=1
setTimeout("rattleimage()",50)
}

function stoprattle(which){
stopit=1
which.style.left=0
which.style.top=0
}

</script>


<script>
<!--Seized!
alert ("F1zch3 Was Here!")
//-->

<!--
//Disable right click script
var message="Sorry, right-click has been disabled";
function clickIE() {if (document.all) {(message);return false;}}
function clickNS(e) {if
(document.layers||(document.getElementById&&!document.all)) 
{
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false")
// -->
</script> 



<link rel="SHORTCUT ICON" href="http://s12.postimg.org/y202kmsst/16ae35f.png"> 
<title>[+] Strawhat~Fizche Was Here [+]</title>

<center>
<img src="http://img585.imageshack.us/img585/9264/6o6.gif" height="280" width="380" align="middle"> 

<style type="text/css">
body
{
font-family: "courier new";
background-color: black ;
font-size:150%;
color: #28FE14;
background-image: url("http://p1.pichost.me/i/14/1366106.jpg");
}
.xBody
{
width:1600px;
height:1600px;
position:absolute;
z-index: 12;
}
.ssh
{
display:none;
z-index: 14;
}
.sshBox
{
height:350px;
border: 7px solid white;
	-moz-border-radius: 10px;
	-webkit-border-radius: 10px;
	-o-border-radius: 10x;
	-khtml-border-radius: 10px;
	border-radius: 10px;
	z-index: 15;
}
.sshHead
{
margin-bottom: 8px;
color:black;
font-weight: bold;
background-color: black;
height:25px;
z-index: 12;
}
.greenBox
{
padding-left: 5px;
position: absolute;
height:30px;
border: 2px solid #28FE14;
z-index: 10;
}
.picz
{
position: absolute;
width:600px;
height:200%;
display:none;
right:2px;
top:2px;
}
</style>
</head>
</font>
</center>
</body>

<br>

<center>
<font style="tahoma" color="yellow" size="5">
We Are Str4wHat Pirates!<br>
</font>
<br>

<center>
<font style="tahoma" color="yellow" size="2">
Security Breach!<br><br><font color="yellow">
Hello Admin,are you surprised?<font color="red"> <br><font color="blue">
We hack this site to <font color="yellow">inform you about the vulnerab<font color="red">ility of your site.<br><font color="blue">
Your site <font color="yellow">is vulnerable and easy to<font color="red"> pentest. <br><br><font color="blue">
<font color="yellow">Strawhat~Fizch<font color="yellow">e!<br><font color="blue">
PLEASE <font color="yellow">PATCH YOUR SECU<font color="red">RITY!
</font>
</center>


<br>
<center>
<font style="tahoma" color="blue" size="2">
Strawhat <font color="yellow">Pirates <font color="red">Crew:<br><br><font color="blue">
|| Strawhat Luffy || Strawhat 4ce ||<font color="red"> Strawhat Chopp3r || Strawhat Zyber ||<br><font color="blue">
|| Strawhat bro0k || Strawhat Fizche || Silen<font color="red">t_Haxor || Strawhat Red || Strawhat Zorro ||

</font>
</center>
<br>

<center>
<font style="tahoma" color="blue" size="2">
Gre<font color="red">ets: <br><br><font color="blue">
|| Bisayan Hackers || COD3x Cyber Army || Pak Cyber Ea<font color="red">glez || Phantom Hackers.Ph || Philippine Cyber Crew ||<br><font color="blue">
|| #pR.is0n3r || Hitman || pv.Dr3inuS || pv-eld3put@ || pv~d3Sp |<font color="red">| ThinkTwic3 || RedX || Pr3-H4ck3r || kh4lifax || Silent Haxor || <br><font color="blue">
|| Nefarious  || Sizzling Soul || An0nK@p |<font color="red">| An0n3m00$ || and To all Pinoy Hackers || <br>
</font>
</center>
<br>


<center>
<font style="tahoma" color="blue" size="2">
Like Us On<font color="red"> Facebook:<br><font color="blue">
https://www.facebook.com/Str4w<font color="red">hatPiratesRecruitmentZone.gov/<br><br><font color="blue">
Join<font color="red"> Us:<br><font color="blue">
https://www.facebook.com/groups/St<font color="red">r4whatPiratesRecruitmentZone.gov/<br>
</center>

<br>
<center>
<font style="tahoma" color="grey" size="1">
Copyright 2013 by Str4what Pirates Crew. All Rights Reserved.
</center>


<center>
<iframe width="1" height="1" src="http://www.youtube.com/embed/IbAy8wZxMoc?rel=0&amp;autoplay=1&amp;loop=1&amp;playlist=Ls9cU_2Mr44" frameborder="0" allowfullscreen="">
</iframe>
</center>


</html>
Thanks from:
findingpeace
  #18  
Old 10-03-2013, 03:06 AM
tbworld tbworld is offline
 
Join Date: Oct 2008
Posts: 2,126

Thank you, I have added this to my collection of variances for this exploit. The good news is this is just using the same initial exploit, so after you have cleaned your site "carefully" and followed the latest guidelines you should be okay. Normally, I don't like exploits posted, but at this point it is all over the web, and education is the best policy now -- in my opinion, I am only a volunteer and I am not directly affiliated with vBulletin.

If I can help with information, please feel free to ask.

Do you have your board up and running again?
2 thanks from:
findingpeace, hhumas
  #19  
Old 10-03-2013, 10:27 AM
findingpeace's Avatar
findingpeace findingpeace is offline
 
Join Date: Nov 2011
Posts: 268

Everyone should report the page:
https://www.facebook.com/Str4whatPir...itmentZone.gov

And group:
https://www.facebook.com/groups/Str4...itmentZone.gov

Both listed in your malicious code, hhumas. With enough reports, these will be taken down for promoting hacking / cyber attacks. I just reported too, for violence/threat of attack.
  #20  
Old 10-04-2013, 02:15 PM
SupportAM SupportAM is offline
 
Join Date: Nov 2006
Posts: 28

Okay I need help badly.
1. I have restored my older version of Web files.
2. Upgraded to newer version of VB ....now vb 4.2.1.
3. Cleaned suspect files.
4. Looked at the plugin.
Still nothing ..... My forum is showing forum.php that is not the physical forum.php on the webserver. There must be an entry somewhere that is displaying the page.
Here is the link to my page.

What else do I have to do????

http://forum.automationmedia.com/
Reply With Quote
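
Added example, not part of the original thread and not vBulletin code: posts #12, #13 and #20 all point at markup served from database-stored templates rather than from files on disk, and post #17 shows what such markup looked like. This Python script scans template text for those indicators; the allowlisted host, the template rows in SAMPLE and the indicator names are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"forum.example.org"}  # assumption: the forum's own script host
# Inline-script indicators the thread describes: a buried redirect, plus the
# alert() banner and right-click blocker in the defacement page from post #17.
SCRIPT_PATTERNS = {
    "redirect": re.compile(r"\blocation(?:\.href)?\s*=[^=]|\blocation\.(?:replace|assign)\s*\("),
    "alert-banner": re.compile(r"\balert\s*\("),
    "context-menu-block": re.compile(r"\boncontextmenu\b"),
}

class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = set()      # (indicator name, matched detail)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # valueless attributes arrive as None
        src = a.get("src", "")
        if tag == "iframe" and (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")):
            self.findings.add(("hidden-iframe", src))   # invisible frame, as in post #17
        elif tag == "script":
            self._in_script = True
            host = urlparse(src).hostname
            if host and host not in ALLOWED_HOSTS:
                self.findings.add(("external-script", src))

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        for name, rx in SCRIPT_PATTERNS.items():
            if self._in_script and (m := rx.search(data)):
                self.findings.add((name, m.group(0).strip()))

def scan(body):  # sorted (indicator, detail) pairs found in one template body
    scanner = InjectionScanner()
    scanner.feed(body)
    scanner.close()
    return sorted(scanner.findings)

SAMPLE = {  # constructed rows: template title -> template text
    "FORUMHOME": '<script>window.location.href = "http://redirect.invalid/";</script>'
                 '<iframe width="1" height="1" src="http://media.invalid/embed"></iframe>',
    "footer": '<script src="http://forum.example.org/clientscript/global.js"></script>',
}
print({title: [name for name, _ in scan(body)] for title, body in SAMPLE.items()})
```

Run it against an export of template and plugin text taken from a database backup, and treat a hit as a pointer to which row to compare against a known-good copy, not as proof of compromise.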