vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
#1
11-26-2011, 10:57 PM
SloppyGoat (Join Date: Feb 2002, Posts: 339)
Can anyone tell me what this file is?

It infected my 3.8 forum, and I found it through both AV and the file name. I knew it didn't belong. What was strange was, the site worked fine, but the home page would not load. I restored from my backups several times and it would load fine for maybe 24 hours, then the same problem happened over and over, until I finally found and removed it. I lost months of posts, but finally seem to have the forum stable again. What I am wondering is if I have anything else to worry about? Has this file done anything else to my forum? I don't know PHP, and I am really in the dark about what this means. Although, it's obvious that there is some malicious code in it. Especially the part about "Webshell by oRb" and the lines from about 743 - 754.

Can anyone explain to me how this ended up in my web root and what the hell it did (or tried to do) to my forum? I have renamed the extension to txt and it should not be dangerous at all now. That is all I have changed about the file. Any help would be greatly appreciated. I have been running this forum for about 10 years and this is the most serious problem/attack I have ever had. If anyone can help me figure out what happened and/or how to avoid it from happening again, I sure would appreciate it.
Attached file: love.php.txt (63.1 KB)
#2
11-26-2011, 11:38 PM
Lynne (Join Date: Sep 2004, Location: California/Idaho, Posts: 41,180)

Without going through it line by line, it looks like it gives the person any and all information that they want about your server - the password, open ports, where any config files are located (for php, mysql, apache, etc), privileges, backups... anything they asked for (you can see all that starting around line 75). It looks like it gives the user a form where they may select what to get/do to your server.
#3
11-26-2011, 11:43 PM
SloppyGoat (Join Date: Feb 2002, Posts: 339)

Well, that's just great! How did this happen? Nobody has ever had access to my root folder ever. Nothing seems to have been compromised. What should I do? The file creation date goes way back to Jan, and nothing weird happened until recently.

I don't run an Apache server. It appears that may be why it didn't work?

--------------- Added 26 Nov 2011 at 19:24 ---------------

Is my forum safe with the file removed if nothing else has happened? As far as I know, the only thing that went wrong is my home page would not load. Everything else on the forum was working fine. Every other page, link, and feature was entirely accessible and operational. I don't believe any passwords or anything were actually accessed. At least, there are no signs that anyone has been hacked or anything. The only port that was ever open on my server was 80. It looks more like a failed attempt, that just messed with the home page's ability to load.
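The first three posts raise two practical questions: how to know whether anything besides love.php was touched, and why a restore from backup kept "going bad" after about a day (the file was dated January, so every backup taken since then carried it back in). The script below is an added example for this thread, not code from vb.org or from vBulletin. It takes a SHA-256 manifest of a known-good web root so that a later run shows exactly which files appeared or changed, and it flags source that matches common webshell indicators, including the "Webshell by oRb" banner from the attached file. It uses hashes rather than file dates because an attacker can set a file's timestamp to anything. The sample tree built in demo(), the indicator list and the extension table are all constructed for illustration; a match means "look at this file", not proof of compromise.

```python
# Added example (not vb.org or vBulletin code): baseline a web root by hash, diff it later,
# and flag files whose content looks like a webshell. Indicators are heuristics.
import hashlib
import os
import re
import tempfile

# Extensions the web server hands to PHP (assumption: a typical handler configuration).
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".inc"}

# (label, regex) pairs. Tripping one means "inspect this file", nothing more.
INDICATORS = [
    ("oRb/WSO banner", re.compile(r"Webshell by oRb", re.I)),
    ("eval of decoded payload",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("eval/exec of request input",
     re.compile(r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen)\s*\(\s*"
                r"\$_(?:POST|GET|COOKIE|REQUEST)\b", re.I)),
    ("dynamic function call on request input",
     re.compile(r"\$_(?:POST|GET|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(")),
    ("preg_replace with /e modifier",
     re.compile(r"preg_replace\s*\(\s*(['\"]).*?/\w*e\w*\1", re.S)),
    ("chr() string building", re.compile(r"(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){4,}", re.I)),
]


def find_indicators(source: str) -> list:
    """Return the labels of every indicator that matches the given source text."""
    return [label for label, rx in INDICATORS if rx.search(source)]


def sha256_file(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative path, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def diff_manifest(baseline: dict, current: dict):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def scan_suspicious(root: str) -> dict:
    """Map relative path -> indicator labels for every file that trips at least one check.

    A PHP open tag inside a .txt, .gif or other non-PHP file is flagged as well: a renamed
    shell left in the web root is still a shell, and on servers whose handler matches any
    ".php" component of a filename it can still execute.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "rb") as fh:
                    text = fh.read().decode("latin-1")  # byte-preserving; we only pattern-match
            except OSError:
                continue
            reasons = find_indicators(text)
            if os.path.splitext(name)[1].lower() not in PHP_EXTENSIONS and "<?php" in text:
                reasons.append("PHP open tag in non-PHP file")
            if reasons:
                hits[rel] = reasons
    return hits


def _write(root: str, rel: str, content: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, plant what the thread describes, audit it."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php\nrequire_once('./global.php');\n")
        _write(root, "includes/config.php", "<?php\n$config['MasterServer']['servername'] = 'localhost';\n")
        baseline = build_manifest(root)
        # A dropped shell, a backdoored include, and code hidden in an "image" (all constructed).
        _write(root, "love.php", "<?php\n// Webshell by oRb\n@eval(base64_decode($_POST['p']));\n")
        _write(root, "includes/config.php",
               "<?php\n$config['MasterServer']['servername'] = 'localhost';\n$_REQUEST['f']($_REQUEST['a']);\n")
        _write(root, "images/attach/avatar.gif", "GIF89a\n<?php system($_GET['c']); ?>\n")
        added, modified, removed = diff_manifest(baseline, build_manifest(root))
        return {"added": added, "modified": modified, "removed": removed,
                "suspicious": scan_suspicious(root)}
```

In practice you take the baseline from a fresh vBulletin package plus your known modifications, store the manifest off the server, and rerun build_manifest and diff_manifest after every restore; a shell that reappears shows up as "added" within minutes of the restore rather than a day later when the home page stops loading.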
#4
11-27-2011, 12:47 AM
Max Taxable (Join Date: Feb 2011, Posts: 3,134)

Quote (Originally Posted by SloppyGoat):
Well, that's just great! How did this happen?
Likely, YOU installed it. When you installed a style, add-on, or plugin. Always check everything carefully you install that isn't native vBulletin. Lots of creeps install back-door and "call home" stuff in the guise of something shiny, nice and new for your board.

Installed anything new lately? Or, corresponding with the date and time this file was installed on your server?
#5
11-27-2011, 12:54 AM
SloppyGoat (Join Date: Feb 2002, Posts: 339)

I haven't installed anything in ages (probably years)...and nothing that was not an officially approved (or at least well tested by others) hack, from here. There is no way in hell I would install something unverified like that. I have been running this forum since 2001. I don't really know PHP, but I'm not that stupid. You don't run a practically trouble free, bullet proof server that long by being ignorant.
#6
11-27-2011, 12:45 PM
Max Taxable (Join Date: Feb 2011, Posts: 3,134)

Quote (Originally Posted by SloppyGoat):
I haven't installed anything in ages (probably years)...and nothing that was not an officially approved hack, from here. There is no way in hell I would install something unverified like that. I have been running this forum since 2001. I don't really know PHP, but I'm not that stupid. You don't run a practically trouble free, bullet proof server that long by being ignorant.
Some of the back door stuff, the "call home" stuff, DOES come from here. Just because something is posted here does not make it "official approved." Everything you get from here is strictly use at your own risk.

Of course, no one claimed you were ignorant. I was merely proposing a possibility that William of Occam would approve of.

What date/time was this malicious file installed? Can you give us a live link to your board, for examination?
#7
11-27-2011, 03:41 PM
SloppyGoat (Join Date: Feb 2002, Posts: 339)

I have a link in my signature. The funny thing is, the file was dated Jan/2011. The last hack I'd installed was years ago. Someone somehow got into my root folder. It doesn't even make sense, since the problems didn't start until just this last month. I have no idea when it even started, because I always went to New Posts, instead of the home page.

Once again, nothing had been installed or changed for at least 2 years...probably more.

Don't you think someone would have said something if an officially released hack here was actually malicious code? I have never installed anything no one else has tried and tested to work...with no bad reports. It's an old version. (3.8.0) I pretty much stopped adding new hacks when I stopped upgrading the board because it's the last update vBulletin offered for my license. 3.8.0 came out a long time ago.

BTW, the only thing that calls anywhere from my forum is the StopForumSpam hack, that checks their database for known spammers upon registration. That's been working fine for years and still works fine.
#8
11-27-2011, 03:51 PM
Lynne (Join Date: Sep 2004, Location: California/Idaho, Posts: 41,180)

The only way to find out how it was installed is to look at server logs from the time it was installed. It seems very unlikely that any of those logs are still available for you to look at.

Also, just a note, none of the modifications offered here are "officially approved". We don't go through any approval process with the modifications. If we hear of any rogue files like the one you found being supplied with the modification, we would remove the modification. I don't recall ever hearing of any file like the one you found being supplied with any modification here.

Are you on your own server or on a shared server?
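Lynne's point that only the server logs from the time the file appeared can show how it got there is the right one, and the question is what to look for in them. The script below is an added example for this thread, not code from vb.org or from vBulletin. Given the access-log lines that cover the window around the file's date, it finds every request for the shell by name, the earliest one, the client addresses involved, and what those addresses did before that first hit, which is where the upload itself usually shows up (the file is rarely dropped by a request to its own path; it arrives through whatever endpoint accepted it). The log lines are constructed in Apache "combined" format, which is an assumption: the original poster does not run Apache, and the regex is the only part that needs swapping for another server's log format. Two caveats a practitioner should keep in mind: only the request line is logged, so the commands sent to the shell by POST are not recoverable from here, and if the logs from January are already gone, the file's timestamp is the only anchor left and an attacker can set that to anything.

```python
# Added example (not vb.org or vBulletin code): find first contact with a dropped webshell in
# an access log and the attacker's activity leading up to it. Sample lines are constructed.
import os
import re
from datetime import datetime

# Apache "combined" format (assumption); only the fields the hunt needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: two attacker addresses, one legitimate reader, and a ten-month gap
# that mirrors the thread's "dated January, trouble in November" timeline.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2011:03:14:07 +0000] "GET /forum/index.php HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2011:03:14:20 +0000] "GET /forum/admincp/ HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2011:03:15:02 +0000] "POST /forum/newattachment.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2011:03:15:40 +0000] "POST /forum/love.php HTTP/1.1" 200 9172 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jan/2011:09:02:11 +0000] "GET /forum/showthread.php?t=1234 HTTP/1.1" 200 40011 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Nov/2011:22:41:13 +0000] "POST /forum/love.php HTTP/1.1" 200 11208 "-" "Mozilla/5.0"
192.0.2.55 - - [21/Nov/2011:01:07:59 +0000] "GET /forum/love.php?act=list HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def _summary(e) -> tuple:
    return (e["ts"].isoformat(), e["ip"], e["method"], e["path"], e["status"])


def hunt(lines, shell_name: str) -> dict:
    """Locate first contact with shell_name and the attacker activity that preceded it."""
    entries = [e for e in map(parse_line, lines) if e]
    shell_hits = [e for e in entries
                  if os.path.basename(e["path"].split("?", 1)[0]).lower() == shell_name.lower()]
    if not shell_hits:
        return {"first_seen": None, "first_ip": None, "attacker_ips": [],
                "shell_requests": 0, "prelude": [], "candidate_uploads": []}
    first = min(shell_hits, key=lambda e: e["ts"])
    attacker_ips = {e["ip"] for e in shell_hits}
    # Everything those addresses did before the first shell hit; the upload is usually here,
    # as a successful POST/PUT to some endpoint that accepts files.
    prelude = sorted((e for e in entries if e["ip"] in attacker_ips and e["ts"] < first["ts"]),
                     key=lambda e: e["ts"])
    uploads = [e for e in prelude if e["method"] in ("POST", "PUT") and 200 <= e["status"] < 300]
    return {
        "first_seen": first["ts"].isoformat(),
        "first_ip": first["ip"],
        "attacker_ips": sorted(attacker_ips),
        "shell_requests": len(shell_hits),
        "prelude": [_summary(e) for e in prelude],
        "candidate_uploads": [_summary(e) for e in uploads],
    }


if __name__ == "__main__":
    report = hunt(SAMPLE_LOG.splitlines(), "love.php")
    print(f"first contact: {report['first_seen']} from {report['first_ip']}")
    for row in report["candidate_uploads"]:
        print("candidate upload:", row)
```

On the constructed sample, first contact is the POST to love.php on 12 Jan 2011 from 203.0.113.7, and the single successful POST from that address in the preceding minute is the request to examine next; in real logs, that endpoint (and the request that failed just before it, here the 401 on admincp) is what tells you whether the entry was a bad upload handler, a stolen credential, or something else entirely.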
#9
11-27-2011, 03:58 PM
SloppyGoat (Join Date: Feb 2002, Posts: 339)

It is my own server, run from my home, behind 2 firewalls. Three now, actually...one SW and two routers. It's not easy to get into. Why anyone would waste their time, I don't know. I have never even been close to the first to install any mods. There has always been plenty before me. I can almost guarantee it has nothing to do with any mods I installed.

Here is a list of the things I have installed years ago. These are things that have kept my forum running flawlessly for so long.
That file was never there after any of these installs. I know my server pretty well after so many years.
I'm listing the links and names, even though it's kind of a pain in the ass to list all of these at all. Most of these seem to go way back to around 2008. I think the last one installed was 2010. Still going to try to convince me it's a bad hack that installed it? One that just never did anything for years??? That makes no sense!

https://vborg.vbsupport.ru/showthread.php?t=172215 - All Albums
https://vborg.vbsupport.ru/showthread.php?t=201156 - Automatic Thread Tagger
https://vborg.vbsupport.ru/showthread.php?t=177928 - Cyb - Attention Zero-Posters
https://vborg.vbsupport.ru/showthread.php?t=122997 - Cyb - PayPal Donate
https://vborg.vbsupport.ru/misc.php?...paulm_20051015 - FlashChat Integration
https://vborg.vbsupport.ru/forumdisplay.php?f=170 - ibProArcade for vBulletin
https://vborg.vbsupport.ru/misc.php?...paulm_20050629 - Members who are using flashchat
https://vborg.vbsupport.ru/showthread.php?t=125790 - Mini Navbar
https://vborg.vbsupport.ru/showthread.php?t=121886 - Miserable Users
https://vborg.vbsupport.ru/showthread.php?t=183329 - NoSpam!
https://vborg.vbsupport.ru/misc.php?...d=paulm_pdp_38 - Prevent DoublePosts
https://vborg.vbsupport.ru/misc.php?...ditor_improver - Quick Editor Improver
https://vborg.vbsupport.ru/misc.php?...d=paulm_ptr_38 - Real ip detection
https://vborg.vbsupport.ru/misc.php?...=users_cleanup - Users Cleanup
https://vborg.vbsupport.ru/showthread.php?p=1536681 - vB Spell
https://vborg.vbsupport.ru/misc.php?...bstopforumspam - vbStopForumSpam

There are only two that don't have links to this forum...

Un-Activated User Management v.3
and
Usergroup Allow HTML v.3.5 (This was probably one of the first I ever installed, and I am and have always been the only one with this privilege.)

Those two hacks are very old, as are all of them. I think the anti spam hack could be the last one I ever installed, back when we were all fighting spam registrations. Most have dates on the release page, and it appears only the ibproArcade link doesn't exist anymore. No matter, that has been installed for years...since I upgraded to 3.8, and we all know how long ago that's been now, right?

It's hard to keep track of all of these, but I am doing my best to list them all and provide links to the original threads. Most of them appear to be from at least 2008, except for the one that is dated 2010.
#10
11-27-2011, 04:27 PM
Lynne (Join Date: Sep 2004, Location: California/Idaho, Posts: 41,180)

Like I said before, I have never known of any mod from here having some script like that included with it. I would guess the file got there some other way. But without looking at your logs, you wouldn't know how.
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.