  #1  
Old 03-21-2016, 01:54 AM
Scalemotorcars's Avatar
Scalemotorcars Scalemotorcars is offline
 
Join Date: Mar 2006
Location: NC
Posts: 619
How can I find a hacked file in VB

So I just installed the Bounced Email handler for VB4 and I'm getting some strange bounces that have me concerned that someone may be using my hosting to send out spam emails.

I did a Suspect File search and got about 150 files that are not stock VB. Now I do have about 30+ mods installed so that's normal, but how do I find a hacked file that may be sending out these spam emails in all those files? And I have no idea how long they have been doing this, and my oldest backup of the files is only about 6 months. But that still will not fix any added files. Also have no idea how to search the DB for anything embedded.

Anyway, is there something I'm not looking at or is it just a matter of going over each file manually?

Is there a way to search the DB for what may be causing this?

Thanks for your time...
Daniel
  #2  
Old 03-21-2016, 07:55 AM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583

Well, if you think a script is sending spam on your machine, you could search for the mail function in PHP to find the culprit like so on Linux:
HTML Code:
grep -Ril "mail(" /directory/of/htdocs/
That will list all files which contain "mail(".
Thanks from:
Brandon Sheley
  #3  
Old 03-21-2016, 09:19 AM
RichieBoy67's Avatar
RichieBoy67 RichieBoy67 is offline
 
Join Date: Apr 2004
Location: CT - Down in a hole..
Posts: 3,057

You can also download the files and then do a text search in all the files using Notepad++...

If you think you are hacked you can search for debase64 in the files, and any of the non-vBulletin files you can take a closer look at. Just because some may have it doesn't necessarily mean they are hacked, but it will help you narrow things down.

Chances are though if your site is sending out emails it is your server and not your site. Perhaps someone has gotten your SMTP passwords. Make sure you have relaying closed or authorization required.
Thanks from:
Brandon Sheley
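
The two searches suggested in posts #2 and #3, combined into one triage pass, as an added example that is not code from any poster in this thread. It assumes shell access with GNU grep and awk, and uses PHP's base64_decode() and eval() as the obfuscation indicators; the function names and the stock-list format are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. A hit is a lead for manual review, not
# proof of compromise: legitimate mods also call mail() and base64_decode().

# scan PATTERN TAG: print "path<TAB>TAG" for each .php file matching PATTERN
scan() {
    grep -rliE --include='*.php' "$1" . | awk -v tag="$2" '{ print $0 "\t" tag }'
}

# triage_php WEBROOT [STOCKLIST]
# STOCKLIST (assumed format): one path per line, relative to WEBROOT and
# written like "./includes/functions.php", for files already verified as stock.
triage_php() (
    skip=${2:-/dev/null}
    case $skip in /*) ;; *) skip=$PWD/$skip ;; esac
    cd "$1" || exit 1
    {
        # the leading group keeps vbmail( and sendmail( from counting as mail(
        scan '(^|[^a-z0-9_])mail[[:space:]]*\(' mail
        scan 'base64_decode[[:space:]]*\(' base64_decode
        scan '(^|[^a-z0-9_])eval[[:space:]]*\(' eval
    } |
    awk -F '\t' -v skip="$skip" '
        BEGIN { while ((getline line < skip) > 0) stock[line] = 1 }
        !($1 in stock) { n[$1]++; tags[$1] = tags[$1] (tags[$1] ? "," : "") $2 }
        END { for (f in n) print n[f] "\t" f "\t" tags[f] }' |
    sort -k1,1nr -k2,2
)

# demo: triage a small constructed tree (all three files are made up)
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/includes" "$d/images"
    printf '<?php vbmail($to, $subject, $message);\n' > "$d/includes/stock.php"
    printf '<?php eval(base64_decode($blob)); mail($a, $b, $c);\n' > "$d/images/cache.php"
    printf '<?php mail($admin, "Contact form", $body);\n' > "$d/contact.php"
    triage_php "$d"
    rm -rf "$d"
}

if [ "${1:-}" = --demo ]; then demo; fi
```

Each output line is the indicator count, the file path and the indicators found, highest count first, so a file that both decodes and evaluates data and also sends mail rises above the ordinary contact forms.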
  #4  
Old 03-21-2016, 11:56 AM
Brandon Sheley's Avatar
Brandon Sheley Brandon Sheley is offline
 
Join Date: Mar 2005
Location: Google Kansas
Posts: 4,678

Someone can easily compromise an email form without "hacking" the site as well. It doesn't even have to be from your forum. Do you host other sites or scripts other than your forum? Are you on a dedicated server? If it's shared or a VPS they could abuse your site well outside your forum as well.

Good luck
  #5  
Old 03-21-2016, 11:59 AM
Scalemotorcars's Avatar
Scalemotorcars Scalemotorcars is offline
 
Join Date: Mar 2006
Location: NC
Posts: 619

Quote:
Originally Posted by Dave View Post
Well, if you think a script is sending spam on your machine, you could search for the mail function in PHP to find the culprit like so on Linux:
HTML Code:
grep -Ril "mail(" /directory/of/htdocs/
That will list all files which contain "mail(".
Would I run this in phpMyAdmin as a query?
  #6  
Old 03-21-2016, 12:00 PM
Brandon Sheley's Avatar
Brandon Sheley Brandon Sheley is offline
 
Join Date: Mar 2005
Location: Google Kansas
Posts: 4,678

Quote:
Originally Posted by Scalemotorcars View Post
Would I run this in phpMyAdmin as a query?
I don't know the command but it looks like it would be from a terminal, like an SSH connection with PuTTY.
  #7  
Old 03-21-2016, 12:03 PM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583

Quote:
Originally Posted by Scalemotorcars View Post
Would I run this in phpMyAdmin as a query?
No, that command has nothing to do with MySQL databases. It's a command you execute through SSH in the terminal.
  #8  
Old 03-21-2016, 12:25 PM
Scalemotorcars's Avatar
Scalemotorcars Scalemotorcars is offline
 
Join Date: Mar 2006
Location: NC
Posts: 619

Quote:
Originally Posted by Brandon Sheley View Post
Someone can easily compromise an email form without "hacking" the site as well. It doesn't even have to be from your forum. Do you host other sites or scripts other than your forum? Are you on a dedicated server? If it's shared or a VPS they could abuse your site well outside your forum as well.

Good luck
I figured it was from the forum since the only place that has the Bounce return email address is on my site. All the bounce settings are hosted on VB, so wouldn't that make it a corrupt file?

--------------- Added [DATE]1458566796[/DATE] at [TIME]1458566796[/TIME] ---------------

Quote:
Originally Posted by Dave View Post
No, that command has nothing to do with MySQL databases. It's a command you execute through SSH in the terminal.
You lost me. Can I do it from my cPanel on the host?
  #9  
Old 03-21-2016, 12:28 PM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583

Are you on shared hosting? 99.9% of the time shared hosts do not give you access to SSH; it will not be possible to execute the command in that case.
  #10  
Old 03-21-2016, 12:31 PM
Scalemotorcars's Avatar
Scalemotorcars Scalemotorcars is offline
 
Join Date: Mar 2006
Location: NC
Posts: 619

@Dave

Yes, it's shared. I'm beginning to think I need a dedicated server but that's crazy expensive. Any suggestions on something reasonable?