Ready to throw VB4 in the trash bin - Sending Spam Out

    I have seen this before and we thought it was resolved. Then it happens again and again and again. I have the most current version of VB 4. I keep getting a file added to my root dir or admincp, usually named a7*.html, and the one today is statisticskJ9j.php. You can see a small snippet below. The first time I sent out 35,000 emails. I set up some alerts this time and stopped it after a few thousand. However I use a mail service and I pay for email. I did not want it on my server so I hosted it elsewhere. I do not want to pay for some a$$hole's porn emails.

    I have looked and I am the only admin. I just changed servers recently, so all new server and db passwords. I have debated wiping my forum dir and doing a fresh install, and the other part of me is just thinking about dumping vb completely.

    So I thought as a last resort I would see if anyone has had this exploit and what they did to resolve?

    Thanks for the help!


    Code:
    // Fragment of the dropped PHP file. The hash-like identifiers (vXXXXXXXX, nXXXXXXXX) are
    // machine-generated names, typical of an obfuscated mailer. The first line is the tail of
    // some function: it echoes the OS name, "20" (chr(50).chr(48)), an MD5 and a variable,
    // which looks like a check-in response to whoever is driving the script.
    echo PHP_OS.chr(50).chr(48).'+'.md5(0987654321)."+$vb4a88417\n"; } }
    // Returns true when its argument is a dotted-quad IPv4 address (the regex was split across
    // two lines by the forum; it is one pattern).
    function ne667da76($v957b527b){ return
    preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $v957b527b); }
    // Takes a soft line break of "=\r\n" as a default: the start of a quoted-printable encoder,
    // the kind used to build MIME mail bodies. The posted snippet ends here.
    function na73fa8bd($vb45cffe0, $v11a95b8a = 0, $v7fa1b685="=\r\n",
    $v92f21a0f = 0, $v3303c65a = false) { $vf5a8e923 = strlen($vb45cffe0);
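
Added example, not from any post in this thread: the kind of "alert" the poster above set up, written as a POSIX shell file-integrity baseline. It hashes every file under the webroot once the install is known clean, and a later run (from cron) lists files that were dropped in, edited or removed, which is exactly how a7*.html or statisticskJ9j.php appearing in the root or admincp would surface. Assumptions not stated in the thread: sha256sum (or shasum) is installed, the manifest is stored outside the webroot, and paths contain no whitespace. The sample tree and the dropped file names in demo() are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. A minimal file-integrity baseline for a
# vBulletin webroot: hash every file once the install is known clean, then
# re-run (from cron) to list files that were dropped in, changed or removed.
# Assumptions, not from the posts: sha256sum or shasum is installed, the
# manifest is kept OUTSIDE the webroot, and paths contain no whitespace.

hash_file() {  # prefer coreutils sha256sum, fall back to perl's shasum
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

hash_tree() {  # print "sha256  ./relative/path" for every regular file under $1
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do hash_file "$f"; done )
}

fim_baseline() {  # usage: fim_baseline WEBROOT MANIFEST  (run once, on a clean tree)
    hash_tree "$1" > "$2"
}

fim_check() {  # usage: fim_check WEBROOT MANIFEST ; prints NEW/CHANGED/REMOVED lines, exit 1 if any
    current=$(mktemp)
    hash_tree "$1" > "$current"
    # first awk input = baseline (path -> hash); second = the tree as it is now
    findings=$(awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
                    { if (!($2 in base)) print "NEW " $2;
                      else { if (base[$2] != $1) print "CHANGED " $2; delete base[$2] } }
                    END { for (p in base) print "REMOVED " p }' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

demo() {  # constructed sample tree standing in for a vB4 webroot; none of it is real forum code
    root=$(mktemp -d); manifest=$(mktemp)
    mkdir -p "$root/admincp" "$root/includes"
    echo '<?php // front controller'     > "$root/index.php"
    echo '<?php // admin control panel'  > "$root/admincp/index.php"
    echo '<?php // database credentials' > "$root/includes/config.php"
    fim_baseline "$root" "$manifest"
    # what the poster saw: files appearing in the root and in admincp, plus one edited file
    echo 'placeholder for a dropped mailer script' > "$root/statisticskJ9j.php"
    echo 'placeholder for a dropped spam page'     > "$root/admincp/a7xyz.html"
    echo '// appended by someone else'            >> "$root/includes/config.php"
    fim_check "$root" "$manifest" || :
    rm -rf "$root" "$manifest"
}

demo
```

In production, run fim_baseline right after a clean reinstall, keep the manifest somewhere the web server cannot write (root-owned, outside the document root), and have cron mail you whenever fim_check exits non-zero. Files that legitimately change at runtime (attachment and cache directories) should be excluded or re-baselined after each deliberate change, otherwise the alert becomes noise and gets ignored, which is how the first 35,000 messages went out.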

  • #2
    If someone is adding files to your system, then they have either shell or FTP access.

    In your plugin list in the plugin manager, are there any plugins listed assigned to the vBulletin product? If so did you yourself put them there?



    • #3
      There are two "ajax" titles assigned to "ajax_complete". The other is VSA Chatbox. I removed everything else. The ajax one alarms me.



      • #4
        You'll need to disable or delete those plugins. Are you positive, and I mean positive, that the contents are legit?



        • #5
          At this point I reinstalled vb4 in a new database. I will probably copy over a bunch of the tables from the old to the new. I could just put the old config.php back in, but I am not sure which is the best way to go.

          Appreciate your help Zachery



          • #6
            You can't do that, it won't work. You need to cleanup the current DB if you want your old content.



            • #7
              Zachery, thanks again for the help. I dumped all plugins, renamed my old forum dir and installed a new vb forum into the same dir. I reloaded the skin and then copied the old config.php into the new forum. There were no plugins created when I was done.

              So I have been monitoring it and sometime today there were 3 new plugins created. 2 were with the ajax_complete that I mentioned before. So obviously someone has been able to get into this. I looked at the db and there are no extra admins. Obviously I still have an issue, but I have no idea where.

              Suggestions?

              Thanks



              • #8
                Originally posted by xDazedx
                Zachery, thanks again for the help. I dumped all plugins, renamed my old forum dir and installed a new vb forum into the same dir. I reloaded the skin and then copied the old config.php into the new forum. There were no plugins created when I was done.

                So I have been monitoring it and sometime today there were 3 new plugins created. 2 were with the ajax_complete that I mentioned before. So obviously someone has been able to get into this. I looked at the db and there are no extra admins. Obviously I still have an issue, but I have no idea where.

                Suggestions?

                Thanks
                I am having this same issue. Everything is secure, updated, etc

                There must be a new vulnerability the VB team is not aware of? Frustration ><



                • #9
                  You've removed your install directory, based on our recent announcements?

                  You've password protected your AdminCP and other sensitive folders?



                  • #10
                    Originally posted by krazeguy

                    I am having this same issue. Everything is secure, updated, etc

                    There must be a new vulnerability the VB team is not aware of? Frustration ><

                    The plugin method is actually old and was fixed in a 4.1.3 patch level. That doesn't mean it hasn't sat dormant until now on your site. You should delete all plugins that you're not sure what they do. Delete all extra files on your server and .htaccess protect your admincp directory.

                    There was a similar exploit via vBSEO about a year ago where a plugin would be inserted every time the user accessed their vBSEO admincp.

                    Wayne Luke



                    • #11
                      Originally posted by Zachery
                      You've removed your install directory, based on our recent announcements?

                      You've password protected your AdminCP and other sensitive folders?
                      I removed the install directory. What's the best way to password protect the AdminCP folder?

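
Added example, not from any post in this thread: a POSIX shell script that carries out the remediation steps Zachery and Wayne list above (confirm the install directory is gone, put HTTP basic auth in front of admincp and modcp, review the plugin table) and answers the question in the previous post about protecting AdminCP. It assumes things the thread does not state: Apache 2.4 with AllowOverride AuthConfig (or All) enabled for the webroot, the default admincp/modcp directory names, a vBulletin database with no table prefix (so the plugin table is `plugin`, with its `hookname`, `product` and `phpcode` columns), and the placeholder path /etc/apache2/vb_cp.htpasswd for the password file. The webroot that demo() creates is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): post-compromise hardening of a vBulletin 4
# webroot following the advice given above. Paths and names below are assumed
# placeholders; adjust them for the real server.

# 1. A live board must not have its install/ directory any more.
install_dir_removed() {  # usage: install_dir_removed WEBROOT ; succeeds if install/ is absent
    [ ! -e "$1/install" ]
}

# 2. HTTP basic auth in front of a control-panel directory (Apache 2.4 syntax).
#    Needs "AllowOverride AuthConfig" (or All) on the webroot; the password file
#    is kept OUTSIDE the webroot so the web server can never serve it.
write_htaccess() {  # usage: write_htaccess DIR HTPASSWD_FILE REALM
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "$3"
AuthUserFile $2
Require valid-user
EOF
}

dir_is_protected() {  # usage: dir_is_protected DIR ; succeeds only if every directive is present
    f="$1/.htaccess"
    [ -f "$f" ] &&
    grep -q '^AuthType Basic$' "$f" &&
    grep -q '^AuthUserFile ' "$f" &&
    grep -q '^Require valid-user$' "$f"
}

create_htpasswd() {  # usage: create_htpasswd HTPASSWD_FILE USER ; bcrypt hash, prompts for the password
    htpasswd -B -c "$1" "$2" && chmod 640 "$1"   # htpasswd ships in apache2-utils / httpd-tools
}

# 3. Plugins to review by hand. vB4 keeps them in the `plugin` table (prepend your
#    table prefix if includes/config.php sets one). Hooks and products nobody
#    recognises, and code that decodes or eval()s strings, are the candidates to delete.
plugin_audit_sql() {
    cat <<'SQL'
SELECT pluginid, title, hookname, product, active
FROM plugin
WHERE hookname = 'ajax_complete'
   OR product = 'vbulletin'
   OR phpcode REGEXP 'eval|base64_decode|gzinflate|str_rot13|assert|create_function'
ORDER BY hookname, pluginid;
SQL
}

demo() {  # runs steps 1-2 against a constructed throwaway tree, not a real forum
    root=$(mktemp -d)
    mkdir -p "$root/admincp" "$root/modcp" "$root/install"
    install_dir_removed "$root" && { echo "unexpected: install/ missing"; return 1; }
    rm -rf "$root/install"                                   # the step asked for in post #9
    install_dir_removed "$root" || return 1
    write_htaccess "$root/admincp" /etc/apache2/vb_cp.htpasswd "vBulletin AdminCP"
    write_htaccess "$root/modcp"   /etc/apache2/vb_cp.htpasswd "vBulletin ModCP"
    dir_is_protected "$root/admincp" && dir_is_protected "$root/modcp" || return 1
    echo "install/ removed; admincp and modcp behind basic auth under $root"
    rm -rf "$root"
}

demo
```

Run create_htpasswd once against the real password file, then write_htaccess on the real admincp and modcp directories, and confirm in a browser that both now prompt for credentials: under nginx, or with AllowOverride None, the .htaccess is silently ignored and nothing is protected. Renaming the control-panel directory (the admincpdir and modcpdir entries under $config['Misc'] in includes/config.php) adds obscurity on top of the auth layer, not instead of it. The SQL only flags candidates; read the phpcode of every row it returns before deleting, since a legitimate add-on can also hook ajax_complete.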


                      • #12
                        Thanks for the help guys. As mentioned I removed the original dir, reinstalled and then changed every password. That seems to have helped. I think one of my admins passwords was compromised to be honest but I have no proof. So far so good. I did not have the install dir in either the old or new.
