Suspect file in includes?

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • Simon Lloyd
    Senior Member
    • Apr 2008
    • 610
    • 3.7.x
    #1

    Suspect file in includes?

    Hi can anyone tell me if there should be a file called vbf.php in /includes?

    I downloaded this folder and my AV shows this File name:\includes\vbf.php Threat name: PHP/BackDoor.C99Shell
    Kind regards,
    Simon
    Microsoft Office Discussion
    Tags: None
    • TheNewOne
      Senior Member
      • Aug 2011
      • 1033
      • 4.2.5
      #2
      no php file with that name in that folder

        Comment

        • PossumX
          Senior Member
          • Oct 2006
          • 261
          • 4.1.x
          #3
          Suspect file in includes?

          Like said above, not a vB file, you've been compromised at the server level.

            Comment

            • HMBeaty
              Senior Member
              • Mar 2005
              • 1105
              • 4.2.5
              #4
              Fixes for vbulletin forums hacked by Team Animus | Greg Freeman's Blog
              http://www.keleko.com/2011/fixes-for-vbulletin-forums-hacked-by-team-animus/
              tips & tricks
              "Our greatest weakness lies in giving up. The most certain way to succeed is always to try just one more time!"
              "It's important to only think about what you desire, not what you fear to achieve your ultimate goal!!"
              "When doors close, tear down the walls. Never give up!"

                Comment

                • Simon Lloyd
                  Senior Member
                  • Apr 2008
                  • 610
                  • 3.7.x
                  #5
                  Thanks all, i knew it didn't exist in the standard package, i thought it belonged to an add on (mod) that someone mights recognise. HMBeaty at least that link narrowed it down to which mod.

                  The infection isn't on my site. What it did to this poor users forum was delete the forumid column from the forum table and you have to rebuild the templates table. Just ALTERing and adding a forumid column isn't much good really as all the forum id's are then wrong and have to be adjusted manually.

                  Reading through the offending script it shows that they pretty much scrape everything from your server and databases, when i say everything i mean EVERYTHING!

                  Don't you just hate folk like that??
                  Kind regards,
                  Simon
                  Microsoft Office Discussion

                    Comment

                    Previous template Next
                    widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                    Working...