vBulletin hacked forums: Clean Up Time
Step 11. In my experience, even after all the previous steps you may not have found every infection. There are other places where attackers may have planted malicious files on your server, such as PHP shells and backdoors in the user-uploadable directories, wherever you have chosen to store such uploads in the filesystem instead of in the database. These directories include:
- customavatars
- customgroupicons
- customprofilepics
- signaturepics
- attachments
For these directories, it may be wise to place a .htaccess file within them that blocks public web access to files with a *.php extension, as these directories should not contain PHP files to begin with. The rule is scoped to PHP files so that avatars, profile pictures and signature images stored there are still served normally:

```apache
<FilesMatch "\.php$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
```
Here are some examples of malicious .htaccess, PHP and JS files that turned up while searching the server for .htaccess files.
For customavatars directories:

```
/home/username/public_html/forum1/customavatars/r00t/hosts/.htaccess
/home/username/public_html/forum1/customavatars/r00t/.htaccess
/home/username/public_html/forum1/customavatars/r00t1/hosts/.htaccess
/home/username/public_html/forum1/customavatars/r00t1/.htaccess
/home/username/public_html/forum1/customavatars/r00t-vleech/hosts/.htaccess
/home/username/public_html/forum1/customavatars/r00t-vleech/.htaccess
```
Directory contents:

```
ls -lah /home/username/public_html/forum1/customavatars/r00t
total 292K
d---------  5 root     root     4.0K Sep 24 11:51 ./
drwxrwxrwx  6 username username  12K Sep 27 11:52 ../
----------  1 root     root      498 Sep 24 11:51 .htaccess
----------  1 root     root     6.6K Sep 16 18:23 account.php
----------  1 root     root      28K Jun 16 14:15 add.php
----------  1 root     root      13K Jul  8 07:23 ajax.js
----------  1 root     root      98K Jun 16 14:15 checkaccount.php
----------  1 root     root      52K Sep 17 19:14 class.php
----------  1 root     root     3.9K Sep 17 19:14 config.php
d---------  5 root     root     4.0K Sep 24 15:20 data/
----------  1 root     root     1.5K Sep 25 05:48 error_log
----------  1 root     root     1.8K Jun 16 14:15 genystyle.css
d---------  2 root     root     4.0K Sep 24 11:49 hosts/
d---------  2 root     root     4.0K Sep 24 11:49 images/
----------  1 root     root      13K Sep 16 18:21 index.php
----------  1 root     root     5.3K Jun 16 14:15 languages.php
----------  1 root     root     1.8K Jun 16 14:15 login.php
----------  1 root     root     5.2K Jun 16 14:15 rl_style_pm.css
```
For attachments directories: this vB forum owner made the mistake of saving attachments in a filesystem directory that is web accessible. You should never do that; instead, save them to a directory one level above the web root. For example, /home/username/attachments is one level above a web root at /home/username/public_html.
```
/home/username/public_html/forum3/attachments/r00t/hosts/sendspace_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/bayfiles_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/oron_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/zippyshare_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/rapidgator_net.php
/home/username/public_html/forum3/attachments/r00t/hosts/ryushare_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/bitshare_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/depfile_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/jumbofiles_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/fshare_vn.php
/home/username/public_html/forum3/attachments/r00t/hosts/linksnappy_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/filejungle_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/rpnet_biz.php
/home/username/public_html/forum3/attachments/r00t/hosts/depositfiles_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/gigasize_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/hosts.php
/home/username/public_html/forum3/attachments/r00t/hosts/uploading_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/fp_io.php
/home/username/public_html/forum3/attachments/r00t/hosts/fileflyer_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/uploaded_to.php
/home/username/public_html/forum3/attachments/r00t/hosts/alldebrid_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/lumfile_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/simply-debrid_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/fileserve_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/enterupload_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/filefactory_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/uploaded_net.php
/home/username/public_html/forum3/attachments/r00t/hosts/hotfile_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/share-online_biz.php
/home/username/public_html/forum3/attachments/r00t/hosts/shragle_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/megashares_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/ul_to.php
/home/username/public_html/forum3/attachments/r00t/hosts/crocko_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/premiumize_me.php
/home/username/public_html/forum3/attachments/r00t/hosts/youtube_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/netload_in.php
/home/username/public_html/forum3/attachments/r00t/hosts/filesmonster_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/fileape_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/wupload.php
/home/username/public_html/forum3/attachments/r00t/hosts/easy-share_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/fast-debrid_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/cloudnator_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/multi-debrid_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/real-debrid_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/filepost_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/rehost_to.php
/home/username/public_html/forum3/attachments/r00t/hosts/letitbit_net.php
/home/username/public_html/forum3/attachments/r00t/hosts/uploadstation_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/debridmax_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/4shared_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/mediafire_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/i-filez_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/extabit_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/4share_vn.php
/home/username/public_html/forum3/attachments/r00t/hosts/filesonic.php
/home/username/public_html/forum3/attachments/r00t/hosts/conexaomega_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/freakshare_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/superlinksbr_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/rapidshare_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/filevelocity_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/hipfile_com.php
/home/username/public_html/forum3/attachments/r00t/hosts/turbobit_net.php
/home/username/public_html/forum3/attachments/r00t/checkaccount.php
/home/username/public_html/forum3/attachments/r00t/index.php
/home/username/public_html/forum3/attachments/r00t/languages.php
/home/username/public_html/forum3/attachments/r00t/account.php
/home/username/public_html/forum3/attachments/r00t/data/cookie.php
/home/username/public_html/forum3/attachments/r00t/data/index.php
/home/username/public_html/forum3/attachments/r00t/data/files/index.php
/home/username/public_html/forum3/attachments/r00t/login.php
/home/username/public_html/forum3/attachments/r00t/add.php
/home/username/public_html/forum3/attachments/r00t/class.php
/home/username/public_html/forum3/attachments/r00t/config.php
/home/username/public_html/forum3/attachments/5/vleech/me.php
/home/username/public_html/forum3/attachments/me.php
/home/username/public_html/forum2/attachments/5/signature.php
```
Removing malware files
To find the directories containing *.php files: scan for PHP files with the find command, take each file's parent directory name, and output ready-made delete commands (rm -rf dirname).
I did it this way to be 100% sure I was not deleting directories that vB actually uses, so manually run each command the loop outputs to remove the directories. If you already made a full backup of the infected forum files in Stage 0, it's okay to proceed. If you haven't made a backup, do so first, in case you delete more than just the malware files.
The actual command I used for the customavatars directory (replace /home/username/public_html/*/customavatars with your specific path; I used a wildcard because more than one vB forum was installed). File names are passed NUL-delimited and quoted so that paths containing spaces are handled correctly:

```bash
find /home/username/public_html/*/customavatars -type f -name '*.php' -print0 \
  | while IFS= read -r -d '' f; do echo "rm -rf $(dirname "$f")"; done | sort -u
```
The output of that command is a set of ready-made commands that you can run manually to delete the directories:
```
rm -rf /home/username/public_html/forum1/customavatars/r00t
rm -rf /home/username/public_html/forum1/customavatars/r00t-vleech
rm -rf /home/username/public_html/forum1/customavatars/r00t-vleech/data
rm -rf /home/username/public_html/forum1/customavatars/r00t-vleech/data/files
rm -rf /home/username/public_html/forum1/customavatars/r00t-vleech/hosts
rm -rf /home/username/public_html/forum1/customavatars/r00t/data
rm -rf /home/username/public_html/forum1/customavatars/r00t/data/files
rm -rf /home/username/public_html/forum1/customavatars/r00t/hosts
rm -rf /home/username/public_html/forum1/customavatars/r00t1/data/files
```
For attachments directories, I first had to remove some files sitting in the top-level attachments directory and in its legitimate numbered subdirectories manually, before running the find command further below. Otherwise the parent directory of such a file is the attachments directory itself, and the generated command would delete the actual attachments directory and its whole structure!
```
rm -rf /home/username/public_html/forum3/attachments/me.php
rm -rf /home/username/public_html/forum2/attachments/5/signature.php
rm -rf /home/username/public_html/forum3/attachments/9/8/511.php
```
Then do the same thing for attachments as we did for customavatars. Replace /home/username/public_html/*/attachments with your specific attachments directory path:

```bash
find /home/username/public_html/*/attachments -type f -name '*.php' -print0 \
  | while IFS= read -r -d '' f; do echo "rm -rf $(dirname "$f")"; done | sort -u
```
Again, the output is a set of ready-made commands that you can run manually to delete the directories:
```
rm -rf /home/username/public_html/forum3/attachments/5/vleech
rm -rf /home/username/public_html/forum3/attachments/r00t
rm -rf /home/username/public_html/forum3/attachments/r00t/data
rm -rf /home/username/public_html/forum3/attachments/r00t/data/files
rm -rf /home/username/public_html/forum3/attachments/r00t/hosts
```
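The two find loops above have the weakness that motivated the manual clean-up of the top-level attachments directory: a PHP file dropped directly into attachments/, or into one of vBulletin's own numbered subdirectories such as 5/ or 9/8/, makes the loop print "rm -rf" for a directory the forum actually uses. The script below is an added example (not the original post's code, and it assumes bash): it generates the same kind of removal plan for one upload directory, but emits "rm -f FILE" for files inside legitimate directories and "rm -rf" only for the outermost foreign directory (r00t rather than r00t, r00t/data and r00t/data/files separately). It also lists stray .htaccess files below the root, like the ones found in the r00t directories, while skipping the root's own .htaccess.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Produces a removal plan for a
# vBulletin upload directory (customavatars, attachments, ...) that never
# emits "rm -rf" for the upload root or for vBulletin's own digit-named
# subdirectories (attachments live in paths such as 5/ or 9/8/), so the real
# directory tree is not deleted along with the malware. Nothing is removed:
# review the plan, then run the commands by hand.
# Usage: plan_cleanup /home/username/public_html/forum3/attachments
set -u

# Succeeds when "$1" (a path relative to the root) is made only of digits and
# slashes, i.e. a directory vBulletin itself would have created.
is_numeric_path() {
    case "$1" in
        ''|*[!0-9/]*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Print one deduplicated command per line. Suspicious files inside legitimate
# directories get "rm -f FILE"; files inside a foreign directory get "rm -rf"
# of the OUTERMOST foreign directory only (r00t, not r00t/data/files).
plan_cleanup() {
    root=${1%/}
    # *.php and .htaccess files; the root's own .htaccess (the one you placed
    # there to block PHP access) is skipped.
    find "$root" -type f \( -name '*.php' -o -name '.htaccess' \) -print0 |
    while IFS= read -r -d '' f; do
        rel=${f#"$root"/}                 # path relative to the upload root
        [ "$rel" = .htaccess ] && continue
        reldir=$(dirname "$rel")          # "." when directly under the root
        if [ "$reldir" = . ] || is_numeric_path "$reldir"; then
            printf 'rm -f %q\n' "$f"
        else
            # walk the components; stop at the first non-numeric one
            prefix=$root rest=$reldir
            while [ -n "$rest" ]; do
                comp=${rest%%/*}
                prefix=$prefix/$comp
                case "$comp" in *[!0-9]*) break ;; esac
                case "$rest" in */*) rest=${rest#*/} ;; *) rest= ;; esac
            done
            printf 'rm -rf %q\n' "$prefix"
        fi
    done | sort -u
}
```

Run it once per upload directory and compare its plan against the find-loop output; for the attachments layout shown above it yields a single rm -rf for r00t and for 5/vleech, plus rm -f lines for me.php and the numbered-directory files.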