Solved SERVER HACKED BY VBET !!



PabloAM
25-06-10, 17:33
My server was hacked because I have VBET.

THIS IS THE CLUE THAT CONFIRMS IT:

root 27888 1 0 18:26 ? Ss 0:00 /usr/sbin/exim -Mc 1OSBjj-0007Cf-4S SERVER_SIGNATURE=<address>Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www****com Port 80</address>? UNIQUE_ID=TCTYtbylwV0AAEFiMjYAAABQ HTTP_USER_AGENT=Wget/1.10.2 (Red Hat modified) SERVER_PORT=80 HTTP_HOST=www****com DOCUMENT_ROOT=/home/w11s0s3r/public_html SCRIPT_FILENAME=/home/w11s0s3r/public_html/vbenterprisetranslator_seo.php REQUEST_URI=/archive/index.php/f-23.html SCRIPT_NAME=/vbenterprisetranslator_seo.php HTTP_CONNECTION=Keep-Alive REMOTE_PORT=41741 PATH=/bin:/usr/bin PWD=/home/w11s0s3r/public_html SERVER_ADMIN=webmaster****com REDIRECT_UNIQUE_ID=TCTYtbylwV0AAEFiMjYAAABQ REDIRECT_STATUS=200 HTTP_ACCEPT=*/* REMOTE_ADDR=72.55.191.104 SHLVL=1 SERVER_NAME=www***com HTTP_PRAGMA=no-cache SERVER_SOFTWARE=Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 QUERY_STRING= SERVER_ADDR=188.165.193.93 GATEWAY_INTERFACE=CGI/1.1 SERVER_PROTOCOL=HTTP/1.0 REDIRECT_URL=/archive/index.php/f-23.html REQUEST_METHOD=HEAD _=/usr/sbin/sendmail
w11s0s3r 27996 27888 1 18:26 ? D 0:00 /usr/sbin/exim -Mc 1OSBjj-0007Cf-4S SERVER_SIGNATURE=<address>Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www***com Port 80</address>? UNIQUE_ID=TCTYtbylwV0AAEFiMjYAAABQ HTTP_USER_AGENT=Wget/1.10.2 (Red Hat modified) SERVER_PORT=80 HTTP_HOST=www****com DOCUMENT_ROOT=/home/w11s0s3r/public_html SCRIPT_FILENAME=/home/w11s0s3r/public_html/vbenterprisetranslato^C


I CAN'T UNINSTALL VBET!!
Please help me, my server is sending a lot of SPAM e-mails!
It is being cracked!

HELP Michał Podbielski!
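
The ps lines above are the only evidence in the thread, and they show that the spam-sending exim process inherited a full web-request environment from PHP. Added example, not code from the thread or from vBET: a small Python parser for that ps format which pulls out, per mailer process, the script, request, remote address and user agent that triggered it, and flags the line that was cut off by Ctrl-C so its partial value is not used; the sample lines are constructed from the paste above.

```python
import re

# Constructed sample shaped like the ps output pasted in the post (second line cut off by Ctrl-C).
PS_SAMPLE = [
    "root 27888 1 0 18:26 ? Ss 0:00 /usr/sbin/exim -Mc 1OSBjj-0007Cf-4S "
    "SERVER_SIGNATURE=<address>Apache/2.2.14 (Unix) Server at www****com Port 80</address>? "
    "HTTP_USER_AGENT=Wget/1.10.2 (Red Hat modified) HTTP_HOST=www****com QUERY_STRING= "
    "SCRIPT_FILENAME=/home/w11s0s3r/public_html/vbenterprisetranslator_seo.php "
    "REQUEST_URI=/archive/index.php/f-23.html REMOTE_ADDR=72.55.191.104 REQUEST_METHOD=HEAD _=/usr/sbin/sendmail",
    "w11s0s3r 27996 27888 1 18:26 ? D 0:00 /usr/sbin/exim -Mc 1OSBjj-0007Cf-4S "
    "HTTP_USER_AGENT=Wget/1.10.2 (Red Hat modified) "
    "SCRIPT_FILENAME=/home/w11s0s3r/public_html/vbenterprisetranslato^C",
]

# An environment key starts at a whitespace boundary; its value runs up to the next key.
ENV_KEY = re.compile(r"(?:^|(?<=\s))([A-Z_][A-Z0-9_]*)=")
# Leading ps columns: user pid ppid c stime tty stat time, then the command line.
PS_PREFIX = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)(?:\s+\S+){5}\s+(.*)$")


def parse_ps_line(line):
    """Split one ps line into process columns plus the CGI environment the mailer inherited."""
    m = PS_PREFIX.match(line.strip())
    if not m:
        return None
    user, pid, ppid, cmd = m.groups()
    keys, env = list(ENV_KEY.finditer(cmd)), {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(cmd)
        env[k.group(1)] = cmd[k.end():end].strip()
    return {"user": user, "pid": int(pid), "ppid": int(ppid), "env": env,
            "command": cmd[: keys[0].start()].strip() if keys else cmd,
            # a value cut by Ctrl-C must not be used for attribution
            "truncated": line.rstrip().endswith("^C")}


def attribute_mailers(lines, mailer="/usr/sbin/exim"):
    """Return mailer processes that carry a web-request environment, with what triggered them."""
    found = []
    for line in lines:
        p = parse_ps_line(line)
        if not p or not p["command"].startswith(mailer):
            continue
        env = p["env"]
        if "SCRIPT_FILENAME" not in env:
            continue  # not spawned from a PHP/CGI request: a different problem
        found.append({"pid": p["pid"], "ppid": p["ppid"], "user": p["user"],
                      "script": env["SCRIPT_FILENAME"], "truncated": p["truncated"],
                      "request": env.get("REQUEST_METHOD", "?") + " " + env.get("REQUEST_URI", "?"),
                      "remote_addr": env.get("REMOTE_ADDR"), "user_agent": env.get("HTTP_USER_AGENT")})
    return found
```

As vBET points out later in the thread, SCRIPT_FILENAME names the front controller for every request, so REQUEST_URI and REMOTE_ADDR are the fields that actually narrow down what triggered the mail.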

vBET
25-06-10, 18:13
I'm analyzing your message at this moment.

Meanwhile, please tell me why you are not able to disable/uninstall vBET? What happens?

vBET
25-06-10, 18:16
Can you please explain why you think that it is vBET's fault? I do not see it.

Also - did you find which code is sending those SPAM emails?

I cannot see your forum - vbenterprisetranslator_seo.php was removed and .htaccess rules are still pointing at this file. Admin CP is working, as I see.

PabloAM
25-06-10, 18:22
He is using vbenterprisetranslator_seo.php to inject his XSCRIPT into my website.

When I try to uninstall the product and delete vbenterprisetranslator_seo.php from my server, my web doesn't work because I need "vbenterprisetranslator_seo.php" on the FTP :S

How can I uninstall "ALL" VBET??

Thanks for the reply

UPDATE:
I have an error uninstalling VBET:
http://img822.imageshack.us/img822/273/errorunistalling.jpg
http://img337.imageshack.us/img337/4927/errorunistalling2.jpg

vBET
25-06-10, 18:34
As I wrote, you still have .htaccess rules pointing to vbenterprisetranslator_seo.php - just comment those out.

Also, you do not have to uninstall vBET - it is enough to just disable it. Especially since I still do not see why you think that it is a vBET issue, and it is possible that it is not.

Please tell me how your first message determines that someone is using vbenterprisetranslator_seo.php to insert the XSCRIPTs you are writing about. Please note that vbenterprisetranslator_seo.php has no relevant logic - it is just a Front Controller. All requests to your forum go through this file and after that vbseo.php is used. So if you remove the vBET rules, you will see all logs pointing to vbseo.php, which will not mean that vbseo.php is responsible for the attack.

So at this moment I think that you read your logs wrong and that vbenterprisetranslator_seo.php is NOT responsible for the attack. I may be wrong, but if you are so sure, then please describe how it is done (this XSCRIPT insertion by vbenterprisetranslator_seo.php) - we will analyze it.

Please note - it is in our best interest to keep our clients safe. So we will make our best effort to solve the issue IF it is caused by vBET. For your own safety - please describe exactly why you think that it is done by vBET. Otherwise, if you are wrong - which I expect, because many people think that everything is done by vbenterprisetranslator_seo.php, which only changes server variables and does nothing more, but all requests go through it, so people get the wrong impression - so if you are wrong, then you will just lose all your vBET cache and settings and you will still be attacked, because you did the wrong thing (I still advise disabling vBET, not uninstalling it).

So please explain why you are thinking that vBET allowed this attack. Till now you wrote only what you are thinking, but not a word about what makes you think that.

vBET
25-06-10, 18:53
I have an error uninstalling VBET:
http://img822.imageshack.us/img822/273/errorunistalling.jpg
http://img337.imageshack.us/img337/4927/errorunistalling2.jpg

About the first thing - I will check it.
About the 2nd - you just need to remove the vBET files from the server. Especially /includes/xml/cpnav_vbenterprisetranslator.xml - this one defines the vBET menu.

mario06
25-06-10, 18:56
He is using vbenterprisetranslator_seo.php to inject his XSCRIPT into my website.

When I try to uninstall the product and delete vbenterprisetranslator_seo.php from my server, my web doesn't work because I need "vbenterprisetranslator_seo.php" on the FTP :S

How can I uninstall "ALL" VBET??

Thanks for the reply

UPDATE:
I have an error uninstalling VBET:
http://img822.imageshack.us/img822/273/errorunistalling.jpg
http://img337.imageshack.us/img337/4927/errorunistalling2.jpg

Reinstall it, then try uninstalling it again, then manually delete all uploaded vBET files, in this order:

1. reinstall
2. uninstall
3. manually delete all uploaded vbet files

PS. Michael, this must be looked into more deeply because I want to sleep safe at night. :)

vBET
25-06-10, 18:57
For the first thing - it is a small vBET bug. I already found the solution - it will be included in the next release. For a quick fix:
1. open vBET product file: do-not-upload/product-vbenterprisetranslator.xml
2. Find:

$vbulletin->db->query_write('DROP TABLE ' . TABLE_PREFIX . 'vbenterprisetranslator_cache_'.$code.);
3. REPLACE by:

$vbulletin->db->query_write('DROP TABLE ' . TABLE_PREFIX . 'vbenterprisetranslator_cache_'.$code);
4. Import product file again
5. Uninstall again

Please remove the vBET files after that. If you have removed it already - please upload it.

vBET
25-06-10, 19:10
PS. Michael, this must be looked into more deeply because I want to sleep safe at night. :)

Please see here and answer the question: http://www.vbenterprisetranslator.com/forum/troubleshooting/794-serverd-hacked-vbet.html#post3545

vBET
05-07-10, 07:11
No answers. In such a case nothing tells that it was vBET's fault, and the file which was called guilty has no logic for page generation, so insertion of scripts is not possible there - it is just a front controller.

Issue closed.
