urgent help wanted

[ghaidaa]

hello
i keep finding this page all of my clients especially those who have vBulletin forums

a picture attached to this thread please check and inform me how to prevent these files from being uploaded to my server
the picture is in arabic but i think it is clear
it has most on SSH commands

[sirotex]

hello
i keep finding this page all of my clients especially those who have vBulletin forums

a picture attached to this thread please check and inform me how to prevent these files from being uploaded to my server
the picture is in arabic but i think it is clear
it has most on SSH commands

Hello,

You what?

This is nothing to do with CPanel..

[Infopro]

hello
i keep finding this page all of my clients especially those who have vBulletin forums

a picture attached to this thread please check and inform me how to prevent these files from being uploaded to my server
the picture is in arabic but i think it is clear
it has most on SSH commands

This does not look good. Especially if you're finding it all over.

Personally I'd lock down any account I found that on and then start worrying that my entire server was compromised. At the very least you have some sort of script that has been compromised, surely.

Moving to apache2.x with suphp and mod_security would help some, making sure every single script (vbulletin, Joomla, *.nuke and so on) are up to date or locked down, would help as well.

Don't ignore this.

[sirotex]

It still isn't a CPanel issue, talk to Vbulletin about it..

Also, it is _probably_ a vbulletin module, if you ask Vbulletin they will tell you.

I don't see how this is a "security risk", seen as it is indeed in the Admin Panel..

Are you out just to cause worry?

[Infopro]

If you don't recognize it, you'll just have to trust me that that image posted above is not a vbulletin module and is not safe to have on your server.

[proclan]

I've seen that hack in English and it's usually used on php sites like nuke. They normally use it to upload scripts to the hacked account. It's not a server hack. But I cant remember the name of it. I would also check all of the folders on that account for any unusual files and folders and remove them. Then tell the client to update any software they are using.

[AndyReed]

i keep finding this page all of my clients especially those who have vBulletin forums

a picture attached to this thread please check and inform me how to prevent these files from being uploaded to my server

From the image attached to your posting, it looks like a phpshell script such as c99 or r57. Make sure your server is not compromised.

HowTo secure vBulletin from being hacked: http://servertune.com/kbase/entry/339/

[ghaidaa]

thank you verymuch for your help
i know its not a Cpanel issue or a VBulletin script but i thoghut i could find help in a trusted place and I did
yes its true the picture shows a shell called C99 and it is the same as C75

i found somthing today that can prevent uploading that kind of shell to the VB
its called "CrackerTracker" you can download it from here
www.traidnt.net/vb/attachment.php?attachmentid=108055&d=1171067073
and more info at
CrackerTracker - A Protection System from http://www.cback.de
i sent an email to all my clients to update their forums and scripts and asked them to use the hack
i will try it and inform you later
i accept more assistance