Home Page Hacked
creative-friend
09-08-2013, 07:07 PM
Hi,
It's been 2 or 3 times that my forum main page has been hacked. Before, I deleted the index.php page and uploaded it again, but this time it's not working... after hacking the main page, somehow hackers are making IDs with full Admin power...
Has anyone got a clue what's happening? I really need help with this issue.
ozzy47
09-08-2013, 07:17 PM
Delete the /install directory.
Here is an interesting article TheLastSuperman wrote; it may help: http://www.vbulletin.com/forum/blogs/michael-miller/3934768-recovering-a-hacked-vbulletin-site
If none of that helps, ask your host to reload your most recent backup, then you would still need to delete the install directory.
creative-friend
09-08-2013, 07:27 PM
Thanks for your reply mate
But the thing is, only the main page has been hacked; if I run a backup it will probably take a week's posts, threads and that...
So is there any solution just to restore my home page, please?
ozzy47
09-08-2013, 07:32 PM
Read the article, and follow the suggestions there.
Spangle
09-08-2013, 07:37 PM
First thing you have to do is reset all the passwords; that means anyone signing in has to change their password.
Secondly, you need to go through the files and see if there are any there that shouldn't be.
The only way to restore things as they were is by running a backup, and to be honest it shouldn't take that long once you get it from your host. I know it's too late, but you should really be downloading a backup at least every other day yourself, not relying on the host.
If it's only the front page that they have hacked (I'm assuming it's a portal), alter your .htaccess to forum.php; then at least your members can get into the site.
snakes1100
09-08-2013, 07:47 PM
Hi,
It's been 2 or 3 times that my forum main page has been hacked. Before, I deleted the index.php page and uploaded it again, but this time it's not working... after hacking the main page, somehow hackers are making IDs with full Admin power...
Has anyone got a clue what's happening? I really need help with this issue.
It's not that simple; he could have added his code in numerous ways, as the install security hole allowed a SQL injection. That is why you have new admins.
He could have used any one of these to inject the change on your home page:
base64 code in the db, in the datastore, template or style tables.
iframe code in the db, in the datastore, template or style tables.
You simply need to remove the code, but first you have to find it. There are a few articles outlining ways to find it in the db, and one hack to search for certain things in the datastore, which will remove it and rebuild your datastore for you.
creative-friend
09-08-2013, 08:07 PM
First thing you have to do is reset all the passwords; that means anyone signing in has to change their password.
Secondly, you need to go through the files and see if there are any there that shouldn't be.
The only way to restore things as they were is by running a backup, and to be honest it shouldn't take that long once you get it from your host. I know it's too late, but you should really be downloading a backup at least every other day yourself, not relying on the host.
If it's only the front page that they have hacked (I'm assuming it's a portal), alter your .htaccess to forum.php; then at least your members can get into the site.
I do have a backup from 2 days before... but I have contacted my host, so let's see what they will say. Waiting for their reply; if not, then I will restore the backup.
One more thing is that I only back up my database, and the size of the database backup is around 300, so I'm not even sure that's the right backup... but I download it from my control panel.
--------------- Added 1378674505 at 1378674505 ---------------
It's not that simple; he could have added his code in numerous ways, as the install security hole allowed a SQL injection. That is why you have new admins.
He could have used any one of these to inject the change on your home page:
base64 code in the db, in the datastore, template or style tables.
iframe code in the db, in the datastore, template or style tables.
You simply need to remove the code, but first you have to find it. There are a few articles outlining ways to find it in the db, and one hack to search for certain things in the datastore, which will remove it and rebuild your datastore for you.
How do I find that code? Please tell me... is there any way to find it and remove it? Please let me know.
ozzy47
09-08-2013, 08:12 PM
Did you follow the steps in the article I linked you to? It tells you in there.
Run the following queries in phpMyAdmin:
-- PHP's function is passthru; in LIKE, '_' is a single-character wildcard, so '%pass_thru%' would not match it.
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';
SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';
Then you could also try this mod, https://vborg.vbsupport.ru/showthread.php?t=281080
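An added example (mine, not ozzy47's or vBulletin's code) that takes the same search further: it scans rows exported from the plugin, template, notice, phrase and datastore tables for the markers the queries above look for, and also decodes any long base64 run and rescans it, since an encoded payload stored in the datastore contains none of those substrings in the clear. Table names are vBulletin 4 defaults; the rows and the attacker.example host are constructed.

```python
import base64
import binascii
import re

# Markers commonly planted in vBulletin plugin, template, notice, phrase and datastore rows.
SUSPICIOUS = re.compile(
    r"base64_decode|eval\s*\(|exec\s*\(|system\s*\(|passthru\s*\(|shell_exec"
    r"|<iframe|http-equiv=[\"']?refresh|<script[^>]*src=",
    re.IGNORECASE,
)
# A long run of base64 alphabet characters: decoded and rescanned for the markers above.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decoded_blobs(text):
    """Yield the decoded form of every base64-looking run in a row's content."""
    for match in B64_BLOB.finditer(text):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except binascii.Error:
            continue  # not valid base64 after all (e.g. a long hash or token)
        yield raw.decode("latin-1")


def scan_rows(rows):
    """rows: (table, key, content) tuples. Returns [(table, key, reason)] for rows that
    match a marker in the clear or inside a base64 blob, so they can be reviewed and reverted."""
    findings = []
    for table, key, content in rows:
        hit = SUSPICIOUS.search(content)
        if hit:
            findings.append((table, key, "plain: " + hit.group(0)))
            continue
        for decoded in decoded_blobs(content):
            hit = SUSPICIOUS.search(decoded)
            if hit:
                findings.append((table, key, "base64: " + hit.group(0)))
                break
    return findings


# Constructed sample rows (assumed vBulletin 4 table names); attacker.example is a placeholder.
_HIDDEN = base64.b64encode(b'<iframe src="http://attacker.example/x"></iframe>').decode()
SAMPLE_ROWS = [
    ("template", "FORUMHOME", '<div id="content">$navbar $forumbits</div>'),
    ("notice", "5", '<meta http-equiv="refresh" content="0;url=http://attacker.example/">'),
    ("plugin", "global_start", "eval(base64_decode('%s'));" % _HIDDEN),
    ("datastore", "forumcache", 'a:1:{s:7:"payload";s:%d:"%s";}' % (len(_HIDDEN), _HIDDEN)),
    ("phrase", "welcome_message", "Welcome to our forum"),
]
```

Feed it the result of a SELECT over each table (one tuple per row) and revert every flagged row from a known-good backup or the default template rather than hand-editing it.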
M.Iftikhar
09-09-2013, 05:46 AM
Please contact me, I will help you... thanks.
joeychgo
09-09-2013, 06:13 AM
You could always hire Sucuri (http://affl.sucuri.net/?).
They'll clean your site and monitor it for the next year. They do a great job.
creative-friend
09-09-2013, 12:22 PM
Hi Guys
Thanks everyone for your help... I had a problem in my FORUMHOME template... I reverted that template and now it's working fine.
xenite
09-09-2013, 02:54 PM
If it's the Syrian Army whatchamacallit, they apparently found a way to add themselves as administrators even getting past user moderation/approval (unless someone on my team approved an odd account without telling me).
They hacked NOTICE.PHP and embedded a meta-refresh in the PHRASE table. I don't think that it will stop them, but I have added the following to my .htaccess:
# Block Syrian Army IP Addresses
deny from 5.0.0.0/16
deny from 31.9.0.0/16
deny from 82.137.192.0/20
deny from 91.144.0.0/20
deny from 178.253.64.0/20
These IP addresses are all assigned to a Syrian government ISP (and sharing this list here may tip them off that I have identified which network they came in from).
I am using VB 4.something (still uploading a backup of the actual VBulletin files so my forum is offline at the moment). ADDED ON EDIT: Vbulletin 4.1.5 Patch 1
I don't think changing passwords is going to help with this. They found a flaw in the VBulletin script. I show three actions by the hacker's user account in the ADMINLOG. They are:
ADD action with "notice.php"
UPDATE action with "notice.php"
MODIFY action with "notice.php"
He used a HOTMAIL.IT email address (according to the user account).
He apparently deleted his IP address from the USER record (or when he injected it the IP address wasn't recorded). The ADMINLOG shows the IP address, though.
I'll post more info when I find it.
If anyone knows how they managed to create an admin user account without being approved, I'll be glad to hear about that. Please spare me the "they cracked your password" explanation as that dog won't hunt.
ForceHSS
09-09-2013, 03:10 PM
Al souweqah street, Damascus seems to be where they are, going by their IP, but I am sure none of the IPs are even his real ones. I did see a plugin here that blocks cities or something like that. If anyone has a link, please post it.
xenite
09-09-2013, 03:38 PM
The IP address is real. The hack started at 19 minutes after the hour and was finished within 9 minutes.
He hit an old thread from 2006 that looks pretty innocuous to me.
It looks like he then hit the upgrade script in the install directory (I know -- I should not have left that there, but I get busy with a lot of tasks on this server).
After hitting the upgrade.php a couple of times and firing off some Javascript he got into the AdminCp.
Once in he executed the newsproxy.php script.
Then he hit the notice.php script.
And then he was done.
--------------- Added 1378745307 at 1378745307 ---------------
I doubt I can shed any more light on this. He got in through an UPGRADE hack and that is all my fault.
BarelyHangingOn
09-09-2013, 03:49 PM
I have reverted my forum home template, deleted the install directory and removed the two admin accounts that were created.
Should I be okay after this?
xenite
09-09-2013, 04:13 PM
There are no guarantees in life but deleting the accounts and the scripts they used to hack in will certainly make it harder for them to do any more damage.
I also pruned all users awaiting email confirmation, only out of spite, because they were also all obvious forum spammers.
--------------- Added 1378747182 at 1378747182 ---------------
For what it's worth, I had my admins change their passwords but I don't think that was necessary on this one occasion.
That said, the main admin account's password cannot be changed because I blocked that in the INCLUDES/CONFIG.PHP script. That is a prudent measure to take because when they do get in and create an admin account, they can change passwords all over the place. This is the section to update:
// ****** UNDELETABLE / UNALTERABLE USERS ******
// The users specified here will not be deletable or alterable from the control panel by any users.
// To specify more than one user, separate userids with commas.
$config['SpecialUsers']['undeletableusers'] = '';
Of course, if they could hack into the server account itself they could try to change this script so it's not a perfect protection but it at least serves as a firewall between your legitimate admin passwords and anyone who wants to block you from getting back in.
fmckinnon
09-09-2013, 04:59 PM
OK, I'm hacked the same way.
I upgraded all files to 4.2.2.
I deleted the /install directory.
I've searched, and the ONLY two Admin accounts are those of myself and our Editor ...
Still hacked - not sure what else to do? It redirects to the Syrian army thing as soon as you login to the forums or click a thread.
xenite
09-09-2013, 05:41 PM
In my case the hacker embedded an HTTP meta refresh directive in a new NOTICE.
fmckinnon
09-09-2013, 05:51 PM
xenite - can you explain in a little more detail: where is that located, and how can I clear it out? I've replaced ALL the forum files on the server, so I assume this must be injected into the MySQL?
xenite
09-09-2013, 06:03 PM
Login to ADMINCP.
Scroll down to NOTICES (FAQ should be just above it, ANNOUNCEMENTS should be just below it).
Click into NOTICES MANAGER.
If they loaded a notice, you will see it there.
fmckinnon
09-09-2013, 07:26 PM
Boom, that was it. Deleted both of them, upgraded to 4.2.1 and removed the /install directory. Should that tighten things up?
xenite
09-10-2013, 01:27 AM
Zachary, one of the support staff here, has shared this info:
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions
It's kind of generic but that is the best place to start. There are lots of other measures you MAY be able to take.
For example, I run a dedicated server and I have managed to lock it down in a lot of ways. I was simply not aware of this new INSTALL directory hack (Vbulletin for some reason can't allow me to change my email address for my membership so every time I turn off the old one I miss all their notices).
Anyway, you can lock down a server by using a firewall to block IP addresses that participate in brute force dictionary attacks (they try to log in to forums, blogs, and servers with random user names and passwords). You can disable FTP and SSH services when you are not using them (but if you run an HTTPS site you need to keep SSH active).
In VBulletin you can prevent people from changing your admin password but only if they cannot hack into your server (or server account on a shared server).
Passwords are harder to crack if they are 11 characters long (forget all the funky special characters -- they don't offer any additional protection).
If you can "salt" your passwords (by adding 2 or more characters to the passwords when they are stored in the database) you should.
However, if hackers can get into your server and download the encrypted password file they can crack all the passwords in a matter of hours or days (depending on how long the passwords are).
It really comes down to being prudent and diligent. You cannot always keep them out. There are a lot more of them out there trying to hack your site than there is of you (if that makes sense).
Arrogant-One
10-08-2013, 08:06 PM
Yesterday or the day before my homepage got hacked. Arabic writing. I was on vB 4.1.12. I upgraded to 4.2.1, and FTP'd the files and then used the vB upgrade process. It worked. I then deleted the Install file from the FTP.
This should have solved the issue, but today, got hacked again. Gonna try the same process to see if I can get my forum back, but this time I cannot even access the Admin CP panel, a hacked page comes up :(
Hacked by: ?l S?ni?r?? M?my
--------------- Added 1381269071 at 1381269071 ---------------
Turns out there were several Admin accounts I knew nothing of. Now those accounts, one of which was cleverly named vbsupport, have been deleted. Hopefully this solves the problem but if not, I am happy to share.