PDA

View Full Version : Hacker only accessed plugin.php?


Munch98
09-09-2013, 10:47 PM
Hi guys, I just got some messages from forum members telling me a user has been added to the "Founder" group in my forum, I am the only one with powers to edit a persons group so it is obvious they used something malicious to do it.

I checked what he had done and this is what it shows:
http://i.imgur.com/C7DNTZc.png

It seems he only wanted to add a plugin but I'm not sure what plugin it is that he has added. Does anyone have any idea what to look for specifically?

Zachery
09-09-2013, 10:55 PM
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions

Spangle
09-10-2013, 08:41 AM
I would echo what Zachery says, but you also need to check your public_html file for any files they may have added, I got hacked yesterday and thy tried to hide a couple of files, one was called "mail.php", the other was "passwords.txt"

I have also been notified by Hawkhost that there is a known exploit in Forum runner, so if you are using that it would probably be best to uninstall and delete any files belonging to it as well.