PDA

View Full Version : HACKED vBulletin 4.2.0 Patch Level 3

Divvy
09-11-2013, 01:39 PM
Hello guys,

Maybe someone can help me...
Today morning my vBulletin 4.2.0 Patch Level 3 was hacked by what it seems a brasilian hacker that leaved this message:

Desculpe o transtorno estamos invadindo seu site
Sabe por que? porque eu quis.

@Nega_cabelo_duro

Im trying to discover how to solve the problem, but cant find the file that he modified. Can someone please help me or give a clue?

I have vBa CMPS installed in the root of the forum and the index is working fine, only when we go to forum.php is redirecting to this page:
http://i.imgur.com/JingJTM.png

The source code of that page is:
http://paste2.org/YeFAjz9m

Any ideas guys? Please?

Thanks!

Best regards,
Tim

--------------- Added 1378910715 at 1378910715 ---------------

Ok, I have found this in my forumhome template:
http://paste2.org/Mw7snpxK

I also have found a new admin in the administrators group:
ID: 136733
username: polter
email: pulodentrodurio@hotmail.com
join and last activity date: 11-09-2013

Could he modified anything more?
Zachery
09-11-2013, 02:05 PM
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions
Brandon Sheley
09-11-2013, 02:09 PM
Did you have the install folder in place?

Remove it, remove the new admins, remove or revert the compromised templates, enjoy a cold beer.
squidsk
09-11-2013, 02:15 PM
See https://vborg.vbsupport.ru/showthread.php?t=301904
Divvy
09-11-2013, 02:16 PM
Thank you guys for your help!

Does someone know exactly what the hacker changed?
Until now only found:

1- a new admin (already deleted)
2- forumhome templatechanged (already reverted)

I already deleted the install folder also like Wayne Luke said here:
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5

Anymore changes that anyone have notice?

Best regards
Zachery
09-11-2013, 02:19 PM
Did you read over: http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked ?
Divvy
09-11-2013, 02:21 PM
Thank you squidsk,

Just a quick note. I saw the logs on
And found what he did:
http://i.imgur.com/pJRBdfi.png

So, If I am right, he only modified template files right?
Is possible to know if was only forumhome or more?

Thanks!

--------------- Added 1378915535 at 1378915535 ---------------

UPDATE: I have checked all template files one by one in the Last edited information and the only template file that was edit by the hacker was FORUMHOME in all templates that I have installed.
It says: Last edited September 11 2013 at 05:51 by polter

UPDATE2: I notice a new template file that was edit today (the day that my vb was hacked) and the file was bbcode_video
It says: Last edited September 11 2013 at 05:49 by
Note that don't appear the username, but the file was edit today and 2 minutes before he change FORUMHOME
My bbcode_video file code: http://paste2.org/5bP0w05b

UPDATE3: Just cant find the template file that he inserted on style 2 (default):
http://i.imgur.com/pJRBdfi.png
I saw the files one by one and cant find the today date...
dimobr
09-11-2013, 05:31 PM
Same problem here!
To resolve I did a restore from my DB (earliest possible before the attack)
Also deleted the install folder.

Now everything seems to be ok!
... It is advisable to change passwords ..