PDA

View Full Version : Forum Hacked


xhells21
09-11-2013, 06:35 PM
Hello,
I have recently been hacked and some1 has messed up my forum.
I need help please.
My forum appears as a blank page unless i disable hooks in config.php
Please tell me how i can fix the forum as i tried to restore the 4.2.1 forum with an upgrade.php but i am not sure what files the hackers might have accessed or created.
This is the admin log i found of the people who managed to make them selfs admins on the forum :

37609 N/A 14:30, 10th Sep 2013 subscriptions.php 180.191.124.181
37608 N/A 14:30, 10th Sep 2013 plugin.php 180.191.124.181
37607 N/A 14:30, 10th Sep 2013 plugin.php doimport 180.191.124.181
37606 N/A 14:30, 10th Sep 2013 plugin.php files 180.191.124.181
37605 N/A 14:23, 10th Sep 2013 plugin.php 180.191.124.181
37604 N/A 14:23, 10th Sep 2013 plugin.php doimport 180.191.124.181
37603 N/A 14:23, 10th Sep 2013 plugin.php files 180.191.124.181
37602 N/A 14:22, 10th Sep 2013 plugin.php product 180.191.124.181
37601 N/A 14:22, 10th Sep 2013 replacement.php modify 180.191.124.181
37600 N/A 14:22, 10th Sep 2013 skimlinks.php advanced 180.191.124.181
37599 N/A 14:22, 10th Sep 2013 ad.php 180.191.124.181
37598 N/A 14:21, 10th Sep 2013 language.php edit Language ID = 1 180.191.124.181
37597 N/A 14:21, 10th Sep 2013 language.php modify 180.191.124.181
37596 N/A 14:18, 10th Sep 2013 template.php modify 180.191.124.181
37595 N/A 14:18, 10th Sep 2013 template.php upload 180.191.124.181
37594 N/A 14:15, 10th Sep 2013 template.php upload 180.191.124.181
37593 N/A 14:15, 10th Sep 2013 template.php files 180.191.124.181
37592 N/A 14:09, 10th Sep 2013 template.php edit style id = 0 180.191.124.181
37591 N/A 14:08, 10th Sep 2013 template.php updatetemplate style id = 3 180.191.124.181
37590 N/A 14:08, 10th Sep 2013 template.php edit style id = 0 180.191.124.181
37589 N/A 14:08, 10th Sep 2013 template.php modify 180.191.124.181
37588 N/A 14:07, 10th Sep 2013 template.php modify 180.191.124.181
37587 N/A 14:07, 10th Sep 2013 template.php modify 180.191.124.181
37586 N/A 14:07, 10th Sep 2013 template.php modify 180.191.124.181
37585 N/A 14:06, 10th Sep 2013 plugin.php 180.191.124.181
37584 N/A 14:06, 10th Sep 2013 plugin.php doimport 180.191.124.181
37583 N/A 14:06, 10th Sep 2013 plugin.php files 180.191.124.181
37582 N/A 14:05, 10th Sep 2013 plugin.php 180.191.124.181
37581 N/A 14:05, 10th Sep 2013 plugin.php doimport 180.191.124.181
37580 N/A 14:05, 10th Sep 2013 plugin.php files 180.191.124.181
37579 N/A 14:05, 10th Sep 2013 plugin.php add 180.191.124.181
37578 N/A 14:05, 10th Sep 2013 plugin.php add 180.191.124.181
37577 N/A 14:05, 10th Sep 2013 plugin.php updateactive 180.191.124.181
37576 N/A 14:03, 10th Sep 2013 plugin.php 180.191.124.181
37575 N/A 14:03, 10th Sep 2013 plugin.php update 180.191.124.181
37574 N/A 14:03, 10th Sep 2013 plugin.php update 180.191.124.181
37573 N/A 14:03, 10th Sep 2013 plugin.php add 180.191.124.181
37572 N/A 14:03, 10th Sep 2013 plugin.php files 180.191.124.181
37571 N/A 14:02, 10th Sep 2013 admincalendar.php modify 180.191.124.181
37570 N/A 14:01, 10th Sep 2013 template.php modify 180.191.124.181
37569 N/A 14:00, 10th Sep 2013 template.php edit style id = 0 180.191.124.181
37568 N/A 13:59, 10th Sep 2013 template.php modify 180.191.124.181
37567 N/A 13:59, 10th Sep 2013 template.php modify 180.191.124.181
37566 N/A 13:58, 10th Sep 2013 plugin.php files 180.191.124.181
37565 N/A 13:57, 10th Sep 2013 template.php modify 180.191.124.181
37564 N/A 13:57, 10th Sep 2013 template.php add style id = 1 180.191.124.181
37563 N/A 13:57, 10th Sep 2013 template.php modify 180.191.124.181
37562 N/A 13:57, 10th Sep 2013 template.php modify 180.191.124.181
37561 N/A 13:57, 10th Sep 2013 template.php modify 180.191.124.181
37560 N/A 13:56, 10th Sep 2013 template.php edit style id = 0 180.191.124.181
37559 N/A 13:56, 10th Sep 2013 template.php modify 180.191.124.181
37558 N/A 13:56, 10th Sep 2013 template.php modify 180.191.124.181
37557 N/A 13:56, 10th Sep 2013 template.php modify 180.191.124.181
37556 N/A 13:56, 10th Sep 2013 template.php edit style id = 0 180.191.124.181
37555 N/A 13:55, 10th Sep 2013 template.php modify 180.191.124.181

7554 N/A 13:55, 10th Sep 2013 template.php modify 180.191.124.181
37553 N/A 13:55, 10th Sep 2013 template.php modify 180.191.124.181
37552 N/A 13:55, 10th Sep 2013 template.php modify 180.191.124.181
37551 N/A 13:55, 10th Sep 2013 plugin.php 180.191.124.181
37550 N/A 13:54, 10th Sep 2013 plugin.php update 180.191.124.181
37549 N/A 13:54, 10th Sep 2013 plugin.php add 180.191.124.181
37548 N/A 13:53, 10th Sep 2013 plugin.php edit plugin id = 1586 180.191.124.181
37547 N/A 13:53, 10th Sep 2013 plugin.php update plugin id = 1586 180.191.124.181
37546 N/A 13:46, 10th Sep 2013 plugin.php edit plugin id = 1586 180.191.124.181
37545 N/A 13:46, 10th Sep 2013 plugin.php update 180.191.124.181
37544 N/A 13:45, 10th Sep 2013 plugin.php add 180.191.124.181
37543 N/A 13:44, 10th Sep 2013 template.php add style id = 3 180.191.124.181
37542 N/A 13:44, 10th Sep 2013 template.php modify 180.191.124.181
37541 N/A 13:43, 10th Sep 2013 template.php modify 180.191.124.181
37540 N/A 13:43, 10th Sep 2013 template.php modify 180.191.124.181
37539 N/A 13:41, 10th Sep 2013 plugin.php 180.191.124.181
37538 N/A 13:40, 10th Sep 2013 plugin.php doimport 180.191.124.181
37537 N/A 13:40, 10th Sep 2013 plugin.php files 180.191.124.181
37536 N/A 13:37, 10th Sep 2013 plugin.php files 180.191.124.181
37535 N/A 11:08, 10th Sep 2013 plugin.php 112.204.145.208
37534 N/A 11:08, 10th Sep 2013 plugin.php doimport 112.204.145.208
37533 N/A 11:08, 10th Sep 2013 plugin.php files 112.204.145.208
37532 N/A 11:07, 10th Sep 2013 plugin.php 112.204.145.208
37531 N/A 11:07, 10th Sep 2013 plugin.php kill plugin id = 1583 112.204.145.208
37530 N/A 11:07, 10th Sep 2013 plugin.php delete plugin id = 1583 112.204.145.208
37529 N/A 11:07, 10th Sep 2013 plugin.php modify 112.204.145.208
37528 N/A 11:07, 10th Sep 2013 subscriptions.php modify 112.204.145.208
37527 N/A 11:07, 10th Sep 2013 plugin.php 112.204.145.208
37526 N/A 11:07, 10th Sep 2013 plugin.php doimport 112.204.145.208
37525 N/A 11:07, 10th Sep 2013 plugin.php files 112.204.145.208
37524 N/A 11:07, 10th Sep 2013 plugin.php 112.204.145.208
37523 N/A 11:07, 10th Sep 2013 plugin.php kill plugin id = 1582 112.204.145.208
37522 N/A 11:06, 10th Sep 2013 plugin.php delete plugin id = 1582 112.204.145.208
37521 N/A 11:06, 10th Sep 2013 plugin.php modify 112.204.145.208
37520 N/A 11:05, 10th Sep 2013 subscriptions.php modify 112.204.145.208
37519 N/A 11:05, 10th Sep 2013 plugin.php 112.204.145.208
37518 N/A 11:05, 10th Sep 2013 plugin.php doimport 112.204.145.208
37517 N/A 11:05, 10th Sep 2013 plugin.php files 112.204.145.208
37516 N/A 11:05, 10th Sep 2013 plugin.php 112.204.145.208
37515 N/A 11:05, 10th Sep 2013 plugin.php kill plugin id = 1581 112.204.145.208
37514 N/A 11:05, 10th Sep 2013 plugin.php delete plugin id = 1581 112.204.145.208
37513 N/A 11:05, 10th Sep 2013 plugin.php modify 112.204.145.208
37512 N/A 11:04, 10th Sep 2013 plugin.php 112.204.145.208
37511 N/A 11:04, 10th Sep 2013 plugin.php doimport 112.204.145.208
37510 N/A 11:04, 10th Sep 2013 plugin.php files 112.204.145.208
37509 N/A 11:04, 10th Sep 2013 plugin.php 112.204.145.208
37508 N/A 11:04, 10th Sep 2013 plugin.php kill plugin id = 1580 112.204.145.208
37507 N/A 11:04, 10th Sep 2013 plugin.php delete plugin id = 1580 112.204.145.208
37506 N/A 11:04, 10th Sep 2013 plugin.php modify 112.204.145.208
37505 N/A 11:03, 10th Sep 2013 plugin.php edit plugin id = 1580 112.204.145.208
37504 N/A 11:03, 10th Sep 2013 plugin.php modify 112.204.145.208
37503 N/A 11:01, 10th Sep 2013 subscriptions.php modify 112.204.145.208
37502 N/A 11:01, 10th Sep 2013 plugin.php 112.204.145.208
37501 N/A 11:01, 10th Sep 2013 plugin.php doimport 112.204.145.208
37500 N/A 11:01, 10th Sep 2013 plugin.php files 112.204.145.208
37499 N/A 11:01, 10th Sep 2013 plugin.php 112.204.145.208
37498 N/A 11:01, 10th Sep 2013 plugin.php kill plugin id = 1579 112.204.145.208
37497 N/A 11:01, 10th Sep 2013 plugin.php delete plugin id = 1579 112.204.145.208
37496 N/A 11:00, 10th Sep 2013 plugin.php modify 112.204.145.208
37495 N/A 11:00, 10th Sep 2013 plugin.php edit plugin id = 1579 112.204.145.208
37494 N/A 11:00, 10th Sep 2013 plugin.php modify 112.204.145.208
37493 N/A 10:58, 10th Sep 2013 plugin.php 112.204.145.208
37492 N/A 10:58, 10th Sep 2013 plugin.php doimport 112.204.145.208
37491 N/A 10:58, 10th Sep 2013 plugin.php files 112.204.145.208

Zachery
09-11-2013, 06:43 PM
General advice post:

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions