Hacked again! 2nd time in 2 weeks! Cannot access ACP.
obglobal.net
09-17-2013, 12:51 PM
This is ridiculous.
I don't know how to handle this kind of stuff! I can't even access my ACP to delete this dude.
Hacked by Ari Tiga Angka Enam.
Why is vBulletin so easy to hack? Someone please guide me through what to do via cPanel.
I lost about 50 posts last time because I reverted to a backup.
So over it. :down:
TheLastSuperman
09-17-2013, 01:37 PM
Moved to vB4 General Discussion. I would guess that you overlooked something the first time around... a plugin was still present, the datastore table had a plugin within... a shell script on your server... any number of things, honestly. Be sure to check using these links and be VERY THOROUGH. Grab a cup of coffee, do it right, and above all else do not become frustrated; that is the #1 thing many do, and they assume that since it started working after they uploaded files that it's fine. No, you need to be very in-depth after being hacked, not only for your safety but for the safety of all your community members.
http://www.vbulletin.com/forum/blogs/michael-miller/3934768-recovering-a-hacked-vbulletin-site
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
socialteenz
09-17-2013, 01:41 PM
Did you remove the install directory? Check for all the users with admin privilege & change all your admin passwords.
obglobal.net
09-17-2013, 02:02 PM
I got this from my hosting service:
I have checked your site and found the following suspicious files:
Code:
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/admincp/plugin.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/admincp/help.php
[HEX]php_nested_base64_510 : [15/09/13] /home/obglobal/public_html/admincp/nsuser.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/admincp/index.php
[HEX]php_nested_base64_510 : [17/09/13] /home/obglobal/public_html/admincp/black.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/admincp/admin.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/forum.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/index.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/showthread.php
Can someone PLEASE tell me how to clean these out? I really have no idea what to do and I'm desperate.
--------------- Added 17 Sep 2013 at 15:04 ---------------
Did you remove the install directory? Check for all the users with admin privilege & change all your admin passwords.
Yeah, I did.
Can I change my passwords via cPanel, do you know?
Spangle
09-17-2013, 03:34 PM
Firstly, I would check all those files: check them against what is uploaded when you do an install, then check them against what is in those folders for each plugin.
Delete any that you cannot find.
Off the top of my head, this one looks a bit suspicious:
/home/obglobal/public_html/admincp/black.php
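The check Spangle describes above (compare the live files with a fresh install and treat anything not in it as suspect), as an added example that is not part of the original thread. It assumes a clean copy of the same vBulletin version is unpacked in a separate directory; the function names and the `clean_root` argument are illustrative.

```python
import hashlib
import re
import sys
from pathlib import Path

# Report line format, as quoted in the thread:
#   [STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/forum.php
REPORT_LINE = re.compile(r"^\[(\w+)\](\S+)\s*:\s*\[([\d/]+)\]\s+(\S+)$")

def parse_report(text):
    """Return (signature, absolute_path) for every well-formed report line."""
    hits = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m:
            hits.append((m.group(2), m.group(4)))
    return hits

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def triage(live_root, clean_root):
    """Map each live .php file that differs from the clean package to a state.
    "modified": shipped by the package but altered -> re-upload the original.
    "unknown":  not in the package -> check plugin packages, else remove.
    """
    live_root, clean_root = Path(live_root), Path(clean_root)
    states = {}
    for f in sorted(p for p in live_root.rglob("*.php") if p.is_file()):
        rel = f.relative_to(live_root)
        ref = clean_root / rel  # assumed: same layout as the live webroot
        if not ref.is_file():
            states[rel.as_posix()] = "unknown"
        elif sha256(f) != sha256(ref):
            states[rel.as_posix()] = "modified"
    return states

def cross_check(report_text, live_root, clean_root):
    """Return {relative_path: (state, flagged_by_scanner)}."""
    prefix = Path(live_root).as_posix().rstrip("/") + "/"
    flagged = {p[len(prefix):] for _, p in parse_report(report_text)
               if p.startswith(prefix)}
    return {rel: (state, rel in flagged)
            for rel, state in triage(live_root, clean_root).items()}

if __name__ == "__main__":  # usage: script.py REPORT LIVE_ROOT CLEAN_ROOT
    report, live, clean = sys.argv[1:4]
    for rel, (state, hit) in cross_check(Path(report).read_text(), live, clean).items():
        print(f"{state:8} {'scanner' if hit else 'MISSED '} {rel}")
```

Files the scanner did not flag but that still differ from the package show up as `MISSED`, which is the case a second compromise usually comes from. The comparison covers only `.php` files on disk; plugin code stored in the database (the plugin and datastore tables mentioned earlier in the thread) has to be checked separately.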
socialteenz
09-17-2013, 04:36 PM
Yes, you can change the passwords via admincp.
Seems like you need to upload all vbulletin files again.
Check for vulnerable plug-ins too.
My bad, seems like superman summed it up nicely. Check his links.
Steve-Hoog
09-17-2013, 05:06 PM
obglobal.net
Sounds like you got very close to the same thing I got. Our entire vB software was destroyed.
Basically I had to hire someone to clear out all files, reload the vB software, and then reintroduce the database. And I can only thank God our database was not destroyed.
You definitely have a different hacker than I had; but I went by your URL and from what you posted in here I think you are screwed just like I was.
Steve