PDA

View Full Version : Cleaning after hack

Skivey
10-25-2013, 11:49 AM
Ive just deleted about 15 'new' administrators

Any idea what these are?

http://postimg.org/image/5fd9xpgu5/

Matt

--------------- Added 1382705488 at 1382705488 ---------------

this is the contents

http://postimg.org/image/dlzo3jwc7/

--------------- Added 1382711311 at 1382711311 ---------------

I cant seem to see administrator log?

Where should I find this? I can see Moderator Log but not administrator?
borbole
10-25-2013, 05:47 PM
Those that make use of the init_startup hook locations are all malicious. Delete them.
ForceHSS
10-25-2013, 06:40 PM
Delete all them and the hacker admins then check admin logs see what they have changed I have fixed many forums and have seen them change files in templates and in skimlinks as well
Skivey
10-26-2013, 08:13 AM
I reuploaded all the forum files so they are now original flles.

As well as this I have deleted all of the above hooks, deleted admins, changed the database name and password, changed the admin and mod cp links. Changed the ftp password, deleted anything 'install'.

Is there anything else I need to do? Do I need to reset users passwords? if so what is the query used to do this?

Regards

Matt

--------------- Added 1382779442 at 1382779442 ---------------

I also notice a few php and html files that I dont recognise..... is there a way of checking all files and folders? Im going to keep the forum down till I get all this sorted....

--------------- Added 1382779857 at 1382779857 ---------------

zdberr9cd964b2da2e416c43c2b2cc5d64ac18.dat
ozzy47
10-26-2013, 09:35 AM
I would do the following, to ensure everything is clean.

First you need to follow our advisory about deleting the install folder off your forums.

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked (http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked)

http://www.vbulletin.com/forum/blogs...vbulletin-site (http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site)

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5 (http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5)
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions (http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions)