Recently I started finding new admin users that appear to be injected into my database. They don't have any associated IP addresses. So far they have not been able to do anything in admincp, presumably because I have the directory password protected. I did an extensive file check and nothing seems to be out of the ordinary.

What can I search for in raw access logs to determine how this is happening?

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked (http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked)
http://www.vbulletin.com/forum/blogs...vbulletin-site (http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site)
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5 (http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5)
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions (http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions)

Thanks ozzy. I'm familiar with those (and also this (http://vbtechsupport.com/2355/)) but didn't find (or maybe I missed) what to search for in the access logs.

I have already taken all steps in the guide "Fixing your site after you have been hacked" several times, but continue to get admin users injected in my database.

Any help with searching raw access logs to determine how it's being done would be appreciated.

It sounds like there is still a backdoor somewhere. Remember that they probably can't access the admincp, but they can still insert data via whatever method they are using to get in. It could be something appended to a plugin or template. I would install the plugin search mod (https://vborg.vbsupport.ru/showthread.php?t=265976) and search plugins and templates for things like base64 and display:none (which is actually used in some templates)

Make sure you look carefully at Maintenance > Diagnostics > Suspect file versions for unexpected contents.

You should update to 4.2.2 pl1.

Also, if you have wordpress installed - I recently restored a hacked vbulletin and found that their WP install even had things inserted into the files/templates. Make sure to take a close look at WP or any other software packages if you have them.

I'm assuming you already removed the install directory...

Thanks tpearl5. Yes, install dir was already removed.

I also suspect there is a backdoor somewhere, or a file that is vulnerable to sql injection. I'm wondering if there are some strings I can search my apache raw access logs for to identify the culprit.

I thoroughly checked all files identified in Maintenance > Diagnostics > Suspect file versions. I found and removed a number of files that were left over from previous versions of VB and old/uninstalled mods. All the files left (current mods I am using) seem to be ok, I didn't see anything unusual in them. I replaced all VB core files with freshly downloaded copies.

VB 4.2.1 PL1 is not known to have security vulnerabilities as far as I am aware. I'll probably upgrade to 4.2.2 anyway, but I'm not sure it will fix this.

If you have a backdoor somewhere, upgrading will not fix it.

Did you happen to check for any unknown plugins?

I've been keeping an eye on plugins and don't see anything unusual.

Then it has to be a file in the folders, a vulnerability in a mod, or a security issue on the server.

Do you happen to have vBSEO installed?

I did have VBSEO installed the first time this happened. I suspected it might be the culprit so I switched to DBSEO and removed VBSEO and all it's files. Unfortunately it continued after removing VBSEO.

Then there might be something lurking around from when you had vBSEO installed.

What other modifications have you got installed?
And are all the modifications from official vB sites?

Check admincp/Plugins & Products/Plugin Manager many people don't look in there so its always over loooked

I installed Search Plugins (https://vborg.vbsupport.ru/showthread.php?t=265976) and ran a few searches including base64, nothing turned up. Any other terms I should search for?

With the exception of Tapatalk, all mods I am using are from vbulletin.org and DB Tech. They are:

https://vborg.vbsupport.ru/showthread.php?t=228825
https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=chgtpowner4
https://vborg.vbsupport.ru/showthread.php?t=256383
https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=forumtags_vb4
https://vborg.vbsupport.ru/misc.php?do=producthelp&pid=ms_fwsfut_40
https://vborg.vbsupport.ru/showthread.php?t=248042
https://vborg.vbsupport.ru/showthread.php?t=237650&page=10
https://vborg.vbsupport.ru/showthread.php?t=235841
https://vborg.vbsupport.ru/showthread.php?t=236127
https://vborg.vbsupport.ru/showthread.php?t=233309

http://www.dragonbyte-tech.com/product.php?dbtech_thanks
http://www.dragonbyte-tech.com/product.php?dbtech_usertag
http://www.dragonbyte-tech.com/product.php?dbtech_ajaxthreads
http://www.dragonbyte-tech.com/product.php?dbtech_copyright
http://www.dragonbyte-tech.com/product.php?dbtech_ajaxthreads
http://www.dragonbyte-tech.com/product.php?dbtech_dbseo

--------------- Added 1407698059 at 1407698059 ---------------

Thanks ForceHSS, I did check in plugin manager and don't see anything unusual.

Hmmm, none of those mods have any issues that I have ever heard of. :confused:

Try installing this mod, and see if it turns up anything, https://vborg.vbsupport.ru/showthread.php?t=304190

Try installing this mod, and see if it turns up anything, https://vborg.vbsupport.ru/showthread.php?t=304190

That does turn up a number of warnings, but they are not specific as to why.

It seems to check for anything modified within the past 3 months, which happens to be a lot because I have been doing updates recently.

Correct, so if you see something that has been modified, and you don't remember modifying it, best to check into it.

Checking them all now, nothing amiss so far.

When is the last time you updated TapaTalk, I remember there was a vulneribility in it back in May or so.

Also have you checked your notices to see if there is anything in there?

Under 'Forums' that mod tells me "4 forums contain potentially malicious code" - but I have no idea why or how to check them. All the other warnings seem to be false positives.

I have scanned all files with ClamAV and Sucuri server side scanner, nothing turned up.

--------------- Added 1407699424 at 1407699424 ---------------

Tapatalk is currently the latest version. I upgraded it a few weeks before any of the problems started. Before that I was running an older version of it for a while.

Nothing unusual in notices, only the ones that I made.

Does it happen to list the forums?

Yea it does list the forums. Checking them, it seems to flag the forums that have an HTML link in the forum description. Nothing harmful, just internal links pointing to rules etc.

If you allow any group to use even the admin group you should never allow html to be used

Hmmm, I am at a loss then. Sounds like you might just have to pay someone to clean up your site.

If you decide to go that route, I would suggest, TheLastSuperman (https://vborg.vbsupport.ru/member.php?u=274667"), he has done quite a few cleanup's after a hack on boards.

If you allow any group to use even the admin group you should never allow html to be used

Can you explain this more?

He is talking about, ACP --> Forums & Moderators --> Forum Manager, in each forum you have a option, Allow HTML that should always be NO

Which I know is not what you were talking about.

Hmmm, I am at a loss then. Sounds like you might just have to pay someone to clean up your site.

If you decide to go that route, I would suggest, TheLastSuperman (https://vborg.vbsupport.ru/member.php?u=274667"), he has gone quite a few cleanup's after a hack on boards.

Thanks a lot for your time and help ozzy. I'm at a loss as well.

If it were a vulnerability in VB core, I would expect to find more people posting similar stories. How it's happening on my site is eluding me though.

I think searching the Apache raw access logs may reveal the exploit being used, but I don't know what to search for.

There is also a option in each user group that it needs disabled

Yeah I would not be sure what to look for either. :(

He is talking about, ACP --> Forums & Moderators --> Forum Manager, in each forum you have a option, Allow HTML that should always be NO

Which I know is not what you were talking about.

Ok, that is set to NO of course.

And I assume the same thing for each usergroup?

Yes, HTML is disabled in all usergroups as well.

And you have went through all the php files in your forum root, and there is nothing there that should not be?

Have you changed all passwords for all admins, FTP and capnel if not it needs done. The next step is to hire someone to find out how you have been hacked

How about any erroneous cron jobs? ACP --> Scheduled Tasks --> Scheduled Task Manager

I ran Maintenance > Diagnostics > Suspect file versions and checked every file that had a notice. Aside from some older files from previous versions of VB and old plugins, nothing was out of place.

I replaced all VB core files with fresh downloads, and replaced most plugin files as well.

Sucuri and ClamAV didn't find anything either.

--------------- Added 1407701446 at 1407701446 ---------------

How about any erroneous cron jobs? ACP --> Scheduled Tasks --> Scheduled Task Manager

Those all seem to be ok as far as I can tell. There's a couple from mods and the rest look like core VB tasks.

Thanks tpearl5. Yes, install dir was already removed.

I also suspect there is a backdoor somewhere, or a file that is vulnerable to sql injection. I'm wondering if there are some strings I can search my apache raw access logs for to identify the culprit.


I'm not sure anything would appear in the access logs, but you may want to look at and sort by the modified dates of any files (not just vbulletin ones).

Why are you on 4.2.1 and not 4.2.2

It was due to incompatibility with a mod I was using. I'm no longer using it and will be upgrading, but I don't think 4.2.1 PL1 -> 4.2.2 PL1 fixes any security issues.

Looks like you may have to resort to paying to have it sorted. :(

There's nothing in 4.2.2 that would break a modification that worked on 4.2.1.

Upgrade to 4.2.2 and add the following line to your /includes/config.php file, right under the <?php line:
define('SKIP_ALL_ERRORS', true);

For everyone who is saying to upgrade as a response to this thread, are you suggesting that vBulletin 4.2.1 PL1 is not secure? I don't think that is the case.

It is secure, it just 4.2.2 is just more secure, but if you like what you have stay with it as long as you have installed the latest security patch that came out a few months ago.

How is it that hackers can find the security holes so easily before they are spotted by vBulletin developers? Are they smarter than the software developers at vBulletin or is vBulletin not spending enough time and effort on QC ?

It seems like they release a new version and wait for the hackers to show them where they messed up instead of conducting enough testing prior to the release.

There's nothing in 4.2.2 that would break a modification that worked on 4.2.1.

Upgrade to 4.2.2 and add the following line to your /includes/config.php file, right under the <?php line:
define('SKIP_ALL_ERRORS', true);
Unless there is a very good reason to disable all error reporting, please use SKIP_DS_ERRORS.

That reverts 4.2.2 to use the same as 4.2.1 (and previous versions).