I've been hacked?
Buzzle
11-20-2014, 11:06 AM
Hi, I logged on today to see a random account I've never seen before with administrator access. This is what he did:
http://puu.sh/cYklR/820873f86e.png
Can someone tell me how he got access or what he was doing once he was in.
Thank you.
Edit: /install directory has been deleted already.
Edit: Version 4.1.5 (Latest version)
Please post all of your active add-ons here.
We also need to know which vBulletin version you're using.
ozzy47
11-20-2014, 11:08 AM
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & all versions of vBulletin 5: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions
What version of vB4 are you running?
Buzzle
11-20-2014, 11:09 AM
Please post all of your active add-ons here.
We also need to know which vBulletin version you're using.
I'm using version 4.1.5 (Latest version)
By add-ons, are you referring to products? If so:
http://puu.sh/cYmWF/5856b728c1.png
ozzy47
11-20-2014, 11:13 AM
Well, first off, that version is outdated and has unpatched security issues; you should be running the latest, 4.2.2 at a minimum, or 4.2.3.
Inferno Shout is outdated and most likely did not come from this site. I would ditch that and get a different shout, such as its newer version: https://vborg.vbsupport.ru/showthread.php?t=236970
Alright, that looks fine.
Now:
- Be sure the /install folder is not present on your vBulletin installation.
- Check all of your active plugins, there shouldn't be any fishy plugins with odd names.
- In your ACP go to Maintenance > Diagnostics > Suspect File Versions. Check if there are any weird files which were created recently on your server.
- Change the password of all administrator/moderator accounts.
- Protect your ACP with a plugin like this: https://vborg.vbsupport.ru/showthread.php?t=296383
Edit: vBulletin version is very outdated, update to the latest.
Buzzle
11-20-2014, 11:15 AM
Well, first off, that version is outdated and has unpatched security issues; you should be running the latest, 4.2.2 at a minimum, or 4.2.3.
Inferno Shout is outdated and most likely did not come from this site. I would ditch that and get a different shout, such as its newer version: https://vborg.vbsupport.ru/showthread.php?t=236970
Do you have any idea how the hacker got access to begin with?
ozzy47
11-20-2014, 11:15 AM
Also check your plugins: ACP --> Plugins & Products --> Plugin Manager, and see if there are any unknown plugins running under vBulletin.
ozzy47
11-20-2014, 11:16 AM
Do you have any idea how the hacker got access to begin with?
Well, it could have been any of the security issues in the version you are running, or through Inferno Shout.
ozzy47
11-20-2014, 11:17 AM
Alright, that looks fine.
Now:
- Be sure the /install folder is not present on your vBulletin installation.
- Check all of your active plugins, there shouldn't be any fishy plugins with odd names.
- In your ACP go to Maintenance > Diagnostics > Suspect File Versions. Check if there are any weird files which were created recently on your server.
- Change the password of all administrator/moderator accounts.
- Protect your ACP with a plugin like this: https://vborg.vbsupport.ru/showthread.php?t=296383
Edit: vBulletin version is very outdated, update to the latest.
The only one I would ditch, Dave, is Inferno Shout.
Buzzle
11-20-2014, 11:17 AM
Alright, that looks fine.
Now:
- Be sure the /install folder is not present on your vBulletin installation.
- Check all of your active plugins, there shouldn't be any fishy plugins with odd names.
- In your ACP go to Maintenance > Diagnostics > Suspect File Versions. Check if there are any weird files which were created recently on your server.
- Change the password of all administrator/moderator accounts.
- Protect your ACP with a plugin like this: https://vborg.vbsupport.ru/showthread.php?t=296383
Edit: vBulletin version is very outdated, update to the latest.
I've run the scan and the only thing it couldn't recognize were the plugins I added. I want to back my forums up, but couldn't it just happen again?
Also, I've searched the plugin manager. Everything seems to be normal.
ozzy47
11-20-2014, 11:18 AM
As I said in post #2, you need to follow the links.
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & all versions of vBulletin 5: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions
Make sure you do not skip over any steps.
Buzzle
11-20-2014, 11:21 AM
As I said in post #2, you need to follow the links.
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & all versions of vBulletin 5: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions
Make sure you do not skip over any steps.
So if I ditch Inferno, restore it from a backup taken at a safer time, and add ACP protection, there would be no way he could access it again?
Without having access to your ACP and access logs, we don't know how the person accessed your ACP.
ozzy47
11-20-2014, 11:23 AM
There might be; that is why you need to follow all the instructions in the blog posts, as well as ditch Inferno.
ozzy47
11-20-2014, 11:24 AM
Without having access to your ACP and access logs, we don't know how the person accessed your ACP.
And if they are smart, they deleted this info. :)
Buzzle
11-20-2014, 11:24 AM
Without having access to your ACP and access logs, we don't know how the person accessed your ACP.
Is there a chance you can come on my TeamViewer and have a look?
TheLastSuperman
11-20-2014, 11:25 AM
Ahh, one of the multiple admin, do import hackers. Look for one or more shell scripts uploaded to your server, sometimes in clientscript/ or /includes, and be sure to check any sub-folders.
Are you running any nulled modifications? Inferno Shoutbox Revolutionized, what's that? :p
I'd submit a ticket and ask your hosting company to scan w/ whatever they have set up on their server, be it Maldet (also referred to as Linux Malware Detect (LMD)) or similar, but be forewarned: some of these shell scripts are custom per site (depends on if you were worth their time), so Maldet and others do not always pick those up, and the ONLY way to be sure is to go through all your folders by hand.
*Some stuff will stick out like a sore thumb. They want to be pompous, so instead of using legit names like Admin for the 5-6 spare accounts, it's always something cocky such as lolwut, lmao, amongst other names I've since long forgotten :cool: The point being, most of it is easily spotted (file names such as shell.php / sexy.php / lol.php and similar), but every so often they hide one or more files very well w/ names that seem valid, so be sure to use the Maintenance tools in admincp, do Suspect Files, and follow the other tips in the links Ozzy posted above.
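An added example (not code from the thread or from vBulletin) that turns the manual folder walk above into a repeatable check: it flags a leftover install/ directory, PHP files sitting in folders that should only hold static assets, the throwaway file names quoted above, recently modified PHP, and code that looks like a webshell. The static-directory list, the name list and the code heuristic are assumptions; the sample tree is constructed for the demo.

```python
import os, re, tempfile, time
from pathlib import Path
# Assumption: these vBulletin folders hold only static assets, so a PHP file inside is out of place.
STATIC_DIRS = {"clientscript", "images", "customavatars", "customprofilepics"}
# Throwaway names quoted in the thread (shell.php, sexy.php, lol.php, lolwut, lmao).
SUSPECT_NAME = re.compile(r"^(shell|sexy|lol|lmao)\w*\.php$", re.I)
# Heuristic for webshell-style code: an execution call fed by a decoder or user input.
SUSPECT_CODE = re.compile(
    rb"(eval|assert|system|passthru|shell_exec)\s*\(\s*"
    rb"(base64_decode|gzinflate|str_rot13|\$_(GET|POST|REQUEST|COOKIE))", re.I)

def triage_webroot(root, max_age_days=7):
    """Return sorted (reason, relative path) findings for a vBulletin web root."""
    cutoff = time.time() - max_age_days * 86400
    findings = set()
    root = Path(root)
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        top = rel.split("/", 1)[0]
        is_php = path.suffix.lower() == ".php"
        if top == "install":
            findings.add(("install dir still present", rel))
        if is_php and top in STATIC_DIRS:
            findings.add(("php in static dir", rel))
        if SUSPECT_NAME.match(path.name):
            findings.add(("suspicious name", rel))
        if is_php and path.stat().st_mtime >= cutoff:
            findings.add(("recently modified php", rel))
        if is_php and SUSPECT_CODE.search(path.read_bytes()):
            findings.add(("webshell-like code", rel))
    return sorted(findings)

def build_sample_root():
    """Constructed sample tree (not a real site): one clean file and three problems."""
    root = Path(tempfile.mkdtemp())
    old = time.time() - 30 * 86400          # "untouched for a month"
    files = {
        "includes/functions.php": b"<?php function fetch_user($id) { return $id; } ?>",
        "install/index.php": b"<?php echo 'installer'; ?>",
        "images/lol.php": b"<?php echo 'hi'; ?>",
        "clientscript/css.php": b"<?php eval(base64_decode($_POST['c'])); ?>",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
        if rel != "clientscript/css.php":   # only the dropped file is recent
            os.utime(p, (old, old))
    return root
```

Run `triage_webroot("/path/to/forum")` against the real web root; every hit is a file to inspect by hand, not proof on its own.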
ozzy47
11-20-2014, 11:26 AM
TBH, it doesn't matter now how they got in; you need to plug the holes, first off by following all the instructions in the blog posts, then upgrading to at least 4.2.2.
Buzzle
11-20-2014, 11:30 AM
Alright, I'm going to restore it from yesterday's backup and remove Inferno Shoutbox. Anything else?
TheLastSuperman
11-20-2014, 11:31 AM
OK, I remembered even more after I ran off to another thread, so I'm back to share! See my post here, as this is a very similar situation, and check for those plugins I listed or similar ones.
http://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/4012392-help-both-forum-and-admin-panel-just-show-white-page?p=4012531#post4012531
I have 1 hour of spare time; you may PM me your TeamViewer information and I'll take a look for you.
ozzy47
11-20-2014, 11:41 AM
Alright, I'm going to restore it from yesterday's backup and remove Inferno Shoutbox. Anything else?
You need to follow the instructions in the blog post I linked you to. It doesn't matter if it was not like this yesterday; they could have loaded the scripts months ago, and now they finally decided to act on them.
Follow the instructions, and upgrade to 4.2.2.
If you decide to take the easy way out, you will just be hit again, as the site is now on their radar.
RichieBoy67
11-20-2014, 03:04 PM
It depends on whether that was indeed the hole and what he did while inside. An easy way to see exactly what he did is to look at your server logs.
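An added example (not from the thread) of the server-log review suggested above: it parses Apache/nginx "combined" access-log lines, counts admincp/ hits per client address, and raises alerts for admincp requests from addresses you do not recognise, for successful requests to a leftover install/ directory, and for POSTs to PHP files under static-asset folders. The log format, the default admincp/ folder name and the sample lines are assumptions; the lines use RFC 5737 test addresses and are constructed for the demo.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format (an assumption; adjust for your host's format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
# Assumption: admincp/ keeps its default name; use your renamed folder if you changed it.
ADMIN_DIR = "/admincp/"
STATIC_PHP = re.compile(r"/(clientscript|images)/[^/]*\.php$")

# Constructed sample lines (RFC 5737 test addresses), not a real server's log.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Nov/2014:22:41:07 +0000] "GET /forum/admincp/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Nov/2014:22:41:20 +0000] "POST /forum/admincp/user.php?do=adduser HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Nov/2014:22:42:01 +0000] "POST /forum/clientscript/css.php HTTP/1.1" 200 77 "-" "python-requests/2.4"
198.51.100.9 - - [19/Nov/2014:22:43:15 +0000] "GET /forum/install/upgrade.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Nov/2014:09:00:00 +0000] "GET /forum/admincp/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def review_access_log(lines, known_admin_ips):
    """Return (admincp hits per IP, alerts) where each alert is (reason, ip, path)."""
    per_ip = defaultdict(int)
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines in another format rather than crash
        ip, method = m["ip"], m["method"]
        path, status = m["path"].split("?", 1)[0], int(m["status"])
        served = status < 400             # 2xx/3xx means the request actually got through
        if ADMIN_DIR in path:
            per_ip[ip] += 1
            if served and ip not in known_admin_ips:
                alerts.append(("admincp from unknown ip", ip, path))
        if served and "/install/" in path:
            alerts.append(("install dir reachable", ip, path))
        if method == "POST" and STATIC_PHP.search(path):
            alerts.append(("post to php under static dir", ip, path))
    return dict(per_ip), alerts

def demo():
    """Review the constructed sample, treating 192.0.2.10 as the site owner's address."""
    return review_access_log(SAMPLE_LOG.splitlines(), {"192.0.2.10"})
```

On a real host, pass `open("/var/log/apache2/access.log")` (or your host's path) as `lines` and the addresses you normally log in from as `known_admin_ips`.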
ozzy47
11-20-2014, 03:23 PM
The shout is most likely an old version that was re-released by a hacking team, and I won't mention their name. :)
Also, the vB version being run has unpatched security issues, as does any version below 4.2.2.
Another thing: it could be that the install directory was still in the root.
Either way, the OP needs to follow the directions in the blog posts, then upgrade to 4.2.2.
RichieBoy67
11-20-2014, 03:46 PM
I know that hacking team only too well. :(
Yep, I agree to stick with the plan, though I didn't read it, lol. I was just saying to check server logs; it is one of the first things to do upon being hacked. :)
vBulletin® v3.8.12 by vBS, Copyright ©2000-2025, vBulletin Solutions Inc.