vb.org Archive

4.2.1 PL1 hacked, what to look for in logs (https://vborg.vbsupport.ru/showthread.php?t=313608)

ozzy47 08-10-2014 06:56 PM

And I assume the same thing for each usergroup?

ifitsmedia 08-10-2014 06:57 PM

Yes, HTML is disabled in all usergroups as well.

ozzy47 08-10-2014 06:59 PM

And you have gone through all the PHP files in your forum root, and there is nothing there that should not be?

ForceHSS 08-10-2014 07:04 PM

Have you changed all passwords for all admins, FTP and cPanel? If not, it needs to be done. The next step is to hire someone to find out how you have been hacked.

ozzy47 08-10-2014 07:05 PM

How about any erroneous cron jobs? ACP --> Scheduled Tasks --> Scheduled Task Manager

ifitsmedia 08-10-2014 07:07 PM

I ran Maintenance > Diagnostics > Suspect file versions and checked every file that had a notice. Aside from some older files from previous versions of VB and old plugins, nothing was out of place.

I replaced all VB core files with fresh downloads, and replaced most plugin files as well.

Sucuri and ClamAV didn't find anything either.

Quote:

Originally Posted by ozzy47 (Post 2510743)
How about any erroneous cron jobs? ACP --> Scheduled Tasks --> Scheduled Task Manager

Those all seem to be ok as far as I can tell. There's a couple from mods and the rest look like core VB tasks.

tpearl5 08-10-2014 07:16 PM

Quote:

Originally Posted by ifitsmedia (Post 2510693)
Thanks tpearl5. Yes, install dir was already removed.

I also suspect there is a backdoor somewhere, or a file that is vulnerable to SQL injection. I'm wondering if there are some strings I can search my Apache raw access logs for to identify the culprit.

I'm not sure anything would appear in the access logs, but you may want to look at and sort by the modified dates of any files (not just vBulletin ones).
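
Added example, not part of any post in this thread: one way to do the modified-date review suggested above, in Python. It walks every file under the forum root, not only vBulletin's own, and sorts by the newer of mtime and ctime, because mtime can be set back with `touch`. It assumes a POSIX host, where `st_ctime` is the inode change time; the names `recent_changes`, `demo`, `SKEW` and the sample file names are made up for the example.

```python
import os
import sys
import tempfile
import time

SKEW = 60  # seconds ctime may run ahead of mtime before a file is flagged

def recent_changes(root, since_epoch):
    """List every file under root touched after since_epoch, newest first.

    touch/os.utime can reset mtime but not ctime, so a file counts as
    recent if either timestamp is newer than the cutoff.
    """
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable, skip it
            if max(st.st_mtime, st.st_ctime) < since_epoch:
                continue
            hits.append({
                "path": os.path.relpath(path, root),
                "mtime": st.st_mtime,
                "ctime": st.st_ctime,
                # A hint, not proof: archive extraction also preserves old mtimes.
                "backdated": st.st_ctime - st.st_mtime > SKEW,
            })
    hits.sort(key=lambda h: max(h["mtime"], h["ctime"]), reverse=True)
    return hits

def demo():
    """Constructed sample tree: one fresh file, one with mtime set back a year."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        for rel in ("forum.php", os.path.join("images", "cache.php")):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("<?php // constructed sample\n")
        old = time.time() - 365 * 86400
        os.utime(os.path.join(root, "images", "cache.php"), (old, old))
        return recent_changes(root, time.time() - 7 * 86400)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None  # forum root, else the demo
    rows = recent_changes(root, time.time() - 7 * 86400) if root else demo()
    for r in rows:
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(r["mtime"]))
        print(stamp, r["path"], "BACKDATED?" if r["backdated"] else "")
```

Files just re-uploaded from a fresh download will also show up as recent, so compare the list against what was deliberately replaced.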

doctorsexy 08-10-2014 07:18 PM

Why are you on 4.2.1 and not 4.2.2?

ifitsmedia 08-10-2014 07:21 PM

It was due to incompatibility with a mod I was using. I'm no longer using it and will be upgrading, but I don't think 4.2.1 PL1 -> 4.2.2 PL1 fixes any security issues.

ozzy47 08-10-2014 09:24 PM

Looks like you may have to resort to paying to have it sorted. :(

