vb.org Archive


Bradley_Wint 12-14-2007 12:36 PM

I Just got hacked...What Now?
 
Well folks, my account was hacked... I was lucky enough to change my info back from the phpMyAdmin backend. What this means though is my system seems to be vulnerable. I have vbExternal, Deluxe Login and AnyMedia mods installed. Are any of these mods hackable? Or is it just vB?

Calash 12-14-2007 01:14 PM

First thing to do is check all your files. Look for anything that should not be there. A common practice once a hacker gets access is to leave a shell script of some kind, so they can get back at any time.

What type of damage did they do? Was it just an alteration of some of the pages or was there deeper access, possibly to the database?

I would suggest disabling all your mods and changing all your passwords. Once some other replies come in on the security of the mods you can then determine if they are safe enough to reactivate.

UberMensch 12-14-2007 01:15 PM

Very much doubt it would be vBulletin itself. Jelsoft are professional coders ;)

The second mod sounds a bit iffy, what does it do?

Bradley_Wint 12-14-2007 01:28 PM

Quote:

Originally Posted by Calash (Post 1400974)
First thing to do is check all your files. Look for anything that should not be there. A common practice once a hacker gets access is to leave a shell script of some kind, so they can get back at any time.

What type of damage did they do? Was it just an alteration of some of the pages or was there deeper access, possibly to the database?

I would suggest disabling all your mods and changing all your passwords. Once some other replies come in on the security of the mods you can then determine if they are safe enough to reactivate.

They only hacked my account so far. I have changed my passwords and disabled the one mod that is attached to vB. The vbExternal and Deluxe Login are separate so I left those.

I dunno but I wanna think it was a flaw in the deluxe login but I read through the entire mod post and no one complained of hack issues.


Update - OK, I checked my IP trail and there seem to be no odd IP addresses so I will assume my account was not accessed yet. Secondly, my mods are disabled and there seems to be no file tampering. Is it possible to hack people via the password recovery method? I remember MSN used to have that problem so maybe it might be possible this way.

UberMensch - I wouldn't say vb is 100% hack proof so I wouldn't want to rule it out because they have come across very vulnerable holes in the past.


Is there a possibility that bots are attacking my site and changing the password alone?

Kirk Y 12-14-2007 05:52 PM

Quote:

Originally Posted by Bradley_Wint (Post 1400987)
UberMensch - I wouldn't say vb is 100% hack proof so I wouldn't want to rule it out because they have come across very vulnerable holes in the past.

Vanilla vBulletin is 99.9% secure. Not to mention, these "vulnerable holes" you mentioned almost always (1) require an extravagantly outlandish and extreme set of circumstances, variables, and conditions be met for any security breach to occur and (2) are fixed before most of the Internet at large knows they exist.

Having said that, the fault most surely lies either with your server or a modification you've installed/made physically to your vBulletin installation.

I'd suggest that you replace all your non-image files with fresh ones from the vBulletin.com Member's Area.

There is also a feature in the vBulletin AdminCP under "Maintenance" which is called "Check for Suspect Files". Using this, you can see any files whose contents don't match what default vBulletin files should contain and also any non-native files in your forum directory.
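The check described in the post above (changed files plus non-native files) can also be run from outside the forum software. The following is an added example, not part of the original thread and not vBulletin's own code: it compares a live directory against a manifest built from a known-good copy, and the sample trees and file names in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def audit(live_root, clean_manifest):
    """Compare the live tree with a manifest built from a known-good copy."""
    live = build_manifest(live_root)
    return {
        "modified": sorted(p for p in live if clean_manifest.get(p, live[p]) != live[p]),
        "unknown": sorted(p for p in live if p not in clean_manifest),
        "missing": sorted(p for p in clean_manifest if p not in live),
    }

def write_tree(root, files):
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

def demo():
    """Constructed sample trees: one edited file, one extra file, one deleted file."""
    clean = {"index.php": b"<?php // index", "cron.php": b"<?php // cron",
             "includes/functions.php": b"<?php // functions"}
    live = {"index.php": b"<?php // index",
            "includes/functions.php": b"<?php // functions, edited",
            "images/unexpected.php": b"<?php // not in the package"}
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as site:
        write_tree(good, clean)
        write_tree(site, live)
        return audit(site, build_manifest(good))
```

Installed modifications add files of their own, so an "unknown" entry is a file to review rather than proof of a backdoor; build the manifest from a freshly downloaded package, not from the server being examined.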

Bradley_Wint 12-14-2007 07:32 PM

Ok so I did a Suspect File check and found this file on the server:

modevfration.php >> apparently it is a php.backdoor trojan

I am going to check into the other mods to see if there are any security breaches. Plus I got some info from the vbulletin.com forums on how to secure vb much more so I will be doing that. Thanks for the help so far and I will report back on my progress.

I think I may know why the worm slipped in. I had HTML enabled for a forum where only I could post but I think having HTML is a bad idea period so it's disabled as well.

binkuang 12-21-2007 04:38 AM

Hi... I'm a newcomer to vB, and my forum just got hacked 2 weeks ago. They can get into my admin anytime they want. I changed it and set a double password on my AdminCP, but it doesn't work. Then my friend told me to rename the AdminCP folder, I mean change uume.com/admincp to uume.com/XXX. After I changed it, I never saw him get into my admin again. I really want to know: how can I see his hack file or trojan virus on my web server? How can I test that? Do I use software or something else?

Bradley_Wint 12-21-2007 03:07 PM

Binkuang, This is what Kirk Y said, and it worked for me -
Quote:

There is also a feature in the vBulletin AdminCP under "Maintenance" which is called "Check for Suspect Files". Using this, you can see any files whose contents don't match what default vBulletin files should contain and also any non-native files in your forum directory.

binkuang 12-21-2007 03:13 PM

The hacker just got back in today... I really thought he couldn't get into my AdminCP... but no. I erased all files and posts and the MySQL database too. That is very sick. www.monkeylovepig.com is my forum. I lost.

I really don't see the one called "Check for Suspect Files" in Maintenance. The list has Database Backup, Repair / Optimize Tables, Update Counters, Diagnostics, Execute SQL Query, View PHP Info. Is my forum different? And also, how do I disable all mods?

Calash 12-21-2007 03:43 PM

Changing your password is the first step, but it is not the only step and you cannot stop at that point. You need to find out how the hacker got access to your site, and if they left anything behind to allow them to access it again.

If you are on a shared host you may also want to check their support. I have seen times that, due to specific configurations, other accounts can place files in your web space, or worse, edit files in your space.

JayJay 12-21-2007 04:00 PM

Quote:

Originally Posted by binkuang (Post 1406261)
I really don't see the one called "Check for Suspect Files" in Maintenance. The list has Database Backup, Repair / Optimize Tables, Update Counters, Diagnostics, Execute SQL Query, View PHP Info. Is my forum different? And also, how do I disable all mods?

Go to AdminCP -> Maintenance -> Diagnostics -> Suspect File Versions

binkuang 12-22-2007 04:33 AM

1 Attachment(s)
Thanks very much... Nothing I can do now. I'm from the army, just got discharged. If it's a fight, I'm OK, but the web I'm not able to handle. And I really don't know how he can access my AdminCP. I just did the Suspect File check; it shows below. Is this the one that has a problem: bencode.php?

Lynne 12-22-2007 03:02 PM

Why do you have two threads about this?

I posted in the other that I doubt that file is a problem. I have that file on my site because I use those functions for my tracker and tracker related queries/code on my site.

Bradley_Wint 12-22-2007 06:19 PM

The bencode file is part of the AnyMedia mod.

