|
Home Page Hacked
1 Attachment(s)
Hi,
Its been 2,3 times that my forum mainpage has been hacked, before i deleted the index.php page and uploaded it again but this time its not working....after hacking the main page somehow hackers are making IDs with full Admin Power...... Has anyone got a clue whats happening?? i really need help with this issue Attachment 146347 |
Delete the /install directory.
Here is a interesting article TheLastSuperman wrote, it way help, http://www.vbulletin.com/forum/blogs...vbulletin-site If none of that helps, ask your host to reload your most recent backup, then you would still need to delete the install directory. |
Thanks for your reply mate
But the thing is only the main page has been hacked if i run a backup it will probably take a week posts thread and that.... So is there any solution just to restore my home page please.... |
Read the article, and follow the suggestions there.
|
First thing you have to do is reset all the passwords, that means anyone signing in has to change their password.
Secondly you need to go through the files and see if there are any there that shouldn't be. The only way to restore things as they were id by running a backup, and to be honest it shouldn't take that long, once you get it from your host, I know it's too late, but you should really be downloading a back at least every other day yourself, not relying on the host. If it's only the front page that they have hacked, ( I'm assuming it's a portal) alter your .htaccess to forum.php, then at least your members can get into the site. |
Quote:
He could of used any one of these to inject the change on your home page: base64 code in the db, in the datastore, template or style tables. iframe code in the db, in the datastore, template or style tables. You simply need to remove the code, but first you have to find it, there are a few articles out lining ways to find it in the db & one hack to search for certain things i nthe datastore, which will remove it & rebuild your datastore for you. |
Quote:
one more thing is that i only backup my database and the size of the database backup is around 300 so am not even sure its thats the right backup.....but i download it from my control panel.... --------------- Added [DATE]1378674505[/DATE] at [TIME]1378674505[/TIME] --------------- Quote:
|
Did you follow the steps in the article I linked you to? It tells you in there.
Code:
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%';Code:
SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR template like '%iframe%'; |
please contact me i will help you.....thanks
|
You could always hire Securi --
They'll clean your site and monitor it for the next year. They do a great job. . |
Hi Guys
Thanks everyone for your help.....i had problem in my forumhome template......i reverted that template now its working fine.... |
If it's the Syrian Army whatchamacallit, they apparently found a way to add themselves as administrators even getting past user moderation/approval (unless someone on my team approved an odd account without telling me).
They hacked NOTICE.PHP and embedded a meta-refresh in the PHRASE table. I don't that it will stop them but I have added the following to my .htaccess # Block Syrian Army IP Addresses deny from 5.0.0.0/16 deny from 31.9.0.0/16 deny from 82.137.192.0/20 deny from 91.144.0.0/20 deny from 178.253.64.0/20 These IP addresses are all assigned to a Syrian government ISP (and sharing this list here may tip them off that I have identified which network they came in from). I am using VB 4.something (still uploading a backup of the actual VBulletin files so my forum is offline at the moment). ADDED ON EDIT: Vbulletin 4.1.5 Patch 1 I don't think changing passwords is going to help with this. They found a flaw in the VBulletin script. I show three actions by the hacker's user account in the ADMINLOG. They are: ADD action with "notice.php" UPDATE action with "notice.php" MODIFY action with "notice.php" He used a HOTMAIL.IT email address (according to the user account). He apparently deleted his IP address from the USER record (or when he injected it the IP address wasn't recorded). The ADMINLOG shows the IP address, though. I'll post more info when I find it. If anyone knows how they managed to create an admin user account without being approved, I'll be glad to hear about that. Please spare me the "they cracked your password" explanation as that dog won't hunt. |
Al souweqah street, Damascus seems to be there going by their ip but I am sure none of the ips are even his real ones. I did see a plugin here that blocks citys or something like that. If anyone has a link plz post it
|
The IP address is real. The hack started at 19 minutes after the hour and was finished within 9 minutes.
He hit an old thread from 2006 that looks pretty innocuous to me. It looks like he then hit the upgrade script in the install directory (I know -- I should not have left that there, but I get busy with a lot of tasks on this server). After hitting the upgrade.php a couple of times and firing off some Javascript he got into the AdminCp. Once in he executed the newsproxy.php script. Then he hit the notice.php script. And then he was done. --------------- Added [DATE]1378745307[/DATE] at [TIME]1378745307[/TIME] --------------- I doubt I can shed any more light on this. He got in through an UPGRADE hack and that is all my fault. |
I have reverted my forum home template, deleted the install directory and removed the two admin accounts that were created.
Should I be okay after this? |
There are no guarantees in life but deleting the accounts and the scripts they used to hack in will certainly make it harder for them to do any more damage.
I also pruned all users awaiting email confirmation, only out of spite, because they were also all obvious forum spammers. --------------- Added [DATE]1378747182[/DATE] at [TIME]1378747182[/TIME] --------------- For what it's worth, I had my admins change their passwords but I don't think that was necessary on this one occasion. That said, the main admin account's password cannot be changed because I blocked that in the INCLUDES/CONFIG.PHP script. That is a prudent measure to take because when they do get in and create an admin account, they can change passwords all over the place. This is the section to update: Code:
// ****** UNDELETABLE / UNALTERABLE USERS ****** |
OK, I'm hacked the same way.
I upgraded all files to 4.2.2. I deleted the /install directory. I've searched, and the ONLY two Admin accounts are those of myself and our Editor ... Still hacked - not sure what else to do? It redirects to the Syrian army thing as soon as you login to the forums or click a thread. |
In my case the hacker embedded an HTTP meta refresh directive in new NOTICE.
|
xenite - can you explain a little more detail - where is that located, and how can I clear it out? I've replaced ALL the forum files on the server, so assume this must be injected into the mySQL?
|
Login to ADMINCP.
Scroll down to NOTICES (FAQ should be just above it, ANNOUNCEMENTS should be just below it). Click into NOTICES MANAGER. If they loaded a notice, you will see it there. |
boom-that was it. deleted both of them, upgraded to 4.2.1 and removed /install directory. Should that tighten things up?
|
Zachary, one of the support staff here, has shared this info:
Quote:
For example, I run a dedicated server and I have managed to lock it down in a lot of ways. I was simply not aware of this new INSTALL directory hack (Vbulletin for some reason can't allow me to change my email address for my membership so every time I turn off the old one I miss all their notices). Anyway, you can lock down a server by using a firewall to block IP addresses that participate in brute force dictionary attacks (they try to log in to forums, blogs, and servers with random user names and passwords). You can disable FTP and SSH services when you are not using them (but if you run an HTTPS site you need to keep SSH active). In VBulletin you can prevent people from changing your admin password but only if they cannot hack into your server (or server account on a shared server). Passwords are harder to crack if they are 11 characters long (forget all the funky special characters -- they don't offer any additional protection). If you can "salt" your passwords (by adding 2 or more characters to the passwords when they are stored in the database) you should. However, if hackers can get into your server and download the encrypted password file they can crack all the passwords in a matter of hours or days (depending on how long the passwords are). It really comes down to being prudent and diligent. You cannot always keep them out. There are a lot more of them out there trying to hack your site than there is of you (if that makes sense). |
Yesterday or the day before my homepage got hacked. Arabic writing. I was on vB 4.1.12. I upgraded to 4.2.1, and FTP'd the files and then used the vB upgrade process. It worked. I then deleted the Install file from the FTP.
This should have solved the issue, but today, got hacked again. Gonna try the same process to see if I can get my forum back, but this time I cannot even access the Admin CP panel, a hacked page comes up :( Quote:
Turns out there were several Admin accounts I knew nothing of. Now those accounts, one of which was cleverly named vbsupport, have been deleted. Hopefully this solves the problem but if not, I am happy to share. |
| All times are GMT. The time now is 07:36 AM. |
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
| X vBulletin 3.8.12 by vBS Debug Information | |
|---|---|
|
|
 More Information |
|
|
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|