Hacked through provider - files added.
Ok, looks like some a$$hole somehow got into my provider's site and purchased a $hit ton of server stuff, i.e., new server, hosting, etc. Got all that taken care of, etc.
My site has obviously been compromised, and I will address that later tonight. In the meantime, going through the cPanel screen on my provider's site, it looks like, according to the timestamps, that the culprit only ADDED files; they did not modify previously existing files. Very strange, because if someone was going to f... you over, would they not just $hit tank your site? I have an output.txt and .php files added that have somehow overridden my entire site. They did not have DB access, thank God. I assume that when you look at an FTP manager, the dates next to the files/folders (especially folders) will change even if ONE thing in a multi-tier folder changes, correct? Any input appreciated. Thanks. I still have no idea how they knew my ID and PW for my provider... they didn't even change account info, contact, etc.
Try this: log in to the admin CP > Maintenance > Diagnostics > Suspect File Versions. That will display any files which do not belong to vBulletin or are modified. Also check your plugins at Plugins & Products > Plugin Manager. There might be some fishy plugins with backdoor code.
In case you use shared hosting, they probably "rooted" the server and ran a script to replace all index files of all websites with their deface page. If that's the case, you'd better find a completely different host.
Thanks. I don't think they did that, as they charged close to a grand of $hit to my account, like new server space, domain names, etc. I have not checked the Suspect File Versions. It seems that I have only a few added files. In fact this whole thing is weird; how did someone get a multi-digit ID and long PW???? The only two people that know are God and me, and God isn't saying $hit. In fact, what is so weird is they could have totally destroyed the site, etc., but everything is there with the exception of the few newly added files. Strange... Ok, here are the files with new dates of 01/15/2015: Index.php, MS.php, output.txt, wso.php
They didn't alter anything else because those scriptkiddies usually only do it to deface your site so they can brag about it to their other scriptkiddy friends.
What I would do is:
- Change the passwords of all your stuff, just to be sure.
- Delete those suspicious files and re-upload the index.php file of vBulletin. (wso.php is a web shell, by the way, a backdoor. Delete that file ASAP.)
- Be sure all of your plugins are up to date.
- Change the admincp folder to something else.
I can help you out in private if you need help, but of course it's understandable if you have some trust issues now.
Thanks. The admin CP folder was changed to something else originally... do I need to change it again? Also, I assume they got the FTP connection info for the DB... should I change the DB PW as well? If so, do I just do that in config, or do I need to do something on the back end of vB?
Still pretty ballsy to charge $1000.00 in server and domain names... Are any of those files, with the exception of INDEX, vBulletin files to begin with? Not sure if these are fresh uploads or altered existing files.
Oh, and also, should I change the admin folder name to something else?

--------------- Added 2015-01-17 00:02 GMT ---------------

I can't delete output.txt. Is that a vBulletin file??? It keeps showing up. Thanks.
output.txt could be from the https://vborg.vbsupport.ru/showthread.php?t=268208 mod.
Please read the following two blog posts: http://www.vbulletin.com/forum/blogs...ve-been-hacked http://www.vbulletin.com/forum/blogs...vbulletin-site
--------------- Added 2015-01-17 16:45 GMT ---------------

How long does it take for Google to pick up the changes back to my site? It is still saying in Google search "hacked by..."? I resubmitted my sitemap via SEO, and have checked the page source code, and the "hacked by..." is gone (removed when I changed the site back).
Cleaned up everything, changed FTP and database passwords, removed all recent files, scanned for foreign non-vBulletin software, used secondary confirmation for host access (text PIN), changed admin folder name, PW protected, changed mod folder name, PW protected... I do have the admin firewall on, and I still got hacked again this morning. I have the admin firewall mod and never received notice that someone accessed the admincp, so I wonder if this was a direct FTP?
Can the host provider tell how someone is getting in? I updated my vBulletin software this past weekend. I don't know how these people are getting in!!! I'm not sure if it originally started off as a problem on the provider's end (as originally the hackers had access to my account info and proceeded to charge a bunch of stuff, i.e. server space, etc., on the provider's site), because I think if it was a direct FTP hack they would not have had access to my actual provider account info. I've scanned my computer at home, and have no rootkits or viruses. Any ideas how to combat this? Thanks.
You should look into the access.log file of Apache and FTP log file, maybe that will give you some more information.
Do you use shared hosting by the way, or do you have your own VPS/dedicated server?
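As an added example of what to look for in that Apache log (this is not code from the thread or from vBulletin; the log lines, the client addresses and the known-good path list are constructed), the script below flags successful requests to PHP files that are not part of a clean install, counts who drove them, and pulls the first request ever seen from a flagged client, which is where the entry point usually shows up:

```python
"""Triage an Apache access log for requests to PHP files outside a clean
install and for POSTs to them (the usual way a dropped script is driven)."""
import re
from collections import Counter

# Apache common log format; combined format also matches since the tail is unanchored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

KNOWN_GOOD = {"/index.php", "/forumdisplay.php", "/showthread.php", "/login.php"}  # hypothetical

# Constructed sample traffic (documentation-range addresses, not real clients).
SAMPLE_LOG = """\
198.51.100.7 - - [15/Jan/2015:03:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [15/Jan/2015:03:12:09 +0000] "GET /showthread.php?t=12 HTTP/1.1" 200 8831
203.0.113.44 - - [15/Jan/2015:04:40:17 +0000] "GET /wso.php HTTP/1.1" 200 912
203.0.113.44 - - [15/Jan/2015:04:40:31 +0000] "POST /wso.php HTTP/1.1" 200 2210
203.0.113.44 - - [15/Jan/2015:04:41:05 +0000] "POST /MS.php HTTP/1.1" 200 114
192.0.2.9 - - [15/Jan/2015:05:02:44 +0000] "GET /wso.php HTTP/1.1" 404 210
"""

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_requests(log_text, known_good=KNOWN_GOOD):
    """Successful (2xx/3xx) requests to PHP paths that are not in the clean install."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if (path.lower().endswith(".php") and path not in known_good
                and rec["status"][0] in "23"):
            hits.append((rec["ip"], rec["method"], path, rec["time"]))
    return hits

def summarize(hits):
    """Count requests per (client ip, path, method) to show who drove which script."""
    return dict(Counter((ip, path, method) for ip, method, path, _t in hits))

def first_request_from(log_text, ip):
    """First parsed request from ip: the earliest trace of how that client arrived."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ip"] == ip:
            return rec["method"], rec["path"], rec["time"]
    return None
```

Run it against the real access.log by reading the file into `suspicious_requests` and replacing `KNOWN_GOOD` with the PHP files of a clean copy of your vBulletin version; a 404 for a dropped file is still worth noting as a probe, it just means the file was already gone.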
Not that I'm an expert on the subject, but the only thing I can think of other than your host server having been hacked is that they could have added a plugin. Seems unlikely though.
You said you scanned for non-vBulletin software; how did you do that?
Have you deleted the install directory?
Could be a hidden file that hackers sometimes put in place, and very hard to find.
When it first happened, I went into FTP and looked at all the files, especially looking for modification dates in the last day or so. I deleted all the files that were added on the day of the initial hack, and also uploaded clean files like the index file. Would this be a good indicator for looking at suspect files: looking at the DAY they were uploaded or altered? I hate to be paranoid, but could this be something on my home computer that malware software is not finding? I have firewalls, etc., so I don't know how they are getting new PW information. It looks like these +++++++s are an Egyptian hacker group...
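Both the original post (do folder dates change when anything nested changes?) and this post (is the upload day a good indicator?) come down to how file timestamps behave. The script below is an added example, not code from the thread or from vBulletin: it judges every file by its own mtime, additionally compares PHP files against a known-good list (the list here is hypothetical), and builds a constructed temporary web root to show that a folder's date does not move when a file inside a subfolder is rewritten in place:

```python
"""Find files changed after a cutoff and PHP files missing from a known-good
list, judging each file by its own mtime, never by its parent folder's."""
import os
import tempfile
import time
from pathlib import Path

KNOWN_GOOD = {"index.php", "includes/config.php", "includes/functions.php"}  # hypothetical

def _walk_files(root):
    """Yield (relative_path, absolute_path) for every file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full

def files_changed_after(root, cutoff_epoch):
    """Relative paths of files whose own mtime is at or after the cutoff."""
    return sorted(rel for rel, full in _walk_files(root)
                  if os.path.getmtime(full) >= cutoff_epoch)

def unknown_php_files(root, known_good=KNOWN_GOOD):
    """PHP files anywhere under root that are not on the known-good list."""
    return sorted(rel for rel, _full in _walk_files(root)
                  if rel.lower().endswith(".php") and rel not in known_good)

def dir_changed_after(root, rel_dir, cutoff_epoch):
    """True only if an entry was created, removed or renamed directly in rel_dir."""
    return os.path.getmtime(os.path.join(root, rel_dir)) >= cutoff_epoch

def build_sample_root():
    """Constructed web root: clean files dated 30 days back, dropped files 1 h back."""
    root = tempfile.mkdtemp(prefix="webroot_")
    old, new = time.time() - 30 * 86400, time.time() - 3600
    layout = {"index.php": old, "includes/config.php": old, "includes/functions.php": old,
              "includes/deep/note.txt": old, "wso.php": new, "output.txt": new, "MS.php": new}
    for rel, mtime in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("sample\n")
        os.utime(path, (mtime, mtime))
    for dirpath, _d, _n in os.walk(root):   # back-date every directory as well
        os.utime(dirpath, (old, old))
    nested = Path(root, "includes", "deep", "note.txt")
    nested.write_text("edited\n")           # rewrite in place: the file's mtime moves,
    os.utime(nested, (new, new))            # includes/ and includes/deep/ stay old
    return root, old, new

if __name__ == "__main__":
    root, old, _new = build_sample_root()
    print(files_changed_after(root, old + 86400), unknown_php_files(root))
```

Point `files_changed_after` at the real document root with the day of the hack as the cutoff; it will list the nested rewrite that an FTP client's folder dates would hide, while an attacker who resets mtimes on dropped files will still be caught by the known-good comparison.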
Since the database has not been screwed with, I assume they did not get access to that, but it would be easily available considering the access info would be in a file....
I know this won't be helpful but...
$5 will get you $10 that your host is GoDaddy. I've found that a good majority of hacked sites are hosted on GoDaddy.
So, are you indicating that the issue is on their end, or my end? Like I said, I have no idea how my original account was hacked; too much info they would have had to have had. Now this time around could be explained by something still on the server that I did not clean up, or perhaps they are having issues??? Thoughts?
Well, like I said before, it's totally plausible that that hacking group has root access to the server, which would give them full control over the server, and they'd be able to do anything they want. I would just move servers as soon as possible, and you'll probably see that it was because of GoDaddy, not something related to you.
I would avoid Hostgator as well; go for Siteground or another host such as Stablehost.
There are many ways to compromise a server. It doesn't necessarily have to be through vbulletin. Your host should be able to help you find your server logs and give you an idea on how they got in.
Also, they could have gotten in through your computer itself. Have you scanned it and seen if there was anything suspicious on the computer/laptop itself?
--------------- Added 2015-01-21 00:19 GMT ---------------

Let me ask something that may be relevant. About a week ago I put out some ads for a blogger/writer. These were sent to my host email address (once you signed into the host site). A few of those that responded sent PDF files with writing history, etc. I opened these. Could this have infected the machine, and if so, would it be my machine or the host's machine? Thanks. Funny, though, I have not found any virus or malware on my system...

--------------- Added 2015-01-21 01:15 GMT ---------------

OK, took care of everything; hopefully this solves it. Now, it seems I cannot get into the forums; I get a 404 error. Now what???
404 means that files are not found.
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.