vb.org Archive


ThePhoneGuy 11-23-2009 05:38 PM

Hacked 3.8.4 pl1
 
1 Attachment(s)
Well, there's an issue. I followed you guys' security advice to the T after SEVERAL hacking attempts. Anyway, this hack, whatever it is, lets the person delete whoever they wish.

Every time, it shows invisible users on the dash. I have included an image.

ChopSuey 11-23-2009 08:43 PM

That person is not deleted; there's an option to set invisible users to have some name. I can't seem to find where it is, though.

ThePhoneGuy 11-23-2009 09:00 PM

Actually, it does delete them. However, I can re-create them if I go in and manually add their userid back via MySQL. I have upgraded to vB4; we will see what happens :P.

ChopSuey 11-23-2009 09:10 PM

LOL okay then. Good luck ;)

ThePhoneGuy 11-25-2009 04:38 AM

Hacker still got in T_T. Same method. I am upgrading to a new semi-dedi server; hopefully that helps.

Hell Bomb 11-25-2009 05:11 AM

Get the mod, track guest views so you can get the hacker's IP address, and then block his IP address via .htaccess or the vBulletin IP address banning method.

ThePhoneGuy 11-25-2009 05:21 AM

I have his IP address T_T. You don't get it. These are skilled hackers (changing IP/MAC IP is a simple task: "onion router"). I run a hacking website... Possibly a form of XSS. The method doesn't seem like he is hacking a user's account (like an admin). So I'm not sure what to think. Well, we will see if semi-dedi stops him.

CarlitoBrigante 11-25-2009 05:48 AM

They have left a backdoor in your system. There were many, many people in the past week with similar issues because of a vBSEO hack which granted the attacker full access to the system.

Even if you were not hacked through that specific hole, there is little doubt these people have some backdoor. Check the world-writable directories, and make sure that ALL your products are updated to the latest version (please note that the patched vBSEO version is still called 3.3.2, but the patch was added just a few days ago without a version number change).

Check for PHP files you do not remember having in your directories, and use the vBulletin suspicious file checker to help with this (in your diagnostic tools in the vBulletin ACP).

Until you clean up properly, they will be able to do whatever they want to.

ThePhoneGuy 11-25-2009 05:54 AM

I do not have vBSEO. Is it possible to put any info in the SQL? I am debating a clean install.

CarlitoBrigante 11-25-2009 06:07 AM

Definitely. For example, they could have injected a plugin if they hacked your database. Sometimes, they try to mask their malicious code/backdoor into existing plugins. But first, check for all PHP files in directories where they should not be; then use the vB diagnostic tool to check for suspicious files. This find command might help you identify some files:

Code:

find . -type f -mtime -5 -name '*.php'

Change the mtime value depending on how far back in time you want to go; -mtime -5 will return only files edited in the last 5 days.

Disabling all shell execution/inclusion functions in PHP, unless you really need them, is also a good idea to stop most attacks. Check this: http://www.cyberciti.biz/faq/linux-u...ble-functions/

Also, try to go through your access logs to determine the point of entry: if you find that, then you have the key to clean up everything more easily.
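
The file-system checks suggested in this thread (recently modified PHP files, and PHP files in world-writable directories) combined into one triage script. This is an added example, not code posted by anyone in the thread; the function names and the RECENT / WRITABLE-DIR / BOTH labels are assumptions of the example, and `-maxdepth` assumes GNU or BSD find.

```sh
#!/bin/sh
# Added example (not from the thread): triage PHP files under a web root.
# Usage: sh triage_php.sh /path/to/forum [days]

# PHP files modified in the last N days (the thread's find command, parameterised).
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-5}" 2>/dev/null
}

# PHP files directly inside world-writable directories. Upload, cache and
# attachment directories normally have no reason to contain PHP.
php_in_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f -name '*.php' 2>/dev/null
    done
}

# Merge both lists and tag each path: RECENT, WRITABLE-DIR, or BOTH.
triage_php() {
    {
        recent_php "$1" "$2" | sed 's/^/R /'
        php_in_writable_dirs "$1" | sed 's/^/W /'
    } | awk '
        { tag = substr($0, 1, 1); path = substr($0, 3); seen[path] = seen[path] tag }
        END {
            for (p in seen) {
                label = (seen[p] == "RW") ? "BOTH" : (seen[p] == "R") ? "RECENT" : "WRITABLE-DIR"
                print label, p
            }
        }' | sort
}

# Run against the directory given on the command line, if any.
if [ "$#" -ge 1 ]; then
    triage_php "$1" "$2"
fi
```

Paths tagged BOTH or WRITABLE-DIR are the ones to read first. Modification times can be reset by whoever wrote the file, so an empty RECENT list does not show the tree is clean.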

