vb.org Archive
Page 1 of 8 1 23 Last »
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Hacked by Team Animus? (https://vborg.vbsupport.ru/showthread.php?t=263202)

Valter 05-05-2011 02:02 PM
Hacked by Team Animus?
 
If your forums has been hacked by "Team Animus", please read this to get helped to remove hacking traces and make your forums secure.

NOTE: Please be careful when removing any data. Make sure you have backups of your important files and databases!

What they did:
Code:
1. Added vba.php to INCLUDES folder
2. Replaced several index.php files, added some index.html files
3. Added new user with ID "13371338", admin status
4. Changed user titles to "Hacked by Team Animus"
5. Disabled current admins
6. Disabled forums
Here is what I have done:
Code:
01. MyAdmin > Deleted latest user (hacker - admin group)
02. MyAdmin > Changed autoincrement value in USER table to {LatestUserID} + 1
03. MyAdmin > Executed two queries to fix user titles:
        UPDATE user SET usertitle = replace(usertitle, "Hacked by Team Animus", "");
        UPDATE user SET customtitle = '0' where customtitle = '1';
04. FTP > To be sure that all files are OK, I've deleted everything from my forum folder, except:
        images, banners, .htaccess, favicon, config.php (re-checked content of this one, just in case)
05. FTP > Uploaded original forum files + custom .php's which belongs to add-ons I'm using
06. FTP > Uploaded tools.php, restored my admin status, enabled forums
07. FTP > Deleted tools.php and /install/install.php
[S]08. ACP > Removed "Skimlinks Plugin" (who installed this? hacker?)[/S] - Edit: added by vB in 4.1.3
09. ACP > Updated "VSa - Advanced Forum Rules" add-on (download latest version: vB3.x, vB4.x)
10. ACP > Re-imported all add-ons I'm using, with "overwrite" checked, to ensure there are no modified codes
11. ACP > Maintenance > update user titles, fix broken user profiles, repair and optimize tables

If you have any questions, feel free to ask.

And again: Make sure you have backups of your important files and databases before you delete anything!

RCKSTR 05-05-2011 02:15 PM
ok, so I went to

user>operations>changed the user number to be correct>hit "go"

And it reverts right back to the 13371341

Any ideas?

Valter 05-05-2011 02:19 PM
It should be {LatestUserID} + 1.

Check user ID of your latest regular user (sort rows by user id desc). Let's say its 456.
Go to USER table > Operations > change AUTO_INCREMENT to 457.

RCKSTR 05-05-2011 02:22 PM
nevermind, I missed 3 new registrants.

Valter 05-05-2011 02:43 PM
I'm still wondering how they added files.

There must be something more than Forum Rules add-on.

Boofo 05-05-2011 03:54 PM
If they breached the db because of the exploit it would be nothing to get to the server from there, I would think.

Oh, and this is legit:

08. ACP > Removed "Skimlinks Plugin" (who installed this? hacker?)

It was added in 4.1.3, I think.

Eplexx 05-05-2011 04:08 PM
Great share, I wasn't attacked thank god.

Zachery 05-05-2011 05:23 PM
Not every site had the same things done to it honestly. Having cleaned a number of them, lots of different things were done to different sites, not all steps were done to all of the sites. It would be in your best intrests to RESTORE A BACKUP, or contact vBulletin support for help.

wraggster 05-05-2011 08:45 PM
my forum has also been hacked by 2 different groups, one just did a quick and simple redirect, the other has for the moment taken control and somehow they are redirecting everything to their server, my server admin isnt around at the moment so im totally at a loss how to kill them off

ive been hacked by http://pro2leet.net/forum.php and http://belegit.net/forum/ and both these sites use vbulletin software

AusPhotography 05-05-2011 10:35 PM
We were lucky in that (Australian time) the hack attack occurred in the early morning but after our daily 3am backup.

I changed passwords, I deleted all the newly updated files, I replaced them from original source, restored from the 3am backup - all good.
We only lost a handful of threads and posts, but it was the safest option IMHO.

Lessons?
1. Have a daily backup!
2. Have all the source code safe somewhere else.
3. Take more time to eyeball add-on code

Note: Valter's code has been around for years. NO ONE noticed the problem until now.

It's very easy to visually check all form fields and SQL in an addon; checking that vB cleaning and escape_string have been applied.
We (Admins) all need to be vigilant, no point blaming anyone, TeamAnimus have done us a favour by making us take security seriously.
Not that I would object to tasking Seal Team 6 onto TeamAnimus :D


Kym

--------------- Added [DATE]1304639047[/DATE] at [TIME]1304639047[/TIME] ---------------

Quote:
Originally Posted by wraggster (Post 2192422)
my forum has also been hacked by 2 different groups, one just did a quick and simple redirect, the other has for the moment taken control and somehow they are redirecting everything to their server, my server admin isnt around at the moment so im totally at a loss how to kill them off

ive been hacked by http://pro2leet.net/forum.php and http://belegit.net/forum/ and both these sites use vbulletin software
Once the vba.php trojan is there, anyone can use it to hack your system. :eek:
Sounds like a piggy back attack to me. :(


All times are GMT. The time now is 11:40 AM.
Page 1 of 8 1 23 Last »
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01181 seconds
  • Memory Usage 1,738KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_code_printable
  • (1)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete