vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   Site Hacked - Added Unknown Plugin (https://vborg.vbsupport.ru/showthread.php?t=293462)

airplane-dude 01-01-2013 06:04 AM
Site Hacked - Added Unknown Plugin
 
Hi all,

My forums have been hacked.. I had an unknown plugin installed, and deleted.. and it's added re-directs and virus to my forums. Any ideas on how to 'clean' it? There are no unknown plugins on my forums now, but my admin log shows some bad activity:

ID User Name Date Script Action Info IP Address
40004 admin 15:18, 28th Dec 2012 plugin.php
40003 admin 15:18, 28th Dec 2012 plugin.php kill plugin id = 49
40002 admin 15:18, 28th Dec 2012 plugin.php delete plugin id = 49
40001 admin 15:18, 28th Dec 2012 plugin.php
40000 admin 15:11, 28th Dec 2012 plugin.php edit plugin id = 49
39999 admin 15:11, 28th Dec 2012 plugin.php update plugin id = 49
39998 admin 15:11, 28th Dec 2012 plugin.php edit plugin id = 49
39997 admin 15:11, 28th Dec 2012 plugin.php modify
39996 admin 15:10, 28th Dec 2012 template.php search
39995 admin 15:09, 28th Dec 2012 attachment.php types
39994 admin 15:09, 28th Dec 2012 attachmentpermission.php
39993 admin 15:08, 28th Dec 2012 image.php upload Avatars
39992 admin 15:07, 28th Dec 2012 plugin.php
39991 admin 15:07, 28th Dec 2012 plugin.php update plugin id = 49
39990 admin 15:07, 28th Dec 2012 plugin.php edit plugin id = 49

Any help would be appreciated.

borbole 01-01-2013 10:43 AM
If I were you I would revert to the most recent backup prior to being hacked. Another thing would be to do a thorough check up of your server space for any backdoor files and the likes and overwrite all your forum files with a fresh set from a new vb package your forum version. Also it would be best to contact your host and to ask them to check their access logs for around the time of the hack to see if there will be any info as to how they got in.

P.s. What version of vb are you using btw? If you are not already using the latest version, it would be best to upgrade your forum a.s.a.p.

Carnage 01-01-2013 11:04 AM
the plugin probably edited some templates directly to put the redirect code in. If you don't have any recent backups, I'd suggest looking at the templates (maybe reimport your styles)

airplane-dude 01-01-2013 02:19 PM
Very is latest of 3.8.X (I posted this in the wrong section I guess, sorry)..

I will admit, my latest backup was quite sometime ago..

Is there a way to revert to the default templates?

Lynne 01-01-2013 05:25 PM
Upload tools.php to your /admincp and point your browser to it > login > Rebuild Master Style

Then create a new style with no parent:
  • Styles & Templates > Style Manager > Add New Style
  • Parent Style: No Parent Style
  • Title: Default vBulletin
  • Allow User Selection: Yes
  • Save
Then browse the site using that totally default vbulletin style - do you still have the same problem?

airplane-dude 01-02-2013 01:40 AM
Does doing the above get rid of the color schemes and look of the forums?

Can I save those colors and such, somewhere?

Max Taxable 01-02-2013 01:45 AM
Quote:
Originally Posted by borbole (Post 2393957)
If you are not already using the latest version, it would be best to upgrade your forum a.s.a.p.
The version matters not at all if it's backdoor exploits installed by the admin via a style template. (Or any mod with such.)

Lynne 01-02-2013 02:38 AM
Quote:
Originally Posted by airplane-dude (Post 2394106)
Does doing the above get rid of the color schemes and look of the forums?

Can I save those colors and such, somewhere?
Rebuilding the Master Style will not touch your color schemes or modified templates unless you did something really strange and modified the master style instead of just creating and modifying a new style (very rare). You can always export your style first via Styles & Templates > Download/Upload Styles if you think you may have done that. Again, you would have needed to be in debug mode to do that in the first place which would be very rare for a regular vbulletin user.


All times are GMT. The time now is 02:31 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01064 seconds
  • Memory Usage 1,726KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (8)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete