|
HACKED vBulletin 4.2.0 Patch Level 3
Hello guys,
Maybe someone can help me... Today morning my vBulletin 4.2.0 Patch Level 3 was hacked by what it seems a brasilian hacker that leaved this message: Quote:
I have vBa CMPS installed in the root of the forum and the index is working fine, only when we go to forum.php is redirecting to this page: http://i.imgur.com/JingJTM.png The source code of that page is: http://paste2.org/YeFAjz9m Any ideas guys? Please? Thanks! Best regards, Tim --------------- Added [DATE]1378910715[/DATE] at [TIME]1378910715[/TIME] --------------- Ok, I have found this in my forumhome template: http://paste2.org/Mw7snpxK I also have found a new admin in the administrators group: ID: 136733 username: polter email: pulodentrodurio@hotmail.com join and last activity date: 11-09-2013 Could he modified anything more? |
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked http://www.vbulletin.com/forum/blogs...vbulletin-site Also please see these recent security announcements: vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5 vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions |
Did you have the install folder in place?
Remove it, remove the new admins, remove or revert the compromised templates, enjoy a cold beer. |
|
Thank you guys for your help!
Does someone know exactly what the hacker changed? Until now only found: 1- a new admin (already deleted) 2- forumhome templatechanged (already reverted) I already deleted the install folder also like Wayne Luke said here: http://www.vbulletin.com/forum/forum...-1-vbulletin-5 Anymore changes that anyone have notice? Best regards |
Did you read over: http://www.vbulletin.com/forum/blogs...ve-been-hacked ?
|
Thank you squidsk,
Just a quick note. I saw the logs on And found what he did: http://i.imgur.com/pJRBdfi.png So, If I am right, he only modified template files right? Is possible to know if was only forumhome or more? Thanks! --------------- Added [DATE]1378915535[/DATE] at [TIME]1378915535[/TIME] --------------- UPDATE: I have checked all template files one by one in the Last edited information and the only template file that was edit by the hacker was FORUMHOME in all templates that I have installed. It says: Last edited September 11 2013 at 05:51 by polter UPDATE2: I notice a new template file that was edit today (the day that my vb was hacked) and the file was bbcode_video It says: Last edited September 11 2013 at 05:49 by Note that don't appear the username, but the file was edit today and 2 minutes before he change FORUMHOME My bbcode_video file code: http://paste2.org/5bP0w05b UPDATE3: Just cant find the template file that he inserted on style 2 (default): http://i.imgur.com/pJRBdfi.png I saw the files one by one and cant find the today date... |
Same problem here!
To resolve I did a restore from my DB (earliest possible before the attack) Also deleted the install folder. Now everything seems to be ok! ... It is advisable to change passwords .. |
| All times are GMT. The time now is 03:35 PM. |
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
| X vBulletin 3.8.12 by vBS Debug Information | |
|---|---|
|
|
 More Information |
|
|
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|