vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Being hacked A LOT, help? on 4.2.1 (https://vborg.vbsupport.ru/showthread.php?t=302400)

The Mailman 09-17-2013 05:24 PM

Being hacked A LOT, help? on 4.2.1
 
My site (supermensa.org) is being hacked with the hackers gaining access to admin and presumably the sql database. The first hack was, I assume since they have a walkthrough on their site on how to do it, due to the /install/ folder exploit. I've since upgraded to 4.2.1 and deleted /install/, and they still came back and nuked the place. (changing my admin email and altering the visual appearance of the site to give the generic "you've been hacked lulz" message.

I have it set in config that my admin account cannot be altered, yet things like email get changed when they strike.

any ideas? anything someone can see that's open on my site? should i leave hooks/plugins off for the time being?

TheLastSuperman 09-17-2013 05:31 PM

Sounds to me like a file was overlooked when you cleaned it the first time around... either a file is still present (shell script more than likely) or a plugin still within your database.

Follow these guides, by that I mean grab what you fancy red bull or coffee, sit back, read then have at it! Be thorough or don't even bother - no honestly you must be thorough no joke I'm saying that with much emphasis these days!

http://www.vbulletin.com/forum/blogs...vbulletin-site
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site

Steve-Hoog 09-17-2013 05:46 PM

The Mailman

Just for grins, do you have any of these Plugins?

Quote:

VSa - Advanced Forum Statistics 7.1 VSa - Advanced Forum Statistics
Edit Check Version Disable Export Uninstall

VSa - ChatBox 3.1.8 VSa - ChatBox
Edit Check Version Disable Export Uninstall

VSa - Visitors in Last X Hours 3.0.4 VSa - Visitors in Last X Hours


The Mailman 09-17-2013 06:26 PM

Quote:

Originally Posted by TheLastSuperman (Post 2446259)
Sounds to me like a file was overlooked when you cleaned it the first time around... either a file is still present (shell script more than likely) or a plugin still within your database.

I can't be a file left over (I did an emergency rollback to like 1-2 weeks before they knew we existed on both the /forums/ dir and the sql database) so I guess a plug-in

will disabling all plugins manually do the trick and just updating/re-enabling one by one, or do i have to uninstall everything and start over


Quote:

Originally Posted by Steve-Hoog (Post 2446265)
The Mailman

Just for grins, do you have any of these Plugins?

nope

Steve-Hoog 09-17-2013 06:43 PM

Quote:

Originally Posted by The Mailman (Post 2446279)
nope

That kind of eliminates that idea.

I have seen it can't happen to 4.1.x, not true.

I have seen it can't happen if the Install is removed; others are saying not true. I have just removed mine; so I will find out soon enough.

People keep asking me how they are getting in; well heck if vB can't tell us, how would I know!

The Mailman 09-17-2013 07:13 PM

fwiw, i've updated every plugin i had running to the latest version and renamed the database

admincp is under .htaccess protection now

any other way they'd be able to access the sql database or admin?

Steve-Hoog 09-17-2013 07:28 PM

Just made this post in another thread here: On vb.com one user is suggesting our MySQL database is compromised because of a lack of security on our config.php file. This is the most sensible explanation I have heard so far. But I don't know how to monitor MySQL access; I'll be trying to figure that out next.

CAG CheechDogg 09-17-2013 08:39 PM

Quote:

Originally Posted by Steve-Hoog (Post 2446265)
The Mailman

Just for grins, do you have any of these Plugins?

What is wrong with these plugins? Since you mentioned them are we supposed to be concerned with these?

Steve-Hoog 09-17-2013 09:03 PM

I have had several people suggest Plug Ins are vulnerable; I thought maybe if several of us have the same Plug In, maybe a pattern could be established to suggest one of them is bad. Was just an idea and in no way implies any of my three are bad.

It seems the experts have no clear answer, so I am beating the bushes so to speak.

Lynne 09-17-2013 11:38 PM

After you were first hacked, did you make sure to check your Administrator usergroup and verify you didn't leave their account as an Administrator (so they could still access the admincp)? And, did you go through your Plugin Manager and make sure they didn't add any plugins to your site? Also verify that all your old plugins haven't been touched and had bad code added to them. If you can't do those things, I'd suggest using a database backup. Also, make sure all the files uploaded to the site are default vbulletin files and not files added by the hackers.


All times are GMT. The time now is 01:35 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01036 seconds
  • Memory Usage 1,739KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (5)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 

Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete