Being hacked A LOT, help? on 4.2.1
 

My site (supermensa.org) is being hacked with the hackers gaining access to admin and presumably the sql database. The first hack was, I assume since they have a walkthrough on their site on how to do it, due to the /install/ folder exploit. I've since upgraded to 4.2.1 and deleted /install/, and they still came back and nuked the place. (changing my admin email and altering the visual appearance of the site to give the generic "you've been hacked lulz" message.

I have it set in config that my admin account cannot be altered, yet things like email get changed when they strike.

any ideas? anything someone can see that's open on my site? should i leave hooks/plugins off for the time being?

Sounds to me like a file was overlooked when you cleaned it the first time around... either a file is still present (shell script more than likely) or a plugin still within your database.

Follow these guides, by that I mean grab what you fancy red bull or coffee, sit back, read then have at it! Be thorough or don't even bother - no honestly you must be thorough no joke I'm saying that with much emphasis these days!

http://www.vbulletin.com/forum/blogs...vbulletin-site
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site

The Mailman

Just for grins, do you have any of these Plugins?

I can't be a file left over (I did an emergency rollback to like 1-2 weeks before they knew we existed on both the /forums/ dir and the sql database) so I guess a plug-in

will disabling all plugins manually do the trick and just updating/re-enabling one by one, or do i have to uninstall everything and start over


nope

That kind of eliminates that idea.

I have seen it can't happen to 4.1.x, not true.

I have seen it can't happen if the Install is removed; others are saying not true. I have just removed mine; so I will find out soon enough.

People keep asking me how they are getting in; well heck if vB can't tell us, how would I know!

fwiw, i've updated every plugin i had running to the latest version and renamed the database

admincp is under .htaccess protection now

any other way they'd be able to access the sql database or admin?

Just made this post in another thread here: On vb.com one user is suggesting our MySQL database is compromised because of a lack of security on our config.php file. This is the most sensible explanation I have heard so far. But I don't know how to monitor MySQL access; I'll be trying to figure that out next.

What is wrong with these plugins? Since you mentioned them are we supposed to be concerned with these?

I have had several people suggest Plug Ins are vulnerable; I thought maybe if several of us have the same Plug In, maybe a pattern could be established to suggest one of them is bad. Was just an idea and in no way implies any of my three are bad.

It seems the experts have no clear answer, so I am beating the bushes so to speak.

After you were first hacked, did you make sure to check your Administrator usergroup and verify you didn't leave their account as an Administrator (so they could still access the admincp)? And, did you go through your Plugin Manager and make sure they didn't add any plugins to your site? Also verify that all your old plugins haven't been touched and had bad code added to them. If you can't do those things, I'd suggest using a database backup. Also, make sure all the files uploaded to the site are default vbulletin files and not files added by the hackers.