vb.org Archive


michelle86 10-10-2013 09:44 PM

HELP! forum hacker somehow creating admin accounts
 
Since mid September someone has been trying to hack my site.

This person has tried creating multiple admin accounts. I'm not sure how he is able to create the accounts (it isn't recording an IP address or anything).

I have the first username he tried, and when I google it, I find other sites he has hacked. Their main pages are wiped and he has his name in big font and a scrolling message at the top saying the site has been hacked and things like, "Islam is the way of life." And most often awful music playing.

He has since tried creating several other admin account names.

My admincp is not located at mysite.com/admincp.php - I renamed it a long time ago to prevent hackers from uploading files into the admincp (I'm not sure if this has been the reason why he hasn't been able to mess up my site - it would make sense if it is a robot that is doing it).

My site is hosted on bluehost.

Does anyone have any idea where he is getting in and registering the admin accounts? How do I stop this before he really gets in and ruins my site?

Any help is appreciated!

Digital Jedi 10-10-2013 09:47 PM

Have you already deleted your install directory, as was suggested when the vB4 exploit was announced?

tbworld 10-10-2013 09:49 PM

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

michelle86 10-10-2013 10:11 PM

Quote:

Originally Posted by Digital Jedi (Post 2451998)
Have you already deleted your install directory, as was suggested when the vB4 exploit was announced?

Thank you! Just deleted it. Totally missed the announcement in the admincp. :o

I hope this solves it.

tbworld 10-10-2013 10:14 PM

Sorry you were hacked. I hope it solves it too.

ozzy47 10-10-2013 10:22 PM

Just deleting the install directory won't solve the issues; you need to follow the links that tbworld posted as well.

michelle86 10-10-2013 11:20 PM

Yes, I already changed passwords and I'm going through and deleting files they added (found a bunch in the clientscript directory). I just hope that deleting the install directory will close the backdoor that was letting someone come in and do all this.

tbworld 10-10-2013 11:39 PM

Make sure you follow the guidelines completely; be thorough and take your time. If you can do backups after every step, do so. If you have any questions, please ask; most of us try to help others if we can.

DoubleGlasses 10-11-2013 07:38 AM

((hugs)) Michelle

I'm still dealing with this chaos and am in your exact same boat. They are completely right - there's a lot more to fixing this issue than deleting the install folder.

Also - one thing that I think (can't say absolutely for sure) might not have been in those guides - but I added another layer - using htaccess to restrict access to my admincp folder as well. This would prevent them from even being able to log in and use their admin accounts through the admincp. Of course the password file sits above the public folder.

Oh and my attack happened around the same time as yours.

Zachery 10-11-2013 07:43 AM

Password protecting the folders is part of the guides.
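
The checks discussed in this thread (a leftover install directory, files added under clientscript, and .htaccess protection on the renamed admincp with the password file above the public folder), as an added example that is not from any poster or from vBulletin. The `public_html` and `cp_renamed` directory names, the sample file names and the cutoff date are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Directory and file names are assumptions.

# "present" if the install directory still exists under the forum root.
install_dir_status() {            # $1 = forum root (assumed to be the public folder)
    if [ -d "$1/install" ]; then echo present; else echo removed; fi
}

# Files under clientscript/ modified after a reference file's mtime.
files_changed_since() {           # $1 = forum root, $2 = reference file
    find "$1/clientscript" -type f -newer "$2" -print | sort
}

# Is the admin directory password-protected, with the password file
# kept outside the public folder?
admincp_protection() {            # $1 = forum root, $2 = admin directory name
    ht="$1/$2/.htaccess"
    [ -f "$ht" ] || { echo no-htaccess; return; }
    grep -qi '^[[:space:]]*Require[[:space:]]' "$ht" || { echo no-require; return; }
    pw=$(awk 'tolower($1)=="authuserfile" {gsub(/"/,"",$2); print $2; exit}' "$ht")
    case "$pw" in
        "")       echo no-authuserfile ;;
        "$1"/*)   echo passwd-inside-public-folder ;;
        *)        echo protected ;;
    esac
}

# Constructed sample tree so the checks can be run offline.
make_sample_tree() {
    top=$(mktemp -d); root="$top/public_html"
    mkdir -p "$root/install" "$root/clientscript" "$root/cp_renamed"
    touch -t 201309010000 "$root/clientscript/legit.js"
    touch -t 201309150000 "$top/cutoff"           # "mid September" marker
    touch -t 201310010000 "$root/clientscript/dropped.php"
    printf 'AuthType Basic\nAuthName "Admin"\nAuthUserFile %s/.htpasswd\nRequire valid-user\n' \
        "$top" > "$root/cp_renamed/.htaccess"
    echo "$top"
}

top=$(make_sample_tree)
echo "install dir: $(install_dir_status "$top/public_html")"
echo "changed since cutoff:"; files_changed_since "$top/public_html" "$top/cutoff"
echo "admincp: $(admincp_protection "$top/public_html" cp_renamed)"
rm -rf "$top"
```

On a real site, pass the forum root and the actual admin directory name, and use as the reference file one whose modification time predates the intrusion.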


All times are GMT. The time now is 12:34 AM.
