vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Cleaning after hack (https://vborg.vbsupport.ru/showthread.php?t=303829)

Skivey 10-25-2013 11:49 AM

Cleaning after hack
 
Ive just deleted about 15 'new' administrators

Any idea what these are?

http://postimg.org/image/5fd9xpgu5/

Matt

--------------- Added [DATE]1382705488[/DATE] at [TIME]1382705488[/TIME] ---------------

this is the contents

http://postimg.org/image/dlzo3jwc7/

--------------- Added [DATE]1382711311[/DATE] at [TIME]1382711311[/TIME] ---------------

I cant seem to see administrator log?

Where should I find this? I can see Moderator Log but not administrator?

borbole 10-25-2013 05:47 PM

Those that make use of the init_startup hook locations are all malicious. Delete them.

ForceHSS 10-25-2013 06:40 PM

Delete all them and the hacker admins then check admin logs see what they have changed I have fixed many forums and have seen them change files in templates and in skimlinks as well

Skivey 10-26-2013 08:13 AM

I reuploaded all the forum files so they are now original flles.

As well as this I have deleted all of the above hooks, deleted admins, changed the database name and password, changed the admin and mod cp links. Changed the ftp password, deleted anything 'install'.

Is there anything else I need to do? Do I need to reset users passwords? if so what is the query used to do this?

Regards

Matt

--------------- Added [DATE]1382779442[/DATE] at [TIME]1382779442[/TIME] ---------------

I also notice a few php and html files that I dont recognise..... is there a way of checking all files and folders? Im going to keep the forum down till I get all this sorted....

--------------- Added [DATE]1382779857[/DATE] at [TIME]1382779857[/TIME] ---------------

zdberr9cd964b2da2e416c43c2b2cc5d64ac18.dat

ozzy47 10-26-2013 09:35 AM

I would do the following, to ensure everything is clean.

First you need to follow our advisory about deleting the install folder off your forums.

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions


All times are GMT. The time now is 03:37 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.02691 seconds
  • Memory Usage 1,719KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (5)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 

Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete