vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Hacked through provider - files added. (https://vborg.vbsupport.ru/showthread.php?t=316709)

pityocamptes 01-16-2015 08:11 PM

Hacked through provider - files added.
 
Ok, looks like some a$$hole somehow got into my providers site and purchased a $hit ton of server stuff, ie, new server, hosting, etc. Got all that taken care of, etc.

My site has been obviously compromised, and will address that later tonight. In the meantime going through the cpanel screen on my provider's site, it looks like, according to the time stamps, that the culprit only ADDED files, they did not modify previously existing files. Very strange because if someone was going f... you over would they not just $hit tank your site? I have an output.txt and .php files added that have somehow overrode my entire site. They did not have DB access thank god.

I assume that when you look at an FTP manager, the dates next to the files/folders (especially folders) will change even if ONE thing in a multi tier folder changes, correct? Any input appreciated. Thanks.

I still have no idea how they knew my ID and PW for my provider... they didn't even change account info, contact, etc...

Dave 01-16-2015 08:16 PM

Try this: log into the admin cp > Maintenance > Diagnostics > Suspect File Versions. That will display any files which do not belong to vBulletin or are modified. Also check your plugins at Plugins & Products > Plugin Manager. There might be some fishy plugins with backdoor code.

In case you use shared hosting, they probably "rooted" the server and ran a script to replace all index files of all websites with their deface page. If that's the case, you better find a completely different host.

pityocamptes 01-16-2015 08:28 PM

Quote:

Originally Posted by Dave (Post 2532839)
Try this: log into the admin cp > Maintenance > Diagnostics > Suspect File Versions. That will display any files which do not belong to vBulletin or are modified. Also check your plugins at Plugins & Products > Plugin Manager. There might be some fishy plugins with backdoor code.

In case you use shared hosting, they probably "rooted" the server and ran a script to replace all index files of all websites with their deface page. If that's the case, you better find a completely different host.



Thanks. I don't think they did that, as they charged close to a grand of $hit from my account, like new server space, domain names, etc.

I have not checked the suspect file version. It seems that I have only a few added files. In fact this whole thing is weird, how did someone get a multi digit ID and long PW???? The only two people that know are God and me and God isn't saying $hit.

In fact what is so weird is they could have totally have destroyed the site, etc. but everything is there with the exception of the few newly added files. Strange...

Ok, here are the files with new dates of 01/15/2015:

Index.php
MS.php
output.txt
wso.php

Dave 01-16-2015 08:38 PM

They didn't alter anything else because those script kiddies usually only do it to deface your site so they can brag about it to their other script kiddie friends.

What I would do is change the passwords of all your stuff, just to be sure.
- Delete those suspicious files and re-upload the index.php file of vBulletin. (wso.php is a web-shell by the way, a backdoor. Delete that file asap)
- Be sure all of your plugins are up to date.
- Change the admincp folder to something else.

I can help you out in private if you need help, but of course understandable if you have some trust issues now.
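The check that Suspect File Versions automates can be reproduced outside vBulletin with a hash manifest: baseline the web root when it is known clean, then diff a later snapshot to list added, modified and removed files, and separately list files with a modification time after a cutoff. This is an added example, not code from any poster or from vBulletin; it builds a constructed temporary web root and stand-in file names taken from the thread, and assumes a POSIX filesystem.

```python
import hashlib
import os
import tempfile
import time

def build_manifest(root):
    """Map each regular file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def diff_manifests(baseline, current):
    """Return sorted (added, modified, removed) relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def files_changed_since(root, cutoff):
    """Regular files whose mtime is after cutoff (epoch seconds). Directory mtimes
    are ignored on purpose: a directory's mtime only moves when an entry is created,
    deleted or renamed directly inside it, not when a nested file is rewritten."""
    return sorted(os.path.relpath(os.path.join(d, n), root)
                  for d, _dirs, files in os.walk(root) for n in files
                  if os.stat(os.path.join(d, n)).st_mtime > cutoff)

def demo():
    """Constructed web root (not a real site): a clean baseline, then an intrusion
    that drops two new files and overwrites index.php, as in the thread's file list."""
    root, cutoff = tempfile.mkdtemp(), time.time()
    def put(rel, body, mtime):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))   # pin mtime so the scan is deterministic
    put("index.php", "<?php // vB front controller\n", cutoff - 3600)
    put("includes/config.php", "<?php // db credentials\n", cutoff - 3600)
    baseline = build_manifest(root)
    put("index.php", "<?php /* defaced */\n", cutoff + 60)            # modified
    put("wso.php", "<?php // harmless stand-in for a dropped file\n", cutoff + 60)  # added
    put("MS.php", "<?php // harmless stand-in for a dropped file\n", cutoff + 60)   # added
    added, modified, removed = diff_manifests(baseline, build_manifest(root))
    return {"added": added, "modified": modified, "removed": removed,
            "changed_since": files_changed_since(root, cutoff)}
```

Run against a real site, the baseline manifest must be stored off the server, since an attacker with write access to the web root can rewrite a manifest kept beside it.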

pityocamptes 01-16-2015 08:43 PM

Thanks. The admin CP folder was changed to something else originally... do I need to change it again? Also, I assume they got the FTP connection info for the DB... should I change the DB pw as well? If so, do I just do that in config, or do I need to do something on the back end of VB?

Still pretty ballsy to charge $1000.00 in server, and domain names...

Are any of these files, with the exception of INDEX, vbulletin files to begin with? Not sure if these are fresh uploads or altered existing files.

Dave 01-16-2015 08:44 PM

Quote:

Originally Posted by pityocamptes (Post 2532846)
Thanks. The admin CP folder was changed to something else originally... do I need to change it again? Also, I assume they got the FTP connection info for the DB... should I change the DB pw as well? If so, do I just do that in config, or do I need to do something on the back end of VB?


Still pretty ballsy to charge $1000.00 in server, and domain names...

You usually change the passwords of your FTP/MySQL in the CPanel of your host. If you change the password of MySQL, you also have to change it in the config file at includes/config.php of vBulletin.

pityocamptes 01-16-2015 08:47 PM

Quote:

Originally Posted by Dave (Post 2532847)
You usually change the passwords of your FTP/MySQL in the CPanel of your host. If you change the password of MySQL, you also have to change it in the config file at includes/config.php of vBulletin.

Thanks. How about those file names? Are any of those vbulletin files by origin?


Oh, and also, should I change the admin folder name to something else?

--------------- Added 01-17-2015 12:02 AM ---------------

I can"t delete output.text is that a vbulletin file??? It keeps showing up. Thanks.

ozzy47 01-16-2015 10:38 PM

output text could be from the https://vborg.vbsupport.ru/showthread.php?t=268208 mod.

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site

pityocamptes 01-16-2015 10:39 PM

Quote:

Originally Posted by ozzy47 (Post 2532857)

Thanks! I believe that is it. It shows spiders, etc. in the output. No need to go to those threads, seems like everything is ok. I still would like to know how they got my host account info... everything seems ok now.. thanks.

--------------- Added 01-17-2015 04:45 PM ---------------

How long does it take for google to pick up the changes back to my site? It still is saying in google search "hacked by..." ? I resubmitted my sitemap via seo, and have checked on the page source code and the "hacked by..." is gone (removed when I changed the site back).

pityocamptes 01-20-2015 03:43 PM

Cleaned up everything, changed FTP and database passwords, removed all recent files, scanned for foreign non-vbulletin software, used secondary confirmation for host access (PIN by text message), changed admin folder name, pw protected, changed mod folder name, pw protected... I do have the admin firewall on, and I still got hacked again this morning. I have the admin firewall mod and never received notice that someone accessed the admincp, so I wonder if this was a direct FTP?

Can the host provider tell how someone is getting in? I updated my vbulletin software this past weekend. I don't know how these people are getting in!!! I'm not sure if it originally started off as a problem on the provider's end (as originally the hackers had access to my account info and proceeded to charge a bunch of stuff - ie server space, etc. on the provider's site) - because I think if it was a direct ftp hack they would not have had access to my actual provider account info.

I've scanned my computer at home, and have no rootkits, or viruses. Any ideas how to combat this? Thanks.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.