vb.org Archive - View Single Post

Valter · #1 05-05-2011, 02:02 PM

If your forums has been hacked by "Team Animus", please read this to get helped to remove hacking traces and make your forums secure.

NOTE: Please be careful when removing any data. Make sure you have backups of your important files and databases!

What they did:

Code:

1. Added vba.php to INCLUDES folder
2. Replaced several index.php files, added some index.html files
3. Added new user with ID "13371338", admin status
4. Changed user titles to "Hacked by Team Animus"
5. Disabled current admins
6. Disabled forums

Here is what I have done:

Code:

01. MyAdmin > Deleted latest user (hacker - admin group)
02. MyAdmin > Changed autoincrement value in USER table to {LatestUserID} + 1
03. MyAdmin > Executed two queries to fix user titles:
	UPDATE user SET usertitle = replace(usertitle, "Hacked by Team Animus", "");
	UPDATE user SET customtitle = '0' where customtitle = '1';
04. FTP > To be sure that all files are OK, I've deleted everything from my forum folder, except:
	images, banners, .htaccess, favicon, config.php (re-checked content of this one, just in case)
05. FTP > Uploaded original forum files + custom .php's which belongs to add-ons I'm using
06. FTP > Uploaded tools.php, restored my admin status, enabled forums
07. FTP > Deleted tools.php and /install/install.php
[S]08. ACP > Removed "Skimlinks Plugin" (who installed this? hacker?)[/S] - Edit: added by vB in 4.1.3
09. ACP > Updated "VSa - Advanced Forum Rules" add-on (download latest version: vB3.x, vB4.x)
10. ACP > Re-imported all add-ons I'm using, with "overwrite" checked, to ensure there are no modified codes
11. ACP > Maintenance > update user titles, fix broken user profiles, repair and optimize tables

If you have any questions, feel free to ask.

And again: Make sure you have backups of your important files and databases before you delete anything!

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01122 seconds Memory Usage 1,767KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD_SHOWPOST (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (2)bbcode_code (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_box (1)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (1)post_thanks_postbit_info (1)postbit (1)postbit_onlinestatus (1)postbit_wrapper (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit reputationlevel showthread	Included Files: ./showpost.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showpost_start bbcode_fetch_tags bbcode_create postbit_factory showpost_post postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start showpost_complete
Messages: