Old 09-08-2013, 12:39 PM
KissOfDeath
Join Date: Dec 2008
Posts: 158

Quote:
Originally Posted by Toorak Times
I have deleted my install directory and have been hit twice in 24 hours
I had the same thing; from the logs I saw that he created a plugin then removed it, and then created a user and removed that too.

Code:
102106	N/A	18:13, 30th Aug 2013	user.php	kill	user id = 333162	198.203.28.247
102105	N/A	18:13, 30th Aug 2013	user.php	remove	user id = 333162	198.203.28.247
102104	N/A	18:13, 30th Aug 2013	user.php	edit	user id = 333162	198.203.28.247
102103	N/A	18:13, 30th Aug 2013	user.php	find		198.203.28.247
102102	N/A	18:13, 30th Aug 2013	user.php	modify		198.203.28.247
102101	N/A	18:13, 30th Aug 2013	plugin.php			198.203.28.247
102100	N/A	18:13, 30th Aug 2013	plugin.php	kill	plugin id = 8305	198.203.28.247
102099	N/A	18:13, 30th Aug 2013	plugin.php	delete	plugin id = 8305	198.203.28.247
102098	N/A	18:13, 30th Aug 2013	plugin.php	modify		198.203.28.247
102097	N/A	18:05, 30th Aug 2013	plugin.php			198.203.28.247
102096	N/A	18:05, 30th Aug 2013	plugin.php	doimport		198.203.28.247
102095	N/A	18:04, 30th Aug 2013	plugin.php	files		198.203.28.247
What they're doing is creating a backdoor to come back in later.

When I saw this I deleted the install folder as advised and restored my database to the 29th of August; as this had been done on the 30th, I figured that it would undo any database or template alterations.

Wrong. The next day the same user was back with admin access. I removed him again and checked the admin logs, and nothing had been done, so I left it at that and just observed the site. The next day my templates had all been reverted to the originals, so someone had accessed the admin CP again...

So then I figured it must be a file uploaded on the server, because from what I've seen, the plugin being used gives them the ability to upload files to the server. So then I checked the file dates and found a suspicious "clock.php" file in the custom avatars folder that had been created the same day as the plugin above was installed. I removed that and restored another database backup from the 24th, which is the day before the guy registered an account on my forums.

I've changed admin, cPanel, and FTP passwords, so I'll see where it goes from here. Just removing the install folder is not enough.

Here's an example of a file someone has uploaded as a backdoor back into a forum: http://www.paccin.org/deface.txt. I guess there must be more files as well, but this is all I could find on Google.
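An added detection example (not code from the post or from vBulletin): it parses rows in the admin-log layout quoted above and flags the plugin import-then-delete sequence from a single IP, and it lists server-side script files sitting in image-only upload folders, which is how the clock.php above would show up. The folder names customavatars/customprofilepics and the 30-minute window are assumptions.

```python
import os
import re
from datetime import datetime, timedelta

# Row layout of the admin log as pasted in the post (tab separated): id, N/A, timestamp, script, action, detail, ip
ROW_RE = re.compile(r"^(\d+)\t[^\t]*\t([^\t]+)\t([^\t]+)\t([^\t]*)\t([^\t]*)\t(\S+)$")

def parse_admin_log(text):
    """Return rows as dicts ordered by log id; stamps look like '18:13, 30th Aug 2013'."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # skip headers or lines that are not log rows
        stamp = re.sub(r"(\d+)(st|nd|rd|th)", r"\1", m.group(2))  # drop the ordinal suffix
        rows.append({"id": int(m.group(1)), "time": datetime.strptime(stamp, "%H:%M, %d %b %Y"),
                     "script": m.group(3), "action": m.group(4), "detail": m.group(5),
                     "ip": m.group(6)})
    return sorted(rows, key=lambda r: r["id"])

def find_import_then_delete(rows, window=timedelta(minutes=30)):
    """Flag a plugin import followed by a plugin delete/kill from the same IP within
    `window` (assumed 30 min): the install-then-cover-tracks sequence in the post."""
    findings = []
    for imp in (r for r in rows if r["script"] == "plugin.php" and r["action"] == "doimport"):
        for r in rows:
            if (r["ip"] == imp["ip"] and r["script"] == "plugin.php"
                    and r["action"] in ("delete", "kill")
                    and timedelta(0) <= r["time"] - imp["time"] <= window):
                findings.append((imp["ip"], r["detail"] or "unknown plugin"))
                break
    return findings

SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}
def find_executable_uploads(root, upload_dirs=("customavatars", "customprofilepics")):
    """List script files in image-only upload folders (folder names are assumed)."""
    hits = []
    for d in upload_dirs:
        for base, _, files in os.walk(os.path.join(root, d)):
            for name in files:
                if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                    hits.append(os.path.join(base, name))
    return sorted(hits)

# Constructed sample: three of the rows quoted in the post.
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("102096", "N/A", "18:05, 30th Aug 2013", "plugin.php", "doimport", "", "198.203.28.247"),
    ("102099", "N/A", "18:13, 30th Aug 2013", "plugin.php", "delete", "plugin id = 8305", "198.203.28.247"),
    ("102105", "N/A", "18:13, 30th Aug 2013", "user.php", "remove", "user id = 333162", "198.203.28.247"),
])
```

Run `find_import_then_delete(parse_admin_log(SAMPLE_LOG))` to see the flagged import/delete pair, and point `find_executable_uploads` at the forum root to list anything in the avatar folders that should not be there.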