  #5  
Old 09-12-2013, 02:09 PM
Spangle
Join Date: Jun 2011
Posts: 520
Thanks given: 0
Thanked 0 times in 0 posts

Quote:
Originally Posted by Jester1423 View Post
Ok guys, I need serious help. We were hacked and I was able to delete the Admin accounts the hackers added. Looking at the CP log, all they changed was the Notice.php, but I have no idea where to go to clean up the mess they made. Any help would be great.

www.jeepasylum.com

--------------- Added [DATE]1378993172[/DATE] at [TIME]1378993172[/TIME] ---------------

I figured it out and feel slightly stupid now. Any suggestions on how they might have been able to add admin accounts and how I can prevent this in the future?

First thing you need to do is delete your install folder if you haven't already.

Then you need to run ACP>Maintenance>Diagnostics>Suspect file versions.
That will check your VB install for any suspect files. Read all the files carefully; chances are they will have created files with .php extensions. Check these are what the system is expecting; if they aren't, the check will say something like "expected contents not found".

Then you actually need to check to see what is actually in your public_html file, delete the suspect files, and look out for any you don't recognise. In my installation I found mail.php, password.php, password.txt.

If you are unsure as to what should be there, check your downloads for files that go into the root directory.

Then do a check on all accounts that have admin permissions. If they have an IP address, block that address via IPDeny in your cPanel.
Reply With Quote
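An added example, not part of the original post and not vBulletin's own checker: a Python script for the manual comparison the post describes, checking the web root against the files that came in the download. It assumes a clean copy of the downloaded package has been unpacked next to a copy of the live web root; the function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile


def index_tree(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    index = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                index[rel] = hashlib.sha256(fh.read()).hexdigest()
    return index


def audit_webroot(webroot, clean_copy):
    """Compare the live web root with a clean, unpacked copy of the package."""
    live, clean = index_tree(webroot), index_tree(clean_copy)
    return {
        # Files the package never shipped, e.g. a dropped mail.php.
        "unexpected": sorted(p for p in live if p not in clean),
        # Shipped files whose contents differ from the clean copy.
        "modified": sorted(p for p in clean if p in live and live[p] != clean[p]),
        # The install folder should have been deleted after setup.
        "install_present": os.path.isdir(os.path.join(webroot, "install")),
    }


def build_demo_trees():
    """Constructed sample data: a clean package tree and a tampered web root."""
    base = tempfile.mkdtemp()
    shipped = {"index.php": "<?php // shipped\n", "notice.php": "<?php // shipped\n",
               "install/install.php": "<?php // installer\n"}
    tampered = {**shipped, "notice.php": "<?php // altered\n",
                "mail.php": "<?php // not shipped\n", "password.txt": "not shipped\n"}
    for tree, files in (("clean", shipped), ("live", tampered)):
        for rel, body in files.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return os.path.join(base, "live"), os.path.join(base, "clean")


if __name__ == "__main__":
    webroot, clean_copy = build_demo_trees()
    for key, value in audit_webroot(webroot, clean_copy).items():
        print(key, value)
```

Files you created yourself after installation, such as a configuration file or uploaded attachments, will also be listed as unexpected and need a manual look rather than automatic deletion.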
 