Thread: vBulletin hack with vblogin.php
View Single Post
  #29  
Old 11-06-2014, 11:05 PM
HM666's Avatar
HM666 HM666 is offline
 
Join Date: Jan 2014
Location: Little Rock, AR
Posts: 1,060
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Muhammad when was your last back up of your site before this hack occurred? You may have to at the worst revert the site to that point when it was not hacked. That is a last ditch effort though and should only be done if nothing else can be, mainly because you would lose some data in that process so save that option for last but be prepared it might come down to that.

Steps you should take:

1. Go to members.vbulletin.com, login and download the same version that you are running on the site.

2. Unzip it and upload all the vbulletin core php files in binary only. You probably won't have to upload your images but you should check them just to be sure sometimes these hackers will change them. So download those from your web site and check them to be sure that they are not files that are hacked (or look like they are supposed to). If the images have been hacked them upload them as well but NOT in binary mode.

3. Go into your admincp and look on the left side column and find "Maintenance" click it to open if its not open and then go to "Diagnostics". Now on your right you will see "Suspect File Versions" click the "Submit" button under it. This will give you an idea of what files have been changed, are not part of vBulletin, or compromised. Just because it says that its not part of vBulletin does not mean that its a hacked file. It maybe a part of a mod you are using. But if there are weird ones or ones that really you do not remember uploading then download them to your PC desktop and check them in some thing like Dreamweaver or HTMLKit. You can check the code.

4. Go to "Usergroups>Usergroups Manager" Tick the drop down on the right and choose "Show All Primary Users" if you do not recognize an admin account try to delete it. If you cannot and it gives you a message about the account not being able to be changed then you will need to download your includes/config.php file and check the Undeletable Admin portion against the ID of that account in your admincp and take out the ID, save the file and upload it again. After you upload it again try to delete that admin account again.

5. Now still in the Usergroups Manager tick the drop down next to the Administrators and choose "Show All Secondary Users", again if you do not recognize the accounts delete them, if you cannot and get a error message then remove them from your config.php and try to delete them again.

6. Now go to "Styles & Templates" on the left side bar and click it to open if its not already open. Click on "Style Manager". Find the style you are using on the site. Click the drop down on the right and choose "Edit Templates". Click the first button next to "All Template Groups" it should look like this: << >> This will show all your templates. Scroll down and when you come across one that is in red open it and look to see if you see the hackers code in the template. If not cancel and move on to the next template in red. If you see the hackers code in your template then copy and paste all the template code into a notebook file and save it and then click on the template in the list and click the "Revert" button. You save the template in a notebook file just in case there is coding that has been changed and you need it. OR......you can just create a new skin and try working within it instead, but that would mean that any template modifications that have been done due to a mod or you have done personally would need to be redone. So that is up to you on that one which way you go. Once you have gone through all the templates and gotten rid of the hackers code if its there you should have been able to get rid of the hack by this point. If not...

Well if not then it might be in the database which is the worse case scenario I was discussing further up. This is where you might have to go to your last back up of the site before the hack happened.

After you get rid of the hack you will need to perform some basic things on the site to ensure that you are more secure in the future. You can find info on getting secure here: https://vborg.vbsupport.ru/showthrea...ghlight=hacked

Hope this helps and sorry if its was long winded or things you already knew to do.

--------------- Added [DATE]1415322405[/DATE] at [TIME]1415322405[/TIME] ---------------

Quote:
Originally Posted by Muhammad Rahman View Post
since use vBulletin License .. I never use nulled mod ...
my hosting say hacker inject via script/mod to upload msd.zip and try find config.php to see database username and password .. and then run msd script ..,
Find and delete msd.zip and everything it may have created in your files.

msd is MySQL Dumper its a script that will dump your entire database! Its used for backups or to physically change your database. This would need to be removed immediately.
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.02475 seconds
  • Memory Usage 1,790KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_quote
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete