  #3  
10-25-2016, 01:08 AM
TheLastSuperman
Senior Member
 
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Thanks given: 0 times
Thanked: 0 times in 0 posts

Quote:
Originally Posted by sattvhelp
This morning an admin account was compromised on our forum. They then sent out a mass email stating that the forum was promoting a website (which we do not), made changes to allow uploading of PHP, and then uploaded a PHP script. This is the script that was uploaded: http://binibrahim.com/shells/godshell.txt

We have removed the files that were uploaded, dealt with the account, and think we have set everything back to normal, but are worried about exactly what this script may have done.

Has anybody seen this script before, or can see what it's meant to do, as we don't want to have missed any back doors that may have been left behind by it?
http://binibrahim.com/shells/godshell.txt

^ Please tell me you've already deleted that file OR that the link above is not your site... IF it is your site delete that file promptly and submit a ticket with your Host asking what assistance they can offer (Maldet scan and/or similar will at least help).

- Replace all default files with 100% fresh new files from a brand new .zip you can acquire via https://members.vbulletin.com then check and see what is left, i.e. any new files with recent timestamps around the date of the hacking? *Also look for oddly named files. I've seen hackers retain timestamps on files, i.e. upload a much older file that you would not assume is bad (i.e. been there long enough) and yet it is.
- Run Suspect File Versions from Maintenance in AdminCP.
- Check the plugin table for any new rogue plugins OR any that contain malicious code. Once you confirm none exist then click to save the active plugins (this will rebuild the plugin cache).

http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/artic...vbulletin-site
Thanks from:
rhody401
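
An added example, not part of the original post and not vBulletin's own tooling: since the reply above notes that uploaded files can carry old timestamps, this Python script compares the live webroot against a freshly extracted copy of the distribution by content hash instead of modification time. The directory layout and file names in `build_demo` are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large attachments do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def index_tree(root: Path) -> dict:
    """Map each regular file's path (relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def audit(clean_root, live_root) -> dict:
    """Classify live files by content only; mtime is never consulted."""
    clean, live = index_tree(Path(clean_root)), index_tree(Path(live_root))
    return {
        # present on the server but not shipped in the fresh distribution
        "unknown": sorted(f for f in live if f not in clean),
        # shipped file whose content no longer matches the fresh copy
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
    }

def build_demo(base: Path):
    """Constructed sample trees: one altered stock file, one backdated extra."""
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "includes").mkdir(parents=True)
        (root / "index.php").write_text("<?php // stock index\n")
        (root / "includes" / "functions.php").write_text("<?php // stock\n")
    (live / "includes" / "functions.php").write_text("<?php // stock\n// added\n")
    extra = live / "includes" / "cache_old.php"
    extra.write_text("<?php // not part of the distribution\n")
    os.utime(extra, (1262304000, 1262304000))  # backdated to 2010-01-01 UTC
    return clean, live

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = build_demo(Path(tmp))
        for kind, files in audit(clean, live).items():
            for name in files:
                print(f"{kind}: {name}")
```

Site-specific files such as your configuration file and user uploads will also be listed as unknown, so that list is a review queue rather than a verdict.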
 