The Arcive of Official vBulletin Modifications Site.

creative-friend · #1 09-08-2013, 07:07 PM

Hi,

Its been 2,3 times that my forum mainpage has been hacked, before i deleted the index.php page and uploaded it again but this time its not working....after hacking the main page somehow hackers are making IDs with full Admin Power......

Has anyone got a clue whats happening?? i really need help with this issue

Attachment 146347

ozzy47 · #2 09-08-2013, 07:17 PM

Delete the /install directory.

Here is a interesting article TheLastSuperman wrote, it way help, http://www.vbulletin.com/forum/blogs...vbulletin-site

If none of that helps, ask your host to reload your most recent backup, then you would still need to delete the install directory.

creative-friend · #3 09-08-2013, 07:27 PM

Thanks for your reply mate

But the thing is only the main page has been hacked if i run a backup it will probably take a week posts thread and that....

So is there any solution just to restore my home page please....

ozzy47 · #4 09-08-2013, 07:32 PM

Read the article, and follow the suggestions there.

Spangle · #5 09-08-2013, 07:37 PM

First thing you have to do is reset all the passwords, that means anyone signing in has to change their password.

Secondly you need to go through the files and see if there are any there that shouldn't be.

The only way to restore things as they were id by running a backup, and to be honest it shouldn't take that long, once you get it from your host, I know it's too late, but you should really be downloading a back at least every other day yourself, not relying on the host.

If it's only the front page that they have hacked, ( I'm assuming it's a portal) alter your .htaccess to forum.php, then at least your members can get into the site.

snakes1100 · #6 09-08-2013, 07:47 PM

Quote:

Originally Posted by creative-friend

Hi,

Its been 2,3 times that my forum mainpage has been hacked, before i deleted the index.php page and uploaded it again but this time its not working....after hacking the main page somehow hackers are making IDs with full Admin Power......

Has anyone got a clue whats happening?? i really need help with this issue

Attachment 146347

Its not that simple, he could of added his code in numerous ways, as the install security hole allowed a sql injection, that is why you have new admins.

He could of used any one of these to inject the change on your home page:
base64 code in the db, in the datastore, template or style tables.
iframe code in the db, in the datastore, template or style tables.

You simply need to remove the code, but first you have to find it, there are a few articles out lining ways to find it in the db & one hack to search for certain things i nthe datastore, which will remove it & rebuild your datastore for you.

creative-friend · #7 09-08-2013, 08:07 PM

Quote:

Originally Posted by Spangle

First thing you have to do is reset all the passwords, that means anyone signing in has to change their password.

Secondly you need to go through the files and see if there are any there that shouldn't be.

The only way to restore things as they were id by running a backup, and to be honest it shouldn't take that long, once you get it from your host, I know it's too late, but you should really be downloading a back at least every other day yourself, not relying on the host.

If it's only the front page that they have hacked, ( I'm assuming it's a portal) alter your .htaccess to forum.php, then at least your members can get into the site.

I do have backup of 2 days before.....but i have contacted my host so lets see what they will say....waiting for their reply if not then i will restore the backup then......

one more thing is that i only backup my database and the size of the database backup is around 300 so am not even sure its thats the right backup.....but i download it from my control panel....

--------------- Added [DATE]1378674505[/DATE] at [TIME]1378674505[/TIME] ---------------

Quote:

Originally Posted by snakes1100

Its not that simple, he could of added his code in numerous ways, as the install security hole allowed a sql injection, that is why you have new admins.

He could of used any one of these to inject the change on your home page:
base64 code in the db, in the datastore, template or style tables.
iframe code in the db, in the datastore, template or style tables.

You simply need to remove the code, but first you have to find it, there are a few articles out lining ways to find it in the db & one hack to search for certain things i nthe datastore, which will remove it & rebuild your datastore for you.

how do i find that code please tell me....is there any way to find it and remove it please let me know...

ozzy47 · #8 09-08-2013, 08:12 PM

Did you follow the steps in the article I linked you to? It tells you in there.

Run the following Queries in phpMyAdmin:

Code:

SELECT title, phpcode,  hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode  LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%'  OR phpcode like '%iframe%';

Code:

SELECT styleid, title,  template FROM template WHERE template LIKE '%base64%' OR template LIKE  '%exec%' OR template LIKE '%system%' OR template like '%pass_thru%' OR  template like '%iframe%';

Then you could also try this mod, https://vborg.vbsupport.ru/showthread.php?t=281080

M.Iftikhar · #9 09-09-2013, 05:46 AM

please contact me i will help you.....thanks

joeychgo · #10 09-09-2013, 06:13 AM

You could always hire Securi --

They'll clean your site and monitor it for the next year. They do a great job.

.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.06020 seconds Memory Usage 2,273KB Queries Executed 14 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (2)bbcode_code (3)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (2)pagenav_pagelink (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!