vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
#1  09-12-2013, 12:32 PM
Jester1423 (Join Date: Jan 2011, Posts: 82)
We have been hacked as well

Ok guys, I need serious help. We were hacked and I was able to delete the Admin accounts the hackers added. Looking at the CP log, all they changed was the Notice.php, but I have no idea where to go to clean up the mess they made. Any help would be great.

www.jeepasylum.com

--------------- Added 12 Sep 2013 at 13:39 ---------------

I figured it out and feel slightly stupid now. Any suggestions on how they might have been able to add admin accounts and how I can prevent this in the future.
#2  09-12-2013, 01:18 PM
joeychgo (Join Date: Mar 2004, Location: Chicago, IL, Posts: 933)

I always recommend forum owners hire Securi. I use them for all my sites. They monitor the sites for intrusions, and track down and repair successful malware / virus attacks on my sites. They have been fantastic for me and they monitor all my sites.

Thanks from: ozzy47
#3  09-12-2013, 01:23 PM
teamemmenracing (Join Date: Apr 2007, Posts: 13)

Quote:
Originally Posted by Jester1423
Ok guys, I need serious help. We were hacked and I was able to delete the Admin accounts the hackers added. Looking at the CP log, all they changed was the Notice.php, but I have no idea where to go to clean up the mess they made. Any help would be great.

www.jeepasylum.com

--------------- Added 12 Sep 2013 at 13:39 ---------------

I figured it out and feel slightly stupid now. Any suggestions on how they might have been able to add admin accounts and how I can prevent this in the future.


You figured it out .....??????
Please tell .... I don't mind feeling stupid at all, I've been banging my head against the wall all day .....
I had the exact same hack.
#4  09-12-2013, 01:30 PM
cellarius (Join Date: Aug 2005, Posts: 1,987)

Quote:
Originally Posted by joeychgo
I always recommend forum owners hire Securi. I use them for all my sites. They monitor the sites for intrusions, and track down and repair successful malware / virus attacks on my sites. They have been fantastic for me and they monitor all my sites.

Not a bad tip. But you might want to
a) fix the link, which is broken (typo)
b) remove the affiliate id. AFAIR that's against forum rules here.
#5  09-12-2013, 02:09 PM
Spangle (Join Date: Jun 2011, Posts: 520)

Quote:
Originally Posted by Jester1423
Ok guys, I need serious help. We were hacked and I was able to delete the Admin accounts the hackers added. Looking at the CP log, all they changed was the Notice.php, but I have no idea where to go to clean up the mess they made. Any help would be great.

www.jeepasylum.com

--------------- Added 12 Sep 2013 at 13:39 ---------------

I figured it out and feel slightly stupid now. Any suggestions on how they might have been able to add admin accounts and how I can prevent this in the future.

First thing you need to do is delete your install folder if you haven't already.

Then you need to run ACP > Maintenance > Diagnostics > Suspect file versions.
That will check your vB install for any suspect files. Read all the files carefully; chances are they will have created files with .php extensions. Check these are what the system is expecting; if a file isn't, the check will say something like "expected contents not found".

Then you actually need to check what is actually in your public_html folder, delete the suspect files, and look out for any you don't recognise. In my installation I found mail.php, password.php, password.txt.

If you are unsure as to what should be there, check your downloads for files that go into the root directory.

Then do a check on all accounts that have admin permissions. If they have an IP address, block that address via IPDeny in your cPanel.
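A file-baseline check in the spirit of the ACP diagnostic and the manual public_html review described above, written here as an added example (not vBulletin's own code and not posted in this thread): it hashes a clean copy of the install, then reports stock files whose contents changed, stock files that are missing, and files that are not part of the install at all. The demo() tree and the file names in it are constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash one file in chunks so large attachments do not hit memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> digest for every file under a clean vB copy."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest

def audit_webroot(root, manifest):
    """Return (modified, missing, unexpected) relative paths of the live root."""
    seen, modified = set(), []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            seen.add(rel)
            if rel in manifest and sha256_of(full) != manifest[rel]:
                modified.append(rel)  # the "expected contents not found" case
    return sorted(modified), sorted(set(manifest) - seen), sorted(seen - set(manifest))

def demo():
    """Constructed example: a clean tree and a tampered live copy of it."""
    clean, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    for base in (clean, live):
        os.makedirs(os.path.join(base, "includes"))
        with open(os.path.join(base, "index.php"), "w") as f:
            f.write("<?php // stock index\n")
        with open(os.path.join(base, "includes", "functions.php"), "w") as f:
            f.write("<?php // stock functions\n")
    # Tamper with the live copy: append to a stock file, add a file that is
    # not part of vBulletin, and remove one that should be there.
    with open(os.path.join(live, "includes", "functions.php"), "a") as f:
        f.write("// appended line\n")
    with open(os.path.join(live, "mail.php"), "w") as f:
        f.write("<?php // unknown file\n")
    os.remove(os.path.join(live, "index.php"))
    return audit_webroot(live, build_manifest(clean))
```

Build the manifest from a freshly downloaded copy of the same vBulletin version plus your known mods, never from the live root, or the injected files become the baseline.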
#6  09-12-2013, 03:11 PM
Jester1423 (Join Date: Jan 2011, Posts: 82)

These are the only ones I don't recognize

admin_rbs.php
admin_rbs_banner_list.php
admin_rbs_delete.php
#7  09-12-2013, 11:33 PM
xenite (Join Date: Oct 2005, Posts: 33)

Quote:
Originally Posted by Jester1423
Ok guys, I need serious help. We were hacked and I was able to delete the Admin accounts the hackers added. Looking at the CP log, all they changed was the Notice.php, but I have no idea where to go to clean up the mess they made. Any help would be great.

www.jeepasylum.com

--------------- Added 12 Sep 2013 at 13:39 ---------------

I figured it out and feel slightly stupid now. Any suggestions on how they might have been able to add admin accounts and how I can prevent this in the future.

STEP 1: Login to ADMINCP
STEP 2: In the left-hand margin, scroll down to NOTICES
STEP 3: Click on NOTICES
STEP 4: DELETE the notice with the hacker message
STEP 5: Find the new admin account(s) they created.
STEP 6: Note the IP address(es) used to create the admin account(s)
STEP 7: DELETE the admin account(s) they created.
STEP 8: BAN the IP address(es) they used.
#8  09-13-2013, 02:10 PM
rhody401 (Join Date: Feb 2012, Posts: 120)

Quote:
Originally Posted by Jester1423
These are the only ones I don't recognize

admin_rbs.php
admin_rbs_banner_list.php
admin_rbs_delete.php

Those are part of the Rotating Banner System mod. (RBS)
#9  09-14-2013, 01:24 AM
Jester1423 (Join Date: Jan 2011, Posts: 82)

Well, found 4 more accts tonight, and they modified some plugins, but all it shows in the log is the plugin id. How do I tell which plugins were modified? The paypal address was also changed as well.

--------------- Added 14 Sep 2013 at 02:25 ---------------

I did delete the install folder off the server just now because I had forgotten to.

#10  09-14-2013, 04:53 AM
socialteenz (Join Date: May 2011, Posts: 465)

Quote:
Originally Posted by Jester1423
Well, found 4 more accts tonight, and they modified some plugins, but all it shows in the log is the plugin id. How do I tell which plugins were modified? The paypal address was also changed as well.

--------------- Added 14 Sep 2013 at 02:25 ---------------

I did delete the install folder off the server just now because I had forgotten to.

You need to delete the plugins & update the passwords as well.