The Arcive of Official vBulletin Modifications Site.

Daniel Thomas · #1 02-28-2008, 12:45 PM

Hi, I'm having issues with a hacker.

Our site, forum.pwmania.com has been hacked twice by a hacker, Boraish.

Apparently, from the looks of it, they are hacking our Style and simply overwriting it because I'm going into VB's finalupgrade.php script and I reinstall the style and then it all works again. Anybody know what the issue is and how to fix it?

#2 02-28-2008, 01:18 PM

change all your access passwords, for once, and deactivate the /install/directory when you do not need it...

ifthe guy have access to your style, it is because he have access to your site... think of it.

Daniel Thomas · #3 02-28-2008, 02:40 PM

Okay, so when you say "access to the site" do you mean access directly to the server or access to the VB AdminCP? If you're referring to the AdminCP, well, the guy just hacked it a 3rd time 10 minutes ago and I'm the only administrator who has been on the last 2 times its been hacked and I'm also the only person who has access to the Styles, so that must mean he's hacked my account and was using it while I was still logged in.

From my experience, its something with VB because if the guy has access to the server, then he could take down all 8 sites we have hosted on the server but instead he's only messing with the forum, the only thing he can hack because he apparently doesn't have access to the server.

The /install/ files are non-functional until I rechmod them so I can run the finalupgrade.php file to reinstall the vbstyles.

I'm not new to these hackers, I've heard of them before and they do this stuff all the time.

Opserty · #4 02-28-2008, 04:21 PM

Disable your modifications, use the default vBulletin style and upgrade to the latest version of vBulletin. That is the only way to reduce his success rate.

You don't need the /install/ directory once you have upgraded/installed, you should delete it once you have finished with it. (The on-screen instructions say just delete install/install.php but it is safe just to remove the entire directory, I'm pretty sure none of the files in that directory are used in standard scripts)

What version of vBulletin are you using?
Are there any other scripts running on your domain? (that are not part of default vBulletin, e.g. Wordpress or something)

They could just be editing the style directly from the database, although it is a little difficult, it is not impossible. Check the Administration Logs in the vBulletin AdminCP to see if it was edited by another Admin (he may have gained access to their account).

If you keep restoring old things he will just take it down again.

Boofo · #5 02-28-2008, 04:25 PM

Quote:

Originally Posted by Opserty

You don't need the /install/ directory once you have upgraded/installed, you should delete it once you have finished with it. (The on-screen instructions say just delete install/install.php but it is safe just to remove the entire directory, I'm pretty sure none of the files in that directory are used in standard scripts)

I agree you should delete most of it, but you really should keep the install directory and only these 2 files in it for later use:

Quote:

index.html (1 byte)
mysql-schema.php

Lynne · #6 02-28-2008, 05:15 PM

Quote:

Originally Posted by Boofo

I agree you should delete most of it, but you really should keep the install directory and only these 2 files in it for later use:

Why keep them on the server? I keep a copy of my site on my home computer. I am the only one who ever does anything to vb, so I'm the only one who needs those files, therefore I just delete the whole install directory since noone else needs it.

Daniel Thomas · #7 02-28-2008, 05:36 PM

Apparently the server has crashed or else they are dossing it because its been down for several hours now.

Quote:

You don't need the /install/ directory once you have upgraded/installed, you should delete it once you have finished with it.

If I remove all the contents from the install folder, then there is nothing for me to reinstall the vbstyles, because once he hacks it, everything is screwed up. You can't login to the admincp or anything, whatsoever. I must use the finalupgrade.php Step 4 to reinstall the vbulletin-style.xml file to get it working again so I can log in.

Quote:

What version of vBulletin are you using?
Are there any other scripts running on your domain? (that are not part of default vBulletin, e.g. Wordpress or something)

3.6.4
There are no other scripts other than VB in the forums subdomain.

Quote:

They could just be editing the style directly from the database, although it is a little difficult, it is not impossible. Check the Administration Logs in the vBulletin AdminCP to see if it was edited by another Admin (he may have gained access to their account).

As I stated earlier, I'm the only one who has the permissions to edit styles and I'm also the only administrator who has logged in and he was hacking the forum while I was still on it. he's probably hacked it 6-7 times now.

Quote:

If you keep restoring old things he will just take it down again.

I have to restore vbulletin-style.xml in order to get the forum working again.

EDIT:
The only other alternative I know of is that he somehow either found a flaw in the coding or else has hacked the server in some way because I found a file called update.php that they kept installing on the server that would overwrite the forum, allowing them to put that message on the board. He probably installed it two or three times and everytime I found it, I chmodded it to disable it and then he would install a new one in a different spot. Once I can get back on the server, I'll let yall see it.

Boofo · #8 02-28-2008, 06:27 PM

Quote:

Originally Posted by Lynne

Why keep them on the server? I keep a copy of my site on my home computer. I am the only one who ever does anything to vb, so I'm the only one who needs those files, therefore I just delete the whole install directory since noone else needs it.

It won't do any harm leaving it there. It is the other files that don't need to be there.

If I remember right, Kirby used that file for one of his hacks a while back.

Lynne · #9 02-28-2008, 07:36 PM

If he keeps putting some update.php file on the server, then it sounds to me like he has ftp access to your site. You should change your passwords to logon to your server. Is this the only site on the server? If other sites are there and have modifications installed, maybe he is somehow using one of them to upload the file? Sorry, hacking isn't my expertise, but I would definitely start by changing all passwords and making sure the admin cp is htaccess protected.

When you say you keep installing the style again and again, are you putting up your own style, or the vbulletin default style?

Also, have you read this? http://www.vbulletin.com/forum/showthread.php?t=194701

dfdems · #10 02-28-2008, 09:58 PM

My site actually got hacked today in much the same fashion. I am going back though it right now trying to set it straight. I am guessing a product or plugin is a possible cause.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04506 seconds Memory Usage 2,263KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (8)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (9)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!