The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
#1
|
|||
|
|||
Hacked by Team Animus?
If your forums has been hacked by "Team Animus", please read this to get helped to remove hacking traces and make your forums secure.
NOTE: Please be careful when removing any data. Make sure you have backups of your important files and databases! What they did: Code:
1. Added vba.php to INCLUDES folder 2. Replaced several index.php files, added some index.html files 3. Added new user with ID "13371338", admin status 4. Changed user titles to "Hacked by Team Animus" 5. Disabled current admins 6. Disabled forums Code:
01. MyAdmin > Deleted latest user (hacker - admin group) 02. MyAdmin > Changed autoincrement value in USER table to {LatestUserID} + 1 03. MyAdmin > Executed two queries to fix user titles: UPDATE user SET usertitle = replace(usertitle, "Hacked by Team Animus", ""); UPDATE user SET customtitle = '0' where customtitle = '1'; 04. FTP > To be sure that all files are OK, I've deleted everything from my forum folder, except: images, banners, .htaccess, favicon, config.php (re-checked content of this one, just in case) 05. FTP > Uploaded original forum files + custom .php's which belongs to add-ons I'm using 06. FTP > Uploaded tools.php, restored my admin status, enabled forums 07. FTP > Deleted tools.php and /install/install.php [S]08. ACP > Removed "Skimlinks Plugin" (who installed this? hacker?)[/S] - Edit: added by vB in 4.1.3 09. ACP > Updated "VSa - Advanced Forum Rules" add-on (download latest version: vB3.x, vB4.x) 10. ACP > Re-imported all add-ons I'm using, with "overwrite" checked, to ensure there are no modified codes 11. ACP > Maintenance > update user titles, fix broken user profiles, repair and optimize tables If you have any questions, feel free to ask. And again: Make sure you have backups of your important files and databases before you delete anything! |
#2
|
|||
|
|||
ok, so I went to
user>operations>changed the user number to be correct>hit "go" And it reverts right back to the 13371341 Any ideas? |
#3
|
|||
|
|||
It should be {LatestUserID} + 1.
Check user ID of your latest regular user (sort rows by user id desc). Let's say its 456. Go to USER table > Operations > change AUTO_INCREMENT to 457. |
#4
|
|||
|
|||
nevermind, I missed 3 new registrants.
|
#5
|
|||
|
|||
I'm still wondering how they added files.
There must be something more than Forum Rules add-on. |
#6
|
||||
|
||||
If they breached the db because of the exploit it would be nothing to get to the server from there, I would think.
Oh, and this is legit: 08. ACP > Removed "Skimlinks Plugin" (who installed this? hacker?) It was added in 4.1.3, I think. |
#7
|
|||
|
|||
Great share, I wasn't attacked thank god.
|
#8
|
||||
|
||||
Not every site had the same things done to it honestly. Having cleaned a number of them, lots of different things were done to different sites, not all steps were done to all of the sites. It would be in your best intrests to RESTORE A BACKUP, or contact vBulletin support for help.
|
#9
|
|||
|
|||
my forum has also been hacked by 2 different groups, one just did a quick and simple redirect, the other has for the moment taken control and somehow they are redirecting everything to their server, my server admin isnt around at the moment so im totally at a loss how to kill them off
ive been hacked by http://pro2leet.net/forum.php and http://belegit.net/forum/ and both these sites use vbulletin software |
#10
|
||||
|
||||
We were lucky in that (Australian time) the hack attack occurred in the early morning but after our daily 3am backup.
I changed passwords, I deleted all the newly updated files, I replaced them from original source, restored from the 3am backup - all good. We only lost a handful of threads and posts, but it was the safest option IMHO. Lessons? 1. Have a daily backup! 2. Have all the source code safe somewhere else. 3. Take more time to eyeball add-on code Note: Valter's code has been around for years. NO ONE noticed the problem until now. It's very easy to visually check all form fields and SQL in an addon; checking that vB cleaning and escape_string have been applied. We (Admins) all need to be vigilant, no point blaming anyone, TeamAnimus have done us a favour by making us take security seriously. Not that I would object to tasking Seal Team 6 onto TeamAnimus Kym --------------- Added [DATE]1304639047[/DATE] at [TIME]1304639047[/TIME] --------------- Quote:
Sounds like a piggy back attack to me. |
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|