  #1  
05-05-2011, 02:02 PM
Valter
Join Date: Aug 2005
Location: Sarajevo
Posts: 2,432
Hacked by Team Animus?

If your forum has been hacked by "Team Animus", please read this to get help removing the traces of the hack and making your forum secure.

NOTE: Please be careful when removing any data. Make sure you have backups of your important files and databases!

What they did:
Code:
1. Added vba.php to INCLUDES folder
2. Replaced several index.php files, added some index.html files
3. Added new user with ID "13371338", admin status
4. Changed user titles to "Hacked by Team Animus"
5. Disabled current admins
6. Disabled forums
Here is what I have done:
Code:
01. MyAdmin > Deleted latest user (hacker - admin group)
02. MyAdmin > Changed autoincrement value in USER table to {LatestUserID} + 1
03. MyAdmin > Executed two queries to fix user titles:
	UPDATE user SET usertitle = replace(usertitle, "Hacked by Team Animus", "");
	UPDATE user SET customtitle = '0' where customtitle = '1';
04. FTP > To be sure that all files are OK, I've deleted everything from my forum folder, except:
	images, banners, .htaccess, favicon, config.php (re-checked content of this one, just in case)
05. FTP > Uploaded original forum files + custom .php's which belong to add-ons I'm using
06. FTP > Uploaded tools.php, restored my admin status, enabled forums
07. FTP > Deleted tools.php and /install/install.php
[struck out] 08. ACP > Removed "Skimlinks Plugin" (who installed this? hacker?) - Edit: added by vB in 4.1.3
09. ACP > Updated "VSa - Advanced Forum Rules" add-on (download latest version: vB3.x, vB4.x)
10. ACP > Re-imported all add-ons I'm using, with "overwrite" checked, to ensure there are no modified codes
11. ACP > Maintenance > update user titles, fix broken user profiles, repair and optimize tables

If you have any questions, feel free to ask.

And again: Make sure you have backups of your important files and databases before you delete anything!
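An added example, not code from the thread, in the direction of steps 04 and 05 above: instead of deleting and re-uploading blind, compare the live web root with a pristine copy of the same vBulletin version so that dropped files (includes/vba.php, a planted index.html) and replaced files (an index.php) show up by name. It assumes GNU coreutils sha256sum; the exclusion list mirrors what the poster kept (config.php, .htaccess, images, banners, favicon), and the demo trees are constructed.

```shell
# Added example, not code from the thread: compare a live vBulletin web root with a
# pristine copy of the same version so dropped, planted and replaced files show up.
# Assumes GNU coreutils (sha256sum).

# Paths post #1 kept because they are site-specific and absent from the package.
is_excluded() {
    case "$1" in
        includes/config.php|.htaccess|favicon.ico|images/*|banners/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Relative paths of every regular file under a directory, sorted.
list_files() {
    (cd "$1" && find . -type f | sed 's#^\./##' | sort)
}

# Files in LIVE that PRISTINE lacks: an includes/vba.php or a planted index.html.
find_added() {   # usage: find_added PRISTINE LIVE
    list_files "$2" | while read -r f; do
        is_excluded "$f" && continue
        [ -f "$1/$f" ] || echo "ADDED $f"
    done
}

# Files in both trees whose SHA-256 differs (a replaced index.php), or gone from LIVE.
find_modified() {   # usage: find_modified PRISTINE LIVE
    list_files "$1" | while read -r f; do
        is_excluded "$f" && continue
        [ -f "$2/$f" ] || { echo "MISSING $f"; continue; }
        a=$(sha256sum "$1/$f" | cut -d' ' -f1)
        b=$(sha256sum "$2/$f" | cut -d' ' -f1)
        [ "$a" = "$b" ] || echo "MODIFIED $f"
    done
}

# Constructed demo trees mirroring what post #1 describes; prints their base dir.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/pristine/includes" "$d/live/includes" "$d/live/images"
    echo '<?php // original index' > "$d/pristine/index.php"
    cp "$d/pristine/index.php" "$d/live/index.php"         # untouched file
    echo '<?php // original forum' > "$d/pristine/forum.php"
    echo '<?php // defaced' > "$d/live/forum.php"           # replaced file
    echo '<?php // backdoor' > "$d/live/includes/vba.php"   # dropped file
    echo 'Hacked' > "$d/live/index.html"                    # planted file
    echo 'site config' > "$d/live/includes/config.php"      # site-specific, excluded
    echo 'logo' > "$d/live/images/logo.png"                 # excluded path
    echo "$d"
}
```

Run `make_demo` and pass the printed directory's pristine and live subtrees to `find_added` and `find_modified`; against a real site, point them at the unpacked vBulletin package plus your trusted add-on files and at the web root.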
  #2  
05-05-2011, 02:15 PM
RCKSTR
Join Date: Jun 2010
Posts: 10

OK, so I went to

user>operations>changed the user number to be correct>hit "go"

And it reverts right back to the 13371341

Any ideas?
  #3  
05-05-2011, 02:19 PM
Valter
Join Date: Aug 2005
Location: Sarajevo
Posts: 2,432

It should be {LatestUserID} + 1.

Check the user ID of your latest regular user (sort rows by user ID desc). Let's say it's 456.
Go to USER table > Operations > change AUTO_INCREMENT to 457.
  #4  
05-05-2011, 02:22 PM
RCKSTR
Join Date: Jun 2010
Posts: 10

Never mind, I missed 3 new registrants.
  #5  
05-05-2011, 02:43 PM
Valter
Join Date: Aug 2005
Location: Sarajevo
Posts: 2,432

I'm still wondering how they added files.

There must be something more than the Forum Rules add-on.
  #6  
05-05-2011, 03:54 PM
Boofo
Join Date: Mar 2002
Location: Des Moines, IA (USA)
Posts: 15,776

If they breached the DB because of the exploit, it would be nothing to get to the server from there, I would think.

Oh, and this is legit:

08. ACP > Removed "Skimlinks Plugin" (who installed this? hacker?)

It was added in 4.1.3, I think.
  #7  
05-05-2011, 04:08 PM
Eplexx
Join Date: Nov 2010
Location: Toronto
Posts: 94

Great share, I wasn't attacked, thank god.
  #8  
05-05-2011, 05:23 PM
Zachery
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440

Not every site had the same things done to it, honestly. Having cleaned a number of them, lots of different things were done to different sites; not all steps were done to all of the sites. It would be in your best interests to RESTORE A BACKUP, or contact vBulletin support for help.
  #9  
05-05-2011, 08:45 PM
wraggster
Join Date: Mar 2005
Posts: 78

My forum has also been hacked by 2 different groups; one just did a quick and simple redirect, the other has for the moment taken control and somehow they are redirecting everything to their server. My server admin isn't around at the moment, so I'm totally at a loss how to kill them off.

I've been hacked by http://pro2leet.net/forum.php and http://belegit.net/forum/ and both these sites use vBulletin software.
  #10  
05-05-2011, 10:35 PM
AusPhotography
Join Date: Nov 2007
Location: Hobart & Adelaide .au
Posts: 521

We were lucky in that (Australian time) the hack attack occurred in the early morning but after our daily 3am backup.

I changed passwords, deleted all the newly updated files, replaced them from the original source, and restored from the 3am backup - all good.
We only lost a handful of threads and posts, but it was the safest option IMHO.

Lessons?
1. Have a daily backup!
2. Have all the source code safe somewhere else.
3. Take more time to eyeball add-on code.

Note: Valter's code has been around for years. NO ONE noticed the problem until now.

It's very easy to visually check all form fields and SQL in an add-on, checking that vB's cleaning and escape_string have been applied.
We (admins) all need to be vigilant; no point blaming anyone. TeamAnimus have done us a favour by making us take security seriously.
Not that I would object to tasking Seal Team 6 onto TeamAnimus.


Kym

--------------- Added 05-05-2011 at 11:44 PM (GMT) ---------------

Quote:
Originally Posted by wraggster
My forum has also been hacked by 2 different groups; one just did a quick and simple redirect, the other has for the moment taken control and somehow they are redirecting everything to their server. My server admin isn't around at the moment, so I'm totally at a loss how to kill them off.

I've been hacked by http://pro2leet.net/forum.php and http://belegit.net/forum/ and both these sites use vBulletin software.
Once the vba.php trojan is there, anyone can use it to hack your system.
Sounds like a piggy back attack to me.
All times are GMT.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.