Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #11  
Old 01-02-2013, 02:49 PM
In Omnibus's Avatar
In Omnibus In Omnibus is offline
 
Join Date: Apr 2010
Location: Inside A Blade Server
Posts: 840
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Are you able to login to the AdminCP directly using admincp/index.php?
Reply With Quote
  #12  
Old 01-02-2013, 02:52 PM
Traxdata Traxdata is offline
 
Join Date: Jul 2004
Posts: 128
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

no way,
since I have to enter my pw and when I click on continue...redirecting to this stupid website.

have access only with ftp, phpmyadmin or ssh

Like I said, my other website is not a forum, so no database, has nbothng to do with vbulletin, only .html and .jpg files.
I have replaced ALL .html files and some .jpg but still cant see the pictures and still redirecting active, talked to hoster - nothing suspicious (malware/trojaner) found on server.
Reply With Quote
  #13  
Old 01-02-2013, 02:55 PM
In Omnibus's Avatar
In Omnibus In Omnibus is offline
 
Join Date: Apr 2010
Location: Inside A Blade Server
Posts: 840
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Are you able to access the AdminCP using tools.php?

--------------- Added [DATE]1357142189[/DATE] at [TIME]1357142189[/TIME] ---------------

The first thing I would do is to replace the index.php file with the default file. You should be able to do that much via FTP.
Reply With Quote
  #14  
Old 01-02-2013, 02:57 PM
Traxdata Traxdata is offline
 
Join Date: Jul 2004
Posts: 128
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

never tried, do I have to login on tools.php? if so, then no way.

--------------- Added [DATE]1357143095[/DATE] at [TIME]1357143095[/TIME] ---------------

no way, it asks for member# and redirects to another website,
Reply With Quote
  #15  
Old 01-02-2013, 03:41 PM
Simon Lloyd's Avatar
Simon Lloyd Simon Lloyd is offline
 
Join Date: Aug 2008
Location: Manchester
Posts: 3,481
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

It seems to me that one or more of your core files hasn't been overwritten, you will also have a file or two which doesn't belong in your forum root which is rewriting the infection every time it doesn't see it, my suggestion would be to rename your forum folder add a new folder then name it to what your forum folder was, upload all fresh files (with the install/install.php deleted and the config.php.new edited for your database and renamed to config.php) and then try to access, if you can then you need to search your old folder for files that shouldn't be there, delete them, then upload with overwrite via ftp in ascii mode your fresh files in to the renamed folder, rename the temp folder to something else and then rename your old folder back to it's original and see how you go.
Reply With Quote
Благодарность от:
In Omnibus
  #16  
Old 01-02-2013, 03:56 PM
Traxdata Traxdata is offline
 
Join Date: Jul 2004
Posts: 128
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

The problem found, it was also infected .htaccess file in www, I have added one in root but not in www............... shame on me.

. so if one of you will ge the same issue.

But still - it were about 10 infected vbulletin files - you have to delete them, you can easily find them but checking the date - the older and not changed ones are harmful, only recently changed you have to delete and replace with old original files.

The problem came with Filezilla, it seems to be well known problem, I would recommend to login with SFTP and not with FTP if using Filezilla and then changing all the PWs.

--------------- Added [DATE]1357146302[/DATE] at [TIME]1357146302[/TIME] ---------------

Quote:
Originally Posted by Simon Lloyd View Post
It seems to me that one or more of your core files hasn't been overwritten, you will also have a file or two which doesn't belong in your forum root which is rewriting the infection every time it doesn't see it, my suggestion would be to rename your forum folder add a new folder then name it to what your forum folder was, upload all fresh files (with the install/install.php deleted and the config.php.new edited for your database and renamed to config.php) and then try to access, if you can then you need to search your old folder for files that shouldn't be there, delete them, then upload with overwrite via ftp in ascii mode your fresh files in to the renamed folder, rename the temp folder to something else and then rename your old folder back to it's original and see how you go.
YEs, it was the first I did, I deleted and replaced all recently changed files (.php), all index.html and other .html files, and have created new .htaccess but did not in www, it was such waste of time! I could be ready within 10 minutes.

Database was not effected - thankfully!!! since it could take ages to restore.
Reply With Quote
Благодарность от:
Brandon Sheley
  #17  
Old 01-02-2013, 04:08 PM
Amaury Amaury is offline
 
Join Date: Nov 2011
Location: Ellensburg, WA
Posts: 1,075
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I'd suggest filing a ticket so vBulletin can help.

Also, which version of vBulletin 3 are you running?
Reply With Quote
  #18  
Old 01-02-2013, 04:20 PM
Simon Lloyd's Avatar
Simon Lloyd Simon Lloyd is offline
 
Join Date: Aug 2008
Location: Manchester
Posts: 3,481
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Traxdata View Post
The problem came with Filezilla, it seems to be well known problem, I would recommend to login with SFTP and not with FTP if using Filezilla and then changing all the PWs.
Thats possible because filezilla stores your passwords as plain text, however, the passwords will not have been transmitted elsewhere by filezilla but rather you have/had an infection on your own pc that's found and relayed these.

--------------- Added [DATE]1357147387[/DATE] at [TIME]1357147387[/TIME] ---------------

One other thing, if your .htaccess was infected then thats not an issue with vbulletin but more with a server vulnerability as only you or your server control panel can affect the .htaccess.
Reply With Quote
Благодарность от:
Brandon Sheley
  #19  
Old 01-02-2013, 04:23 PM
Max Taxable's Avatar
Max Taxable Max Taxable is offline
 
Join Date: Feb 2011
Posts: 3,134
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Simon Lloyd View Post
Thats possible because filezilla stores your passwords as plain text, however, the passwords will not have been transmitted elsewhere by filezilla but rather you have/had an infection on your own pc that's found and relayed these.
Couldn't thank the post so, thanks here! You are 100% correct.
Reply With Quote
  #20  
Old 01-02-2013, 04:31 PM
Simon Lloyd's Avatar
Simon Lloyd Simon Lloyd is offline
 
Join Date: Aug 2008
Location: Manchester
Posts: 3,481
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

You're too kind , although this is sadly true in so many "i've been hacked" cases, we're all guilty of some security faux pas at sometime or another and only realise it when our world seems like it's caved in!
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 04:22 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04238 seconds
  • Memory Usage 2,267KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (10)post_thanks_box
  • (3)post_thanks_box_bit
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (3)post_thanks_postbit
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete