The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
#1
|
|||
|
|||
We have been hacked as well
Ok guys I need serious help. We were hacked and I was able to delete the Admin accounts the hackers added. Looking at the CP log all they changed was the Notice.php But I have no idea were to go to clean up the mess they made. Any help would be great.
www.jeepasylum.com --------------- Added [DATE]1378993172[/DATE] at [TIME]1378993172[/TIME] --------------- I figured it out and feel slightly stupid now. Any suggestions on how they might have been able to add admin accounts and how I can prevent this in the future. |
#2
|
||||
|
||||
I always recommend forum owners hire Securi. I use them for all my sites. they monitor the sites for intrusions, and track down and repair successful malware / virus attacks on my sites. They have been fantastic for me and they monitor all my sites.
. |
Благодарность от: | ||
ozzy47 |
#3
|
|||
|
|||
Quote:
You figured it out .....?????? Please tell .... I don't mind feeling stupid at all, Ive been banging my head against the wall all day ..... I had the exact ame hack |
#4
|
||||
|
||||
Quote:
a) fix the link, which is broken (typo) b) remove the affiliate id. AFAIR that's against forum rules here. |
#5
|
|||
|
|||
Quote:
Then you need to run ACP>Maintenance>Diagnostics>Suspect file versions That will check your VB install for any suspect files, read all the files carefully, chances are they will have created file with .php extensions, check these are what the system is expecting, if it isn't the check will say something like "expected contents not found". Then you actually need to check to see what is actually in your public_html file, deleted the suspect files, and look out for any you don't recognise, in my installation I found mail.php, password.php, password.txt. If you are unsure as to what should be there check your downloads for files that go into the root directory. Then do a check on all accounts that have admin permissions, if they have an IP address, block that address via IPDeny in your C Panel |
#6
|
|||
|
|||
These are the only ones I dont recognize
admin_rbs.php admin_rbs_banner_list.php admin_rbs_delete.php |
#7
|
|||
|
|||
Quote:
STEP 1: Login to ADMINCP STEP 2: In the left-hand margin, scroll down to NOTICES STEP 3: Click on NOTICES STEP 4: DELETE the notice with the hacker message STEP 5: Find the new admin account(s) they created. STEP 6: Note the IP address(es) used to create the admin account(s) STEP 7: DELETE the admin account(s) they created. STEP 8: BAN the IP address(es) they used. |
#8
|
||||
|
||||
Quote:
Those are part of the Rotating Banner System mod. (RBS) |
#9
|
|||
|
|||
Well found 4 more accts tonight and the modified some plugins but all it shows in the log is the plug in id. How do i tell which plugins were modified? The paypal address was also changed as well.
--------------- Added [DATE]1379125536[/DATE] at [TIME]1379125536[/TIME] --------------- I did delete the install folder off the server just now because I had forgot to. |
#10
|
||||
|
||||
Quote:
|
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|