Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 09-30-2013, 10:30 AM
seriousrat seriousrat is offline
 
Join Date: May 2012
Posts: 16
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Hacked Sites, How Many Recently?

Seems like everyone is getting hacked. Some threads say over 200 in the past month. Ours, http://www.seriousoffshore.com/forums/ , and one of our main members, http://www.donzi.org/ were both hacked the end of last week/over the weekend.

Has anyone been able to find out why so many recently?

Ours seems to have the hack code inserted the first part of September, then activated later. So, our recent backups are also infected which has created a major pain.

I hope this is the right place to ask the question.
Reply With Quote
  #2  
Old 09-30-2013, 10:53 AM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I have not seen a list or a count on the number of sites, but they almost all have to due with the install directory not being deleted.

To recover, please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
Reply With Quote
  #3  
Old 09-30-2013, 01:08 PM
seriousrat seriousrat is offline
 
Join Date: May 2012
Posts: 16
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Have you seen the redirect worm that is in the seriousoffshore.com/forums before (if you've looked)? They did get in through the install as you said, but then they created admin users, modified files in the admincp folder, the style templates, and the plugins. The admincp and database hacks are pretty severe. Plus, because of the delay for when it went active, our backups are infected. As our webmaster says, Every time he thinks he has everything, something else pops up.

Anyway, if anyone is familiar with the pain of this one, helpful hints are certainly appreciated.

Thanks for the input so far.
Reply With Quote
  #4  
Old 09-30-2013, 08:16 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

If you follow the two blog posts, thoroughly, and not skip any details at all, you should be ok.
Reply With Quote
  #5  
Old 09-30-2013, 08:21 PM
tbroush tbroush is offline
 
Join Date: Aug 2003
Posts: 39
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by ozzy47 View Post
If you follow the two blog posts, thoroughly, and not skip any details at all, you should be ok.
I wish that was as easy as that.
Reply With Quote
  #6  
Old 09-30-2013, 08:38 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

No one said it was easy, but there have been many successful sites to recover following the info provided in there.
Reply With Quote
  #7  
Old 09-30-2013, 08:47 PM
tbroush tbroush is offline
 
Join Date: Aug 2003
Posts: 39
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Well I guess mine has been one of the few that continues to have issues even after doing everything and more in all of those blogs.
Reply With Quote
  #8  
Old 09-30-2013, 08:51 PM
tbworld tbworld is offline
 
Join Date: Oct 2008
Posts: 2,126
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by tbroush View Post
Well I guess mine has been one of the few that continues to have issues even after doing everything and more in all of those blogs.
It is not easy and it is time consuming, and I am sorry you were hacked. Keep at it and ask questions here, if you do not understand something.
Reply With Quote
  #9  
Old 09-30-2013, 08:52 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

What is the things that keep popping up, always different, same thing, and what is the things?
Reply With Quote
  #10  
Old 09-30-2013, 09:18 PM
tbroush tbroush is offline
 
Join Date: Aug 2003
Posts: 39
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

well all he does now is when you go to the forum.php page it take you to an html page but not necessarily redirecting you anywhere. So I usually just run the upgrade script and is back to normal. So today I deleted all of the custom templates and uploaded new ones just in case the code was in there, but I have done everything else possible.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 04:13 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.07996 seconds
  • Memory Usage 2,255KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete