Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
Reload this Page 4.2.1 PL1 hacked, what to look for in logs
FAQ Community Calendar Today's Posts Search

Reply
Page 4 of 5 « First 23 4 5
 
Thread Tools Display Modes
  #31  
Old 08-10-2014, 06:56 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
And I assume the same thing for each usergroup?
Reply With Quote
  #32  
Old 08-10-2014, 06:57 PM
ifitsmedia ifitsmedia is offline
 
Join Date: Jul 2010
Posts: 102
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Yes, HTML is disabled in all usergroups as well.
Reply With Quote
  #33  
Old 08-10-2014, 06:59 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
And you have went through all the php files in your forum root, and there is nothing there that should not be?
Reply With Quote
  #34  
Old 08-10-2014, 07:04 PM
ForceHSS ForceHSS is offline
 
Join Date: Apr 2008
Posts: 6,357
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Have you changed all passwords for all admins, FTP and capnel if not it needs done. The next step is to hire someone to find out how you have been hacked
Reply With Quote
  #35  
Old 08-10-2014, 07:05 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
How about any erroneous cron jobs? ACP --> Scheduled Tasks --> Scheduled Task Manager
Reply With Quote
  #36  
Old 08-10-2014, 07:07 PM
ifitsmedia ifitsmedia is offline
 
Join Date: Jul 2010
Posts: 102
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I ran Maintenance > Diagnostics > Suspect file versions and checked every file that had a notice. Aside from some older files from previous versions of VB and old plugins, nothing was out of place.

I replaced all VB core files with fresh downloads, and replaced most plugin files as well.

Sucuri and ClamAV didn't find anything either.

--------------- Added [DATE]1407701446[/DATE] at [TIME]1407701446[/TIME] ---------------

Quote:
Originally Posted by ozzy47 View Post
How about any erroneous cron jobs? ACP --> Scheduled Tasks --> Scheduled Task Manager
Those all seem to be ok as far as I can tell. There's a couple from mods and the rest look like core VB tasks.
Reply With Quote
  #37  
Old 08-10-2014, 07:16 PM
tpearl5's Avatar
tpearl5 tpearl5 is offline
 
Join Date: Nov 2001
Location: PA
Posts: 1,014
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by ifitsmedia View Post
Thanks tpearl5. Yes, install dir was already removed.

I also suspect there is a backdoor somewhere, or a file that is vulnerable to sql injection. I'm wondering if there are some strings I can search my apache raw access logs for to identify the culprit.
I'm not sure anything would appear in the access logs, but you may want to look at and sort by the modified dates of any files (not just vbulletin ones).
Reply With Quote
  #38  
Old 08-10-2014, 07:18 PM
doctorsexy's Avatar
doctorsexy doctorsexy is offline
 
Join Date: Mar 2011
Location: earth
Posts: 383
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Why are you on 4.2.1 and not 4.2.2
Reply With Quote
  #39  
Old 08-10-2014, 07:21 PM
ifitsmedia ifitsmedia is offline
 
Join Date: Jul 2010
Posts: 102
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
It was due to incompatibility with a mod I was using. I'm no longer using it and will be upgrading, but I don't think 4.2.1 PL1 -> 4.2.2 PL1 fixes any security issues.
Reply With Quote
  #40  
Old 08-10-2014, 09:24 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Looks like you may have to resort to paying to have it sorted.
Reply With Quote
Reply
Page 4 of 5 « First 23 4 5

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 11:52 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04105 seconds
  • Memory Usage 2,256KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (3)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete