  #1  
Old 11-20-2014, 11:06 AM
Buzzle Buzzle is offline
 
Join Date: Apr 2012
Posts: 17
I've been hacked?

Hi, I logged on today to see a random account I've never seen before with administrator. This is what he did



Can someone tell me how he got access or what he was doing once he was in?

Thank you.

Edit: /install directory has been deleted already.

Edit: Version 4.1.5 (Latest version)
  #2  
Old 11-20-2014, 11:07 AM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583

Please post all of your active add-ons here.
We also need to know which vBulletin version you're using.
  #3  
Old 11-20-2014, 11:08 AM
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

What version of vB4 are you running?
  #4  
Old 11-20-2014, 11:09 AM
Buzzle Buzzle is offline
 
Join Date: Apr 2012
Posts: 17

Quote:
Originally Posted by Dave
Please post all of your active add-ons here.
We also need to know which vBulletin version you're using.

I'm using version 4.1.5 (Latest version)

By add-ons are you referring to products? If so

  #5  
Old 11-20-2014, 11:13 AM
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929

Well, first off, that version is outdated and has unpatched security issues; you should be running the latest 4.2.2 at a minimum, or 4.2.3.

Inferno shout is outdated, and most likely did not come from this site. I would ditch that and get a different shout, such as its newer version, https://vborg.vbsupport.ru/showthread.php?t=236970
  #6  
Old 11-20-2014, 11:14 AM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583

Alright, that looks fine.
Now:

- Be sure the /install folder is not present on your vBulletin installation.
- Check all of your active plugins, there shouldn't be any fishy plugins with odd names.
- In your ACP go to Maintenance > Diagnostics > Suspect File Versions. Check if there are any weird files which were created recently on your server.
- Change the password of all administrator/moderator accounts.
- Protect your ACP with a plugin like this: https://vborg.vbsupport.ru/showthread.php?t=296383

Edit: vBulletin version is very outdated, update to the latest.
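A filesystem-level pass over the /install and recently-created-files items in the checklist above, as an added example that is not part of the thread or of vBulletin itself. The web-root path argument and the 30-day default window are assumptions.

```bash
#!/usr/bin/env bash
# Added example: filesystem triage for a forum web root after a suspected compromise.
# Usage (path is an assumption): ./triage.sh /var/www/forum 30

# Succeeds (exit 0) if the installer directory still exists under the web root.
install_dir_present() {
    [ -d "$1/install" ]
}

# Print PHP files under the web root whose content changed in the last N days
# (default 30), sorted by path. Modification times can be reset by anyone who
# had write access, so an empty list is not proof that nothing was planted.
recent_php_files() {
    root=$1
    days=${2:-30}
    find "$root" -type f \( -name '*.php' -o -name '*.phtml' \) \
        -mtime "-$days" -print 2>/dev/null | sort
}

# Run both checks and print a short report for review.
triage() {
    root=$1
    days=${2:-30}
    if install_dir_present "$root"; then
        echo "WARNING: $root/install is present; remove it"
    else
        echo "OK: no install/ directory under $root"
    fi
    echo "PHP files modified in the last $days days:"
    recent_php_files "$root" "$days" | sed 's/^/  /'
}

# Only run the report when a web root was given on the command line.
if [ "$#" -ge 1 ]; then
    triage "$@"
fi
```

Compare the listed files against a clean copy of the same vBulletin release and of each installed product before deciding what to delete.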
  #7  
Old 11-20-2014, 11:15 AM
Buzzle Buzzle is offline
 
Join Date: Apr 2012
Posts: 17

Quote:
Originally Posted by ozzy47
Well, first off, that version is outdated and has unpatched security issues; you should be running the latest 4.2.2 at a minimum, or 4.2.3.

Inferno shout is outdated, and most likely did not come from this site. I would ditch that and get a different shout, such as its newer version, https://vborg.vbsupport.ru/showthread.php?t=236970

Do you have any idea how the hacker got access to begin with?
  #8  
Old 11-20-2014, 11:15 AM
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929

Also check your plugins, ACP --> Plugins & Products --> Plugin Manager, and see if there are any unknown plugins running under vBulletin.
  #9  
Old 11-20-2014, 11:16 AM
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929

Quote:
Originally Posted by Buzzle
Do you have any idea how the hacker got access to begin with?

Well it could have been any of the security issues in the version you are running, or through Inferno shout.
  #10  
Old 11-20-2014, 11:17 AM
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929

Quote:
Originally Posted by Dave
Alright, that looks fine.
Now:

- Be sure the /install folder is not present on your vBulletin installation.
- Check all of your active plugins, there shouldn't be any fishy plugins with odd names.
- In your ACP go to Maintenance > Diagnostics > Suspect File Versions. Check if there are any weird files which were created recently on your server.
- Change the password of all administrator/moderator accounts.
- Protect your ACP with a plugin like this: https://vborg.vbsupport.ru/showthread.php?t=296383

Edit: vBulletin version is very outdated, update to the latest.

Only one I would ditch, Dave, is Inferno shout.