Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 11-06-2015, 10:25 AM
digif's Avatar
digif digif is offline
 
Join Date: Feb 2009
Location: Bosnia
Posts: 198
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Security leak: malware infected

So, yesterday out of nowhere, google sent me a mail that they've blocked my forum because they found malware on my forum. If I try to visit it directly, both firefox and chrome also block the visit with that usual page and you have to ignore it to get to the forum. Of course, same is on google search engine too.

I've contacted my hosting provider and they've told me my version which is -3.8.4. patch level 2- has security leak and that my forum was attacked before but they've removed everything, this time it happened on March and google found out yesterday.

Hosting provider recommended me to overwrite all the files, but I'm unsure if I'll lose some settings if I do that with original vB files. Also, do I have to do the same with the plugins as well?

Even if I do that, how can I know it won't happen again? I can't download v3.8.9. but I can see on vbulletin.com that I can download 4.0.2. version patch level 11, but how can I do that if I haven't payed for upgrade?

The main question is bolded so please let me know asap what do I do, and will I lose some settings?
Reply With Quote
  #2  
Old 11-06-2015, 10:40 AM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Your host is full of crap, how would they know your vBulletin version is vulnerable to exploits? Any evidence on their claims?

There's no way for us to know that you'll lose settings if you overwrite all the files, we don't know if you made modifications to vBulletin's core files. You could leave the plugins, you may want to check if all the plugins you use are safe though.

There are so many factors in this, it's not possible to know before-hand that you forum will not be "hacked" again. It's entirely possible that you have a vulnerable plugin installed, or a backdoor on your server, or had your FTP login stolen, or have a malicious hook installed, etc.
Reply With Quote
  #3  
Old 11-06-2015, 11:38 AM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
 
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Yes and no, if he specified Google flagged it then they might have had "hacked" on their radar per say. I always overwrite all files before attempting to clean a hacked site then sometimes again after finding and removing shell scripts to be extra safe although I've ran into some doozies lol!

Dave is right though, a lot of factors here however explaining all those is a job for everyone but me, it's field trip time with my youngest daughter so I'll have to check back on this and help if I can in a few hours, I shall wish you good luck until then!

Some links that might come in handy:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/artic...vbulletin-site
Reply With Quote
  #4  
Old 11-06-2015, 02:29 PM
digif's Avatar
digif digif is offline
 
Join Date: Feb 2009
Location: Bosnia
Posts: 198
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thank you both for the reply. So last night I've asked my hosting provider to manually check and remove malware from my forum, they've said they did, so I've applied for review from google again, which resulted badly - google said there is still a malware.

So I've decided to overwrite only files which were showing as infected on google (index.php and forumdisplay.php, while I was doing that, users told me that forum already works, so I don't know how was it suddenly removed from google blacklist. Even on my google webmasters my forum still shows malware infected, but it's not on google's blacklist anymore..
Reply With Quote
  #5  
Old 11-06-2015, 05:30 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I just tried the site in your signature and there is something going on there. Try clearing your site cookies and then go to your site and you will see it.
Reply With Quote
  #6  
Old 11-06-2015, 05:45 PM
digif's Avatar
digif digif is offline
 
Join Date: Feb 2009
Location: Bosnia
Posts: 198
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I did but can't see anything, how do you mean something is going on? I know my site is back, that's what I wrote in the last post, if you meant that.
Reply With Quote
  #7  
Old 11-07-2015, 05:42 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

This is what I get when I go to your website:

Attachment 153630
Reply With Quote
  #8  
Old 11-08-2015, 10:07 PM
digif's Avatar
digif digif is offline
 
Join Date: Feb 2009
Location: Bosnia
Posts: 198
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Yes, it's happening again. Can you help me? How do I fix this issue?

--------------- Added [DATE]1447033158[/DATE] at [TIME]1447033158[/TIME] ---------------

Guys, so I went to phpmyadmin, forum database, table datastore and field pluginslist, in there I found this line at the top of it - Noob @ +++++++ . vn

I believe that's the guy who broke there and put some lines but I don't know which ones. I've googled something that vBSEO plugin has a leak so I've removed it, but now I need to remove those lines.

I've contacted my hosting provider to see if they have old backups of this, but if they don't what is my next step? How do I find out which ones did he put there?

--------------- Added [DATE]1447034562[/DATE] at [TIME]1447034562[/TIME] ---------------

I guess that's just the mail of one plugin creator. But I went to my plugins page and checked my versions, and found out that my ibproarcade plugin doesn't exist on this forum and that there is a thread that everyone needs to upgrade it to new version because of security issue - https://vborg.vbsupport.ru/showthread.php?t=279245. Could this be the way they've inputed malware on my hosting?

--------------- Added [DATE]1447036147[/DATE] at [TIME]1447036147[/TIME] ---------------

I've updated arcade plugin anyway, just in case. The other outdated plugin is vBadvanced which is 3.2.1 and latest is 4.3.0 but I think they don't have security issues with older versions.

--------------- Added [DATE]1447077012[/DATE] at [TIME]1447077012[/TIME] ---------------

I've installed latest version of vBadvanced as well, just in case..
Reply With Quote
  #9  
Old 11-09-2015, 08:42 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

To rebuild the plugins line in your datastore table, just go to your plugins and disable one, then enable it again.

If you go to admincp > plugins & products > plugin manager, are there any plugins listed at the top under the header of "vBulletin"?
Reply With Quote
  #10  
Old 11-09-2015, 10:09 PM
digif's Avatar
digif digif is offline
 
Join Date: Feb 2009
Location: Bosnia
Posts: 198
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 07:42 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04313 seconds
  • Memory Usage 2,273KB
  • Queries Executed 14 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete