Go Back   vb.org Archive > vBulletin Modifications > vBulletin 4.x Modifications > vBulletin 4.x Add-ons

Reply
 
Thread Tools
Check If Your Forum Was Hacked Details »»
Check If Your Forum Was Hacked
Version: 1.00, by SEOvB SEOvB is offline
Developer Last Online: May 2015 Show Printable Version Email this Page

Category: Administrative and Maintenance Tools - Version: 4.x.x Rating:
Released: 11-04-2013 Last Update: Never Installs: 30
Additional Files  
No support by the author.

//////////////////////////////////
// This Script is Brought To You By: SEOvB | Affordable vBulletin Services
//////////////////////////////////

As most of us know, a vulnerability in the install directory was recently found in vBulletin. Due to this vulnerability, thousands of vBulletin-powered sites got hacked; hackers managed to gain access to the AdminCP to inject malicious content.

When a forum is first hacked, hackers create admin accounts for themselves, and that's actually the time where cleanup is most required, to fence off the hackers and enhance security. But, majority of forum owners don't even know they actually got hacked until Google puts a veil on their forum with malware warning page.

At that point, removing the install directory, the main point of entry for hackers, won't help because the forum has already been compromised, and a more thorough checkup is needed to ensure that no malicious code has been injected.


- What This Script Does ?
This script will scan forum templates, plugins, phrases, announcements and forum titles and descriptions to detect potential and confirmed malicious code. It will give you the information you need to determine whether or not your forum has been hacked, and a recommendation on what action to take next.

- Demo Link
You can view a live demo of the script here.

- How to Upload:
Upload SEOvB_Hack_Checker.php in root of forum files on server (Within public_html if forum is installed on root, upload in any other directory if forum is installed on /public_html/exampledirectory)

- How to Access the Script:
Point your browser's address bar to open http://www.YOURFORUMURL.com/forum/SE...ck_Checker.php (Case sensitive and suppose if forum is installed into /forum/ directory on server.)

- New Templates
None.

- Database Changes
None.

- Setup Instructions
No setup is needed.

- What does it do?
It tests for potential and confirmed malicious code in certain sections of your forum database, and it arranges the test results in an easy-to-read table.

If you receive a 'Warning' message, it means that the script detects some code or recent change to your forum that may be cause for concern, but isn't for certain a hack. The script scans for changes made within the last 3 months, so if you have made many changes to your forum skin or mod assortment within the past 3 months, there may be some false positives.

You can review the extra information in the test results section to determine whether or not your forum needs further cleaning. However, even with just one 'Warning', we highly recommend a full investigation and cleanup process to make sure that your forum is safe.

If you receive a 'Hacked' message, it means that your forum has definitely been compromised, and a thorough cleanup needs to be performed ASAP.

If you receive only 'All Clear' messages, it means that your forum has not been hacked.

- Requirements
Should work on all vBulletin versions of 4.x.x

- Uninstall Instructions
Delete SEOvB_Hack_Checker.php file from root of forum files.

- FAQs

- After I remove malicious items from my forum, what this script will do ?
It will say 'All Clear' for the cleared items.

- Some of the items are coming with 'All Clear' except 1, what does it mean ?
Your forum may require cleanup.

- Will it tell me which items are containing warning ?
Yes, it will. It will let you know, if templates are infected, with the template name and last modified by whom.

Download Now

File Type: php SEOvB_Hack_Checker.php (6.2 KB, 201 views)

Screenshots

File Type: jpg SEOvB_Hack_Checker Page.jpg (55.4 KB, 0 views)

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
Благодарность от:
Black Snow

Comments
  #12  
Old 11-06-2013, 01:37 PM
winky8300 winky8300 is offline
 
Join Date: May 2008
Posts: 74
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

hello

thank you very much concerned about the safety of our forums
Reply With Quote
Благодарность от:
SEOvB
  #13  
Old 11-06-2013, 04:54 PM
scottct1 scottct1 is offline
 
Join Date: Mar 2002
Location: Connecticut
Posts: 391
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I try running it and I get the following message..

Access denied.
Reply With Quote
  #14  
Old 11-07-2013, 01:02 AM
SEOvB's Avatar
SEOvB SEOvB is offline
 
Join Date: May 2007
Location: Indianapolis
Posts: 2,451
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by scottct1 View Post
I try running it and I get the following message..

Access denied.
Hi Scott,

Is that the entirety of the message? This may be an issue with the file permissions on the script or with your webserver configuration. Try to set the file permission on the script to 755 and run it again. If that doesn't solve the issue, please send us a PM with a link to the script on your site, and we can take a look.

Thanks
Nick - Chief vB Developer @ SEOvB
Reply With Quote
  #15  
Old 11-07-2013, 09:20 AM
AK47- AK47- is offline
 
Join Date: Apr 2012
Posts: 76
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Malicous hooks to inject with are
Ajax_complete
init_startup
global_start
A new method which will remain private.

Hope i helped
Reply With Quote
  #16  
Old 11-07-2013, 11:10 AM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

IMO this seems to have potential. What I think would be the best way to see this workin is the following.

1. Change it from 3 months to 24 hrs. Due to the fact that the report will contain way to many false positives to try and sift through when you run it.

2. Create a table in the DB to store the report info.

3. Create a cron job that runs once a day. When it runs store the info in the previously created table. Maybe also add user id and IP info to the table, may make it easier to identify if it was a valid change to something, or from a hacker.

4. Set up a page in the acp that you can view the daily reports from. Have the ability to prune the entries in the table there by date.
Reply With Quote
2 благодарности(ей) от:
SEOvB, tareqbd
  #17  
Old 11-08-2013, 01:20 PM
Wolver2 Wolver2 is offline
 
Join Date: Oct 2010
Posts: 106
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I appreicate this mod very much. I was wondering what if there were malicious things that happened around 6 months ago? should I still use this plugin?
Reply With Quote
Благодарность от:
SEOvB
  #18  
Old 11-08-2013, 01:44 PM
SEOvB's Avatar
SEOvB SEOvB is offline
 
Join Date: May 2007
Location: Indianapolis
Posts: 2,451
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Wolver2 View Post
I appreicate this mod very much. I was wondering what if there were malicious things that happened around 6 months ago? should I still use this plugin?
If you're familiar with php then you can just adjust this line:

PHP Code:
$threshold $curtime - (60 60 24 30 3); 
Change the last "3" to "6" then it'll cover the last 6 months.

Hope that it helps.
Reply With Quote
  #19  
Old 11-18-2013, 02:52 PM
Disasterpiece's Avatar
Disasterpiece Disasterpiece is offline
 
Join Date: Apr 2007
Location: GER
Posts: 765
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I think this scripts output is generally misleading and causes panic where not necessary.

Either you should seriously refine your script and add A LOT more conditions to reduce false positives (and as it seems right now, 95% seems to be only false positives) or discontinue the mod.

Determining if a forum was hacked should be left to specialists. If you let someone who doesn't have a clue run your script, nothing good will come from it.
Reply With Quote
2 благодарности(ей) от:
CoZmicShReddeR, Quijar Haderak
  #20  
Old 11-20-2013, 02:19 AM
SEOvB's Avatar
SEOvB SEOvB is offline
 
Join Date: May 2007
Location: Indianapolis
Posts: 2,451
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Disasterpiece View Post
I think this scripts output is generally misleading and causes panic where not necessary.

Either you should seriously refine your script and add A LOT more conditions to reduce false positives (and as it seems right now, 95% seems to be only false positives) or discontinue the mod.

Determining if a forum was hacked should be left to specialists. If you let someone who doesn't have a clue run your script, nothing good will come from it.
Hi Disasterpiece,

We understand where you are coming from; the script errs on the side of caution, perhaps too much. This was originally an in-house tool that we used to quickly determine which commonly exploited sets of data needed investigating for forums that had been recently hacked. If time allows, we can refine and update the scan criteria of the script to be more precise.

However, we do disagree that the current script output is misleading and we disagree that it causes unnecessary panic. If a forum owner is concerned that his forum was hacked, which is highly likely given the recent mass attacks on vBulletin forums, we believe that this script is a good starting point for investigation and diagnosis, if the script description and instructions are carefully read and followed.

The script does not stop with a simple 'warning', but provides additional, useful information about what was modified and by whom. More information is better than less, and caution is better than carelessness, so the script provides as much information as it can, for those forum owners with some vBulletin knowledge who can understand the script output, and it also provides the most careful recommendation, for those with less vBulletin knowledge.

We do realize that this script alone is not enough for a diagnosis, which is why we recommend professional help. Speaking of which, we are happy to take a look at your script output via PM, if you have concerns, to clarify your results; we've done this a few times already.

Thanks,
Nick - Chief vB Developer @ SEOvB
Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 12:16 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.06663 seconds
  • Memory Usage 2,343KB
  • Queries Executed 27 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)bbcode_php
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (10)post_thanks_box
  • (7)post_thanks_box_bit
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (5)post_thanks_postbit
  • (10)post_thanks_postbit_info
  • (9)postbit
  • (2)postbit_attachment
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_attachment
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete