
Closed Thread
 
  #11  
09-08-2015, 04:40 PM
HM666
Join Date: Jan 2014
Location: Little Rock, AR
Posts: 1,060
Thanks given: 0 times
Thanked 0 times in 0 posts

Quote:
Originally Posted by loua_oz
Yes, possible.
Yes again, shared hosting, it may well be their problem. As I said, seems the hackers waltz in and farm the users and their sites without apparent problem with their sites. They (webhostinghub.com) applied some measures that alert me when (some, what their poor security can detect) it happens. They quarantine the malicious code but still - it comes through their lack of security.

Issues like this have a potential to drive a hosting company out of business.

If any, the luck is my site is not commercial, no money loss. But hours lost to restore by me for someone who had ruined my site for fun.

When I asked webhostinghub.com why don't they introduce 2 level login (with RSA dongle) they said it could fix cPanel only but not "3rd Party software", possibly implying VBulletin to be at fault.
They confirmed nobody had compromised my passwords and logged in.

I still believe it is cPanel, an independent vendor, who is at fault.
No offers for help (paid) from this site would fix it. It is not VB, I think.
Always try to have frequent backups. But I'm guessing you have already got that under control. Has the hosting company upgraded cPanel lately? Do you know? I know mine upgraded my cPanel WHM within the last month or two, so possibly it's an old version. No idea.

Quote:
Originally Posted by RichieBoy67
Well it could be hosting but my guess is that it is something you have missed.

Did you delete all the files on your server and reinstall fresh? Did you run the diagnostics to look for third party files?

Have you been with this same host all the other times you were hacked?
Yeah, all good questions in trying to find the issue. Also, are you sure that there is no portion of the hack in the vBulletin database itself? Since you keep on getting the same thing, that may be possible as well.
  #12  
09-08-2015, 07:54 PM
loua_oz
Join Date: Dec 2010
Posts: 90
Thanks given: 0 times
Thanked 0 times in 0 posts

This whole business is Mickey Mouse; I am not surprised it gets hacked, the surprise is it has ever worked at all.

The hosting company upgraded cPanel (another mickeymousepieceofsh1t) 2 months ago.

The day I changed my password into free text and as guessable as "Walked d0wn the str1t and heard d0g fart while black dog humped the white 0ne" they sprayed me with banners like "Hackers can guess your password and (must click): Accept the risk: Yes No".

That tells how helpless they are.

Should I change the provider? I could, just to see that the new one is as clueless as the previous.
  #13  
09-08-2015, 09:55 PM
RichieBoy67
Join Date: Apr 2004
Location: CT - Down in a hole..
Posts: 3,057
Thanks given: 0 times
Thanked 0 times in 0 posts

Well we still do not know for sure it is your server. You have not answered my questions.

#1 - Did you wipe all the files off the server and reinstall vBulletin fresh?

#2 - Did you run diagnostics and check for files that do not belong? Did you check those files and look for debase64 code?

#3 - Did you go into the plug in manager and look for plug ins that should not be there?
Thanks from:
ozzy47
  #14  
09-08-2015, 10:18 PM
loua_oz
Join Date: Dec 2010
Posts: 90
Thanks given: 0 times
Thanked 0 times in 0 posts

Trivialities like that were done even before I posted here.

Whole root directory "rm -r", wiped out
Fresh install of VB 4.2.3
There are no plugins, all vanilla
Maintenance-Diagnostics shows nothing that should not be there

And then, I asked here why is it not going into the Forum home page and you went around and around (offering paid service via PM) instead of (if you knew it) telling me there is .htaccess file missing and that does not come with fresh install.
  #15  
09-08-2015, 11:37 PM
TheLastSuperman
Senior Member
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Thanks given: 0 times
Thanked 0 times in 0 posts

Ok so the folders and files were restored from your backup... was this a complete backup meaning - Did it contain the folders, files, AND all databases?

- If you restored the folders and files only, then the hacker apparently altered your database.
-- The reason we would speculate this to be the cause is: you stated you completely wiped the root directory, therefore uploading 100% fresh files did not fix this per your screenshot, so one would be safe to assume (despite the saying regarding that lol) that they altered your actual database. I myself have seen sites where they altered all files and also inserted their webtemplate w/ all the hacker info and silly rubbish into all templates in the style, every single template, so more than you think is going on here could quite possibly be going on; you never know until you really dig into it.
**Be careful wiping all files, most owners store their attachments in the actual filesystem and by simply deleting all "possibly" infected files you would in turn be deleting all attachments - ACK! So always check settings first before blindly deleting folders and files. I would have moved all the contents of the forums root into a new folder and CHMOD it 000 to prevent anything from running; that way, if attachments were stored that way, you could check and clean them later if need be, then simply CHMOD back to correct permissions and restore the files to the correct location.

- If you restored a complete backup including all folders, files, and databases then something else must be "up" or wrong. They may or may not have uploaded a shell script or similar such as c99 madshell or a variant and went about modifying what they could and wanted to regarding the actual server.
-- Yes, a hacker can gain access to one site on a shared server and from there gain access to others; it's not the hardest thing to do and happens all the time when people do not keep software up-to-date in regards to security and exploits. If your site is a VPS/Dedicated they can still modify the server to a certain degree if they have a shell script in place, of course depending on the sophistication of the script being used.

Check on vBulletin.com for posts and blog posts by myself and Zachery - we have useful info and queries to run that help you look for such things. Edit: Two links I included in my next post following this one.
  #16  
09-08-2015, 11:46 PM
TheLastSuperman
Senior Member
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Thanks given: 0 times
Thanked 0 times in 0 posts

Quote:
Originally Posted by loua_oz
.htaccess file missing and that does not come with fresh install.
It does, however it's located in the do_not_upload folder; despite the folder's name you do actually upload one of the .htaccess files in said sub-folders depending on your setup. So yes, upon initial installation it's not there; now let's say someone wanted to use Mod Rewrite Friendly URLs instead of the basic ones, they would have upon installation uploaded the .htaccess file required to make mod rewrite friendly URLs work in vBulletin.

So this may or may not simply be a case of a missing .htaccess file, also yes removal of or changes to an .htaccess file can make the site display wonky as if the formatting is off. Also bear in mind that over the course of a ten year span with being hacked upwards of four times... the settings and such despite it being vanilla in regards to modifications could still have template edits or other changes made internally that do not show nor are reflected in the actual files. So a call to a site or a file inserted into a template could be your backdoor here as well, I'd go through the database and use the queries in our blog posts to see if anything comes up.

Edit: Here are two links; back up your database if not already before doing anything:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/artic...vbulletin-site

Edit yet again! Per your second screenshot, it looks as if you had the CMS set up in the root folder and all the forum files uploaded to /forums/, so make sure you do the same setup again if that was the case. If a pertinent file is missing such as index.php (and nothing else such as an index.html file exists) then it has no way to render a missing file and will therefore list the contents of the directory. Basically to sum it up, servers are typically set up to look in a certain order for important files, or well I should phrase it "looks for commonly known files such as index.php, index.html, index.aspx or similar as they render content to browsers"; usually it looks for index.php first then looks for index.html, which by the way can be changed, i.e. the order, but in your case it seems as if some files were not uploaded properly after restoring.
*****Just make sure you grasp that: you had set up the CMS in the root and the forums in /forums/, then read the info on how to set up the CMS in root and forums in a folder and ensure it's all done correctly and you *should* be back to normal, unless of course it is like I initially suspected and the hacker modified the actual database.
Thanks from:
RichieBoy67
  #17  
09-09-2015, 12:26 AM
bremereric
Join Date: Aug 2011
Location: Tomball Texas
Posts: 203
Thanks given: 0 times
Thanked 0 times in 0 posts

I just stepped up to Sucuri's cloud proxy firewall. After the 5th time I have been hacked.
  #18  
09-09-2015, 01:28 AM
HM666
Join Date: Jan 2014
Location: Little Rock, AR
Posts: 1,060
Thanks given: 0 times
Thanked 0 times in 0 posts

Yeah, my thought was after all files had been deleted the only thing left is something put into the database. I've seen client sites that were hacked not only in the physical files but they also somehow gained access into the admin panel and put some weird non-vB stuff in the templates, mainly calling their hack into the site instead of your regular vBulletin front page or other pages. Then if you make a full backup of your database after that hack happens it's still lodged in there and you restore and voila, the hacker is back. This is definitely something you should check when trying to completely rid yourself of the hack and get your site back on track. The thing here is if this is in your database then even if you switch hosts the hack will follow you. So there are some things that you really need to check out first before deciding to make a move to a new host.

Not too long ago there was a hacker that went around gaining access to vB web sites via this kind of hack. They would upload files on the site and put stuff in the templates. To know if you had this kind of hack was pretty simple. You all of a sudden out of nowhere had a newly registered member that was an admin and had access to your ACP and there were admins other than the ones you had in place logging into the panel. Simply deleting their account and deleting the physical files did not kill the hack because they had put some hacker code into random templates.

Now if that is not the case and you do not remember deleting any random weird rogue admin accounts then as others have said it's possible there is something else going on or the hack is elsewhere. It's best to make 100% sure that if you switch hosts that this hack is not lurking about in your database before proceeding.
  #19  
09-09-2015, 02:56 AM
loua_oz
Join Date: Dec 2010
Posts: 90
Thanks given: 0 times
Thanked 0 times in 0 posts

Thank you,
The hacked directory (root and subdirectories) were saved by the provider as soon as I requested them to down the site (it was displaying hackers' message and I could not get into admin to shut it down).

Just went in and chmod to 000 what they saved, thanks for that. Poking around the site there is nothing visibly wrong.

If a file or directory is touched, it shows the timestamp that sticks out when the directories are listed.
Several times I saw things like "maill.php" that was inserted without harming the site contents.

Indeed, as I am on the shared server, there could be 100s of sites hosted on one physical machine.
However disciplined I might be, a slack site owner on the server may invite trouble for all?

Is there some tool to check the database? The cPanel provided by webhostinghub.com has "database repair" and it ran cleanly.

--------------- Added 09-09-2015 at 05:16 AM ---------------

Just remembered. In

./includes/config.php

there is a hardcoded database name and password, in plain sight, unencrypted

// ****** MASTER DATABASE USERNAME & PASSWORD ******
// This is the username and password you use to access MySQL.
// These must be obtained through your webhost.
$config['MasterServer']['username'] = 'dbname_admin';
$config['MasterServer']['password'] = 'unencripted_password';


Is that how it should be? Never seen that in my life.
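
The two file-level checks raised in this thread, looking for "base64 code" and for files whose timestamp sticks out (such as the stray maill.php), can be scripted. The following is an added example, not code from any poster or from vBulletin; the function names, the sample tree and the one-hour window are assumptions made for illustration.

```python
import os
import re
import tempfile
from collections import Counter

# eval() wrapped around a decoder: the "base64 code" pattern. Plain eval() is
# not flagged because vBulletin's own plugin hooks call eval() on stored code.
OBFUSCATED = re.compile(
    rb"eval\s*\(\s*@?\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)

def audit_tree(root, window=3600):
    """Return sorted [(relative_path, [reasons])] for files that stand out."""
    files = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            files.append((path, os.stat(path).st_mtime))
    if not files:
        return []
    # Baseline: the busiest time bucket, assumed to be the fresh upload.
    base = Counter(int(m // window) for _p, m in files).most_common(1)[0][0]
    findings = []
    for path, mtime in files:
        reasons = []
        # Forged mtimes defeat this check, so a clean result proves nothing.
        if abs(int(mtime // window) - base) > 1:
            reasons.append("mtime outside upload window")
        if path.lower().endswith(".php"):
            with open(path, "rb") as fh:
                if OBFUSCATED.search(fh.read()):
                    reasons.append("eval of decoded data")
        if reasons:
            findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

def demo():
    upload = 1441000000  # constructed upload time (epoch seconds)
    tree = {  # constructed sample files: relative path -> (content, mtime)
        "index.php": (b"<?php require './global.php';", upload),
        "includes/config.php": (b"<?php $config = array();", upload + 30),
        "forumdisplay.php": (b"<?php eval($hook);", upload + 60),
        "maill.php": (b"<?php eval(base64_decode('ZWNobyAxOw=='));", upload + 5 * 86400),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (content, mtime) in tree.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
            os.utime(path, (mtime, mtime))
        return audit_tree(root)

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for manual review: files edited after the upload, such as a configured config.php or stored attachments, will also fall outside the window.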
  #20  
09-09-2015, 02:25 PM
alcazarx
Join Date: Jul 2014
Posts: 108
Thanks given: 0 times
Thanked 0 times in 0 posts

Most webscripts store config data in plain text; under normal conditions users can't view/use them.
If a hacker has access to the files of your script it doesn't matter if the data is encrypted or not, he can get it by decrypting them (unless it's one-way encryption).

As for the DB, you have to check it manually if it's ok (or send it to an expert here); the "repair" functions that the DB or hostings offer are to fix damaged tables or db's, not to remove unwanted elements.
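
Since a host's "database repair" only fixes damaged tables, a manual check can start from an SQL dump of the forum database. This is an added example, not code from the thread or from vBulletin: it scans only the INSERT statements for the `template` and `plugin` tables, and those table names, the optional prefix, the lead patterns and the sample lines are assumptions to verify against your own schema.

```python
import re

# Assumption: vBulletin 4 keeps style templates in `template` and plugin PHP in
# `plugin`, optionally behind a table prefix (e.g. `vb_template`).
INSERT = re.compile(r"^INSERT INTO `(\w*?)(template|plugin)` ", re.I)
LEADS = {
    "decoder call": re.compile(r"base64_decode\s*\(|gzinflate\s*\(", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
    "hard-coded remote script": re.compile(r"<script[^>]+src=\\?[\"']https?://", re.I),
    "remote include": re.compile(
        r"(?:include|require)(?:_once)?\s*\(?\s*\\?[\"']https?://", re.I),
}

def scan_dump(lines, context=30):
    """Return [(line_no, table, lead, snippet)] for hits in template/plugin INSERTs."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = INSERT.match(line)
        if not m:
            continue  # posts, PMs etc. may quote such strings legitimately
        for lead, rx in LEADS.items():
            for hit in rx.finditer(line):
                lo, hi = max(hit.start() - context, 0), hit.end() + context
                hits.append((no, m.group(2).lower(), lead, line[lo:hi]))
    return hits

# Constructed sample lines in mysqldump style (quotes inside values are escaped).
SAMPLE_DUMP = [
    r"INSERT INTO `vb_post` VALUES (1,'how do I use base64_decode( in PHP?');",
    r"INSERT INTO `vb_template` VALUES (10,1,'FORUMHOME','<div>{vb:raw navbar}</div>"
    r"<iframe src=\"http://example.invalid/x\" width=0></iframe>');",
    r"INSERT INTO `vb_plugin` VALUES (3,'Cache','global_start',"
    r"'eval(base64_decode(\'ZWNobyAxOw==\'));','vbulletin',1);",
    r"INSERT INTO `vb_template` VALUES (11,1,'footer','<div>{vb:raw copyright}</div>');",
]

if __name__ == "__main__":
    for no, table, lead, snippet in scan_dump(SAMPLE_DUMP):
        print(f"line {no} [{table}] {lead}: ...{snippet}...")
```

Dumping with mysqldump's `--skip-extended-insert` option puts one row on each line, which makes the reported line numbers point at a single template or plugin.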
All times are GMT. The time now is 04:07 PM.

