The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Repeated Hacks Since Friday
So, I've been getting repeatedly hacked over the last few days. I've been hacked in the past, maybe once every month or two. They are getting into my database somehow and changing the templates to their "hacker" pages. I inspected all index files and they are all untouched, and the only way to repair was to recover the database from an older version.

I tracked down some files that were uploaded to my "signatures" directory yesterday but it is still happening. Went to bed last night and everything was fine and awakened to a hacked board. Yesterday, I changed my pw's for my admin account, changed login and pw for my databases, changed directory login and pw for all control panels (need 2 logins and pw's to get to admincp, etc). Added login and pw for mysqldumper, admincp, modcp, and install directories. Changed cpanel login and pw for domain control panel. Updated to latest patches of all add-ons and vbulletin. I did a diagnostics and viewed all the Suspect File Versions and found nothing out of the ordinary. The only thing I could think of doing today was remove vbadvanced cmps.

Any advice would be greatly appreciated. The next step I am going to take if it gets hacked again is to delete all files on the server and do a fresh install and restore the database to that install. The first was from T3eS_hack@hotmail.com or http://www.alboraaq.net/t3es. The ones following the first did not say who it was but I am assuming the same person.
#2
Not sure if you are on a PC or not, but have you considered a keylogger? Have you done a complete scan of your system at home?
#3
|
|||
|
|||
I've been doing some more searching and found some more files. I'm slowly combing through all the files to find the hidden ones. Here is what I've found so far and have deleted them.
forum/customavatars/sni.php
classifieds/uploads/sni.php
reviewpost/data/sni.php
gallery/files/sni.php
forum/imagehosting/sni.php

These appear to be for the Sniper-SA Shell.

forum/customavatars/libe.php

And I've at least got the IP address so I can search the log files to find out what they are accessing. Is there another way to track down suspicious files? I haven't been able to find out how they are actually making it on my server. I retrieved the contents of one file, sni.php, but not of the libe.php. I'm going to keep searching for files, but until I'm done I'm not going to log on to the forums. What I've also done since then is made sure all the config files are 600 and the others are 644.

--------------- Added [DATE]1222817131[/DATE] at [TIME]1222817131[/TIME] ---------------

I've also noticed all the directories the files are showing up in are 777, mainly gallery directories and such.
#4
|
||||
|
||||
You're wasting your time combing thru directories looking for files.

The only way to remedy this situation is to completely clean the server off (or if you're on shared hosting it may be time to move). Next, reupload all the original vBulletin files; don't copy from your hosting account and yadayadayada, download a fresh copy from vBulletin.com, extract and upload. Remove all unnecessary modifications and make sure you're running the most up to date versions of whatever you must have. Audit your database for potential extra tables, rows, and admin accounts that could be lurking inside of them. Rather than operating files and folders in 777 permissions, try 755.
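
The pattern reported in this thread (PHP files such as sni.php turning up in upload directories set to 777, and the advice to use 755 instead) can be checked for directly. The script below is an added example, not part of any post above; its function names and sample tree are constructed for illustration, and it assumes a find that supports -maxdepth and -iname (GNU and BSD find both do).

```shell
#!/bin/sh
# Added example: report world-writable directories under a web root and any
# PHP-family files sitting directly inside them. Upload directories such as
# customavatars should contain images only, so every hit deserves a look.

# List directories writable by "other" (mode 777 and similar) under $1.
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# List PHP-family files located directly in world-writable directories under $1.
# Assumes directory names contain no newlines.
scripts_in_writable_dirs() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f \
            \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \) -print
    done | sort
}

# Human-readable report for a real web root.
audit_webroot() {
    echo "World-writable directories under $1:"
    world_writable_dirs "$1" | sed 's/^/  /'
    echo "PHP files inside them (upload directories should hold none):"
    scripts_in_writable_dirs "$1" | sed 's/^/  /'
}

# Build a constructed sample tree, using directory names from the thread,
# and print its location so the functions can be tried without a live site.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/forum/customavatars" "$root/forum/includes"
    chmod 755 "$root" "$root/forum" "$root/forum/includes"
    chmod 777 "$root/forum/customavatars"
    : > "$root/forum/customavatars/avatar1_1.gif"   # expected content
    : > "$root/forum/customavatars/sni.php"         # should be reported
    : > "$root/forum/includes/config.php"           # legitimate PHP, not in a 777 dir
    chmod 600 "$root/forum/includes/config.php"
    printf '%s\n' "$root"
}

# Run against a path given on the command line, e.g. ./audit.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

A clean result only means no PHP files are currently in world-writable directories; it does not replace the rebuild from fresh files and the database audit recommended in post #4.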