Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
  #1  
Old 12-13-2010, 06:49 AM
AbvAvg AbvAvg is offline
 
Join Date: Apr 2008
Posts: 6
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Forum Hacked. Is DB ok?

Our vB forum (4.0.3) was hacked. We have somehow managed to start it again.
This was not a server side hacking, but only vB was hacked.

We were using default theme and there is no customisation. So a simple upgrade would take care of the files.

However, we are unsure about the sanctity of the database. Is there some way we can check this?

TIA.
Reply With Quote
  #2  
Old 12-13-2010, 02:03 PM
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Not really. I mean, you can look in the usual areas - template table, plugin table - for any base64 additions. But, there are just so many different ways to hack a site that it's very hard to know exactly what they did and/or write a list of all things to check for.
Reply With Quote
  #3  
Old 12-15-2010, 04:02 PM
AbvAvg AbvAvg is offline
 
Join Date: Apr 2008
Posts: 6
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

How do I look for base64 additions?
What other things do I need to check?

One thing is sure that it was not a server side hacking. So access to DB was limited to what vB provides.
Reply With Quote
  #4  
Old 12-15-2010, 04:17 PM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
 
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by AbvAvg View Post
How do I look for base64 additions?
What other things do I need to check?

One thing is sure that it was not a server side hacking. So access to DB was limited to what vB provides.
You'll see actual snippets of "funky" code and by that I mean code that normally does not belong there...

Code:
eval(base64_decode("aWblahblahblah
Now that can be in the database where users would normally not see it and in other cases they modify your actual .php files and insert it there or within your templates.

Along with checking for similar types of code in all those areas you'll want to check the timestamps of all files and folders on the server, look for Shell scripts those are scripts they upload that will still allow access even after you patch the original way they gained access and shells depending on how their coded can allow them to do quite a few things including but not limited to detecting what type of server your on and recording all database credentials... I dealt with one recently that also allowed them to modify and upload files through it's interface.

The main thing to be sure of is:

1. I've patched or removed how the initially gained access.
2. I've removed all malicious snippets of code.
3. I've removed any and all malicious files and shell scripts if any.

If you've never ran backups before now is a good time to get in that habit never be at a disadvantage because someone hacked your site always be on top of your game as a forum administrator or owner by being well prepared and overly cautious imo .
Reply With Quote
  #5  
Old 12-17-2010, 07:46 AM
AbvAvg AbvAvg is offline
 
Join Date: Apr 2008
Posts: 6
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I will upgrade the forum so that will replace all templates, etc.
Will then have to see thru the DB.

Thank you for your help and advise.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 04:57 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.08519 seconds
  • Memory Usage 2,189KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_code
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (5)post_thanks_box
  • (5)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (5)post_thanks_postbit_info
  • (5)postbit
  • (5)postbit_onlinestatus
  • (5)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete