  #1  
Old 10-19-2013, 12:22 PM
XrayHead
 
Join Date: Oct 2002
Posts: 138
Site hacked please assist

In response to this thread:
https://vborg.vbsupport.ru/showpost....&postcount=101


Site URL. www.wyedeancanoeclub.co.uk
(Those reading this please note to not visit the site unless you're experienced in dealing with matters such as these as your pc can possibly become infected)

Description of what's going on.

Infection details
http://labs.sucuri.net/db/malware/ma...-mwjsiframe213

Scan here
http://sitecheck.sucuri.net/results/...anoeclub.co.uk

NOTE: I am working my way through this -
Here is vBulletin's advisory for cleaning up after this hack.

First you need to follow our advisory about deleting the install folder off your forums.
Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions


Ok I'm struggling with a couple of things, so far I have done the following by reading this thread: http://www.vbulletin.com/forum/blogs...ve-been-hacked but have a couple of questions as well.

1. I have deleted the "Install" folder and all of its contents
2. I changed my CPanel, FTP, Admincp passwords and my friend added .htaccess to admincp, modcp and includes
3. I have removed 8 "Admin User Accounts" that were definitely used by the attacker
4. I have disabled and removed the plugin titled "Product : vBulletin"

Next steps I will need some help with!

At present I do not have a database backup, I have sent a support request to my hosting company and am awaiting a reply on that.

QUESTIONS?

1. Before I deleted the plugin "Product : vBulletin" I took detailed screen captures and notes of the scripts that were run. Would it help if I added this information here?

2. Can I view a log of any database changes that were added by the attack?

3. "Restoring the default vBulletin files"

If I delete all my vBulletin files Version "4.1.5" on the server and upload "the latest stable version 4.2.2", then run the upgrade (Basically following the upgrade procedure) will this error or clear any database changes the hacker has done, or am I better to just re-upload and overwrite all the 4.1.5 files I have on there at present to see if that clears it?

I plan to dump the database and back that up before I run any upgrade.

Here is a screen cap of the admin log


Thanks in advance for any help!

--------------- Added 10-20-2013 at 08:11 AM ---------------

Still looking into this and still waiting for some advice!

This is a list of the actions performed by the plugin listed - Product: vBulletin





Here's a complete list of the plugins I have at present:

http://i38.photobucket.com/albums/e1...ps3a31cc3e.png



PS: Waiting for advice before I upgrade to 4.2.2
  #2  
Old 10-20-2013, 05:45 PM
Lynne
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180

I would guess you want to delete all those plugins listed under "Product: vBulletin" unless you added it yourself and know what it does.

Upgrading your site will most likely not fix any hacking that was done.

Did you go through your templates? I have seen several hackers modify templates and add in back code.
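
A triage sketch for the two checks suggested in the reply above (plugins filed under "Product: vBulletin", and modified templates), added here as an example and not part of any post in this thread. It assumes the rows were exported from the forum's plugin and template tables with the column names used below; the indicator patterns, sample rows and hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Heuristics only: a hit means "read this row by hand", not "confirmed malicious".
PHP_INDICATORS = {
    "dynamic-eval": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "decode-chain": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "remote-fetch": re.compile(r"\b(fsockopen|curl_exec|file_get_contents)\s*\(", re.I),
}
TAG_SRC = re.compile(r"<(iframe|script)\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def review_plugins(rows, known_titles=()):
    """List plugins filed under product 'vbulletin' that the admin does not recognise."""
    findings = []
    for row in rows:
        if row["product"].lower() != "vbulletin" or row["title"] in known_titles:
            continue
        hits = sorted(n for n, rx in PHP_INDICATORS.items() if rx.search(row["phpcode"]))
        findings.append((row["title"], row["hookname"], bool(row["active"]), hits))
    return findings

def review_templates(rows, own_hosts):
    """List templates that load an iframe or script from a host outside own_hosts."""
    findings = []
    for row in rows:
        for tag, src in TAG_SRC.findall(row["template"]):
            if not re.match(r"(https?:)?//", src, re.I):
                continue  # relative or template-variable URL, served by the forum itself
            host = (urlparse(src).hostname or "").lower()
            if host not in own_hosts:
                findings.append((row["title"], row["styleid"], tag.lower(), host))
    return findings

# Constructed sample rows; column names are assumed, payload is a non-working placeholder.
SAMPLE_PLUGINS = [
    {"product": "vbulletin", "title": "vb_cache", "hookname": "init_startup", "active": 1,
     "phpcode": "eval(gzinflate(base64_decode('...')));"},
    {"product": "vbulletin", "title": "Club calendar link", "hookname": "navbits", "active": 1,
     "phpcode": "$navbits[''] = 'Calendar';"},
]
SAMPLE_TEMPLATES = [
    {"title": "footer", "styleid": 1,
     "template": '<iframe src="http://injected.example/in.php" width="1" height="1"></iframe>'},
    {"title": "headinclude", "styleid": 1,
     "template": '<script type="text/javascript" src="clientscript/vbulletin-core.js"></script>'},
]

if __name__ == "__main__":
    print(review_plugins(SAMPLE_PLUGINS, known_titles={"Club calendar link"}))
    print(review_templates(SAMPLE_TEMPLATES, own_hosts={"forum.example"}))
```

A plugin with no indicator hits is still listed unless its title is passed in `known_titles`, since the advice is to question every plugin in that group that the admin did not add.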
  #3  
Old 10-20-2013, 05:55 PM
XrayHead
 
Join Date: Oct 2002
Posts: 138

I don't really have many template mods - I only installed one Style and edited in a couple of places. I can remove that and just start fresh with the vBulletin default if need be (will this help)?