The Arcive of Official vBulletin Modifications Site.

ThePhoneGuy · #1 11-23-2009, 05:38 PM

Well theres an issue. I followed your guys security advice to the T after SEVERAL hacking attempts. Anyways this hacks whatever it is lets the person delete whoever they wish.

Every time it shows invisible users on the dash. i have included an image.

ChopSuey · #2 11-23-2009, 08:43 PM

That person is not deleted, theres an option to set Invisible users to have some name.n I cant seem to find where it is though.

ThePhoneGuy · #3 11-23-2009, 09:00 PM

actually it does delete them. However i can re-create them if i go in and manually add there userid via mysql back. I have upgraded to vb4 we will see what happens :P.

ChopSuey · #4 11-23-2009, 09:10 PM

LOL okay then. Good luck

ThePhoneGuy · #5 11-25-2009, 04:38 AM

Hacker still got in T_T. Same method. I am upgrading to a new semi dedi server hopefully that helps.

Hell Bomb · #6 11-25-2009, 05:11 AM

get the mod, track guest views so you can get the hackers ip address and then block his op address via .htaccess or vBulletin ip address banning method.

ThePhoneGuy · #7 11-25-2009, 05:21 AM

I have his ip address T_T You dont get it. These are skilled hackers(changing ip/mac ip is a simple task."onion router

. I run a hacking website...... Possibly a form of xss. The method doesnt seem like he is hacking a users account(like an admin). So im not sure what to think. Well we will see if semi dedi stops him.

CarlitoBrigante · #8 11-25-2009, 05:48 AM

They have left a backdoor in your system, there were many many people, in the past week, with similar issues because of a vBSEO hack which granted the attacker full access to the system.

Even if you were not hacked through that specific hole, there is little doubt these people have some backdoor. Check the world-writable directories, and make sure that ALL your products are updated to the latest version (please note that the patched vBSEO version is still called 3.3.2, but the patch was added just a few days ago without a version number change).

Check for php files you did not remember having in your directories, and use the vBulletin suspicious file checker to help with this (in your diagnostic tools in vBulletin ACP).

Until you do not cleanup properly, they will be able to do whatever they want to.

ThePhoneGuy · #9 11-25-2009, 05:54 AM

i do not have vbseo. Is it possible to put any info in the sql? I am debating on clean install.

CarlitoBrigante · #10 11-25-2009, 06:07 AM

Definitely. For example, they could have injected a plugin if they hacked your database. Sometimes, they try to mask their malicious code/backdoor into existing plugins. But first, check for all php files in directories where they should not be; then use vB diagnostic tool to check for suspicious files. This find command might help you identify some files:

Code:

find . -type f -mtime -5 -name '*.php'

Change the mtime value depending on how back in time you want to go; -mtime -5 will return only files edited in the latest 5 days.

Disabling all shell execution/inclusion functions in PHP, unless you really need them, is also a good idea to stop most attacks. Check this: http://www.cyberciti.biz/faq/linux-u...ble-functions/

Also, try to go through your access logs to determine the point of entry: if you find that, then you have the key to clean-up everything more easily.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04010 seconds Memory Usage 2,262KB Queries Executed 14 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (1)bbcode_code (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (1)postbit_attachment (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_attachment postbit_display_complete post_thanks_function_can_thank_this_post_start tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!