Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 09-17-2013, 12:51 PM
obglobal.net obglobal.net is offline
 
Join Date: Jan 2013
Posts: 203
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Hacked again! 2nd time in 2 weeks! Cannot access ACP.

This is ridiculous.

I don't know how to handle this kind of stuff! I can't even access my ACP to delete this dude.

Hacked by Ari Tiga Angka Enam.

Why is vBulletin so easy to hack? Someone please guide me through what to do via cPanel.

I lost about 50 posts last time because I reverted to a backup.

So over it.:down:
Reply With Quote
  #2  
Old 09-17-2013, 01:37 PM
TheLastSuperman's Avatar
TheLastSuperman TheLastSuperman is offline
Senior Member
 
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Moved to vB4 General Discussion. I would guess that you overlooked something the first time around... a plugin was still present, the datastore table had a plugin within... a shell script on your server... any number of things honestly be sure to check using these links and be VERY THOROUGH grab a cup of coffee, do it right and above all else do not become frustrated that is the #1 thing many do and assume that since it started working after they uploaded files that its fine, no you need to be very in-depth after being hacked not only for your safety but for the safety of all your community members.

http://www.vbulletin.com/forum/blogs...vbulletin-site
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Reply With Quote
Благодарность от:
socialteenz
  #3  
Old 09-17-2013, 01:41 PM
socialteenz's Avatar
socialteenz socialteenz is offline
 
Join Date: May 2011
Posts: 465
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Did you remove the install directory? Check for all the users with admin privilege & change all your admin passwords.
Reply With Quote
Благодарность от:
TheLastSuperman
  #4  
Old 09-17-2013, 02:02 PM
obglobal.net obglobal.net is offline
 
Join Date: Jan 2013
Posts: 203
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by TheLastSuperman View Post
Moved to vB4 General Discussion. I would guess that you overlooked something the first time around... a plugin was still present, the datastore table had a plugin within... a shell script on your server... any number of things honestly be sure to check using these links and be VERY THOROUGH grab a cup of coffee, do it right and above all else do not become frustrated that is the #1 thing many do and assume that since it started working after they uploaded files that its fine, no you need to be very in-depth after being hacked not only for your safety but for the safety of all your community members.

http://www.vbulletin.com/forum/blogs...vbulletin-site
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
I got this from my hosting service:

I have checked your site and found the following suspicious files:

Code:
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/admincp/plugin.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/admincp/help.php
[HEX]php_nested_base64_510 : [15/09/13] /home/obglobal/public_html/admincp/nsuser.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/admincp/index.php
[HEX]php_nested_base64_510 : [17/09/13] /home/obglobal/public_html/admincp/black.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/admincp/admin.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/forum.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/index.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/showthread.php

Can someone PLEASE tell me how to clean these out? I really have no idea what to do and I'm desperate.

--------------- Added [DATE]1379430244[/DATE] at [TIME]1379430244[/TIME] ---------------

Quote:
Originally Posted by socialteenz View Post
Did you remove the install directory? Check for all the users with admin privilege & change all your admin passwords.
Yeah, I did.

Can I change my passwprds via cPanel, do you know?
Reply With Quote
  #5  
Old 09-17-2013, 03:34 PM
Spangle Spangle is offline
 
Join Date: Jun 2011
Posts: 520
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by obglobal.net View Post
I got this from my hosting service:

I have checked your site and found the following suspicious files:

Code:
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/admincp/plugin.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/admincp/help.php
[HEX]php_nested_base64_510 : [15/09/13] /home/obglobal/public_html/admincp/nsuser.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/admincp/index.php
[HEX]php_nested_base64_510 : [17/09/13] /home/obglobal/public_html/admincp/black.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/admincp/admin.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/forum.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/index.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/showthread.php

Can someone PLEASE tell me how to clean these out? I really have no idea what to do and I'm desperate.

--------------- Added [DATE]1379430244[/DATE] at [TIME]1379430244[/TIME] ---------------



Yeah, I did.

Can I change my passwprds via cPanel, do you know?
Firstly I would check all those files, check them against what is uploaded when you do an install, then check them against what is those folders for each plugin.
Delete any that you cannot find.

off the top of my head this one looks a bit suspicious

/home/obglobal/public_html/admincp/black.php
Reply With Quote
  #6  
Old 09-17-2013, 04:36 PM
socialteenz's Avatar
socialteenz socialteenz is offline
 
Join Date: May 2011
Posts: 465
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by obglobal.net View Post
I got this from my hosting service:

I have checked your site and found the following suspicious files:

Code:
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/admincp/plugin.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/admincp/help.php
[HEX]php_nested_base64_510 : [15/09/13] /home/obglobal/public_html/admincp/nsuser.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/admincp/index.php
[HEX]php_nested_base64_510 : [17/09/13] /home/obglobal/public_html/admincp/black.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/admincp/admin.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/forum.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/index.php
[STR]Hacked_by_string : [17/09/13] /home/obglobal/public_html/showthread.php

Can someone PLEASE tell me how to clean these out? I really have no idea what to do and I'm desperate.

--------------- Added 17 Sep 2013 at 15:04 ---------------



Yeah, I did.

Can I change my passwprds via cPanel, do you know?
Yes, you can change the passwords via admincp.

Seems like you need to upload all vbulletin files again.

Check for vulnerable plug-in's too.

My bad, seems like superman summed it up nicely. Check his links.
Reply With Quote
  #7  
Old 09-17-2013, 05:06 PM
Steve-Hoog Steve-Hoog is offline
 
Join Date: Sep 2010
Posts: 33
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

obglobal.net

Sounds like you got very close to the same thing I got. Our entire vB software was destroyed.

Basically I had to hire someone to clear out all files, reload the vB software, and then re introduce the database. And I can only thank God our database was not destroyed.

You definitely have a different hacker than I had; but I went by your URL and from what you posted in here I think you are screwed just like I was.

Steve
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 01:28 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.09850 seconds
  • Memory Usage 2,238KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (4)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (7)post_thanks_box
  • (2)post_thanks_box_bit
  • (7)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (2)post_thanks_postbit
  • (7)post_thanks_postbit_info
  • (7)postbit
  • (7)postbit_onlinestatus
  • (7)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete