The Arcive of Official vBulletin Modifications Site.

loua_oz · #11 09-18-2013, 02:54 AM

Posted in another tread, Plug Ins had a script "OverrideAdminRights" in ForumRunner, could be seen in "Product Management".

The Mailman · #12 09-19-2013, 07:24 PM

Quote:

Originally Posted by Lynne

After you were first hacked, did you make sure to check your Administrator usergroup and verify you didn't leave their account as an Administrator (so they could still access the admincp)? And, did you go through your Plugin Manager and make sure they didn't add any plugins to your site? Also verify that all your old plugins haven't been touched and had bad code added to them. If you can't do those things, I'd suggest using a database backup. Also, make sure all the files uploaded to the site are default vbulletin files and not files added by the hackers.

I did and noticed like 4 more admins were added, but this was the first attack - I deleted that database and rolled back to a pre-hack one. I tried a fix and the second time they got in they didn't do this, but rather just take over my admin account. They did add a plugin that was noticeable, "cumlauncher2000"

But like I said, I've rolled back to a pre-attack db and updated all plugins and so far so good...but don't know if they've just lost interest for this week or if I'm still vulnerable.

Quote:

Originally Posted by loua_oz

Posted in another tread, Plug Ins had a script "OverrideAdminRights" in ForumRunner, could be seen in "Product Management".

well good thing I deleted forumrunner altogether

AramisErak · #13 09-20-2013, 10:12 AM

Did you remember to change your passwords to both the server and the bbs after the rollback?

If they're changing the unmodifiable users list, it sounds like they hacked into the server, not just the BBS, at which point they could manually hack the config file where you set the umodifiable users.

You may wish to ask your hosting provider to check the server for exploit code as well.

If that config file is set to mod 777, ( -rwxrwxrwx), you probably should log into a terminal to the server, and chmod the file to 555 (-r-xr-xr-x).

huskermax · #14 09-20-2013, 02:14 PM

Quote:

Originally Posted by Steve-Hoog

The Mailman

Just for grins, do you have any of these Plugins?

I have chat box and top posters.

I am trying to confirm with Valter if I have all the right files.

Bubble #5 · #15 09-20-2013, 05:00 PM

Good article HERE about security.

I would also add THIS mod. Has helped us a lot in the past.

The Mailman · #16 10-03-2013, 12:27 AM

Quote:

Originally Posted by AramisErak

Did you remember to change your passwords to both the server and the bbs after the rollback?

If they're changing the unmodifiable users list, it sounds like they hacked into the server, not just the BBS, at which point they could manually hack the config file where you set the umodifiable users.

You may wish to ask your hosting provider to check the server for exploit code as well.

If that config file is set to mod 777, ( -rwxrwxrwx), you probably should log into a terminal to the server, and chmod the file to 555 (-r-xr-xr-x).

it's not 777, it was 644, should it be 555?

they hacked the site again. they know the name of the new sql database i made (it was named after the hacker) and his first move was to change my email address (the name he made up referenced the sql db name i made, trying to send a message or whatever) to a yopmail and i presume begin a password reset. config says i, the admin (#1) am an unmodifiable user...

how could he know the db name? should config be 555d?
how do i disable the password reset function in the interim?

findingpeace · #17 10-03-2013, 01:00 AM

Really sorry to read this, The Mailman

No one should be able to hack your vBulletin like this, regardless of the config.php permissions. Who is your hosting company? Do you run on shared, VPS, or dedicated?

Have you changed root/whm, cpanel, FTP, and all vBulletin admin passwords?

If you have a good hosting company, please ask them to run a malware scan on your server. If they won't, you can install & run maldet for unix. If you have an amazing hosting company, ask them to find logs showing who is doing what. Have you grabbed IP addresses yet? Perhaps they can narrow it down that way? If they won't, please write back here and I can give you some starting logs to glance at.

Finally, set up Host Access Control in WHM. Do not allow anyone to run FTP, cPanel, or WHM unless it's from your IP address. Again, let me know if you need assistance with this. I just went through the same thing. They're still trying, and failing now. So they can be defeated!

Good luck

This sucks.

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.05111 seconds Memory Usage 2,236KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (4)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (1)pagenav_pagelink (7)post_thanks_box (2)post_thanks_box_bit (7)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (2)post_thanks_postbit (7)post_thanks_postbit_info (7)postbit (7)postbit_onlinestatus (7)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start fetch_musername post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start post_thanks_function_fetch_thanks_bit_start post_thanks_function_show_thanks_date_start post_thanks_function_show_thanks_date_end post_thanks_function_fetch_thanks_bit_end post_thanks_function_fetch_post_thanks_template_start post_thanks_function_fetch_post_thanks_template_end pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

Благодарность от:
obglobal.net

Благодарность от:
tbworld

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!