#1
09-09-2013, 02:17 PM
jaxo
Join Date: Dec 2011
Posts: 22
Help - my forum has been hacked

Hi, sorry, I'm not even sure if I should be posting here or on .com; however, my site has been hacked and I am unsure what to do.

I logged in today and just by coincidence noticed an administrator by the name of h311-c0d3 was online. I checked admin permissions and logs and there were about 6-7 admins there who should not have been.

I checked logs and deleted the admins. Most had no logs, but a couple had been running scripts which seem to be to do with paid subscriptions. When I tried to access this section of the admin panel it asked for a password (something I have never set, as I have no paid subs).

I'm at a bit of a loss. What should I do? How did they get in, etc.?

I'd be grateful for any advice. The site is http://cccam-exchange.com and it's running Version 4.2.0.

Thanks in advance

Jack
#2
09-09-2013, 02:25 PM
ForceHSS
Join Date: Apr 2008
Posts: 6,357

http://www.vbulletin.com/forum/blogs/michael-miller/3934768-recovering-a-hacked-vbulletin-site
#3
09-09-2013, 02:46 PM
jaxo
Join Date: Dec 2011
Posts: 22

Thanks for that link. Will have a read and see what I can do. Thanks.

--------------- Added 09-09-2013 (later edit) ---------------

From what I can see, they have tried to run scripts and have done something with the paid subscription section of the admin panel. Every tab I try to access asks for a password (which I do not know, as I have never set up any paid subscriptions). Where in the files is this password located so I can change or remove it? Or is there a query I could run to remove it?

What I have done so far is removed the rogue admins, checked config.php to see if any superadmins have been added (which they haven't), upgraded my vBulletin to the latest version and renamed the admincp. As far as I am aware they got access through the vBulletin software and not through the server.

Is there anything else I can check for or do?

--------------- Added 09-09-2013 (later edit) ---------------

Here is a copy of my admin log and what they have done:

ID     User  Time                 Script                      Action                  IP
25618  N/A   16:06, 8th Sep 2013  subscriptions.php           modify                  37.130.224.22
25617  N/A   16:06, 8th Sep 2013  subscriptions.php           add                     37.130.224.22
25616  N/A   16:06, 8th Sep 2013  plugin.php                  modify                  37.130.224.22
25615  N/A   16:06, 8th Sep 2013  plugin.php                  add                     37.130.224.22
25614  N/A   16:06, 8th Sep 2013  plugin.php                                          37.130.224.22
25613  N/A   16:06, 8th Sep 2013  plugin.php                  kill plugin id = 677    37.130.224.22
25612  N/A   16:06, 8th Sep 2013  plugin.php                  delete plugin id = 677  37.130.224.22
25611  N/A   16:06, 8th Sep 2013  plugin.php                  modify                  37.130.224.22
25610  N/A   16:06, 8th Sep 2013  plugin.php                  kill plugin id = 678    37.130.224.22
25609  N/A   16:06, 8th Sep 2013  plugin.php                  delete plugin id = 678  37.130.224.22
25608  N/A   16:06, 8th Sep 2013  plugin.php                  modify                  37.130.224.22
25607  N/A   16:06, 8th Sep 2013  plugin.php                  product                 37.130.224.22
25606  N/A   16:05, 8th Sep 2013  diagnostic.php              payments                37.130.224.22
25605  N/A   16:05, 8th Sep 2013  subscriptionpermission.php  modify                  37.130.224.22
25604  N/A   16:05, 8th Sep 2013  plugin.php                                          37.130.224.22
25603  N/A   16:05, 8th Sep 2013  plugin.php                  doimport                37.130.224.22
25602  N/A   16:05, 8th Sep 2013  plugin.php                  files                   37.130.224.22
25601  N/A   16:05, 8th Sep 2013  plugin.php                  files                   37.130.224.22
25600  N/A   16:02, 8th Sep 2013  plugin.php                  modify                  37.130.224.22
25599  N/A   16:02, 8th Sep 2013  plugin.php                  product                 37.130.224.22
25598  N/A   16:02, 8th Sep 2013  plugin.php                  modify                  37.130.224.22
25597  N/A   16:02, 8th Sep 2013  plugin.php                  product                 37.130.224.22
25596  N/A   16:02, 8th Sep 2013  plugin.php                  modify                  37.130.224.22
25595  N/A   16:02, 8th Sep 2013  plugin.php                  add                     37.130.224.22
25594  N/A   16:02, 8th Sep 2013  plugin.php                  files                   37.130.224.22
25593  N/A   15:53, 8th Sep 2013  plugin.php                                          37.130.224.22
25592  N/A   15:53, 8th Sep 2013  plugin.php                  doimport                37.130.224.22
25591  N/A   15:52, 8th Sep 2013  plugin.php                  files                   37.130.224.22
25590  N/A   15:52, 8th Sep 2013  plugin.php                  updateactive            37.130.224.22
25589  N/A   15:51, 8th Sep 2013  plugin.php                                          37.130.224.22
25588  N/A   15:51, 8th Sep 2013  plugin.php                  update                  37.130.224.22
25587  N/A   15:51, 8th Sep 2013  plugin.php                  add                     37.130.224.22
25586  N/A   15:51, 8th Sep 2013  plugin.php                  add                     37.130.224.22
25585  N/A   15:50, 8th Sep 2013  plugin.php                  files                   37.130.224.22
25584  N/A   15:50, 8th Sep 2013  plugin.php                  modify                  37.130.224.22
25583  N/A   15:50, 8th Sep 2013  plugin.php                  product                 37.130.224.22
25582  N/A   15:50, 8th Sep 2013  subscriptions.php           add                     37.130.224.22
25581  N/A   15:50, 8th Sep 2013  subscriptions.php           modify                  37.130.224.22
#4
09-09-2013, 08:40 PM
TheLastSuperman
Senior Member
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844

Quote:
Originally Posted by ForceHSS
Ohh now I like that link... wonder why?

Moved thread from vB5 General Discussion to vB4 General Discussion.

Seems eerily familiar to this - https://vborg.vbsupport.ru/showthread.php?t=301904

The doimport is what includes their backdoor scripts.
Thanks from: ForceHSS
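A small detector for the admin-log layout jaxo pasted above, added here as an example (it is not code from the thread or from vBulletin). It parses the rows, groups them by source IP and flags any IP that performed a product import (`doimport`, the step TheLastSuperman points at) or added a plugin. The `known_ips` allow-list is an assumed parameter, and the sample rows are constructed: a few copied from the pasted log plus one benign row from a documentation IP.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the layout of the thread's admin log:
# id, user, "HH:MM, Nth Mon YYYY", script, optional action, source IP.
SAMPLE_LOG = """\
25614 N/A 16:06, 8th Sep 2013 plugin.php 37.130.224.22
25603 N/A 16:05, 8th Sep 2013 plugin.php doimport 37.130.224.22
25592 N/A 15:53, 8th Sep 2013 plugin.php doimport 37.130.224.22
25587 N/A 15:51, 8th Sep 2013 plugin.php add 37.130.224.22
25500 admin 10:12, 7th Sep 2013 options.php 203.0.113.5
"""
ROW = re.compile(
    r"^(?P<id>\d+)\s+(?P<user>\S+)\s+"
    r"(?P<time>\d{1,2}:\d{2}, \d{1,2}(?:st|nd|rd|th) \w{3} \d{4})\s+"
    r"(?P<script>\S+\.php)(?:\s+(?P<action>.*?))?\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
# Alert-worthy Admin CP actions: a product import (doimport) is the step the thread
# identifies as loading the backdoor, and a new plugin is stored PHP run at hook time.
SUSPICIOUS = {("plugin.php", "doimport"), ("plugin.php", "add")}

def parse_log(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())  # a header or blank line simply does not match
        if not m:
            continue
        d = m.groupdict()
        d["action"] = (d["action"] or "").strip()
        plain = re.sub(r"(\d)(?:st|nd|rd|th)\b", r"\1", d["time"])  # "8th" -> "8"
        d["when"] = datetime.strptime(plain, "%H:%M, %d %b %Y")
        rows.append(d)
    return rows

def flag_sessions(rows, known_ips=()):
    # Group by source IP; report IPs outside the (assumed) allow-list that ran a
    # suspicious action, with their activity window and counts.
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    report = {}
    for ip, rs in by_ip.items():
        hits = [r for r in rs if (r["script"], r["action"]) in SUSPICIOUS]
        if ip in known_ips or not hits:
            continue
        when = [r["when"] for r in rs]
        report[ip] = {"first": min(when), "last": max(when), "total": len(rs),
                      "hits": len(hits),
                      "doimport": sum(r["action"] == "doimport" for r in hits)}
    return report
```

Run it over the full pasted log (the table rows parse as-is) to get the attacker's activity window and how many import and plugin-add events happened from each unfamiliar IP.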
#5
09-09-2013, 09:30 PM
Zachery
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
#6
10-19-2013, 12:07 PM
XrayHead
Join Date: Oct 2002
Posts: 138

Subscribed, going to keep an eye on this thread! Let me know how you get on as my site got hacked yesterday as well!!

Just out of interest, what was the username that did all the damage? The one on my site that ran the scripts via the plugin.php and subscriptions.php was "optima".

Xray
#7
10-19-2013, 12:32 PM
ozzy47
Join Date: Jul 2009
Location: USA
Posts: 10,929

I guess you did not delete your install directory.
#8
10-19-2013, 12:37 PM
borbole
Join Date: Jan 2010
Posts: 2,559

It looks like no matter what you do, all seems pointless. You close one door and many more are opened. vB should start to take security more seriously as it has more leaks than the Titanic for crying out loud.
Thanks from: dizzynation
#9
10-19-2013, 12:46 PM
ozzy47
Join Date: Jul 2009
Location: USA
Posts: 10,929

All known security issues have been addressed; the only reason the last user was compromised is because they did not delete their install directory, as they were instructed to do so many times.

No matter what you think you do with security with the software, hackers will always attempt to find holes, so the best bet is to take measures to protect your site, rather than relying on the software to do it.
#10
10-19-2013, 01:18 PM
XrayHead
Join Date: Oct 2002
Posts: 138

I think it would be more productive to help people fix this issue rather than fill the thread with useless posts! I personally never got any update from vBulletin as I've been changing email addresses for the past 2 months (that's another Yahoo mess in itself).

Anyway, this seems to be a very common hack that has hit hundreds of boards! Surely someone must have a fix for any database changes this attack applies?
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.