  #1  
Old 10-20-2013, 12:44 AM
r5e r5e is offline
 
Join Date: Oct 2005
Location: Sydney
Posts: 51
Thanks given: 0 times
Thanked: 0 times in 0 posts
Default Bulk delete bogus admin accounts following hack?

Yeah, I got hacked a few weeks back, just like so many others. I spent some time cleaning up and then took the extra time to follow best security practices (including password protecting my adminCP & modCP folders on cpanel).

I thought I was OK, but when my host migrated my site to a new server, seems they had pulled an older filesystem backup and my install folder was restored. I didn't notice until yesterday when I got word of new admin accounts appearing and checked the filesystem to find the admin folder back again. I deleted it immediately of course!

So, after all my clean up work, I have again been repeatedly hacked over the last 1.5 weeks. Fortunately, this time there is nothing nasty (that I've seen so far) and no scripts/redirects and other malware trying to run off my site. I suspect this was due to the extra security I'd added as above.

So, now I have 762 other admin accounts I want to delete. I can't use any prune or delete tools from the adminCP, as they deliberately do not work on admin accounts. I can't spend all day and night sitting and deleting them 1 by 1. I have in the past done some direct SQL queries to remove various spammers that fell outside of the built-in abilities to remove, but I did so by copy/pasting bits of code others had shared and I'm not really confident to try myself. Does anyone know of a mod that can allow this to be done, or of any code that I might try?

The main offender is a user called "supportvb" that has hundreds of accounts. All of the accounts are recent (last 10 days) and none of them have any posts. Any help/advice appreciated. I'm sure that since all these hacks, there must be other forum owners trying to bulk delete or mass remove these bogus admin accounts.
Reply With Quote
  #2  
Old 10-20-2013, 01:05 AM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Thanks given: 0 times
Thanked: 0 times in 0 posts
Default

Create a new usergroup called hackers, move all the users into that group, then mass delete thru that group.
Reply With Quote
Thanks from:
Max Taxable
  #3  
Old 10-20-2013, 04:24 AM
r5e r5e is offline
 
Join Date: Oct 2005
Location: Sydney
Posts: 51
Thanks given: 0 times
Thanked: 0 times in 0 posts
Default

Can't do any operations (including move, as recommended) using prune function to the admin group. I can generate a list and display all the bogus admin accounts I want to delete, however, next to the delete or move buttons, I am told:

"Users marked with the [ ! ] button are not editable using this system."
(as they are members of the admin group - this is deliberate)

I can presently only do this 1 by 1 and I have 745 "supportvb" admins still to delete. I need a better way!
Reply With Quote
  #4  
Old 10-20-2013, 05:08 AM
CAG CheechDogg's Avatar
CAG CheechDogg CAG CheechDogg is offline
 
Join Date: Feb 2012
Location: Riverside, California USA
Posts: 1,080
Thanks given: 0 times
Thanked: 0 times in 0 posts
Default

If you have access to your cPanel go to phpMyAdmin and delete them that way ....
Reply With Quote
  #5  
Old 10-20-2013, 07:42 AM
r5e r5e is offline
 
Join Date: Oct 2005
Location: Sydney
Posts: 51
Thanks given: 0 times
Thanked: 0 times in 0 posts
Default

Yes, I do have access to phpMyAdmin. I had considered this was probably the easiest option, but every official answer I always see to this suggestion is not to delete users directly from the database as it can cause problems.

I'm not 100% confident in exactly how to do it from phpMyAdmin. I can look at the table "user" on my database, select "search" and then in the "username" column, select "=" and type "supportvb". This will return me a list of all of these users. I then click on "select all" and then delete. Is this correct? It seems simple, but I didn't want to trash my DB through lack of knowledge on this. Appreciate if someone can confirm, or provide me better instructions.

--------------- Added 10-20-2013 at 09:14 AM ---------------

Just did some other research and found someone else with a similar requirement. I modified their query slightly and I got the following:

Code:
-- Move every account named 'supportvb' into usergroup 17
UPDATE user SET usergroupid = 17 WHERE (
CONVERT( `username` USING utf8 ) = 'supportvb'
);

I ran this via phpMyAdmin. This looked for the username "supportvb" (which was the hack that inserted itself hundreds of times into the admin group) and then changed the group from 6 (admin) to 17 (a new group I created for this).

I now see the numbers in my Usergroup Manager reflect this. I check on one of the supportvb users and I can confirm that the group is no longer Admin, and the primary usergroup for these accounts is now the new group I created for them.

I now use the pruning system to clean up the rest. However, I find that when I search on this new usergroup, all the supportvb users show there, but they have 2 groups listed - the new one I just modified them to and also moderators. The "!" still appears on every account and it will not let me prune them.

What did I miss?
Reply With Quote
  #6  
Old 10-20-2013, 09:15 AM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Thanks given: 0 times
Thanked: 0 times in 0 posts
Default

Sounds to me like there may be a plugin running to make them un-editable. Try disabling all your mods via config.php and see if the "!" still appears next to their names.
Reply With Quote
  #7  
Old 10-20-2013, 09:42 AM
r5e r5e is offline
 
Join Date: Oct 2005
Location: Sydney
Posts: 51
Thanks given: 0 times
Thanked: 0 times in 0 posts
Default

Interesting suggestion, but sadly no luck. I disabled all plugins via config.php and confirmed that the "Manage Products" page says "Warning: Plugins are currently globally disabled via config.php."

Attempting to prune this usergroup correctly lists all 744 instances of the "supportvb" user, but on each of them it shows they are also in the "moderator" group. The ! appears next to every one of them and therefore I cannot perform any actions.

Curiously, looking at the tables directly via phpMyAdmin, they seem to show only "17" (the group I put them in) for the usergroupid column and nothing at all in membergroupids. Looking at any of these users from admincp, they all show they are a member of only this group and no others. However, as soon as I see them from the prune list, it shows them as moderators.

If there is a safe way to simply remove them all from the database directly, I'll give it a go, I'm just loath to try it in light of the funny way they are already responding from my first attempt.
Reply With Quote
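
Added example, not part of any post in this thread: a dry run of the clean-up discussed above, on a constructed SQLite stand-in for the `user` table. It lists the matching accounts first, checks `membergroupids` as well as `usergroupid`, and only then moves the reviewed ids to group 17 inside a transaction; the `posts` column name, the sample rows and the helper names are assumptions.

```python
import sqlite3

ADMIN_GROUP = 6        # admin usergroup id, as stated in the thread
QUARANTINE_GROUP = 17  # the holding group created in the thread

def build_sample_db():
    """Constructed stand-in for the vBulletin `user` table (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT,"
               " usergroupid INTEGER, membergroupids TEXT, posts INTEGER)")
    rows = [
        (1, "r5e_admin", 6, "", 51),     # legitimate admin, must survive
        (2, "supportvb", 6, "", 0),      # bogus: primary group is admin
        (3, "supportvb", 6, "7", 0),     # bogus: admin plus a secondary group
        (4, "supportvb", 2, "5,6", 0),   # bogus: admin only via membergroupids
        (5, "regular", 2, "", 340),      # ordinary member
    ]
    db.executemany("INSERT INTO user VALUES (?,?,?,?,?)", rows)
    db.commit()
    return db

def find_suspects(db, name):
    """Read-only pass: zero-post accounts with this name holding admin rights
    through the primary group or the comma-separated secondary list."""
    return [r[0] for r in db.execute(
        "SELECT userid FROM user WHERE username = ? AND posts = 0 AND"
        " (usergroupid = ? OR (',' || membergroupids || ',') LIKE ?)"
        " ORDER BY userid",
        (name, ADMIN_GROUP, f"%,{ADMIN_GROUP},%"))]

def quarantine(db, userids):
    """Move exactly the reviewed ids; roll back if the row count differs."""
    marks = ",".join("?" * len(userids))
    with db:  # commits on success, rolls back if an exception is raised
        cur = db.execute(
            "UPDATE user SET usergroupid = ?, membergroupids = ''"
            f" WHERE userid IN ({marks})", (QUARANTINE_GROUP, *userids))
        if cur.rowcount != len(userids):
            raise RuntimeError("affected rows differ from reviewed list")
    return cur.rowcount

def remaining_admins(db):
    """Usernames that still hold admin rights by either route."""
    return [r[0] for r in db.execute(
        "SELECT username FROM user WHERE usergroupid = ?"
        " OR (',' || membergroupids || ',') LIKE ?",
        (ADMIN_GROUP, f"%,{ADMIN_GROUP},%"))]
```

On MySQL the comma-list match can be written as `FIND_IN_SET(6, membergroupids)`; take a database backup before running any `UPDATE` or `DELETE` against the live table.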
  #8  
Old 10-21-2013, 11:18 AM
sreeve sreeve is offline
 
Join Date: Aug 2012
Posts: 3
Thanks given: 0 times
Thanked: 0 times in 0 posts
Default

I too have the same problem with r5e.. would appreciate more ideas to resolve this "cannot" delete "supportvb" users that are in the admin group.
Reply With Quote
  #9  
Old 10-22-2013, 09:18 PM
r5e r5e is offline
 
Join Date: Oct 2005
Location: Sydney
Posts: 51
Thanks given: 0 times
Thanked: 0 times in 0 posts
Default

Still have the same problem.

I have posted in vbulletin.com's forum as well. I expected that as many of their customers had this problem and because it was caused by a security exploit, they may have been keen to offer some sort of "official" solution. Many of their customers are still compromised by these same admin accounts that they are unable to remove and VB staff in their forum are studiously ignoring my posts for 4 days now, while answering others.

While I am confident that by password protecting from cpanel my admincp and modcp folders, I have prevented these accounts being able to do anything worse than posting, it still feels uncomfortable having them around. I want to be able to cleanly delete them.

The work I have done so far shows that it may not be as simple as a database edit (especially if you don't know what you're doing). I would like someone to assist me (and the loads of others) who have this problem. A bulk delete mod would be nice, but a simple step-by-step instruction and a few lines of SQL query would be even better.

Anyone?
Reply With Quote
  #10  
Old 10-22-2013, 09:25 PM
squidsk's Avatar
squidsk squidsk is offline
 
Join Date: Nov 2010
Posts: 969
Thanks given: 0 times
Thanked: 0 times in 0 posts
Default

Have you checked your config.php to see if the hack added the accounts to the uneditable/undeletable list?
Reply With Quote
Thanks from:
Max Taxable