The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Hackers inserting ajax-2.php into /public_html directory
My webhosting provider detected (don't know how) that my site has been hacked; the files that they found were malicious.
ajax-2.php was also found by VB Maintenance -> Diagnostics -> Search for suspicious Files, in 2 locations:
/public_html/ajax-2.php
/forums/admincp/ajax-2.php
There is ajax.php, but that one came with the site install and is 44KB long. The hacked ajax-2.php is 22KB long; I opened it and it says "Created by BLACK-ID".
My provider said I should change (their) cPanel password, and I did. I also changed the VB admin password. However, I am almost sure that the file appeared again after the password change. Permissions are "644", as for all regular files.
Can anything be done? If they can bring that file, they can bring anything. (There is no "install" directory; installation was done as a paid service by a VB engineer.)
It is VB 4.2.2 patch 1.
#2
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & all versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
Note: Don't skip any parts.
Thanks from: Max Taxable
#3
On day 1, hackers came and left ajax-2.php and another file that seems to do mail spamming at 9:08 pm.
Shortly after that, webhosting informed me there were 2 files they detected, quarantined them, and asked me to change the password. Later that day, I deleted the files at 9:05pm and changed the password at 9:10pm. In the meantime, at 9:08pm, hackers came (2 minutes before the password change) and left the files again.
That is why I believed they had some other way in, through VB, but it seems not; it was the site itself. There are no strange files after the site (not VB) password change.
#4
You must have another file on your site giving them access or they have FTP login... could be a variety of things.
#5
Sequels always suck. ajax-1 was bad enough, ugh.
#6
Are you kidding? Ajax is great for scrubbing bathtubs! :up:
4 thanks from: DemOnstar, ForceHSS, Max Taxable, tbworld
#7
Find the shell script and remove it; until you find that shell script they will keep uploading and inserting more malicious files (and yes, a plugin can also have the same functionality as a shell script file, i.e. once the plugin loads it can do whatever they've designed it to do).
So it's either a plugin re-inserting the files OR when you cleaned the site you simply missed a file which is a shell script that allows them to upload additional files, amongst other things.
Thanks from: RichieBoy67
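Added example, not part of the thread or of any poster's reply: one way to look for the "file you missed" that post #7 describes is to compare the live webroot against a known-clean copy of the same vBulletin package and list every script that is new or changed. The two directory arguments and the extension list are assumptions, and this is not vBulletin's own diagnostics code.

```python
import hashlib
import os

# Assumption: extensions the web server hands to the PHP interpreter.
SCRIPT_EXTS = (".php", ".phtml")

def sha256_file(path):
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root, exts=SCRIPT_EXTS):
    """Map relative path -> SHA-256 for every script under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest

def audit_webroot(live_root, clean_manifest, exts=SCRIPT_EXTS):
    """Return (unknown, modified) script paths relative to live_root.

    unknown:  scripts that do not exist in the clean package at all,
              e.g. a dropped ajax-2.php next to the legitimate ajax.php.
    modified: scripts that exist in the package but whose content differs,
              e.g. a stock file with code appended to it.
    """
    live = build_manifest(live_root, exts)
    unknown = sorted(p for p in live if p not in clean_manifest)
    modified = sorted(p for p in live
                      if p in clean_manifest and live[p] != clean_manifest[p])
    return unknown, modified

if __name__ == "__main__":
    import sys
    # Usage: python audit.py <clean package dir> <live webroot>
    clean_dir, live_dir = sys.argv[1], sys.argv[2]
    unknown, modified = audit_webroot(live_dir, build_manifest(clean_dir))
    for path in unknown:
        print("UNKNOWN ", path)
    for path in modified:
        print("MODIFIED", path)
```

This only covers files on disk; the plugin route mentioned in post #7 needs a separate review of the installed plugins.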
#8
Since the hosting cPanel password has been changed, no surprises.
On the VB side, it is all vanilla, no plugins or mods. VB diagnostics has not detected any suspicious files for 2 days now.
I tend to believe the hosting company had several or many similar attacks on many sites they host and detected that. They were quiet when more serious attacks happened through VB entry.
Thanks to all those who replied; the value here may be to check the hosting side before blaming the VB software.
--------------- Added [DATE]1403351342[/DATE] at [TIME]1403351342[/TIME] ---------------
The hack was, I think, to send spam mail to all members. Although they (the hackers) could perhaps do more, they did not. That is perhaps what the hosting company detected - spam mailing across many sites.
#9
Well I am glad it is working for you. Perhaps it was that dreaded heartbleed bug. There was also recently a kernel vulnerability on many servers that needed to be upgraded. It could have been that as well but not that common or easy to hack.