vBulletin hack with vblogin.php

[Dave]

It's hard to know how someone gained access to your server without having access to your vBulletin forum/logs.

Anything is possible such as: shared webhost breach, insecure vBulletin plugins, bad vBulletin configuration, other vulnerable software hosted on the server, etc.

You could start out by posting all of your plugins here.

[Muhammad Rahman]

Quote:

Originally Posted by Dave

It's hard to know how someone gained access to your server without having access to your vBulletin forum/logs.

Anything is possible such as: shared webhost breach, insecure vBulletin plugins, bad vBulletin configuration, other vulnerable software hosted on the server, etc.

You could start out by posting all of your plugins here.

i contact my server, don`t have any log hack .. they said hack from script, not from sever attack

this my plugin

1. Adam's Subscribed Thread Notifications
2. Advanced Application Forms (INACTIVE)
3. BT - Social Group Message Quote
4. Change Posts Owner
5. Chip2love.9xpro - Limit new thread/post per day
6. First Post on all pages (INACTIVE)
7. Forum Category Icons (Advanced)
8. Forum Runner (INACTIVE)
9. GeekyDesigns Default Avatar
10. Global Threads: The Next Generation FREE by BOP5
11. GlowHost - Spam-O-Matic
12. Helpful Answers (INACTIVE)
13. iTrader (INACTIVE)
14. Limit Posts Per Day in Threads by BOP5
15. Make Prefixes Clickable to Filter Forumdisplay
16. Mark Thread As 'Sold'
17. Minimum Post Count Required To Post Blog Entries
18. Mod-Mall BB Code Spoiler
19. More Share Options for VB4 by BOP5 Light (INACTIVE)
20. Nested Quotes
21. Advanced User Tagging (DBTech)
22. DBSeo (DBTech) (INACTIVE)
23. Panjo (INACTIVE)
24. PB Usergroup Choice on Registration (INACTIVE)
25. Ajax Point System
26. PostRelease (INACTIVE)
27. ProvB - Extra Threadfields
28. Rotating Banner System
29. Skimlinks Plugin (INACTIVE)
30. Subscription Notification System
31. Tapatalk (INACTIVE)
32. Thread Participants - by rellect
33. Threads Started by User in Postbit & Profile
34. User Article Count (INACTIVE)
35. Usergroup Allow HTML
36. vBadvanced CMPS
37. vBulletin Blog (INACTIVE)
38. vBulletin CMS (INACTIVE)
39. vFcoders - Ajax First Post Collapsable Hack (INACTIVE)
40. View your Threads or Posts from the Navbar
41. VSa - Sub-Forum Manager (INACTIVE)
42. WS vBulletin Tweet Poster
43. XenForo Style Avatars
44. [OzzModz] Exclude Forums From Activity Stream (INACTIVE)

[ozzy47]

Do you have anything listed under ACP --> Plugins & Products --> Plugin Manager in the group Product : vBulletin

[Muhammad Rahman]

Quote:

Originally Posted by ozzy47

Do you have anything listed under ACP --> Plugins & Products --> Plugin Manager in the group Product : vBulletin

yes.. only my custom mod

Code:

ADD Fetch AVATAR URL 	image_missing 		[Edit] [Delete]
ADD FORUM NAV 	parse_templates 		[Edit] [Delete]
ADD RECENT EVENT CALENDAR 	calendar_displaymonth_complete 		[Edit] [Delete]
ADD RENDER FORUMLIST 	forumbit_display 		[Edit] [Delete]
ADD VAR FORUMDISPLAY 	forumdisplay_complete 		[Edit] [Delete]
ADD VAR SHOWGROUP 	group_complete 		[Edit] [Delete]
ADD VAR SHOWTHREAD 	showthread_complete 		[Edit] [Delete]
Auto display custom image when link images die in post 	postbit_display_complete 		[Edit] [Delete]
Avatar Header 	parse_templates 		[Edit] [Delete]
Avatar post lam - alif project 	postbit_lite 		[Edit] [Delete]
AVATAR THREAD 	vba_cmps_module_recthreadsbits 		[Edit] [Delete]
AVatar Thread Lam - alif Project 	threadbit_display 		[Edit] [Delete]
FG 	activity_view_group 		[Edit] [Delete]
FGD 	fetch_template_complete 		[Edit] [Delete]
FJB Mobile Iklan Terbaru 	global_start 		[Edit] [Delete]
FJB Newpost select category 	parse_templates 		[Edit] [Delete]
FJB_Kategori_Home 	parse_templates 		[Edit] [Delete]
FJB_Kategori_Navigasi 	parse_templates 		[Edit] [Delete]
Force Style 	global_bootstrap_init_start 		[Edit] [Delete]
Forum Kategori Navigasi 	parse_templates 		[Edit] [Delete]
Forum Newpost select category 	parse_templates 		[Edit] [Delete]
ghj 	group_discussionbit_display_complete 		[Edit] [Delete]
Kategori Sidebar 	parse_templates 		[Edit] [Delete]
Lintas Agama Terbaru 	global_start 		[Edit] [Delete]
Point Sistem Cache Template [Member info Block] 	cache_templates 		[Edit] [Delete]
REMOVE PREFIX Navbar 	showthread_post_start 		[Edit] [Delete]
SERP Date Group Discussion 	group_discussionbit_display_complete 		[Edit] [Delete]
SERP Date Group Message 	group_messagebit_display_complete 		[Edit] [Delete]
SERP Date Postbit 	postbit_display_complete 		[Edit] [Delete]
SERP Date Thread 	threadbit_display 		[Edit] [Delete]
Statistik Tab 	member_build_blocks_start 		[Edit] [Delete]
Tab Profile Default 	member_build_blocks_start 		[Edit] [Delete]
UNFORMAT 	vbcms_article_populate_end 		[Edit] [Delete]
ZP Event 	global_start 		[Edit] [Delete]
ZP Favorit Minggu Ini 	global_start 		[Edit] [Delete]
ZP Inspirasi Fashion 	global_start 		[Edit] [Delete]
ZP Recent Thread 	global_start 		[Edit] [Delete]

[Dave]

Check the FG, FGD, ghj and Lintas Agama Terbaru plugins because they have suspicious names which I never heard of. If unsure, post the contents of the plugins here.

[Muhammad Rahman]

Quote:

Originally Posted by Dave

Check the FG, FGD, ghj and Lintas Agama Terbaru plugins because they have suspicious names which I never heard of. If unsure, post the contents of the plugins here.

that plugin its my make with unique name ..

[HM666]

Have you overwritten the files with the vBulletin files downloaded from the members area? This is what you need to do to get rid of this problem for now. To my knowledge there is no vblogin.php file in the official download, its called login.php if I remember correctly. So as said before they modified this to use that file.

To find how they got in is a different matter. If you are running your forum on a shared server then that is more and likely how. Shared servers and just that...shared and less secure than a VPS or dedicated server. You can try and speak with your web host and see if they have any way to tell where the attack came from. Most likely the hacker gained access to your FTP and changed/uploaded files to your site.

[RichieBoy67]

Are you using any nulled plug ins? The nulled plug ins for Dbtech seo are known to do this. Be sure all your plug ins are licensed and up to date and that your file permissions are correct. Also that you have the latest patch for your Vbulletin version.

Once you find the hole you will need to change all server log ins, ftp, mysql, etc and admin logs.

[TheLastSuperman]

I saw the name Plum, he's one of the known powersurge hackers.

- You could have been hacked into long ago, spare admin accounts present?
- Even if you have disabled a mod/plugin the files still have the vulnerabilities present so m,ods such as Tapatalk which had a recent security exploit found should always be updated to the most secure version or removed entirely.
- Do as HM666 mentioned and overwrite all files, after that review the back-end and see if there's any spare admin accounts (use usergroup manager check for accounts w/ secondary usergroups assigned as well) and then check the plugins via the plugin manager as they can edit plugins after gaining access then finally check all files that were not overwritten and do not skip checking your attachments folder if stored in filesystem I've seen them hide files there too.

[TheLastSuperman]

Quote:

Originally Posted by Muhammad Rahman

that plugin its my make with unique name ..

You wrote it/them? If so check them again and be sure you coded them properly otherwise you could have a plethora of security issues that we'll never be aware of or able to offer assistance with and no do not post your code, if its a private mod/plugin all the better since code is not known I would review with another fellow coder or ask for assistance in the Private Coders Discussion forum.