#11
11-20-2014, 11:17 AM
Buzzle

Quote:
Originally Posted by Dave
Alright, that looks fine.
Now:

- Be sure the /install folder is not present on your vBulletin installation.
- Check all of your active plugins, there shouldn't be any fishy plugins with odd names.
- In your ACP go to Maintenance > Diagnostics > Suspect File Versions. Check if there are any weird files which were created recently on your server.
- Change the password of all administrator/moderator accounts.
- Protect your ACP with a plugin like this: https://vborg.vbsupport.ru/showthread.php?t=296383

Edit: vBulletin version is very outdated, update to the latest.

I've run the scan and the only thing that it couldn't recognize were the plugins I added. I want to back my forums up but couldn't it just happen again?

Also, I've searched the plugin manager. Everything seems to be normal.

#12
11-20-2014, 11:18 AM
ozzy47

As I said in post #2, you need to follow the links.

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

Make sure you do not skip over any steps.

#13
11-20-2014, 11:21 AM
Buzzle

Quote:
Originally Posted by ozzy47
As I said in post #2, you need to follow the links.

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

Make sure you do not skip over any steps.

So if I ditch inferno, back it up from a safer time, add ACP protection there would be no way he could access it again?

#14
11-20-2014, 11:23 AM
Dave

Without having access to your ACP and access logs, we don't know how the person accessed your ACP.

#15
11-20-2014, 11:23 AM
ozzy47

There might be; that is why you need to follow all the instructions in the blog posts, as well as ditch inferno.

#16
11-20-2014, 11:24 AM
ozzy47

Quote:
Originally Posted by Dave
Without having access to your ACP and access logs, we don't know how the person accessed your ACP.

And if they are smart, they deleted this info.

#17
11-20-2014, 11:24 AM
Buzzle

Quote:
Originally Posted by Dave
Without having access to your ACP and access logs, we don't know how the person accessed your ACP.

Is there a chance you can come on my TeamViewer and have a look?

#18
11-20-2014, 11:25 AM
TheLastSuperman

Ahh one of the multiple admin, do import hackers - look for one or more shell scripts uploaded to your server. Sometimes in clientscript/ or /includes and be sure to check any sub-folders.

Are you running any nulled modifications? Inferno Shoutbox Revolutionized what's that?

I'd submit a ticket and ask your hosting company to scan w/ whatever they have set up on their server be it Maldet (also referred to as Linux Malware Detect (LMD)) or similar but be forewarned some of these shell scripts are custom per site (depends on if you were worth their time) so Maldet and others do not always pick those up and the ONLY way to be sure is to go through all your folders by hand.

*Some stuff will stick out like a sore thumb, same way they want to be pompous and instead of using legit names like Admin for the 5-6 spare accounts it's always something cocky such as lolwut, lmao, amongst other names I've since long forgotten the point being most of it's easily spotted (file names such as shell.php / sexy.php / lol.php and similar) but every so often they hide one or more files very well w/ names that seem valid so be sure to use the Maintenance tools in admincp and do suspect files and other tips in the links Ozzy posted above.
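
A triage helper for the file checks suggested in this thread, as an added example that is not part of any post and not vBulletin code: it reports a leftover install folder, PHP files with the names quoted in post #18, and PHP files changed in the last few days. The function name `triage`, the 7-day window and the `.php`-only filter are assumptions made for the example.

```python
import os
import time

# File names quoted in post #18; a custom shell will use some other name.
NAMES_FROM_POST = {"shell.php", "sexy.php", "lol.php"}
# Folders post #18 singles out (their sub-folders are walked as well).
FOLDERS_FROM_POST = ("clientscript", "includes")


def triage(forum_root, recent_days=7, now=None):
    """Return sorted (relative_path, reasons) pairs to review by hand."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = {}

    def flag(rel, reason):
        findings.setdefault(rel, []).append(reason)

    # Post #11 quotes the advice that the install folder must not be present.
    if os.path.isdir(os.path.join(forum_root, "install")):
        flag("install", "install folder still present")

    for dirpath, _dirs, files in os.walk(forum_root):
        for name in files:
            if not name.lower().endswith(".php"):  # assumption: PHP only
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, forum_root).replace(os.sep, "/")
            if name.lower() in NAMES_FROM_POST:
                flag(rel, "file name mentioned in the thread")
            # lstat: judge a symlink by its own timestamp, not its target's.
            if os.lstat(full).st_mtime >= cutoff:
                top = rel.split("/")[0]
                note = " (folder named in the thread)" if top in FOLDERS_FROM_POST else ""
                flag(rel, "modified in the last %d days%s" % (recent_days, note))
    return sorted(findings.items())


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in triage(root):
        print(path + ": " + "; ".join(reasons))
```

Modification times can be reset by whoever wrote a file, so an empty report does not replace the folder-by-folder review the post calls for.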

#19
11-20-2014, 11:26 AM
ozzy47

TBH it doesn't matter now how they got in, you need to plug the holes. First off by following all the instructions in the blog posts, then upgrade to at least 4.2.2.

#20
11-20-2014, 11:30 AM
Buzzle

Alright, I'm going to back it up to yesterday and remove inferno shoutbox. Anything else?

All times are GMT.