#11
01-20-2015, 03:50 PM
Dave
Join Date: May 2010
Posts: 2,583

You should look into the access.log file of Apache and FTP log file, maybe that will give you some more information.
Do you use shared hosting by the way or do you have your own VPS/dedicated server?

#12
01-20-2015, 03:51 PM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185

Not that I'm an expert on the subject, but the only thing I can think of other than your host server having been hacked is that they could have added a plugin. Seems unlikely though.

You said you scanned for non vbulletin software, how did you do that?

#13
01-20-2015, 03:52 PM
squidsk
Join Date: Nov 2010
Posts: 969

Have you deleted the install directory?

#14
01-20-2015, 04:29 PM
pityocamptes
Join Date: Apr 2010
Posts: 595

Quote:
Originally Posted by Dave
> You should look into the access.log file of Apache and FTP log file, maybe that will give you some more information.
> Do you use shared hosting by the way or do you have your own VPS/dedicated server?

Shared hosting. Last time I went in, when this first happened, all my logs were deleted...

--------------- Added [DATE]1421778601[/DATE] at [TIME]1421778601[/TIME] ---------------

Quote:
Originally Posted by squidsk
> Have you deleted the install directory?

Yes.

#15
01-20-2015, 04:30 PM
ForceHSS
Join Date: Apr 2008
Posts: 6,357

Could be a hidden file that hackers put in place sometimes and very hard to find

#16
01-20-2015, 04:34 PM
pityocamptes
Join Date: Apr 2010
Posts: 595

Quote:
Originally Posted by kh99
> Not that I'm an expert on the subject, but the only thing I can think of other than your host server having been hacked is that they could have added a plugin. Seems unlikely though.
>
> You said you scanned for non vbulletin software, how did you do that?

In the admincp, looking for suspicious files... unless that is not a good indicator of looking for non vb files...

When it first happened, I went into FTP and looked at all the files. Especially looking for modification dates, in the last day or so. Deleted all the files that were added on the day of the initial hack, and also uploaded clean files like the index file. Would this be a good indicator for looking at suspect files - by looking at the DAY they were uploaded or altered?

I hate to be paranoid, but could this be something on my home computer that malware software is not finding? I have firewalls, etc. so I don't know how they are getting new PW information.

It looks like these +++++++s are an Egyptian hacker group...

#17
01-20-2015, 04:41 PM
kh99
Join Date: Aug 2009
Location: Maine
Posts: 13,185

Quote:
Originally Posted by pityocamptes
> In the admincp, looking for suspicious files... unless that is not a good indicator of looking for non vb files...

I think that's OK, although I'm not sure offhand if it will find hidden files. But if you have any web directories outside the vbulletin directory then you'd have to check there too, and you want to make sure you're seeing hidden files (I don't know if your ftp shows you by default or not).

#18
01-20-2015, 04:44 PM
pityocamptes
Join Date: Apr 2010
Posts: 595

Quote:
Originally Posted by kh99
> I think that's OK, although I'm not sure offhand if it will find hidden files. But if you have any web directories outside the vbulletin directory then you'd have to check there too, and you want to make sure you're seeing hidden files (I don't know if your ftp shows you by default or not).

Ok, this is what I am wondering. So it is possible to physically hide a file from physical view, sort of like Windows does? Because I would think if they buried code in a vbulletin required file, the date stamp should have changed for its modification, which I would have seen in FTP, correct?

Since the database has not been screwed with, I assume they did not get access to that, but would be easily available considering the access info would be in a file....

#19
01-20-2015, 06:01 PM
nhawk
Join Date: Jan 2011
Posts: 1,604

I know this won't be helpful but...

$5 will get you $10 that your host is GoDaddy.

I've found that a good majority of hacked sites are hosted on GoDaddy.

#20
01-20-2015, 06:19 PM
pityocamptes
Join Date: Apr 2010
Posts: 595

Quote:
Originally Posted by nhawk
> I know this won't be helpful but...
>
> $5 will get you $10 that your host is GoDaddy.
>
> I've found that a good majority of hacked sites are hosted on GoDaddy.

You would be correct. I have a few months left on hosting and will be leaving to another provider. Unless of course this goes $hit south, in which case I will be punching out sooner than later...

So, are you indicating that the issue is on their end, or my end? Like I said, I have no idea how my original account was hacked, too much info they would have had to have had. Now this time around could be explained by something still on the server that I did not clean up, or perhaps, they are having issues??? Thoughts?
Reply With Quote
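
Added example, not part of any post in this thread: the posts above ask whether modification dates are a reliable way to spot altered files and whether hidden files can be missed. The sketch below compares the live web root against a freshly unpacked clean copy of the same vBulletin version by content hash, which depends on neither the date stamp nor the FTP client's listing; the function names and the two sample trees are assumptions constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def index_tree(root):
    """Map relative path -> SHA-256 for every regular file, dotfiles included."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):  # os.walk does not skip dotfiles
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                index[os.path.relpath(full, root)] = sha256_of(full)
    return index

def compare_to_baseline(live_root, clean_root):
    """Report files that differ from, or are absent in, the clean copy."""
    live, clean = index_tree(live_root), index_tree(clean_root)
    report = {"extra": [], "modified": [], "hidden": [], "missing": sorted(set(clean) - set(live))}
    for rel, digest in sorted(live.items()):
        if rel not in clean:
            report["extra"].append(rel)      # not part of the stock package
        elif clean[rel] != digest:
            report["modified"].append(rel)   # content changed, whatever the date says
        if any(part.startswith(".") for part in rel.split(os.sep)):
            report["hidden"].append(rel)     # dotfile or inside a dot-directory
    return report

def demo():
    """Build two constructed trees (made-up files) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "includes").mkdir(parents=True)
            for rel in ("index.php", "includes/init.php"):
                (root / rel).write_text("<?php // stock file (constructed)\n")
        target = live / "includes" / "init.php"
        before = target.stat()
        target.write_text(target.read_text() + "// appended line (constructed)\n")
        os.utime(target, (before.st_atime, before.st_mtime))  # date put back
        (live / "includes" / ".cache.php").write_text("<?php // not in clean copy (constructed)\n")
        return compare_to_baseline(live, clean)

if __name__ == "__main__":
    print(demo())
```

On a real site, legitimately site-specific files (for example includes/config.php or uploaded attachments) will appear under "extra" and need a manual look.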
All times are GMT. The time now is 03:37 PM.

