#21
10-15-2014, 06:01 PM
ForceHSS
Join Date: Apr 2008
Posts: 6,357

Quote:
Originally Posted by ozzy47
As I asked in post #13

Yes, but that was after I made the post. Enough said; let's get back to helping the OP.
Reply With Quote
#22
10-16-2014, 10:43 AM
plumwd
Join Date: Dec 2013
Posts: 14

How can I determine if the installation has been compromised by hackers?

--------------- Added [DATE]1413478591[/DATE] at [TIME]1413478591[/TIME] ---------------

What else does disabling the hooks turn off? Is it more than just plugins? I have combed through all the plugins in this board and no luck. The subscriptions are only available if I disable via the config.
Reply With Quote
#23
10-16-2014, 04:17 PM
Lynne
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180

Quote:
Originally Posted by plumwd
How can I determine if the installation has been compromised by hackers?

--------------- Added [DATE]1413478591[/DATE] at [TIME]1413478591[/TIME] ---------------

What else does disabling the hooks turn off? Is it more than just plugins? I have combed through all the plugins in this board and no luck. The subscriptions are only available if I disable via the config.

I told you what to do here:

Quote:
Originally Posted by Lynne
Anyway.... you've already tried disabling the products and that didn't fix it. My guess is the hackers created a single plugin that will show up in your Plugin Manager.
You need to go to Plugins & Products > Plugin Manager, not Manage Plugins. Look at the plugins listed at the very top under the heading "vbulletin". Those are single plugins that won't be disabled when you disable your products.
Reply With Quote
#24
10-16-2014, 06:49 PM
plumwd
Join Date: Dec 2013
Posts: 14

Thanks! I assumed that Manage Plugins and Plugin Manager were the same thing. Just looked and found some encrypted code that is probably the culprit.
Reply With Quote
#25
10-16-2014, 07:02 PM
ForceHSS
Join Date: Apr 2008
Posts: 6,357

Quote:
Originally Posted by plumwd
Thanks! I assumed that Manage Plugins and Plugin Manager were the same thing. Just looked and found some encrypted code that is probably the culprit.

Can you show a screenshot of it?
Reply With Quote
#26
10-17-2014, 09:52 AM
plumwd
Join Date: Dec 2013
Posts: 14

I deleted it from vbulletin, but in the Plugin Manager it was listed as VBulletin.

I do have a copy of the code, it also existed as a file named zasdfe.php.

When I unencrypted it, it showed it as a backdoor called FilesMan.
Reply With Quote
#27
10-17-2014, 10:00 AM
Black Snow
Join Date: Jul 2012
Location: Scotland
Posts: 471

Quote:
Originally Posted by plumwd
I deleted it from vbulletin, but in the Plugin Manager it was listed as VBulletin.

I do have a copy of the code, it also existed as a file named zasdfe.php.

When I unencrypted it, it showed it as a backdoor called FilesMan.

I had this on an old install. Did it look like this?

http://pastebin.com/pQAkDrY1
Reply With Quote
#28
10-17-2014, 10:27 AM
ozzy47
Join Date: Jul 2009
Location: USA
Posts: 10,929

Quote:
Originally Posted by plumwd
I deleted it from vbulletin, but in the Plugin Manager it was listed as VBulletin.

I do have a copy of the code, it also existed as a file named zasdfe.php.

When I unencrypted it, it showed it as a backdoor called FilesMan.

That is what I asked in post #13, but it seems it was overlooked.

Now you need to clean up the site.

Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Reply With Quote
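
A triage sketch for the check described in posts #23 to #26, added here as an example; it is not part of any poster's message and not vBulletin's own code. It scans exported plugin records for packed PHP (decoders wrapped directly in eval) and lists standalone plugins filed under the "vbulletin" product first. The record field names (title, product, hookname, phpcode) and the sample rows are assumptions constructed for illustration.

```python
import re

# eval()/assert() wrapped directly around one or more decoders: the usual
# shape of packed PHP, as opposed to a plugin that merely decodes data.
DECODE_EXEC = re.compile(
    r"\b(?:eval|assert)\s*\(\s*(?:(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(\s*)+",
    re.IGNORECASE,
)
# A quoted literal of 200+ base64-alphabet characters (threshold is arbitrary).
LONG_BLOB = re.compile(r"""['"][A-Za-z0-9+/=]{200,}['"]""")


def indicators(phpcode):
    """Return the names of the obfuscation indicators found in one plugin body."""
    found = []
    if DECODE_EXEC.search(phpcode):
        found.append("decode-and-eval")
    if LONG_BLOB.search(phpcode):
        found.append("long-encoded-literal")
    return found


def triage(plugins):
    """Flag suspicious plugins; standalone ones (product 'vbulletin') sort first."""
    flagged = []
    for p in plugins:
        hits = indicators(p["phpcode"])
        if hits:
            standalone = p["product"].lower() == "vbulletin"
            flagged.append({"title": p["title"], "hook": p["hookname"],
                            "standalone": standalone, "indicators": hits})
    return sorted(flagged, key=lambda f: not f["standalone"])


# Constructed sample rows (inert placeholder payload); field names are assumed.
SAMPLE = [
    {"title": "Thanks button", "product": "post_thanks", "hookname": "postbit_display_complete",
     "phpcode": "$show['thanks'] = ($post['userid'] != $vbulletin->userinfo['userid']);"},
    {"title": "VBulletin", "product": "vbulletin", "hookname": "init_startup",
     "phpcode": "eval(gzinflate(base64_decode('" + "QUJD" * 60 + "')));"},
    {"title": "Avatar cache", "product": "vbulletin", "hookname": "global_start",
     "phpcode": "$key = base64_decode($vbulletin->options['avatar_key']);"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

The indicators() function takes any PHP source string, so the contents of a stray file on disk can be checked the same way as a plugin body.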