The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#31
ok, I was warned by someone via email my site had been exploited. Boooo.
flat4lv.com I should know more about this, but I don't. Anyway,
1. deleted user
2. Deleted install folder
3. Deleted user again (it had made a name again instantly)
4. Saw this thread https://vborg.vbsupport.ru/showthrea...=301892&page=3 but I don't have an Iframe, but do have a link on the bottom of my page. "something you've never seen"
5. Installed check 4 hack. (https://vborg.vbsupport.ru/showthread.php?t=265866) > Set up e-mail, enabled demo, ran task, got email with the demo (pluginlist) corrupt.
Now I'm at a loss. Am I still vulnerable? Am I currently still exploited? Should I just remove the link at the bottom of my page? Thanks in advance for any advice.
#32
Quote:
http://www.vbulletin.com/forum/forum...35#post3993335
#33
Hello,
I came to know of this exploit and it looks like we too had this attack. We did the below:
1. Deleted install folder
2. Deleted suspicious admin user accounts
4. Refer thread - https://vborg.vbsupport.ru/showthread.php?t=301892 as mentioned there. I didn't have any Iframe injection, but there was a line added in the "header" template of one of our custom styles that reads as "Kindly delete "install" directory of your forums. Otherwise you will keep getting hacked", and the suspicious lines were removed.
Also we noticed that a few templates in the custom style have edit history that says "Edited by .." the suspicious admin accounts, with time stamps in the past year 2010. Are there any other precautions that need to be done? Am I currently still exploited? What are the other security measures that I need to do to protect my forums?
#34
I have deleted my install directory and have been hit twice in 24 hours
#35
Wait, the same user is still getting in after the install directory has been deleted?
#36
Quote:
Code:
102106 N/A 18:13, 30th Aug 2013 user.php kill user id = 333162 198.203.28.247
102105 N/A 18:13, 30th Aug 2013 user.php remove user id = 333162 198.203.28.247
102104 N/A 18:13, 30th Aug 2013 user.php edit user id = 333162 198.203.28.247
102103 N/A 18:13, 30th Aug 2013 user.php find 198.203.28.247
102102 N/A 18:13, 30th Aug 2013 user.php modify 198.203.28.247
102101 N/A 18:13, 30th Aug 2013 plugin.php 198.203.28.247
102100 N/A 18:13, 30th Aug 2013 plugin.php kill plugin id = 8305 198.203.28.247
102099 N/A 18:13, 30th Aug 2013 plugin.php delete plugin id = 8305 198.203.28.247
102098 N/A 18:13, 30th Aug 2013 plugin.php modify 198.203.28.247
102097 N/A 18:05, 30th Aug 2013 plugin.php 198.203.28.247
102096 N/A 18:05, 30th Aug 2013 plugin.php doimport 198.203.28.247
102095 N/A 18:04, 30th Aug 2013 plugin.php files 198.203.28.247
When I saw this I deleted the install folder as advised and restored my database to the 29th of August; as this had been done on the 30th I figured that it would undo any database or template alterations. Wrong. The next day the same user was back with admin access. I removed him again, checked the admin logs and nothing had been done, so I left it at that and just observed the site. The next day my templates had all been reverted to the originals, so someone had accessed the admin CP again......
So then I figured it must be a file uploaded on the server, because from what I've seen the plugin being used gives them the ability to upload files to the server. So then I checked the file dates and found a suspicious "clock.php" file in the custom avatars folder that had been created the same day as the plugin above was installed, so I removed that and restored another database backup from the 24th, which is the day before the guy registered an account on my forums. I've changed admin, cPanel & FTP passwords, so I'll see where it goes from here. Just removing the install folder is not enough. Here's an example of a file someone has uploaded as a backdoor back into a forum: http://www.paccin.org/deface.txt I guess there must be more files as well, but this is all I could find on Google.
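As an added example (not code from this thread or from vBulletin): a small Python parser for admin (Control Panel) log rows in the format quoted above, which flags plugin import and user-edit actions and, optionally, any action from an address that is not a known admin IP. The sample rows, ids and IPs are constructed, and the set of flagged actions is an assumption seeded from the rows in this post.

```python
import re

# Admin log row format as quoted in this thread:
#   <log id> N/A <hh:mm>, <day> <Month> <year> <script> [<action> [<detail>]] <ip>
LOG_RE = re.compile(
    r"^(?P<id>\d+)\s+N/A\s+(?P<time>\d{1,2}:\d{2}),\s+"
    r"(?P<date>\d{1,2}(?:st|nd|rd|th)\s+[A-Za-z]+\s+\d{4})\s+"
    r"(?P<script>[a-z_]+\.php)\s*(?P<action>.*?)\s*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# (script, action) pairs worth a second look. Assumption seeded from the rows above:
# files/doimport are the plugin XML import steps, user.php edit changes an account.
SUSPICIOUS_ACTIONS = {("plugin.php", "files"), ("plugin.php", "doimport"),
                      ("plugin.php", "modify"), ("user.php", "edit")}

def parse_admin_log(lines):
    """Parse rows into dicts; rows that do not match the format are kept as 'raw'."""
    entries = []
    for line in filter(None, (ln.strip() for ln in lines)):
        m = LOG_RE.match(line)
        if not m:
            entries.append({"raw": line})
            continue
        entry = m.groupdict()
        words = entry["action"].split()
        entry["verb"] = words[0] if words else ""   # e.g. "edit" from "edit user id = 4242"
        entry["detail"] = " ".join(words[1:])
        entries.append(entry)
    return entries

def flag_suspicious(entries, known_admin_ips=()):
    """Return parsed entries whose action is flagged or, when known_admin_ips is
    given, whose source address is not in that set."""
    return [e for e in entries if "raw" not in e and (
        (e["script"], e["verb"]) in SUSPICIOUS_ACTIONS
        or (known_admin_ips and e["ip"] not in known_admin_ips))]

# Constructed sample rows (ids, user id and IPs are made up; format matches the thread).
SAMPLE_LOG = """\
102095 N/A 18:04, 30th Aug 2013 plugin.php files 203.0.113.5
102096 N/A 18:05, 30th Aug 2013 plugin.php doimport 203.0.113.5
102097 N/A 18:05, 30th Aug 2013 plugin.php 203.0.113.5
102098 N/A 18:13, 30th Aug 2013 user.php edit user id = 4242 203.0.113.5
102099 N/A 09:30, 30th Aug 2013 index.php 198.51.100.7
"""
```

Feed it the rows copied from the AdminCP log and pass the addresses you recognise as known_admin_ips; what comes back from flag_suspicious is the list to check first.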
#37
Did you try the following?
Run Suspect File Versions:
> AdminCP > Maintenance > Diagnostics > Suspect File Versions
> Click Submit
> Review the files listed, research and delete all files you suspect are malicious.
* Also check your .htaccess file and config.php file for modified code; the suspect file versions script does not check config.php or .htaccess.
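An added example, not the thread's or vBulletin's own code, that covers what the Suspect File Versions check leaves out: it walks the forum directory for script files inside upload directories such as customavatars (where the clock.php file in the post above turned up), files modified after a cutoff, and hash mismatches on .htaccess and config.php against a baseline recorded from a known-good copy. The upload directory names, the includes/config.php location and the sample tree it builds are assumptions or constructed for the demo.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Assumed vBulletin 3 layout: these top-level directories should hold uploaded media only.
UPLOAD_DIRS = {"customavatars", "customprofilepics", "attachments"}

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def scan_webroot(root, baseline, newer_than):
    """Return sorted (finding, relative path) pairs: script files inside upload dirs,
    files modified after newer_than (epoch seconds), and files whose hash differs
    from the known-good baseline dict (used here for config.php and .htaccess)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if rel.split(os.sep)[0] in UPLOAD_DIRS and name.lower().endswith((".php", ".phtml")):
                findings.append(("php_in_upload_dir", rel))
            if os.path.getmtime(path) > newer_than:
                findings.append(("recently_modified", rel))
            if rel in baseline and sha256_file(path) != baseline[rel]:
                findings.append(("baseline_mismatch", rel))
    return sorted(findings)

def build_sample_tree():
    """Constructed demo tree: clean .htaccess, includes/config.php whose baseline hash
    is deliberately wrong (simulating tampering) and an inert PHP file in customavatars."""
    root = tempfile.mkdtemp()
    sample = {
        ".htaccess": b"RewriteEngine On\n",
        "includes/config.php": b"<?php $config['Database']['dbname'] = 'forum';\n",
        "customavatars/avatar12_1.gif": b"GIF89a",
        "customavatars/clock.php": b"<?php // constructed placeholder, not a real backdoor\n",
    }
    for rel, data in sample.items():
        target = Path(root, *rel.split("/"))
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    baseline = {".htaccess": sha256_file(os.path.join(root, ".htaccess")),
                os.path.join("includes", "config.php"): "0" * 64}
    return root, baseline

def demo_findings(days=7):
    root, baseline = build_sample_tree()
    return scan_webroot(root, baseline, time.time() - days * 86400)
```

On a real board, record the baseline hashes from a clean download of the same vBulletin version plus your own config.php, then run scan_webroot against the live web root with a cutoff just before the first suspicious admin-log entry.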
#38
Quote:
#39
OK cool, here is an interesting article TheLastSuperman wrote, it may help: http://www.vbulletin.com/forum/blogs...vbulletin-site
#40
If you look at the options they have once they have installed the plugin you can see how much they can do