Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
FAQ Community Calendar Today's Posts Search

Closed Thread
 
Thread Tools Display Modes
  #41  
Old 09-08-2013, 01:44 PM
Toorak Times's Avatar
Toorak Times Toorak Times is offline
 
Join Date: Jan 2011
Posts: 436
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I've just restored twice over the last couple of days, my hosts are screaming...he is a clever bugger...I have a developer keeping an eye on my site until Sunday so I will update this thread...I am using Spam Hammer and to date it is brilliant, so I don't think it is flawed, but Steve is the expert in this stuff

--------------- Added [DATE]1378651717[/DATE] at [TIME]1378651717[/TIME] ---------------

clock.php...interesting...I have clock on my home page header, hmmm
  #42  
Old 09-08-2013, 02:43 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hopefully with Steve watching the site, he can figure out everything they are doing and share with the community on how to put a stop to him.
  #43  
Old 09-09-2013, 04:03 AM
induslady induslady is offline
 
Join Date: Jul 2006
Posts: 224
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by KissOfDeath View Post
what their doing is creating a backdoor to come back in later.

so then i figured it must be a file uploaded on the server because from what i've seen of the plugin being used gives them the ability to upload files to the server, so then i checked the file dates and found a suspicious "clock.php" file in the custom avatars folder that had been created the same day as the plugin above was installed so i removed that and restored another database backup from the 24th which is the day before the guy registered an account on my forums

I've changed admin, cpanel, & ftp passwords so i'll see where it goes from here, just removing the install folder is not enough,

here's an example of a file someone has uploaded as a backdoor back in to a forum http://www.paccin.org/deface.txt i guess their must be more files as well but this i all is could find on google
Hello,

Thank you for these details.

I was able to see these backdoor (php) files - about 4 in different names (gs.php, test.php, dyna_statistic.php) with exactly same content installed in the following folders:
customprofilepics
attachments
captcha
vba_dyna_modules


Deleted those files today.
Removed install directory the very next day of being hacked (6-Sep).
Changed cpanel/FTP, vbulletin database and admin account passwords.

I didn't find anything injected into the database, so should I restore it? Then the members posts will be lost!

What more should I do to keep the hacker away?
  #44  
Old 09-09-2013, 06:49 AM
KissOfDeath KissOfDeath is offline
 
Join Date: Dec 2008
Posts: 158
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Well somethings still not right, i logged onto my site today and may account was using an un selectable style, the style options at the bottom were just showing a blank space, nothing in the control panel logs, no file edits on the server, no new admins......
  #45  
Old 09-09-2013, 09:25 AM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Well, that is certainly a strange one. Surprised there was nothing in the logs.
  #46  
Old 09-09-2013, 06:39 PM
CarolSEL CarolSEL is offline
 
Join Date: Aug 2010
Posts: 65
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

This guy hacked our site with 3 usernames (administrator, z3ro and Th3H4ck), all admins, and with no record of them registering, no email confirmation to admin, so it had to be manually done. I deleted them, and the contents of the install folder (all were backup files). The site crashed, so I had our ISP restore web files from before the 3 stooges registered, run a malware scan, then verified the htaccess file. Meanwhile, within minutes of being back up, we had 2 more phoney admins, and ZAP! got a message saying, "This site has been hijacked by Frozen.Heart."

I also found at CPanel that all the access logs had been locked. Going thru File Manager, I found the files empty.

Neither the ISP nor we have any idea what to do to restore the site without starting over, but they're going thru the software now. What else could he have done to hijack the site??

(I'm not much more than a glorified Mod, so hopefully I'll catch on to whatever suggestions you've got!)

One other question: How does this guy find out who vB's clients are???
  #47  
Old 09-09-2013, 06:47 PM
xenite xenite is offline
 
Join Date: Oct 2005
Posts: 33
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I would look at the raw server logs and identify the IP addresses he is using. You can buy yourself some time by blocking those in your .htaccess or firewall.
  #48  
Old 09-09-2013, 06:57 PM
CarolSEL CarolSEL is offline
 
Join Date: Aug 2010
Posts: 65
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks, Xenite, but first I need to figure out how to get the site back up, without any surprise easter eggs included. I suspended the account until we can get it fixed...we don't need to advertise his "expertise", since all you get at our URL is a flaming demon with music and his banner headline.

The ISP is asking me for any information available on what he does to the software.
  #49  
Old 09-09-2013, 07:01 PM
xenite xenite is offline
 
Join Date: Oct 2005
Posts: 33
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

This is a long, convoluted thread and I'm about to get offline to run some errands so I apologize if this is an unhelpful suggestion.

When my site was hacked this morning all they did (besides create the ADMIN account) was add a NOTICE through the ADMINCP that had HTML code embedded in it.

I found one SQL table entry for the notice and edited that but when I reactivated the forum the redirect still loaded. So then I just logged in to the ADMINCP and edited the notice.
Благодарность от:
obglobal.net
  #50  
Old 09-09-2013, 07:12 PM
CarolSEL CarolSEL is offline
 
Join Date: Aug 2010
Posts: 65
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by xenite View Post
This is a long, convoluted thread and I'm about to get offline to run some errands so I apologize if this is an unhelpful suggestion.

When my site was hacked this morning all they did (besides create the ADMIN account) was add a NOTICE through the ADMINCP that had HTML code embedded in it.

I found one SQL table entry for the notice and edited that but when I reactivated the forum the redirect still loaded. So then I just logged in to the ADMINCP and edited the notice.
Thanks. Will check it out.
Closed Thread


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 11:24 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04753 seconds
  • Memory Usage 2,276KB
  • Queries Executed 12 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (10)post_thanks_box
  • (1)post_thanks_box_bit
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete