The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#61
Quote:
When you say they restored a web backup, do you mean they had a full database (1) AND filesystem (2) backup and restored both (3)?

1. If the host restored, then they know to drop the tables, in fact the entire database, depending on the restore method. The issue here for some site owners who attempt this themselves is the fact that they tend to import a backup onto a populated database, i.e. overwriting newer data with older data, and that can cause issues. The proper way to do it is to drop all tables from the database, then import the backup into the now empty database, thereby restoring it.

2. If the host restored a filesystem backup, it must be BOTH filesystem AND database because the two must match each other, i.e. timeframe: if the database backup was made at 5pm your time, then the filesystem backup should be from that same time, and by disabling the forum before a backup you ensure no activity is taking place, i.e. avatar/image uploads, so the two will in fact match what the database knows is within the filesystem.

3. If only one was done, as I said above in note #2, it must be both. Now, is there an exception? Yes! The inability to access the admincp could be modification related: if you restored fresh files only and forgot to upload all the missing plugin files, then that can cause inability to access. If you feel that is the case, locate the missing modification files and upload them (you can still access the database via phpMyAdmin, so check the product and plugin tables). If you have issues tracking down the files OR truly believe this is the issue, then start disabling each plugin one by one using this article until you find the culprit, as not all plugins disable when you disable mods via the config file. I've seen some odd situations and scenarios with certain third-party modifications/plugins.

Quote:
Your site is more than likely intact; other than one site where they edited the master style, I have only seen defacement, no thread or post deletions, but make sure to check regardless.
#62
Deleting your install folder had nothing to do with your new error:
'max_connections_per_hour' Your MySQL user has used all of the queries they're allowed per hour.
#63
Quote:
http://www.vbulletin.com/vbcms/conte...to-vBulletin-4 and transferred files via FTP. (To complicate it more, the FTP manager showed I was in the web root directory, but it turns out my ftp account directs the files to "my" folder, so they were moved by host.)

I obviously blew it somewhere...so how do I fix it now? Is it smarter to simply do another db restore (and can that be done without losing the interim data), then redo the upgrade?
#64
Quote:
Let me re-phrase:
The best way to fix this now is to ask your host to restore the database AND the files from three days prior at the same time; however, you will lose all data from the time of the backup to date. Unless you have a custom script written and possible edits to the database to merge in the data, taking into account new data from the time you start using the forum after the restore, then the data is lost forever after restoration.
#65
OK, thanks.
--------------- Added [DATE]1378918449[/DATE] at [TIME]1378918449[/TIME] ---------------
Does this sound correct, please? From host:
Quote:
#66
Hello guys,
Here is my feedback running vBulletin 4.2.0 Patch Level 3.

Today I received a phone call from a moderator of mine saying that the forum was hacked. Immediately I logged in as admin and turned the forum off. I have vBa CMPS installed in the root of the forum and the index is working fine; only when we go to forum.php is it redirecting to this page: http://i.imgur.com/JingJTM.png

Showing a Brazilian message:
Quote:
http://paste2.org/YeFAjz9m

I have found this in my forumhome template: http://paste2.org/Mw7snpxK

I also have found a new admin in the administrators group:
ID: 136733
username: polter
email: pulodentrodurio@hotmail.com
join and last activity date: 11-09-2013

Does someone know exactly what the hacker changed? Until now I have only found:
1- a new admin (already deleted)
2- forumhome template changed (already reverted)

I have also already deleted the install folder, like Wayne Luke said here: http://www.vbulletin.com/forum/forum...-1-vbulletin-5

Just a quick note. I saw the logs on And found what he did: http://i.imgur.com/pJRBdfi.png

So, if I am right, he only modified template files, right? Is it possible to know if it was only forumhome or more?

UPDATE: I have checked all template files one by one in the Last edited information, and the only template file that was edited by the hacker was FORUMHOME, in all templates that I have installed. It says: Last edited September 11 2013 at 05:51 by polter

UPDATE2: I noticed a new template file that was edited today (the day that my vb was hacked), and the file was bbcode_video. It says: Last edited September 11 2013 at 05:49 by
Note that the username doesn't appear, but the file was edited today, 2 minutes before he changed FORUMHOME. My bbcode_video file code: http://paste2.org/5bP0w05b

UPDATE3: I just can't find the template file that he inserted on style 2 (default): http://i.imgur.com/pJRBdfi.png
I looked at the files one by one and can't find today's date...

Any more changes that anyone has noticed? Thanks!
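The template-by-template check in post #66 can be run as a query that pivots on edit time rather than editor name, which is what catches an edit like the bbcode_video one that carried no username. This is an added example, not part of the thread: it uses an in-memory SQLite stand-in, the table and column names (template.dateline, template.username, user.usergroupid, user.joindate) and the administrator group id 6 are assumptions about the vBulletin schema, and all rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

ADMIN_GROUP = 6  # assumption: id of the Administrators usergroup

def triage(db, first_seen, window_hours=24):
    """Return (templates, admins) changed within +/- window_hours of first_seen."""
    lo = int((first_seen - timedelta(hours=window_hours)).timestamp())
    hi = int((first_seen + timedelta(hours=window_hours)).timestamp())
    templates = db.execute(
        "SELECT title, styleid, username FROM template "
        "WHERE dateline BETWEEN ? AND ? ORDER BY dateline, styleid", (lo, hi)).fetchall()
    admins = db.execute(
        "SELECT userid, username FROM user WHERE usergroupid = ? "
        "AND joindate BETWEEN ? AND ? ORDER BY joindate",
        (ADMIN_GROUP, lo, hi)).fetchall()
    return templates, admins

def ts(day, hour, minute):
    """Unix time for a moment in September 2013 (UTC), used by the sample rows."""
    return int(datetime(2013, 9, day, hour, minute, tzinfo=timezone.utc).timestamp())

def sample_db():
    """Constructed rows that mirror the situation in the post; not real forum data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE template (title TEXT, styleid INT, dateline INT, username TEXT)")
    db.execute("CREATE TABLE user (userid INT, username TEXT, usergroupid INT, joindate INT)")
    db.executemany("INSERT INTO template VALUES (?, ?, ?, ?)", [
        ("FORUMHOME", 1, ts(11, 5, 51), "intruder"),
        ("FORUMHOME", 2, ts(11, 5, 51), "intruder"),
        ("bbcode_video", 1, ts(11, 5, 49), ""),       # edit with no editor name recorded
        ("header", 1, ts(1, 12, 0), "siteadmin"),     # older, legitimate edit
    ])
    db.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", [
        (1, "siteadmin", ADMIN_GROUP, ts(1, 9, 0)),
        (9001, "intruder", ADMIN_GROUP, ts(11, 5, 40)),
        (9002, "newmember", 2, ts(11, 6, 0)),         # same day, but not an admin
    ])
    return db

if __name__ == "__main__":
    when = datetime(2013, 9, 11, 5, 51, tzinfo=timezone.utc)
    templates, admins = triage(sample_db(), when)
    for row in templates:
        print("template", row)
    for row in admins:
        print("admin", row)
```

Accounts that were promoted to administrator rather than newly registered will not match the join-date test, so widen the window and review the full administrator list as well.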
#67
My vBulletin forum was also hacked via Symlink. My forum was on a shared hosting server.
This tutorial article (http://www.securitygeeks.net/2012/08...-tutorial.html ) shows how easy it is for a hacker to hack into your vBulletin forum. The hacker installed a symlink plugin into my forum and used it to access other accounts' configuration information on the shared server. Now, I have a hard time cleaning up the symlink plugin software and any files that were installed and modified by the hacker. Can anybody help me or provide advice on how to clean up the software installed/modified by the hacker?
#68
Quote:
#69
Quote:
#70
This thread was very useful. Thank you to everyone that has contributed. We also were breached, and I found about 7 new admin accounts from the past three weeks, but only three of them had bothered to do anything. I had several new plugins and some Base64 encoded PHP tied to the subscriptions.php. I tried to decode the PHP but it is a file within a file, within a file, and my day is only so long. I haven't seen others mentioning this. Has anyone seen this or can speculate on why this PHP file would be targeted?
UPDATE: after 10 rounds of decoding we found that a hacker tool called c99madshell.php was what the plugin was. A description of what it does is here: http://www.derekfountain.org/security_c99madshell.php We are digging deeper into what may have been accessed in the DB.
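The repeated decoding described in post #70 can be done statically, without ever running the suspect PHP. This is an added example, not part of the thread: the function names and the harmless wrapped sample are constructed for illustration, and it assumes each layer is a base64_decode() string literal, optionally wrapped in gzinflate(), gzuncompress() or gzdecode().

```python
import base64
import re
import zlib

# PHP decompression wrapper -> zlib wbits (raw deflate, zlib, gzip)
WBITS = {"gzinflate": -15, "gzuncompress": 15, "gzdecode": 31}
LAYER = re.compile(
    r"(?:(gzinflate|gzuncompress|gzdecode)\s*\(\s*)?"
    r"base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\2\s*\)",
    re.IGNORECASE)

def peel(source, max_layers=50, min_len=40):
    """Unwrap nested layers as text only. Returns (layers_removed, innermost_source)."""
    layers = 0
    while layers < max_layers:
        # Ignore short literals: real code legitimately base64-decodes small strings.
        hits = [m for m in LAYER.finditer(source) if len(m.group(3)) >= min_len]
        if not hits:
            break
        m = max(hits, key=lambda h: len(h.group(3)))   # the payload is the biggest blob
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", m.group(3)), validate=True)
            if m.group(1):
                raw = zlib.decompress(raw, WBITS[m.group(1).lower()])
        except (ValueError, zlib.error):
            break                                      # not a clean layer; stop here
        source = raw.decode("latin-1")                 # latin-1 keeps every byte intact
        layers += 1
    return layers, source

def build_sample(inner, rounds=10):
    """Constructed test input: wraps a harmless string in alternating layer styles."""
    src = inner
    for i in range(rounds):
        data = src.encode("latin-1")
        if i % 2:
            comp = zlib.compressobj(9, zlib.DEFLATED, -15)
            blob = base64.b64encode(comp.compress(data) + comp.flush()).decode()
            src = f"eval(gzinflate(base64_decode('{blob}')));"
        else:
            src = f"eval(base64_decode('{base64.b64encode(data).decode()}'));"
    return src

if __name__ == "__main__":
    count, inner = peel(build_sample("<?php echo 'constructed harmless marker'; ?>"))
    print(count, "layers removed; innermost source:")
    print(inner)
```

Run it against a copy of the plugin code exported from the database, and keep the innermost layer as evidence before removing the plugin.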