#1
09-28-2008, 07:09 PM
joethaman
Join Date: Jan 2007
Posts: 16
Repeated Hacks Since Friday

So, I've been getting repeatedly hacked over the last few days. I've been hacked in the past, maybe once every month or two. They are getting into my database somehow and changing the templates to their "hacker" pages. I inspected all index files and they are all untouched, and the only way to repair was to recover the database from an older version.

I tracked down some files that were uploaded to my "signatures" directory yesterday but it is still happening. Went to bed last night and everything was fine and awakened to a hacked board. Yesterday, I changed my pw's for my admin account, changed login and pw for my databases, changed directory login and pw for all control panels (need 2 logins and pw's to get to admincp, etc). Added login and pw for mysqldumper, admincp, modcp, and install directories. Changed cPanel login and pw for domain control panel. Updated to latest patches of all add-ons and vBulletin. I did diagnostics and viewed all the Suspect File Versions and found nothing out of the ordinary. The only thing I could think of doing today was remove vBadvanced CMPS.

Any advice would be greatly appreciated. The next step I am going to take if it gets hacked again is to delete all files on the server and do a fresh install and restore the database to that install.

The first was from T3eS_hack@hotmail.com or http://www.alboraaq.net/t3es. The ones following the first did not say who it was, but I am assuming the same person.

#2
09-28-2008, 10:32 PM
Lynne
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180

Not sure if you are on a PC or not, but have you considered a keylogger? Have you done a complete scan of your system at home?

#3
09-30-2008, 10:12 PM
joethaman
Join Date: Jan 2007
Posts: 16

I've been doing some more searching and found some more files. I'm slowly combing through all the files to find the hidden ones. Here is what I've found so far and have deleted them.

forum/customavatars/sni.php
classifieds/uploads/sni.php
reviewpost/data/sni.php
gallery/files/sni.php
forum/imagehosting/sni.php

These appear to be for the Sniper-SA Shell.

forum/customavatars/libe.php

And I've at least got the IP address so I can search the log files to find out what they are accessing.

Is there another way to track down suspicious files? I haven't been able to find out how they are actually making it on my server. I retrieved the contents of one file, sni.php, but not of the libe.php.

I'm going to keep searching for files, but until I'm done I'm not going to log on to the forums.

What I've also done since then is made sure all the config files are 600 and the others are 644.

--------------- Added 09-30-2008 at 11:25 PM ---------------

I've also noticed all the directories the files are showing up in are 777, mainly gallery directories and such.

#4
09-30-2008, 11:16 PM
SEOvB
Join Date: May 2007
Location: Indianapolis
Posts: 2,451

You're wasting your time combing thru directories looking for files.

The only way to remedy this situation is to completely clean the server off (or if you're on shared hosting it may be time to move).

Next, reupload all the original vBulletin files. Don't copy from your hosting account and yadayadayada; download a fresh copy from vBulletin.com, extract and upload.

Remove all unnecessary modifications and make sure you're running the most up to date versions of whatever you must have.

Audit your database for potential extra tables, rows, and admin accounts that could be lurking inside of them.

Rather than operating files and folders in 777 permissions, try 755.
Reply With Quote
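
Added example (not part of any post in this thread): a shell audit for the pattern reported in post #3, script files appearing in upload directories that are mode 777, together with the 755 change suggested in post #4. The function names and the sample tree are constructed for illustration; only the directory names and the file name `sni.php` come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a web root for the pattern in
# post #3: script files sitting in directories that are mode 777.

# Files a PHP-enabled server may execute, including double extensions
# such as photo.php.jpg.
scripts_in() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.php.*' \) -print | sort
}

# Directories with the world-writable bit set (777, 757, 773, ...).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# Scripts whose parent directory is world-writable.
scripts_in_writable_dirs() {
    scripts_in "$1" | while IFS= read -r f; do
        d=$(dirname "$f")
        if [ -n "$(find "$d" -prune -perm -0002)" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Post #4's suggestion: replace 777 with 755 on every such directory.
tighten_dirs() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
}

# Constructed sample tree; directory names mirror the paths in post #3.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/forum/customavatars" "$root/forum/includes" "$root/gallery/files"
    : > "$root/forum/customavatars/avatar1_1.gif"
    : > "$root/forum/customavatars/sni.php"      # empty placeholder
    : > "$root/gallery/files/photo.php.jpg"      # empty placeholder
    : > "$root/forum/includes/config.php"        # legitimate script
    chmod 755 "$root/forum" "$root/gallery" "$root/forum/includes"
    chmod 777 "$root/forum/customavatars" "$root/gallery/files"
    chmod 600 "$root/forum/includes/config.php"
    printf '%s\n' "$root"
}

# Audit the path given as $1, or the sample tree when none is given.
target=${1:-$(build_sample_tree)}
echo "Scripts in world-writable directories under $target:"
scripts_in_writable_dirs "$target"
```

With 755 the web server can write to an upload directory only if it owns that directory, so check ownership before tightening. Legitimate application scripts such as `includes/config.php` are listed by `scripts_in` but not by `scripts_in_writable_dirs`, because their directory is not world-writable.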