  #1  
Old 11-03-2008, 08:56 PM
terracore terracore is offline
 
Join Date: Dec 2007
Posts: 35
Thanks given: 0 times
Thanks received: 0 times in 0 posts
We've been hacked and I don't know the first thing about it

Here is the link to my site:

www.AvianNation.com

And it's been hacked. Any suggestions on how to fix this? I'm afraid to log into my admin panel as I have to enter my password and I don't know whose password that they might have. Obviously it is one of the admins. Right?

This sucks, so any help would be good.

New info:

The site was hacked by ALQAISER and the hack "theme" was some sort of pro-muslim thing complete with graphics and music and some kind of warning.

I'm not sure who they are or their motivation (it's a forum about parrots, hardly controversial). I also don't know how the hack occurred. The database seemed untouched. I really know nothing about computers or coding. I was already running the latest version of VB (3.7.3 patch 1) and wasn't sure what to do to fix this problem or get the board running again so I went through the motions like I was upgrading it (even though it's already the latest version) and thankfully that seemed to restore everything to normal. Since I don't know the vulnerability that caused this, and may still exist, I did the common sense things like changing passwords, etc. I also deactivated the following mods:

CYB- CHATBOX
CYB- PAYPAL DONATE
CYB- AUTO BIRTHDAY GREETER
WHO HAS VISITED TODAY
PASSIVE VID

If anybody can look at the board aviannation.com and see if there is anything I can do to close a vulnerability let me know. Also if they think one of those mods had anything to do with it? Can I reactivate them?
Reply With Quote
  #2  
Old 11-03-2008, 09:15 PM
UKBusinessLive UKBusinessLive is offline
 
Join Date: Sep 2008
Location: Essex, United Kingdom
Posts: 1,637
Thanks given: 0 times
Thanks received: 0 times in 0 posts

Have you a backup made of your site? Normally they just change the index.php file. Change this first and see, but if you do regular backups of your server, then upload this backup and you'll find everything will be OK. You need to double check all your FTP accounts and change your passwords. Also make sure of the types of uploads members can do.

These types of hacking often happen when a hacker uploads a piece of code in the gist of an image.

Good luck with the backup, or if you have an index.php file add that first and see what happens.

keep us up to date
Reply With Quote
  #3  
Old 11-03-2008, 09:16 PM
Blaine0002's Avatar
Blaine0002 Blaine0002 is offline
 
Join Date: Jul 2003
Location: Wisconsin.
Posts: 1,350
Thanks given: 0 times
Thanks received: 0 times in 0 posts

What I would recommend is that you restore one of the mysql databases (that you of course made right?) and remove all addons you have. Request that your other admins change their passwords immediately, or change them for them.
Reply With Quote
  #4  
Old 11-03-2008, 09:17 PM
snakes1100 snakes1100 is offline
 
Join Date: Dec 2001
Location: Michigan
Posts: 3,733
Thanks given: 0 times
Thanks received: 0 times in 0 posts

Well, unfortunately it's hard to tell what method he used to get in, that looks like either a template hack via the db or a file hack, typically global.php seeing as it's every page.

If it's a template hack, do a search on the DB via phpmyadmin with keywords from the page source of the hacked page.

Logging into your admincp will most likely not work anyways.

I would suggest you globally disable your hacks in config.php, which is most likely the way he got in anyways.

Upload the default vb files and upgrade the site to the latest version of vb.

THERE IS NO NEED TO RESTORE FROM A BACKUP, THIS IS A EASY TO FIX.
Reply With Quote
  #5  
Old 11-04-2008, 03:30 AM
terracore terracore is offline
 
Join Date: Dec 2007
Posts: 35
Thanks given: 0 times
Thanks received: 0 times in 0 posts

New info:

The site was hacked by ALQAISER and the hack "theme" was some sort of pro-muslim thing complete with graphics and music and some kind of warning.

I'm not sure who they are or their motivation (it's a forum about parrots, hardly controversial). I also don't know how the hack occurred. The database seemed untouched. I really know nothing about computers or coding. I was already running the latest version of VB (3.7.3 patch 1) and wasn't sure what to do to fix this problem or get the board running again so I went through the motions like I was upgrading it (even though it's already the latest version) and thankfully that seemed to restore everything to normal. Since I don't know the vulnerability that caused this, and may still exist, I did the common sense things like changing passwords, etc. I also deactivated the following mods:

CYB- CHATBOX
CYB- PAYPAL DONATE
CYB- AUTO BIRTHDAY GREETER
WHO HAS VISITED TODAY
PASSIVE VID

If anybody can look at the board aviannation.com and see if there is anything I can do to close a vulnerability let me know. Also if they think one of those mods had anything to do with it? Can I reactivate them?

--------------- Added [DATE]1225776663[/DATE] at [TIME]1225776663[/TIME] ---------------

Quote:
Originally Posted by UKBusinessLive View Post
Have you a backup made of your site? Normally they just change the index.php file. Change this first and see, but if you do regular backups of your server, then upload this backup and you'll find everything will be OK. You need to double check all your FTP accounts and change your passwords. Also make sure of the types of uploads members can do.

These types of hacking often happen when a hacker uploads a piece of code in the gist of an image.

Good luck with the backup, or if you have an index.php file add that first and see what happens.

keep us up to date
The index.php file wasn't the problem- it appeared unchanged. I changed it out with an older backup version and it didn't help.

--------------- Added [DATE]1225776773[/DATE] at [TIME]1225776773[/TIME] ---------------

Quote:
Originally Posted by snakes1100 View Post
Well, unfortunately it's hard to tell what method he used to get in, that looks like either a template hack via the db or a file hack, typically global.php seeing as it's every page.

If it's a template hack, do a search on the DB via phpmyadmin with keywords from the page source of the hacked page.

Logging into your admincp will most likely not work anyways.

I would suggest you globally disable your hacks in config.php, which is most likely the way he got in anyways.

Upload the default vb files and upgrade the site to the latest version of vb.

THERE IS NO NEED TO RESTORE FROM A BACKUP, THIS IS A EASY TO FIX.
I did the phpmyadmin you suggested, I could not find any keywords.

You are right, I could not log into the admincp.

I couldn't figure out what you meant by the config.php.

Your comment about easy fix didn't lead directly to a solution but it certainly helped me.
Reply With Quote
  #6  
Old 11-04-2008, 03:39 AM
Digital Jedi's Avatar
Digital Jedi Digital Jedi is offline
 
Join Date: Oct 2006
Location: PopCulturalReferenceLand
Posts: 5,171
Thanks given: 0 times
Thanks received: 0 times in 0 posts

Quote:
I'm not sure who they are or their motivation (it's a forum about parrots, hardly controversial).
They don't need any. Seldom is it a personal attack. They just see a site, see a vulnerability and abuse it...because they can. Hacking is usually out of the most childish of motivations. The same thing that makes a bully pick on smaller kids in school.

I don't think any of those mods have security vulnerabilities, as quite a large number of sites use them. Make sure all of your site's folders are protected by an index file. Changing your administrators' passwords was a good idea as well, in case one of them was compromised.
Reply With Quote
  #7  
Old 11-04-2008, 04:59 AM
UKBusinessLive UKBusinessLive is offline
 
Join Date: Sep 2008
Location: Essex, United Kingdom
Posts: 1,637
Thanks given: 0 times
Thanks received: 0 times in 0 posts

Hi terracore

Just checked this morning and see you got your site back

Quote:
it's a forum about parrots, hardly controversial
Perhaps they don't like parrots

Seriously, it's good that you managed to fix it. As for your mods, I've used CYB's mods on my site and I've never had a problem with them.

Might be an idea to check your file/folders permissions on your server also

FILE permissions shouldn't be higher than 644

FOLDER permissions shouldn't be higher than 755
Reply With Quote
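
An added example, not part of the thread: a shell function that lists every file and folder under a web root whose mode grants more than a ceiling, defaulting to the 644 / 755 values given in post #7. It assumes GNU find; the function name and the path passed to it are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU find
# (-perm /MASK and -printf are GNU extensions).

# audit_perms ROOT [FILE_MAX] [DIR_MAX]
# Prints one line per file or folder that has any permission bit
# set outside the ceiling. Defaults: files 644, folders 755.
audit_perms() {
    root=$1
    file_max=${2:-644}
    dir_max=${3:-755}
    # Bits the ceiling does NOT allow, e.g. 777 & ~644 = 133.
    file_mask=$(printf '%o' $(( 0777 & ~0$file_max )))
    dir_mask=$(printf '%o' $(( 0777 & ~0$dir_max )))
    # A zero mask means "everything allowed"; skip the scan in that case.
    if [ "$file_mask" != 0 ]; then
        find "$root" -type f -perm "/$file_mask" -printf 'FILE %m %p\n'
    fi
    if [ "$dir_mask" != 0 ]; then
        find "$root" -type d -perm "/$dir_mask" -printf 'DIR  %m %p\n'
    fi
}

# Usage: audit_perms /path/to/forum            (644 / 755 ceiling)
#        audit_perms /path/to/forum 444 555    (read-only ceiling)
```

Folders the board must write to (attachments, avatars and similar) may legitimately show up in the output; each hit is something to review, not proof of tampering.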
  #8  
Old 11-04-2008, 10:31 AM
AzaDiyaR AzaDiyaR is offline
 
Join Date: Oct 2006
Posts: 84
Thanks given: 0 times
Thanks received: 0 times in 0 posts

FILE permissions 444

FOLDER permissions 555

never be hacked
Reply With Quote
  #9  
Old 11-04-2008, 10:35 AM
snakes1100 snakes1100 is offline
 
Join Date: Dec 2001
Location: Michigan
Posts: 3,733
Thanks given: 0 times
Thanks received: 0 times in 0 posts

Quote:
Originally Posted by AzaDiyaR View Post
FILE permissions 444

FOLDER permissions 555

never be hacked
Those file & folder permissions will NOT work on every server, especially cheap anal vhosted servers.

--------------- Added [DATE]1225802852[/DATE] at [TIME]1225802852[/TIME] ---------------

Quote:
Originally Posted by terracore



I did the phpmyadmin you suggested, I could not find any keywords.

You are right, I could not log into the admincp.

I couldn't figure out what you meant by the config.php.

Your comment about easy fix didn't lead directly to a solution but it certainly helped me.
Sorry Terra

To better explain it, typically those hackers are using injection & I would guess there is a security hole in your system some place, either an addon mod or another php file for a script unrelated to vb actually.

1. Search your DB using keywords from the hacker's page he has put up on your site, view the page source and search for instance, the name of the hack/group or any other keyword you find in the source, like "hacked", typically you'll find them in the template table.

2. Seeing as it was every page of your site, if a php file was modified, it's typically global.php, not index.php as ALL the pages are changed.
Reply With Quote
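
An added example, not part of the thread: one way to find out which PHP file was modified, as point 2 above discusses, is to hash the live web root against a freshly unpacked copy of the same vBulletin version. The function names and both directory paths are placeholders, and sha256sum from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes sha256sum (GNU coreutils).
# CLEAN: freshly unpacked vBulletin package of the same version (placeholder).
# LIVE:  the forum's web root (placeholder).

# One "hash  ./relative/path" line per file, sorted by path.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Report live files that differ from, or do not exist in, the clean tree.
compare_trees() {
    clean=$1
    live=$2
    a=$(mktemp)
    b=$(mktemp)
    manifest "$clean" > "$a"
    manifest "$live" > "$b"
    # The hash is 64 hex chars plus 2 separator chars, so the path starts
    # at column 67; substr keeps paths that contain spaces intact.
    awk 'NR == FNR  { h[substr($0, 67)] = $1; next }
                    { p = substr($0, 67) }
         !(p in h)  { print "EXTRA    " p; next }
         h[p] != $1 { print "MODIFIED " p }' "$a" "$b"
    rm -f "$a" "$b"
}

# Usage: compare_trees /path/to/clean-vb-package /path/to/live/forum
```

MODIFIED lines point at stock files that were changed; EXTRA lines cover anything the package did not ship, which includes the site's own configuration and installed add-ons as well as files that should not be there.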
  #10  
Old 11-04-2008, 03:13 PM
Alfa1's Avatar
Alfa1 Alfa1 is offline
 
Join Date: Dec 2005
Location: Netherlands
Posts: 3,537
Thanks given: 0 times
Thanks received: 0 times in 0 posts

Contact your host. Browse the logs and make sure to secure all security risks. Even if they do not want to.

Remove all unneeded files and programs from your server.
Close all ports that do not need to be open and restrict ports that only you need to your IP. Only allow ftp from your IP address.

Follow these instructions as well: http://www.vbulletin.com/forum/showthread.php?t=172234

For everything that you install, check http://www.securityfocus.com/vulnerabilities and also search google for the name of the software and the words 'exploit OR vulnerability'
Reply With Quote