  #1  
Old 10-13-2013, 03:49 AM
hinomaru hinomaru is offline
 
Join Date: Apr 2009
Posts: 60
Thanks given: 0 times
Thanked: 0 times in 0 posts
My forum admin CP changed by hacker

Hello,

I'm using vBulletin 3.8.4 PL2 and haven't, I found that my admincp >> statistic & log > transaction log... have been changed like the pic below:

How to fix that?

Thanks
Reply With Quote
  #2  
Old 10-13-2013, 03:58 AM
Digital Jedi Digital Jedi is offline
 
Join Date: Oct 2006
Location: PopCulturalReferenceLand
Posts: 5,171
Thanks given: 0 times
Thanked: 0 times in 0 posts

Ask your host if they are running MySQL Tool. It looks like that and vBulletin are crossing wires somewhere.
Reply With Quote
  #3  
Old 10-14-2013, 04:13 AM
hinomaru hinomaru is offline
 
Join Date: Apr 2009
Posts: 60
Thanks given: 0 times
Thanked: 0 times in 0 posts

Quote:
Originally Posted by Digital Jedi View Post
Ask your host if they are running MySQL Tool. It looks like that and vBulletin are crossing wires somewhere.
They are not running any MySQL tool like in that picture.
Reply With Quote
  #4  
Old 10-14-2013, 05:32 AM
ForceHSS ForceHSS is offline
 
Join Date: Apr 2008
Posts: 6,357
Thanks given: 0 times
Thanked: 0 times in 0 posts

The text at the bottom of that picture: ask your host, is that theirs?
Reply With Quote
  #5  
Old 10-14-2013, 09:47 PM
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Thanks given: 0 times
Thanked: 0 times in 0 posts

Do you still have your /install directory uploaded? Do you have any added Administrators? Any plugins you don't recognize?
Reply With Quote
  #6  
Old 10-15-2013, 02:19 AM
TheLastSuperman TheLastSuperman is offline
Senior Member
 
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Thanks given: 0 times
Thanked: 0 times in 0 posts

Quote:
Originally Posted by Digital Jedi View Post
Ask your host if they are running MySQL Tool. It looks like that and vBulletin are crossing wires somewhere.
Look at the very bottom of the screenshot; dodos have to put copyright in hacking tools, they too want credit. Basically it gives his name and to visit the powerterds site.

@hinomaru - looks like you've been hacked, try these tutorials:

http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
http://www.vbulletin.com/forum/blogs...vbulletin-site
Reply With Quote
Thanks from:
Max Taxable
  #7  
Old 10-15-2013, 09:35 AM
hinomaru hinomaru is offline
 
Join Date: Apr 2009
Posts: 60
Thanks given: 0 times
Thanked: 0 times in 0 posts

Quote:
Originally Posted by Lynne View Post
Do you still have your /install directory uploaded? Do you have any added Administrators? Any plugins you don't recognize?
The install directory was deleted a long time ago. Also, the only administrator account is me, and there was a suspected plugin, but it is already deleted.

--------------- Added 10-15-2013 at 10:38 AM ---------------

Quote:
Originally Posted by TheLastSuperman View Post
Look at the very bottom of the screenshot; dodos have to put copyright in hacking tools, they too want credit. Basically it gives his name and to visit the powerterds site.

@hinomaru - looks like you've been hacked, try these tutorials:

http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
http://www.vbulletin.com/forum/blogs...vbulletin-site
I already followed the instructions from the links you gave. But the one thing that I don't have is the backed-up database. And so with the old database it still shows the pic like in the first post. I don't know how to find the injected file or database or something like that.
Reply With Quote
  #8  
Old 10-15-2013, 11:16 AM
TheLastSuperman TheLastSuperman is offline
Senior Member
 
Join Date: Sep 2008
Location: North Carolina
Posts: 5,844
Thanks given: 0 times
Thanked: 0 times in 0 posts

Hmm, don't be so hard on yourself. You can check all of this at least; if you're not comfortable removing it then fine, but you can surely do some sifting and find what is wrong. It's easy enough to run those queries listed in my blog post, because those types of SQL statements using SELECT in the code do just that, i.e. they only select and show you said code. You can't mess anything up by just "checking", so run the queries, then post the results here for one of us to assist.

Not sure what files, if any, were uploaded or infected. You can check for spare admin accounts and delete them ASAP. Now check the control panel log: all entries by said hacker will have N/A beside them and their IP address is listed, so ban that pronto (open a ticket with your host, ask them to ban the IP at server level). To check the files, go to Maintenance in the admincp and run the suspect files tool; that will show you more info to go by as well, and feel free to post that as well.

The main point of you posting this info, results of queries, etc. is to receive assistance from our community... you can use the links provided and assistance by a few of us to come out on top here without the need to hire someone (yes, at the moment it seems over your head; a little practice and a little patience and next thing you know you're unhacking your site, not us!).
Reply With Quote
  #9  
Old 10-15-2013, 09:41 PM
Lynne Lynne is offline
 
Join Date: Sep 2004
Location: California/Idaho
Posts: 41,180
Thanks given: 0 times
Thanked: 0 times in 0 posts

All default files on the site?
Reply With Quote
  #10  
Old 10-16-2013, 12:14 AM
create365 create365 is offline
 
Join Date: Aug 2013
Posts: 15
Thanks given: 0 times
Thanked: 0 times in 0 posts

Look in plugins for suspicious code, mostly on init_startup.
It contains code like
You can also perform a query to search for this part of the string in the plugins db.
Code:
ev__al(gzin__fla__te(base64_decode('
(remove __ from eval and gzinflate - this board can't save the post when this string occurs)
Most of the shells I have spotted are installed like this. As opposed to leaving some exploit on the server, but this is not the case.

Also, if you're running a VPS/dedicated server, make sure chmod is set as it should be, and check if the webserver user has privileges to write/execute files (it should not have; this way, even if someone uploads a shell, he can't execute an exploit).

Greetings.
Reply With Quote
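
Added example (not part of any post in this thread and not vBulletin code): a Python check for the eval/gzinflate/base64_decode chain described in post #10, run over an export of the plugin table. The column names and all sample rows are assumptions constructed for illustration; the first row shows why matching on eval alone is noisy, since template plugins use eval legitimately.

```python
import re

# Assumed export of the plugin table as dicts; the column names (pluginid,
# title, hookname, phpcode) are assumptions about the schema.
# All rows are constructed sample data; the base64 text is a placeholder.
SAMPLE_ROWS = [
    {"pluginid": 11, "title": "Sidebar block", "hookname": "global_start",
     "phpcode": "eval('$sidebar = \"' . fetch_template('sidebar') . '\";');"},
    {"pluginid": 12, "title": "Avatar cache", "hookname": "postbit_display_start",
     "phpcode": "$raw = base64_decode($post['field7']);"},
    {"pluginid": 13, "title": "vBulletin", "hookname": "init_startup",
     "phpcode": "eval /* x */ (\n  GzInflate ( base64_decode('Q09OU1RSVUNURUQ=')));"},
]

DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13)"
# eval( followed by a chain of nested calls that reaches a decoder function.
CHAIN = re.compile(r"eval\((?:@?[a-z0-9_]+\()*@?" + DECODERS + r"\(")


def normalize(php):
    """Lowercase and drop block comments and whitespace used to split tokens."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"\s+", "", php).lower()


def scan_plugins(rows):
    """Return one finding per plugin whose code evals decoded/inflated data."""
    findings = []
    for row in rows:
        match = CHAIN.search(normalize(row["phpcode"]))
        if match:
            findings.append({
                "pluginid": row["pluginid"],
                "title": row["title"],
                "hookname": row["hookname"],
                "chain": match.group(0),
                # init_startup runs on every request, so review these first.
                "early_hook": row["hookname"] == "init_startup",
            })
    return findings


if __name__ == "__main__":
    for finding in scan_plugins(SAMPLE_ROWS):
        print(finding)
```

A plugin that is flagged should be compared against the product it claims to belong to before it is disabled or deleted, and its code kept as evidence.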