The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
#1
08-10-2014, 04:44 PM
|
|||
|
|||
4.2.1 PL1 hacked, what to look for in logs
Recently I started finding new admin users that appear to be injected into my database. They don't have any associated IP addresses. So far they have not been able to do anything in admincp, presumably because I have the directory password protected. I did an extensive file check and nothing seems to be out of the ordinary.
What can I search for in raw access logs to determine how this is happening? 
|
|
#2
08-10-2014, 04:48 PM
|
||||
|
||||
|
Please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked http://www.vbulletin.com/forum/blogs...vbulletin-site Also please see these recent security announcements: vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5 vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
|
|
#3
08-10-2014, 05:03 PM
|
|||
|
|||
|
Thanks ozzy. I'm familiar with those (and also this) but didn't find (or maybe I missed) what to search for in the access logs.
I have already taken all steps in the guide "Fixing your site after you have been hacked" several times, but continue to get admin users injected in my database. Any help with searching raw access logs to determine how it's being done would be appreciated.
|
|
#4
08-10-2014, 05:23 PM
|
||||
|
||||
|
It sounds like there is still a backdoor somewhere. Remember that they probably can't access the admincp, but they can still insert data via whatever method they are using to get in. It could be something appended to a plugin or template. I would install the plugin search mod and search plugins and templates for things like base64 and display:none (which is actually used in some templates)
Make sure you look carefully at Maintenance > Diagnostics > Suspect file versions for unexpected contents. You should update to 4.2.2 pl1. Also, if you have wordpress installed - I recently restored a hacked vbulletin and found that their WP install even had things inserted into the files/templates. Make sure to take a close look at WP or any other software packages if you have them. I'm assuming you already removed the install directory...
|
|
#5
08-10-2014, 05:40 PM
|
|||
|
|||
|
Thanks tpearl5. Yes, install dir was already removed.
I also suspect there is a backdoor somewhere, or a file that is vulnerable to sql injection. I'm wondering if there are some strings I can search my apache raw access logs for to identify the culprit. I thoroughly checked all files identified in Maintenance > Diagnostics > Suspect file versions. I found and removed a number of files that were left over from previous versions of VB and old/uninstalled mods. All the files left (current mods I am using) seem to be ok, I didn't see anything unusual in them. I replaced all VB core files with freshly downloaded copies. VB 4.2.1 PL1 is not known to have security vulnerabilities as far as I am aware. I'll probably upgrade to 4.2.2 anyway, but I'm not sure it will fix this.
|
|
#7
08-10-2014, 05:47 PM
|
|||
|
|||
|
I've been keeping an eye on plugins and don't see anything unusual.
|
|
#9
08-10-2014, 05:57 PM
|
|||
|
|||
|
I did have VBSEO installed the first time this happened. I suspected it might be the culprit so I switched to DBSEO and removed VBSEO and all it's files. Unfortunately it continued after removing VBSEO.
|
|
#10
08-10-2014, 06:00 PM
|
||||
|
||||
|
Then there might be something lurking around from when you had vBSEO installed.
What other modifications have you got installed? And are all the modifications from official vB sites?
|
 |
«
Previous Thread
|
Next Thread
»
Linear Mode
|
|
All times are GMT. The time now is 02:11 AM.