Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
FAQ Community Calendar Today's Posts Search

Closed Thread
 
Thread Tools Display Modes
  #1  
Old 09-08-2015, 04:00 AM
loua_oz loua_oz is offline
 
Join Date: Dec 2010
Posts: 90
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Forum hacked, restored, now showing bare index

Probably 10th time in 4 years, my forum has been hacked. This time Turkish hackers inserted "class.php" into the /includes directory, my provider (Webhostinghub) is adamant they came through some VB backdoor, which I doubt.

VB 4.2.3 all vanilla, no Mods.
Passwords for site and ftp different, 30-40 characters, free form text with blanks, uppercase, numbers.

Wiped the site out and restored from last good known backup.

All VB files are in ./public_html/forums, as in picture 1

Now it is showing bare index, as in picture 2.

When going into "forum", it does show the site is down and under maintenance.
But if anyone clicks on the pictures, it is free to look at them with no login.
(I have moved pictures to another directory since until this is resolved but picture 4 shows how it was).

Why is it going now into bare index not into the full site?
Attached Images
File Type: jpg 2015hacked01.jpg (84.3 KB, 0 views)
File Type: jpg 2015hacked02.jpg (29.1 KB, 0 views)
File Type: jpg 2015hacked03.jpg (84.0 KB, 0 views)
File Type: jpg 2015hacked04.jpg (70.0 KB, 0 views)
  #2  
Old 09-08-2015, 04:21 AM
RichieBoy67's Avatar
RichieBoy67 RichieBoy67 is offline
 
Join Date: Apr 2004
Location: CT - Down in a hole..
Posts: 3,057
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Did you look under diagnostics to see what files are left and check your plug ins as well..

--------------- Added [DATE]1441693369[/DATE] at [TIME]1441693369[/TIME] ---------------

If you were hacked many times then chances are they did leave a "door" on your site which was never patched.
  #3  
Old 09-08-2015, 04:28 AM
loua_oz loua_oz is offline
 
Join Date: Dec 2010
Posts: 90
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I wiped out the site, removed directories and created them afresh this morning.

Maintenance - diagnostics shows nothing strange.
The site is vanilla, no plugins, nothing that did not come with VB.

Hacking my site is rather like farming web services users hosted by that provider, using them as bots. Wells Fargo sent me once to stop spamming from my site.

Only 2 out of 10 times they shut down the site with some message.
  #4  
Old 09-08-2015, 04:40 AM
RichieBoy67's Avatar
RichieBoy67 RichieBoy67 is offline
 
Join Date: Apr 2004
Location: CT - Down in a hole..
Posts: 3,057
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Sounds like you have a ton of stuff on there still Go under maintenance and run the diagnostics. Check your plug ins as well.

I really do not know what you mean by you wiped everything out. you reinstalled Vbulletin fresh or just uploaded clean files? In that case you did not overwrite the hacked files which may not only have been Vbulletin.

There are many things you need to do even after you clean this to make sure it is secure but it looks like you have a long ways to go.
  #5  
Old 09-08-2015, 06:38 AM
loua_oz loua_oz is offline
 
Join Date: Dec 2010
Posts: 90
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

This is what it was:
.htaccess file was not in the root directory. After blasting the entire installation, it of course, did not come there from VB install. Dragged it from backup and all fine.

That file contains redirection to the home page, without it it defaults to bare index.
  #6  
Old 09-08-2015, 06:48 AM
RichieBoy67's Avatar
RichieBoy67 RichieBoy67 is offline
 
Join Date: Apr 2004
Location: CT - Down in a hole..
Posts: 3,057
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Ok good. You installed a fresh copy of Vbulletin? I am a little confused but glad it is working anyways.
  #7  
Old 09-08-2015, 08:27 AM
loua_oz loua_oz is offline
 
Join Date: Dec 2010
Posts: 90
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Honestly, I don't know what is different this time. If the hacker who broke in yesterday is pleased to do again today, the same hole would be ready for him.

Whether they come through cPanel, site itself or through VB, nothing has changed, even if VB is fresh install. The hosting site said it was not through ftp. They also said password was not used to get in, how they know, through their logs probably.
  #8  
Old 09-08-2015, 09:40 AM
HM666's Avatar
HM666 HM666 is offline
 
Join Date: Jan 2014
Location: Little Rock, AR
Posts: 1,060
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Are you on shared hosting? That is the most common way that hackers get in and it IS the hosts fault in most cases NOT vBulletin if its a fresh install with no mods added on. Shared hosting is famous for not being very secure. I suggest if you are that you either change hosts or get a VPS instead where you can control the security.
  #9  
Old 09-08-2015, 09:57 AM
loua_oz loua_oz is offline
 
Join Date: Dec 2010
Posts: 90
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Yes, possible.
Yes again, shared hosting, it may well be their problem. As I said, seems the hackers waltz in and farm the users and their sites without apparent problem with their sites. They (webhostinghub.com) applied some measures that alert me when (some, what their poor security can detect) it happens. They quarantine the malicious code but still - it comes through their lack of security.

Issues like this have a potential to drive a hosting company out of business.

If any, the luck is my site is not commercial, no money loss. But hours lost to restore by me for someone who had ruined my site for fun.

When I asked webhostinghub.com why don't they introduce 2 level login (with RSA dongle) they said it could fix cPanel only but not "3rd Party software", possibly implying VBulletin to be at fault.
They confirmed nobody had compromised my passwords and logged in.

I still believe it is cPanel, an independent vendor, who is at fault.
No offers for help (paid) from this site would fix it. It is not VB, I think.
  #10  
Old 09-08-2015, 12:21 PM
RichieBoy67's Avatar
RichieBoy67 RichieBoy67 is offline
 
Join Date: Apr 2004
Location: CT - Down in a hole..
Posts: 3,057
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Well it could be hosting but my guess is that it is something you have missed.

Did you delete all the files on your server and reinstall fresh? Did you run the diagnostics to look for third party files?

Have you been with this same host all the other times you were hacked?
Closed Thread


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 02:26 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.09112 seconds
  • Memory Usage 2,273KB
  • Queries Executed 12 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (4)postbit_attachment
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_attachment
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete