Site hacked, can someone please help?

This topic is closed.
  • Suiram
    replied
    Originally posted by Zachery:
        Are all of your third party addons and software up to date?
        vBadvanced
        vBSEO
        etc?

        Are you positive you were not infected PRIOR to anything being changed?
        It is very possible they built a script to infect websites but not to trigger any changes until later.
        If they have a latent phpshell on your machine, then they could do whatever the hell they wanted at any time, if you don't get rid of that shell.

    ok, some data:
    i use vb 3.8.6 pl1 (i didn't update to 3.8.7 yet because i normally wait for a few weeks/months in case of security issues. /sigh (i'm not alone. i keep an eye on some of the big boys and they too are at 3.8.6)
    the only forum mod i ever had/installed (and i mean EVER) was the cyb advanced forums rules.
    i don't use vbseo or any other mod. basically a virgin vbulletin with the cyb advanced forum rules.


    ps: the forum is back online after the upload. my own user who is an admin, and has remained as such after this hack -thank God- can log into admin cp. first thing i did (like 15 minutes ago) was disable the mod. log out of admincp. go to the forums and check it's disabled. it was. good. i went back into admincp and uninstalled it completely. so now i have to do the following: (please tell me what to do. i can follow complex instructions just fine, as long as enough specific/detailed data is given)
    1. delete the admin user they made
    2. reset the forum userid counter from 13371337 back to its much lower number
    3. change the user titles back to Member from Hacked by Contra


    my host is godaddy. (yes, really) i have full access to phpMyAdmin. please tell me the answers to the above 3.

    ps: my forum is not like most people's here. whilst it's "live" it's really for my own personal fun. it has like 12 members half who are real life friends and don't participate - i just pressured them to join. so it's not a major forum like most with hundreds/thousands of users.


  • Zachery
    replied
    Are all of your third party addons and software up to date?
    vBadvanced
    vBSEO
    etc?

    Are you positive you were not infected PRIOR to anything being changed?
    It is very possible they built a script to infect websites but not to trigger any changes until later.
    If they have a latent phpshell on your machine, then they could do whatever the hell they wanted at any time, if you don't get rid of that shell.

    Leave a comment:
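
An added triage example for the point raised in the post above, that a shell can be planted before any visible change; it is not part of the original thread. Only the `Hacked by Contra` marker comes from the thread; the regex heuristic, extension list, function names and sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Title string taken from the defaced index files quoted in this thread.
DEFACEMENT_MARKERS = (b"Hacked by Contra",)
# Assumed heuristic (not from the thread): a PHP code-execution call fed
# directly by request data or by a decoder, a common web-shell shape.
PHP_EXEC = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|popen|proc_open)\s*\(\s*"
    rb"(\$_(GET|POST|REQUEST|COOKIE)|base64_decode|gzinflate|str_rot13)", re.I)
PHP_EXT = {".php", ".phtml", ".inc"}

def triage(webroot, known_good_epoch, max_bytes=2_000_000):
    """Map relative path -> list of reasons the file needs manual review."""
    root, findings = Path(webroot), {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        reasons = []
        # mtime can be reset by an intruder, so it is only one signal.
        if path.stat().st_mtime > known_good_epoch:
            reasons.append("modified-after-known-good")
        data = path.read_bytes()[:max_bytes]
        if any(marker in data for marker in DEFACEMENT_MARKERS):
            reasons.append("defacement-marker")
        if path.suffix.lower() in PHP_EXT and PHP_EXEC.search(data):
            reasons.append("php-exec-pattern")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    """Constructed sample tree: a shell planted before the visible defacement."""
    known_good = 1_304_000_000          # constructed "last known good" time
    with tempfile.TemporaryDirectory() as d:
        samples = {                     # name: (content, mtime)
            "global.php": (b"<?php echo 'ok';", known_good - 9000),
            "images/cache.php": (b"<?php eval(base64_decode('ZWNobyAxOw=='));",
                                 known_good - 5000),
            "index.html": (b"<title>Hacked by Contra</title>", known_good + 60),
        }
        for name, (content, mtime) in samples.items():
            p = Path(d, name)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
            os.utime(p, (mtime, mtime))
        return triage(d, known_good)
```

In the constructed tree, `images/cache.php` is older than the last known good time yet still matches the PHP pattern; that is the latent case a check based on modification time alone would miss.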


  • Suiram
    replied
    also they moved my admin account to regular registered members group. a few months ago i edited the config file to make it "protected".
    i'm in admincp right now and i tried to delete the TeamAnimus admin user they created and can not do so. i can delete any other user so they somehow protected this user.

    why were they able to do ANYTHING to my admin account when months ago i edited the config file and it was showing this message: (when i tried as another admin to change anything. i was testing to make sure it was done.)

    Sorry, this user is protected from being altered in the config.php file by the $config['SpecialUsers']['undeletableusers'] variable.


  • Suiram
    replied
    Originally posted by Zachery:
        Are you sure they didn't upload a shell PRIOR to you updating?

    unlikely. i was not hacked for several days after everybody else was. i'm uploading the forum software right now, and will see what the forum then.
    zach, if you're interested i can give you full access to my site/ domain. i guess i trust you. should you want to have a look. pm me if interested. fyi: i am willing to call you over the phone, should that be something you'd want.


  • Zachery
    replied
    Are you sure they didn't upload a shell PRIOR to you updating?


  • Suiram
    replied
    OMG, me too....

    i've just been hacked by contra. i'm livid. i'm too much in "shock" to make a lengthy post. ..and too busy cleaning "house".
    this is too much.

    history:
    i had the cyb advanced forum rules 4.0.2 since 2009 (never been hacked)
    when i read this post i updated to 4.0.3 as soon as it became available.
    then, a day later 4.0.4
    today i visit my site and it's hacked. it was not last night before going to bed.

    let me say that the website itself (domain) was accessed (hacked?). my forum is set to: forums.mydomain.com
    they replaced the index.html and also added an index.php as well in the root of the domain. i'm uploading the forum software now as i do not trust a "cleanup".
    what does that mean? does that mean that it may not be the forum or the modification? ..or it was, and that in turn then gave them access to the whole domain?

    the replaced index files are both 744kb and contain:

    Code:
    <html> 
    <head> 
    <title>Hacked by Contra</title> 
    </head> 
    <body bgcolor="black"> 
    <center>
    <font color="white"><h1>Hacked by Contra</h1></font><br />
    <embed
    src="http://www.warprecords.com/dancefloordale/mediaplayer.swf"
    width="504"
    height="400"
    id="choni"
    allowscriptaccess="always"
    allowfullscreen="true"
    flashvars="file=http://www.warprecords.com/dancefloordale/dancefloordale.flv&backcolor=0x000000&frontcolor=0xFFFFFF&image=http://www.warprecords.com/dancefloordale/dale_image.jpg&searchbar=false&showicons=false&shownavigation=false&showdigits=false&thumbsinplaylist=false&autostart=true"
    /><br />
    <font color="white">From Sweden with <3</font><br />
    </center>
    </body> 
      <!-- Contact: [email protected] -->
    </html>


  • Alfa1
    replied
    Judging by the fact that no new reports of hacked sites have come in after Valter has fixed the exploit, it seems likely.
    I did report a possible vb vulnerability by submitting a support ticket. It's the same as this: http://www.vbulletin.com/forum/showt...=1#post2153665
    It's not clear yet if that needs to be fixed or not.


  • 0ptima
    replied
    Originally posted by BirdOPrey5:
        There has not been a single forum reported hacked by these people not running the mod in question. When investigated the mod had a flaw that could exactly allow this kind of attack. Unless we talk to the actual hacker (and believe him) we can never be 100% sure but what we do know is good enough for me.

    Still safe to assume the hack was caused by the Advanced Forum Rules hack on vb.org?


  • BirdOPrey5
    replied
    Originally posted by Videx:
        I don't think he was asking if it was patched. Like everyone else, they were wondering if fixing this mod has fixed the problem. Really, one wouldn't think it would be so hard to get straight reports from actual forum admins, but so far post-patch hackees have failed to give some simple information in a simple straightforward way. i.e., Were you running this mod at all when hacked, which version of vb and the mod?

        Personally, I don't see any big hacking going on today, so I've re-enabled the mod.

    The updated mod fixes the issue originally reported in this thread. No one can promise you won't get hacked if you install the new version, it is and always is "use at your own risk." But the flaw reported here was acknowledged and fixed.


  • Videx
    replied
    Originally posted by Zachery:
        The addon has been patched, get it updated.

    I don't think he was asking if it was patched. Like everyone else, they were wondering if fixing this mod has fixed the problem. Really, one wouldn't think it would be so hard to get straight reports from actual forum admins, but so far post-patch hackees have failed to give some simple information in a simple straightforward way. i.e., Were you running this mod at all when hacked, which version of vb and the mod?

    Personally, I don't see any big hacking going on today, so I've re-enabled the mod.


  • Zachery
    replied
    Originally posted by Jenlm:
        We were running the mod and we were hacked.

        I'm sorry if I've missed this, but has anyone put the modification back and done OK with it? I'm afraid to put it back... even if it's patched. Yikes! That was a hassle!

    The addon has been patched, get it updated.


  • Jenlm
    replied
    We were running the mod and we were hacked.

    I'm sorry if I've missed this, but has anyone put the modification back and done OK with it? I'm afraid to put it back... even if it's patched. Yikes! That was a hassle!


  • MikesSite
    replied
    Originally posted by BirdOPrey5:
        There has not been a single forum reported hacked by these people not running the mod in question. When investigated the mod had a flaw that could exactly allow this kind of attack. Unless we talk to the actual hacker (and believe him) we can never be 100% sure but what we do know is good enough for me.

        This was a very popular mod, over 14,000 downloads someone mentioned... It is also an important mod for larger communities. I'd imagine if you tried 5 active VB 3.x forums at random you'd find 1 running it. It wouldn't be hard to make a list of who runs it and exploit it. Also if the hacker has access to vBulletin.org he could see anyone who posted in the mod thread and follow links in their signatures or profile to their sites and make a list that way.

        vBulletin Solutions/IB/ or XF had nothing to do with this. Believe me I believe A LOT of conspiracies but this was just a mod with a flaw that went unnoticed for a long time.

    Agree 100% with everything you said (except maybe 1 out of 5 forums would be running that hack)


  • BirdOPrey5
    replied
    There has not been a single forum reported hacked by these people not running the mod in question. When investigated the mod had a flaw that could exactly allow this kind of attack. Unless we talk to the actual hacker (and believe him) we can never be 100% sure but what we do know is good enough for me.

    This was a very popular mod, over 14,000 downloads someone mentioned... It is also an important mod for larger communities. I'd imagine if you tried 5 active VB 3.x forums at random you'd find 1 running it. It wouldn't be hard to make a list of who runs it and exploit it. Also if the hacker has access to vBulletin.org he could see anyone who posted in the mod thread and follow links in their signatures or profile to their sites and make a list that way.

    vBulletin Solutions/IB/ or XF had nothing to do with this. Believe me I believe A LOT of conspiracies but this was just a mod with a flaw that went unnoticed for a long time.
    Last edited by BirdOPrey5; Fri 6 May '11, 7:41am.


  • cbiweb
    replied
    Originally posted by Videx:
        Nobody's out of the woods yet since we haven't figured out how it's being done. Can you tell us at least if you had the Advanced Registration mod installed?

    Not that one, but I do have Advanced Forum Rules, which I updated when Valter patched it, but haven't re-enabled it just yet, until I'm sure everything is locked down tight.

    During the attack I didn't see anything different than what's described in this thread, so hopefully that's the extent of it.
