Site hacked, can someone please help?

This topic is closed.

  • SilentSleeper
    replied
    Originally posted by jl255 View Post
    tks for all the sharing. my site's been affected too.

    i see the following main impacts:

    1. insertion of index.php and index.html in various folders (look at last modified dates of your folders to see which folders were touched)
    2. insertion of vba.php, which contains a trojan in various folders
    3. change of usertitles
    4. change of customtitles = '1'
    5. change of your administrator right to registered member
    6. insertion of new member (TeamAnimus) with administrator rights


    Are there any other impacts??? Pls share so we can all eliminate any other vulnerabilities.

    ps i think they just want to prove a point i.e. there are vulnerabilities in our mods. if they had intended to be malicious, we wld have hell lot more problems. so i guess, we shld be thankful in sense... to them.

    do not forget the /includes/vbf.php file


  • NYCe
    replied
    Originally posted by jl255 View Post
    tks for all the sharing. my site's been affected too.

    i see the following main impacts:

    1. insertion of index.php and index.html in various folders (look at last modified dates of your folders to see which folders were touched)
    2. insertion of vba.php, which contains a trojan in various folders
    3. change of usertitles
    4. change of customtitles = '1'
    5. change of your administrator right to registered member
    6. insertion of new member (TeamAnimus) with administrator rights


    Are there any other impacts??? Pls share so we can all eliminate any other vulnerabilities.

    ps i think they just want to prove a point i.e. there are vulnerabilities in our mods. if they had intended to be malicious, we wld have hell lot more problems. so i guess, we shld be thankful in sense... to them.

    They also increase your userid table auto-increment value to 13371337 (scriptkiddie speak for elite elite) for new member TeamAnimus.

    Even after deletion of the TeamAnimus member, the next user to register is given the userid 13371338

    Apparently. This was the case on my forums. I wonder what happened on forums where a userid of 13371337 already existed?


  • jaycob
    replied
    Originally posted by jl255 View Post
    tks for all the sharing. my site's been affected too.

    i see the following main impacts:

    1. insertion of index.php and index.html in various folders (look at last modified dates of your folders to see which folders were touched)
    2. insertion of vba.php, which contains a trojan in various folders
    3. change of usertitles
    4. change of customtitles = '1'
    5. change of your administrator right to registered member
    6. insertion of new member (TeamAnimus) with administrator rights


    Are there any other impacts??? Pls share so we can all eliminate any other vulnerabilities.

    ps i think they just want to prove a point i.e. there are vulnerabilities in our mods. if they had intended to be malicious, we wld have hell lot more problems. so i guess, we shld be thankful in sense... to them.

    what hack is vba.php please.

    also re-uploading all files may fix this?


  • jaycob
    replied
    Originally posted by SilentSleeper View Post
    Code:
    UPDATE user SET customtitle = '0' where customtitle = '1'
    then: Update the counters - Update User Titles and Ranks

    worked like a charm thank you


  • jl255
    replied
    tks for all the sharing. my site's been affected too.

    i see the following main impacts:

    1. insertion of index.php and index.html in various folders (look at last modified dates of your folders to see which folders were touched)
    2. insertion of vba.php, which contains a trojan in various folders
    3. change of usertitles
    4. change of customtitles = '1'
    5. change of your administrator right to registered member
    6. insertion of new member (TeamAnimus) with administrator rights


    Are there any other impacts??? Pls share so we can all eliminate any other vulnerabilities.

    ps i think they just want to prove a point i.e. there are vulnerabilities in our mods. if they had intended to be malicious, we wld have hell lot more problems. so i guess, we shld be thankful in sense... to them.


  • SilentSleeper
    replied
    Originally posted by jaycob View Post
    i did this as said above:
    RUN SQL Queries:
    DELETE FROM user WHERE userid='13371337';
    UPDATE user SET usertitle = '' where usertitle = 'Hacked by Team Animus';

    and now my user titles are gone completely.

    Code:
    UPDATE user SET customtitle = '0' where customtitle = '1'
    then: Update the counters - Update User Titles and Ranks


  • moneymaker
    replied
    If you're going to change the titles to nothing, you might as well go ahead and change them for a keyword you're really trying hard to rank for. Of course I made mine Make Money Online but whatever your niche is this little bit of on site seo would help. I like to turn a bad situation into a good one whenever I can. You need to make sure you have the serps spidering your profiles. You can even anchor text them back to your home page with whatever keyword you decide to use and rank for. In the end the users could still change it. Run your sitemap tonight and ping the piss out of it.

    Cheers!


  • jaycob
    replied
    i did this as said above:
    RUN SQL Queries:
    DELETE FROM user WHERE userid='13371337';
    UPDATE user SET usertitle = '' where usertitle = 'Hacked by Team Animus';

    and now my user titles are gone completely.


  • FallenBeauties
    replied
    It seems that the problem is a bit more serious than updating user titles and removing from admin usergroup. As I have a backup, I'll restore it on another server, because when I switched the database on the current server there was absolutely no effect.


  • TAIFUN
    replied
    Search vba.php
    /includes/xml/... or another directory


  • Umbrae
    replied
    Originally posted by OcR Envy View Post
    +1 on being hacked, was using Cyb Advanced Forum Rules.

    Hacker SQL injected admin user with userid 13371337.
    Moved all Admins to Members.
    Banned all Admins.
    Changed password on some accounts.
    Changes all user titles to 'Hacked By Team Animus'
    Turned board offline.

    Resolution:
    Login under unalterable admin account; everyone should have one of these!
    Uninstall Cyb Advanced Forums
    Restore all admin permissions

    RUN SQL Queries:
    DELETE FROM user WHERE userid='13371337';
    UPDATE user SET usertitle = '' where usertitle = 'Hacked by Team Animus';

    Rebuild Titles and Ranks
    Turn board back online

    For those saying that files were defaced my guess is they weren't; he just edited the templates. I checked my logs and found no ACTUAL php file changes.

    Thank you. Very helpful.

    However, I think there might have been some code changes. I tried registering a new user and userID was set as "13371337" and userTitle was set to "Hacked by Team Animus" by default.


  • jaycob
    replied
    it's only Cyb rules hack only yeah guys????

    can we enable Cyb advanced permissions? because since disabled I'm getting attacked by spammers now lol.


  • cataclyzmic
    replied
    Originally posted by OcR Envy View Post
    +1 on being hacked, was using Cyb Advanced Forum Rules.

    Hacker SQL injected admin user with userid 13371337.
    Moved all Admins to Members.
    Banned all Admins.
    Changed password on some accounts.
    Changes all user titles to 'Hacked By Team Animus'
    Turned board offline.

    Resolution:
    Login under unalterable admin account; everyone should have one of these!
    Uninstall Cyb Advanced Forums
    Restore all admin permissions

    RUN SQL Queries:
    DELETE FROM user WHERE userid='13371337';
    UPDATE user SET usertitle = '' where usertitle = 'Hacked by Team Animus';

    Rebuild Titles and Ranks
    Turn board back online

    For those saying that files were defaced my guess is they weren't; he just edited the templates. I checked my logs and found no ACTUAL php file changes.

    Thank you, usertitles are fixed.

    Also, my admincp and modcp folders were renamed from the beginning but I have two folders with those names still that just log ips of those trying to access admincp or modcp. It is in those folders that there was index.html and index.php html both modified at the same time. The same two files were also found above my forum root. I would assume anyone that changed their acp and modcp folders don't see anything different. I would be interested to know if they have files above their forum root though.

    Here is the content of their files:

    Code:
    <html> 
    <head> 
    <title>Hacked by Team Animus</title> 
    </head> 
    <body bgcolor="black"> 
    <center>
    <font color="white"><h1>Hacked by Team Animus</h1></font><br /> 
    <iframe src="http://player.vimeo.com/video/17743674?title=0&amp;byline=0&amp;portrait=0&amp;color=ffffff&amp;autoplay=1&amp;loop=1" width="560" height="315" frameborder="0"></iframe> <br />
    <font color="white">Contra - Exclusive - FMC</font><br />
    <font color="white">From Sweden with <3</font><br />
    </center>
    </body> 
    <!-- All files should still be untouched. The purpose of this was not to **** anything up. -->
    <!-- We did it for the lulz. -->
    <!-- Contra @ REC or [email protected] -->
    </html>

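An added example, not part of any post in this thread: a Python sweep of a forum directory for the file artifacts reported above (vba.php, /includes/vbf.php, and index.php or index.html pages carrying the "Hacked by Team Animus" string). The function names, reason labels and the `since` parameter are assumptions made for this example.

```python
import os
import stat
import sys
import time

# Indicators taken from the posts in this thread.
DROPPED_NAMES = {"vba.php", "vbf.php"}        # file names reported as planted
INDEX_NAMES = {"index.php", "index.html"}     # legitimate names, so check content
MARKER = b"hacked by team animus"             # string in the posted defacement page


def has_marker(path, limit=65536):
    """True if the first `limit` bytes contain the defacement string."""
    try:
        with open(path, "rb") as fh:
            return MARKER in fh.read(limit).lower()
    except OSError:
        return False


def sweep(root, since=None):
    """Return sorted (path, reason, mtime) tuples for suspect files under root."""
    # `since` (epoch seconds, optional) is the operator's estimate of when the
    # compromise began; anything modified at or after it is listed as well.
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            lower = name.lower()
            if lower in DROPPED_NAMES:
                reason = "dropped-script-name"
            elif lower in INDEX_NAMES and has_marker(path):
                reason = "defacement-marker"
            elif since is not None and st.st_mtime >= since:
                reason = "modified-in-window"
            else:
                continue
            findings.append((path, reason, st.st_mtime))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason, mtime in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), reason, path)
```

Modification times can be reset by whoever wrote a file, so the name and content checks do not depend on them. Run it on the forum root and on the directory above it, and compare anything it lists against a clean copy of the vBulletin package.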


  • OcR Envy
    replied
    +1 on being hacked, was using Cyb Advanced Forum Rules.

    Hacker SQL injected admin user with userid 13371337.
    Moved all Admins to Members.
    Banned all Admins.
    Changed password on some accounts.
    Changes all user titles to 'Hacked By Team Animus'
    Turned board offline.

    Resolution:
    Login under unalterable admin account; everyone should have one of these!
    Uninstall Cyb Advanced Forums
    Restore all admin permissions

    RUN SQL Queries:
    DELETE FROM user WHERE userid='13371337';
    UPDATE user SET usertitle = '' where usertitle = 'Hacked by Team Animus';

    Rebuild Titles and Ranks
    Turn board back online

    For those saying that files were defaced my guess is they weren't; he just edited the templates. I checked my logs and found no ACTUAL php file changes.


  • AusPhotography
    replied
    We got hacked by Team Animus.

    We're using vB4.1.3 and VSa Advanced Forum Rules 5.0.2. I've installed the latest version 5.0.3 (just released).
