Site hacked, can someone please help?

This topic is closed.

  • TAIFUN
    replied
    Originally posted by cataclyzmic
    I still can't clear all the user titles. Anyone have a solution?

    http://www.vbulletin.com/forum/showt...=1#post2154348

  • cataclyzmic
    replied
    I still can't clear all the user titles. Anyone have a solution?

  • jaycob
    replied
    Originally posted by FallenBeauties
    @jaycob
    It's really weird, but there's nothing in the logs. Neither were they deleted, it shows my IP. I think they only did it via query. Set the bbactive to 0 and updated all user titles.

    Mate, I had a hidden admin account that they hacked into. I changed my hidden admin user to another user. 5 minutes later the hacker logged in to my old admin user, trying to log into the admincp. By then I had changed my admincp folder name. But it's strange the hackers logged in with my old admin user.

    I have my forum set up so that user ID 1 is the webmaster but it has no permissions. I have a random hidden user for admincp access. The hacker somehow found my hidden user and logged into it.

    FallenBeauties
    How can I set (Set the bbactive to 0), please, mate? Thanks for your help.

  • jimsflies
    replied
    Originally posted by forex4noobs
    Nice workaround but the tools.php method I posted is faster.

    I did that first and was still unable to login. Had to go the db route to gain full access again on my site.

  • airborneCAL
    replied
    I found bad index.html files in admincp and modcp. I deleted them but in the admincp I still see the hack video on the left column where all the controls are supposed to be. Help?

  • Herzog
    replied
    Anybody else notice any strange references to "bendercrawler" in their server log files?
    It's a very new crawler and it's showing up suspiciously checking /misc.php?do=cfrules right around the time this happened. Might be irrelevant but it could be their discovery bot.
    Last edited by Herzog; Wed 4 May '11, 7:23pm. Reason: clarification
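
Added example, not part of Herzog's post or of any code in the thread: a small scanner that checks access logs for the two indicators the post names, requests to `/misc.php?do=cfrules` and a user agent containing "bendercrawler". It assumes Apache/nginx "combined" log format; the sample lines, IP addresses and exact user-agent string are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format (assumed; adjust for a custom LogFormat).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def classify(target, ua):
    """Return the set of indicators from the thread that this request matches."""
    hits = set()
    url = urlsplit(target)
    # Case-insensitive match that also covers a forum installed in a subdirectory.
    if url.path.lower().endswith("/misc.php"):
        if "cfrules" in [v.lower() for v in parse_qs(url.query).get("do", [])]:
            hits.add("cfrules-request")
    if "bendercrawler" in ua.lower():
        hits.add("bendercrawler-ua")
    return hits

def scan(lines):
    """Map client IP -> list of (timestamp, method, target, indicators)."""
    report = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = classify(m["target"], m["ua"])
        if hits:
            report[m["ip"]].append((m["ts"], m["method"], m["target"], sorted(hits)))
    return dict(report)

# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
192.0.2.10 - - [04/May/2011:17:02:11 +0000] "GET /misc.php?do=cfrules HTTP/1.1" 200 5120 "-" "bendercrawler"
198.51.100.7 - - [04/May/2011:17:03:40 +0000] "GET /forum/showthread.php?t=12 HTTP/1.1" 200 20331 "-" "Mozilla/5.0"
198.51.100.9 - - [04/May/2011:17:05:02 +0000] "GET /forum/misc.php?do=cfrules HTTP/1.1" 200 311 "-" "Mozilla/5.0"
192.0.2.10 - - [04/May/2011:17:06:30 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "bendercrawler"
""".splitlines()

if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LOG).items():
        for ts, method, target, hits in events:
            print(ip, ts, method, target, ",".join(hits))
```

Grouping by client IP makes it easy to line the first `cfrules` request up against the time the user titles changed or the board was switched off.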

  • FallenBeauties
    replied
    @Herzog
    I'm doing the same thing right now as thank God I do backups each day, so everything's cool I guess.

    @jaycob
    It's really weird, but there's nothing in the logs. Neither were they deleted, it shows my IP. I think they only did it via query. Set the bbactive to 0 and updated all user titles.

  • jaycob
    replied
    Originally posted by FallenBeauties
    @cataclyzmic
    Mine weren't modified either, just all the user titles were updated and forum was turned off.

    Yeah, it's crazy. Why didn't they stuff up our forums, like delete stuff? Maybe they just wanted to make it onto Google for the attention, lol.
    I just can't get rid of the user titles.
    My board is live and I have looked everywhere, everything seems fine. But one thing I don't think they had was full admincp permissions, like super admin.

    It sucks that we are all talking about this and giving them the satisfaction of sitting back and reading all the attention they are getting.

    Does anyone know the hackers' site/forums? PM me if so, thanks.

  • NickCat
    replied
    Originally posted by ctrlbrk
    Clarify -- Advanced Forum Rules, or Advanced Permissions? Because so far only people are reporting the first...

    Mistake by me... too tired... I edited my post, it was the Adv forum rules, same as everyone else.

  • Herzog
    replied
    Originally posted by FallenBeauties
    @cataclyzmic
    Mine weren't modified either, just all the user titles were updated and forum was turned off.

    Same. Also restored to a backup from this morning and audited all the files & folders. We are back up and running.

    edit: uninstalled advanced forum rules

  • AusPhotography
    replied
    4.1.3 using vSA Advanced Forum Rules - hacked by - TeamAnimus.
    Turned off for now. Checking the code.

  • TAIFUN
    replied
    1. Go into PMA (phpMyAdmin) or connect via SSH
    2. Open table user
    3. Search for your account in the forum database and change usergroupid for your account (set ID 6)
    4. Go to Admin CP and delete product Cyb - Advanced Forum Rules
    5. Delete administrator Team Animus
    6. Reupload forum files
    7. Run SQL query
    Code:
    -- prefix_ is your table prefix (if any); X is the ID of the usergroup to reset
    UPDATE prefix_user SET customtitle = 0 WHERE usergroupid = 'X';
    Because all users have the option "Can Use Custom Title" - Hacked by Team Animus

    8. Update the counters - Update User Titles and Ranks

    Last edited by TAIFUN; Wed 4 May '11, 7:15pm.

  • FallenBeauties
    replied
    @cataclyzmic
    Mine weren't modified either, just all the user titles were updated and forum was turned off.

  • jaycob
    replied
    Originally posted by NickCat
    My two questions about those who have been hacked again with the update are:
    1) Did you check overwrite when installing the new version of the plugin?
    2) Did you ensure your servers were clear of any backdoors that may have been installed before going live again?

    I am still live, I never closed my forum. I disabled all CYB's hacks. But the strange thing I did find was a tools.php uploaded in my admin folder. I was trying to fight them off; every time I changed my password they were back again. There's like an army of them, up to 8 users. I ended up changing the name of my admin folder to something silly and random. I sat on the online list watching them trying to hack, but so far the folder change has kept them out. But mind you, while I was fighting them off on my main forum, they hit my others! I'm yet to see what damage is done. My last backup was today, but they started hacking me before it was done. I have a few gig database. I'm freaking out. Everything now seems to be normal, I'm posting and stuff, but I'm sure something is hidden. Hopefully some fresh vBulletin upgrade may help. I ran a repair, that's about it.

  • cataclyzmic
    replied
    Originally posted by krazeguy
    None of my physical files on my server were modified with this exploit.

    Check your index.html and index.php files in your folders like admin and modcp folders.
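
Added example, not part of cataclyzmic's post or the thread: one way to do this check across the whole forum directory is to compare the live tree against a freshly unpacked copy of the same vBulletin release, so that dropped files (the `index.html` and `tools.php` reports above) and altered stock files both show up. The directory layout, file contents and the `ignore` entry are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file's path relative to root -> SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def audit(clean_root, live_root, ignore=()):
    """Compare the live forum tree with a clean copy of the same release."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    skip = set(ignore)  # site-specific files the admin has reviewed by hand
    return {
        "added": sorted(p for p in live if p not in clean and p not in skip),
        "modified": sorted(p for p in live
                           if p in clean and live[p] != clean[p] and p not in skip),
        "missing": sorted(p for p in clean if p not in live and p not in skip),
    }

def _write(root, rel, text):
    target = Path(root) / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text)

def demo():
    """Build two small constructed trees and audit them."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for rel in ("admincp/index.php", "modcp/index.php", "misc.php"):
            _write(clean, rel, "<?php // stock " + rel)
            _write(live, rel, "<?php // stock " + rel)
        _write(live, "includes/config.php", "<?php // site settings")  # expected
        _write(live, "admincp/index.html", "<html>not from the package</html>")
        _write(live, "modcp/index.html", "<html>not from the package</html>")
        _write(live, "admincp/tools.php", "<?php // left in place")
        _write(live, "modcp/index.php", "<?php // altered")
        return audit(clean, live, ignore=["includes/config.php"])

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Anything under "added" or "modified" that the administrator cannot account for is a reason to restore from the clean package rather than edit in place.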
