Site hacked, can someone please help?
This topic is closed.
-
How can I clear all the usertitles at once?
Also, the tools.php is the fastest way.
-
Originally posted by forex4noobs:
1. Download the latest version of vBulletin.
2. In the zip go to the do_not_upload folder and extract tools.php.
3. Put tools.php in your vB install folder via FTP.
4. Visit it in a browser.
5. You need to use the following options:
[Reset Cookie Domain]
[Reset Cookie Path]
[Reset Admin Access]
6. Delete tools.php from the install directory.
7. Log in and disable all plugins quickly.
I do not know how to disable plugins first but I doubt the hackers are sitting on your server ready to hack again as soon as you fix it.
-
Originally posted by jimsflies:
I've got mine fixed. To fix it, you have to find the user that is admin. On my forum it was TeamAnimus. Then I reset his email in phpMyAdmin to my email. Then had to log in as his username...and use the forgot password link to reset his password.
Then, once in, had to remove myself from undeletable users in the config.php, so that I could then use TeamAnimus's account to set myself as an admin again. Then reupload config.php with correct settings. Then I had access once again to admincp.
(Of course you also need to replace the index files on your server that were overwritten with good versions...this includes the one in admincp. There is also an extra file they placed in the /includes directory that had some code in it. For me it was called vba.php.)
Oh, you can also rewrite users' titles in phpMyAdmin for a quick fix...to at least get rid of the "hacked by" under your members' names.
I'm willing to help you out if you need it. But because this took quite a while, I'd prolly want a little something for my time.
-
NASIOC.com was hit tonight at 6:40pm EST.
We just spent the last few hours checking over the servers to ensure there weren't any other issues before going live.
We did have to roll back to a backup from Tuesday morning, I personally didn't trust that the rest of the db was good.
Oddities I found in the database after the hack:
1) The user created has a userid of 13371337 (well above my current autonumber in the users table)
2) The adminlog had been wiped clean, so no records were available of what was done in the admincp.
3) The administrators table was cleared of all admins except the 13371337 userid.
So the hack created an administrative user, through SQL injection as we are all presuming, locked me out of the admincp and cleared all trace of anything they were doing while mucking around my control panel.
A cookie to the first person who guesses what hack I also used on my site!
CYB's forum rules.
As a precautionary measure I have uninstalled the hack entirely. Looking over the code with my programmer the update looks like it corrected the issue, but with reports of people saying they are still getting hacked with the update I'm not taking any chances.
My two questions about those who have been hacked again with the update are:
1) Did you check overwrite when installing the new version of the plugin?
2) Did you ensure your servers were clear of any backdoors that may have been installed before going live again?
So we're back up as of 10:30PM EST. Hoping this wasn't the result of another hack we have installed.
Good luck to anyone else who gets hit with this, I really do hope you all have backups. And for those people that complain backups take up too much space... be thankful your db isn't 15GB.
EDIT: To those posting IPs... be careful... I actually had 5 legit registrations after the hack was planted. The user registered was TeamAnimus and there was no registration IP in the table associated with the account, which further supports the SQL injection theory. The email associated with the account was [email protected].
Last edited by NickCat; Wed 4 May '11, 7:14pm.
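An added example, not code from anyone in this thread: a small Python audit run over a constructed SQLite copy of the three tables NickCat's oddities concern (user, administrator, adminlog), plus the one-query usertitle cleanup asked about earlier in the thread. Table and column names and usergroupid 6 for Administrators are assumptions; a real vBulletin database carries a table prefix and far more columns.

```python
import sqlite3
# Constructed stand-in for the vBulletin tables the thread mentions (user,
# administrator, adminlog). Column names and usergroupid 6 = Administrators
# are assumptions; a real install has a table prefix and many more columns.
SAMPLE_SQL = """
CREATE TABLE user (userid INTEGER, username TEXT, usergroupid INTEGER,
                   usertitle TEXT, ipaddress TEXT);
CREATE TABLE administrator (userid INTEGER);
CREATE TABLE adminlog (userid INTEGER, action TEXT);
INSERT INTO user VALUES (1, 'owner', 6, 'Administrator', '198.51.100.7');
INSERT INTO user VALUES (2, 'alice', 2, 'hacked by nobody', '198.51.100.8');
INSERT INTO user VALUES (3, 'bob', 2, 'Senior Member', '198.51.100.9');
INSERT INTO user VALUES (13371337, 'TeamAnimus', 6, 'Administrator', '');
INSERT INTO administrator VALUES (13371337);
"""

def build_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn

def suspicious_admins(conn, gap=100000):
    # Admins with no registration IP, or a userid far above every non-admin
    # userid: the two oddities NickCat reported for userid 13371337.
    sql = ("SELECT u.userid, u.username FROM administrator a "
           "JOIN user u ON u.userid = a.userid "
           "WHERE u.ipaddress = '' OR u.userid > ? + "
           "(SELECT MAX(userid) FROM user WHERE userid NOT IN "
           "(SELECT userid FROM administrator))")
    return conn.execute(sql, (gap,)).fetchall()

def adminlog_wiped(conn):
    # An empty adminlog on a live board is an indicator in itself.
    return conn.execute("SELECT COUNT(*) FROM adminlog").fetchone()[0] == 0

def missing_admins(conn, expected):
    # Known-good admin userids no longer present in the administrator table.
    present = {r[0] for r in conn.execute("SELECT userid FROM administrator")}
    return sorted(set(expected) - present)

def defaced_titles(conn):
    return conn.execute("SELECT userid, username, usertitle FROM user "
                        "WHERE LOWER(usertitle) LIKE '%hacked by%'").fetchall()

def reset_titles(conn, default):
    # Clears every defaced title in one UPDATE; returns rows changed.
    cur = conn.execute("UPDATE user SET usertitle = ? "
                       "WHERE LOWER(usertitle) LIKE '%hacked by%'", (default,))
    conn.commit()
    return cur.rowcount
```

Run the audit against a copy of the database taken before any cleanup, so the evidence (planted admin, empty adminlog) is preserved alongside the backup you restore from.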
-
They uploaded files outside of my forum's root directory into my main site's directory. Is this significant? I do not see how they would do that with an SQL injection; how would they upload an index.php outside of the forum root?
-
I've got mine fixed. To fix it, you have to find the user that is admin. On my forum it was TeamAnimus. Then I reset his email in phpMyAdmin to my email. Then had to log in as his username...and use the forgot password link to reset his password.
Then, once in, had to remove myself from undeletable users in the config.php, so that I could then use TeamAnimus's account to set myself as an admin again. Then reupload config.php with correct settings. Then I had access once again to admincp.
(Of course you also need to replace the index files on your server that were overwritten with good versions...this includes the one in admincp. There is also an extra file they placed in the /includes directory that had some code in it. For me it was called vba.php.)
Oh, you can also rewrite users' titles in phpMyAdmin for a quick fix...to at least get rid of the "hacked by" under your members' names.
I'm willing to help you out if you need it. But because this took quite a while, I'd prolly want a little something for my time.
-
Originally posted by ctrlbrk:
Does anyone have IP addresses yet of where the attack is coming from?
Someone mentioned not having admin CP access and I know why. The hackers [if they can be called that] went into an account that had admin access, then proceeded to change the usergroup this account belonged to. Once it was changed, you would not have access to the admin CP at all. I noticed they did this with my account, and the Administrator, because neither were hard coded into the config file as an "Undeleteable / Unalterable User".
Since I have database access, I was able to log in securely to the DB, change the usergroup for both through the user table, then I could log into the admin CP.
I should have thought something was odd when I received the quarantine email.
The IPs that I have are these:
- 67.142.130.24
- 67.142.130.25
Both belonging to HughesNet in MI.
I've since updated to the latest version [v4.0.3]. So far, no issues.
-
Well, the good news is it seems that they haven't touched anything except the updating user titles via query and turning off the forum. I doubt that they managed to upload a shell or else they would f*ck everything up regardless. Anyway, best of luck to all you guys in restoring your forums!
-
Originally posted by cataclyzmic:
I'm looking into it now.
usertitle needs to be changed in the user table.
-
Originally posted by jaycob:
It's not the vBulletin software, it's the 3rd-party addons, which are basically install at your own risk.
-
I'm looking into it now.
usertitle needs to be changed in the user table.