Site hacked, can someone please help?

This topic is closed.
  • krazeguy
    replied
    None of my physical files on my server were modified with this exploit.


  • ctrlbrk
    replied
    Originally posted by NickCat View Post
    A cookie to the first person who guesses what hack I also used on my site!
    CYB's forum permission.
    Clarify -- Advanced Forum Rules, or Advanced Permissions? Because so far only people are reporting the first...


  • cataclyzmic
    replied
    How can I clear all the usertitles at once?

    Also, the tools.php is the fastest way.


  • Umbrae
    replied
    Originally posted by forex4noobs View Post
    1. Download the latest version of vbulletin.
    2. In the zip go to the do_not_upload file and extract tools.php
    3. Put tools.php in your vb install folder via FTP.
    4. Visit it in a browser.
    5. You need to use the following options

    [Reset Cookie Domain]
    [Reset Cookie Path]

    [Reset Admin Access]

    6. Delete tools.php from the install directory.
    7. Log in and disable all plugins quickly.

    I do not know how to disable plugins first but I doubt the hackers are sitting on your server ready to hack again as soon as you fix it.
    Thank you very much.


  • forex4noobs
    replied
    Originally posted by jimsflies View Post
    I've got mine fixed. To fix it, you have to find the user that is admin. On my forum it was TeamAnimus. Then I reset his email in phpmyadmin to my email. Then had to log in as his username...and use the forgot password link to reset his password.

    Then after in, had to remove myself from undeletable users in the config.php. So that then I could use TeamAnimus's account to set myself as an admin again. Then reupload config.php with correct settings. Then I had access once again to admincp.

    (Of course you also need to replace the index files on your server that were overwritten with good versions...this includes the one in admincp. There is also an extra file they placed in /includes directory that had some code in it. For me it was called vba.php.)

    Oh you can also rewrite user's titles in phpmyadmin for a quick fix...to at least get rid of the hacked by under your member's names.

    I'm willing to help you out if you need it. But because this took quite awhile, I'd prolly want a little something for my time.
    Nice work around but the tools.php method I posted is faster.


  • jaycob
    replied
    Originally posted by forex4noobs View Post
    I understand that but regardless vbulletin has been a headache for 5 years and this is the final straw. Anyway, I should shut up this is no place or time to rant or cry like a baby.
    Yeah, fair enough mate. Cheers.


  • NickCat
    replied
    NASIOC.com was hit tonight at 6:40pm EST.

    We just spent the last few hours checking over the servers to ensure there weren't any other issues before going live.

    We did have to roll back to a backup from Tuesday morning, I personally didn't trust that the rest of the db was good.

    Oddities I found in the database after the hack:
    1) The user created has a userid of 13371337 (well above my current autonumber in the users table)
    2) The adminlog had been wiped clean, so no records were available of what was done in the admincp.
    3) The administrators table was cleared of all admins except the 13371337 userid.

    So the hack created an administrative user, through SQL injection as we are all presuming, locked me out of the admincp and cleared all trace of anything they were doing while mucking around my control panel.

    A cookie to the first person who guesses what hack I also used on my site!
    CYB's forum rules.

    As a precautionary measure I have uninstalled the hack entirely. Looking over the code with my programmer the update looks like it corrected the issue, but with reports of people saying they are still getting hacked with the update I'm not taking any chances.

    My two questions about those who have been hacked again with the update are:
    1) Did you check overwrite when installing the new version of the plugin?
    2) Did you ensure your servers were clear of any backdoors that may have been installed before going live again?

    So we're back up as of 10:30PM EST. Hoping this wasn't the result of another hack we have installed.

    Good luck to anyone else who gets hit with this, I really do hope you all have backups. And for those people that complain backups take up too much space... be thankful your db isn't 15GB.

    EDIT: To those posting IPs... be careful... I actually had 5 legit registrations after the hack was planted. The user registered was TeamAnimus and there was no registration IP in the table associated with the account, which further supports the SQL injection theory. The email associated with the account was [email protected].
    Last edited by NickCat; Wed 4 May '11, 7:14pm.


  • forex4noobs
    replied
    They uploaded files outside of my forum's root directory into my main site's directory. Is this significant? I do not see how they would do that with an SQL injection; how would they upload an index.php outside of the forum root?

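The file-side question raised above (files planted outside the forum root, stock index.php files overwritten, an extra file dropped into /includes) is answered by comparing the live tree against a clean copy rather than by guessing from timestamps. The following is an added example of mine, not code from vBulletin or from anyone in this thread. It assumes you have a clean extract of the exact same vBulletin version to diff against (the zip you would download for the tools.php fix); the directory layout and file contents in build_demo() are constructed for the demo and are not real vBulletin files.

```python
"""Find tampered PHP in a vBulletin install.

Two checks:
  1. hash-compare the live forum tree against a clean extract of the same version
     (catches overwritten files such as index.php and admincp/index.php, and dropped
     files such as includes/vba.php);
  2. list PHP files anywhere under the web root modified after a cut-off, which also
     covers files planted outside the forum directory.
Check 1 is the trustworthy one: an attacker can reset mtimes, but cannot make a
replaced file hash like the original.
"""
import hashlib
import os
import tempfile
import time

PHP_EXTS = (".php", ".phtml", ".php5")  # assumption: extensions the server executes


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Relative path ('/'-separated) -> SHA-256 for every PHP file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PHP_EXTS):
                full = os.path.join(dirpath, name)
                out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out


def compare_trees(clean_root, suspect_root):
    """Diff the live forum directory against a clean extract of the same version."""
    clean, suspect = tree_hashes(clean_root), tree_hashes(suspect_root)
    return {
        "modified": sorted(p for p in suspect if p in clean and suspect[p] != clean[p]),
        "added": sorted(p for p in suspect if p not in clean),
        "missing": sorted(p for p in clean if p not in suspect),
    }


def php_modified_since(root, since_epoch):
    """PHP files under root (point it at the whole web root) with mtime >= since_epoch."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PHP_EXTS):
                full = os.path.join(dirpath, name)
                if os.stat(full).st_mtime >= since_epoch:
                    hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def _write(root, rel, text, mtime=None):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)
    if mtime is not None:
        os.utime(path, (mtime, mtime))


def build_demo():
    """Constructed sample trees (not real vBulletin files): a clean extract and a
    web root whose forum/ copy has been tampered with the way the thread describes."""
    base = tempfile.mkdtemp(prefix="vbtriage_")
    clean, webroot = os.path.join(base, "clean"), os.path.join(base, "webroot")
    deployed = time.time() - 30 * 86400  # pretend the last legitimate deploy was a month ago
    stock = {
        "index.php": "<?php // stock index\n",
        "admincp/index.php": "<?php // stock admincp index\n",
        "includes/functions.php": "<?php // stock functions\n",
    }
    for rel, body in stock.items():
        _write(clean, rel, body, deployed)
        _write(webroot, "forum/" + rel, body, deployed)
    _write(webroot, "forum/index.php", "<?php // overwritten defacement page\n")    # modified in place
    _write(webroot, "forum/includes/vba.php", "<?php // dropped file, not part of vB\n")  # added
    _write(webroot, "index.php", "<?php // planted outside the forum root\n")       # outside forum/
    return clean, webroot


def run_demo():
    clean, webroot = build_demo()
    diff = compare_trees(clean, os.path.join(webroot, "forum"))
    recent = php_modified_since(webroot, time.time() - 7 * 86400)
    return diff, recent


if __name__ == "__main__":
    diff, recent = run_demo()
    print("modified:", diff["modified"])   # ['index.php']
    print("added:   ", diff["added"])      # ['includes/vba.php']
    print("recent:  ", recent)             # index.php, forum/index.php, forum/includes/vba.php
```

On a real install, includes/config.php always shows up as "added" (the clean zip ships config.php.new instead), so read it by hand; a tools.php left behind in the forum root shows up the same way. Anything in "modified" or "added" that you cannot account for should be treated as a backdoor and the whole tree restored from the clean extract, not patched file by file.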

  • jimsflies
    replied
    I've got mine fixed. To fix it, you have to find the user that is admin. On my forum it was TeamAnimus. Then I reset his email in phpmyadmin to my email. Then had to log in as his username...and use the forgot password link to reset his password.

    Then after in, had to remove myself from undeletable users in the config.php. So that then I could use TeamAnimus's account to set myself as an admin again. Then reupload config.php with correct settings. Then I had access once again to admincp.

    (Of course you also need to replace the index files on your server that were overwritten with good versions...this includes the one in admincp. There is also an extra file they placed in /includes directory that had some code in it. For me it was called vba.php.)

    Oh you can also rewrite user's titles in phpmyadmin for a quick fix...to at least get rid of the hacked by under your member's names.

    I'm willing to help you out if you need it. But because this took quite awhile, I'd prolly want a little something for my time.


  • dmark101
    replied
    Originally posted by ctrlbrk View Post
    Does anyone have IP addresses yet of where the attack is coming from?
    I had this happen to me with the one forum I manage that has the Cyb - Advanced Forum Rules v4.0.1 mod installed.

    Someone mentioned not having admin CP access and I know why. The hackers [if they can be called that] went into an account that had admin access, then proceeded to change the usergroup this account belonged to. Once it was changed, you would not have access to the admin CP at all. I noticed they did this with my account, and the Administrator, because neither were hard coded into the config file as an "Undeleteable / Unalterable User".

    Since I have database access, I was able to log in securely to the DB, change the usergroup for both through the user table, then I could log into the admin CP.

    I should have thought something was odd when I received the quarantine email.


    The IPs that I have are these:
    • 67.142.130.24
    • 67.142.130.25


    Both belonging to HughesNet in MI.

    I've since updated to the latest version [v4.0.3]. So far, no issues.


  • FallenBeauties
    replied
    Well, the good news is it seems that they haven't touched anything except the updating user titles via query and turning off the forum. I doubt that they managed to upload a shell or else they would f*ck everything up regardless. Anyway, best of luck to all you guys in restoring your forums!


  • forex4noobs
    replied
    Originally posted by cataclyzmic View Post
    I'm looking into it now.

    usertitle needs to be changed in the user table.
    Yep, I know they need to be changed, and an SQL query was run to blank the user title field, but what do I need to insert in there to allow the normal user titles to appear?


  • forex4noobs
    replied
    Originally posted by jaycob View Post
    It's not vBulletin software, it's the 3rd party addons, which basically is install at your own risk.
    I understand that but regardless vbulletin has been a headache for 5 years and this is the final straw. Anyway, I should shut up this is no place or time to rant or cry like a baby.


  • jaycob
    replied
    Originally posted by cataclyzmic View Post
    I'm looking into it now.

    usertitle needs to be changed in the user table.
    User table as in where, please mate?


  • cataclyzmic
    replied
    I'm looking into it now.

    usertitle needs to be changed in the user table.

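Several posts in this thread describe the same database work by hand in phpMyAdmin: finding the planted admin account (userid 13371337, no registration IP, the only row left in the administrator table), putting demoted admins back in their usergroup, noticing the emptied adminlog, and clearing the "hacked by" usertitles without leaving every member blank. The following is an added example of mine, not code from vBulletin or from anyone in the thread. It runs the triage and cleanup queries against an in-memory SQLite copy of the four tables involved so it works offline; the column names follow vBulletin 4 as far as I know them and the Administrators usergroupid of 6 is the stock default, both of which you should check against your own schema before running anything with UPDATE or DELETE in it. The sample rows, the usernames and the e-mail addresses are constructed for the demo.

```python
"""Triage and clean up the vBulletin database after a planted-admin compromise.

Runs against an in-memory SQLite copy of the tables involved. The SQL pastes into
phpMyAdmin against MySQL as-is except the correlated-subquery UPDATE, which MySQL
spells UPDATE ... JOIN. Column names are an assumption based on vBulletin 4.
"""
import sqlite3

ADMIN_USERGROUPID = 6      # assumption: stock vBulletin "Administrators" group id
ROGUE_USERID = 13371337    # the planted userid reported in this thread

SCHEMA = """
CREATE TABLE user (
    userid INTEGER PRIMARY KEY, usergroupid INTEGER, username TEXT, email TEXT,
    usertitle TEXT, customtitle INTEGER, ipaddress TEXT, joindate INTEGER);
CREATE TABLE usergroup (usergroupid INTEGER PRIMARY KEY, title TEXT, usertitle TEXT);
CREATE TABLE administrator (userid INTEGER PRIMARY KEY, adminpermissions INTEGER);
CREATE TABLE adminlog (adminlogid INTEGER PRIMARY KEY, userid INTEGER, dateline INTEGER,
                       script TEXT, action TEXT);
"""

# Constructed sample rows, not real data: the owner demoted to Registered Users, two
# members (one with a custom title), the planted admin with no registration IP, and an
# adminlog that has been emptied.
SAMPLE = """
INSERT INTO usergroup VALUES (2, 'Registered Users', 'Junior Member'),
                             (6, 'Administrators', 'Administrator');
INSERT INTO user VALUES
  (1, 2, 'siteowner', 'owner@example.com', 'hacked by ...', 0, '198.51.100.7', 1200000000),
  (2, 2, 'alice',     'alice@example.com', 'hacked by ...', 0, '198.51.100.8', 1250000000),
  (3, 2, 'bob',       'bob@example.com',   'Top Poster',    2, '198.51.100.9', 1260000000),
  (13371337, 6, 'TeamAnimus', 'redacted@example.invalid', 'Administrator', 0, '', 1304500000);
INSERT INTO administrator VALUES (13371337, 0);
"""


def open_sample_db():
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.executescript(SCHEMA + SAMPLE)
    return con


def find_suspect_admins(con):
    """administrator rows whose user has no registration IP, or a userid far past the
    real population (13371337 sits well above the user table's AUTO_INCREMENT)."""
    (real_max,) = con.execute(
        "SELECT MAX(userid) FROM user WHERE userid NOT IN (SELECT userid FROM administrator)"
    ).fetchone()
    rows = con.execute(
        """SELECT a.userid, u.username, u.email, u.ipaddress
           FROM administrator a JOIN user u ON u.userid = a.userid
           WHERE u.ipaddress IS NULL OR u.ipaddress = '' OR a.userid > ?""",
        (real_max,),
    ).fetchall()
    return [dict(r) for r in rows]


def adminlog_wiped(con):
    """An empty adminlog on a live forum means the attacker cleared their tracks."""
    (n,) = con.execute("SELECT COUNT(*) FROM adminlog").fetchone()
    return n == 0


def defaced_users(con, marker="hacked by"):
    rows = con.execute(
        "SELECT userid, username, usertitle FROM user WHERE LOWER(usertitle) LIKE ?",
        ("%" + marker.lower() + "%",),
    ).fetchall()
    return [dict(r) for r in rows]


def remediate(con, legit_admin_ids):
    """Drop the planted admin, put the real admins back in their usergroup, and reset
    every non-custom title to its usergroup default. Re-adding administrator rows for
    the real admins is left to tools.php's Reset Admin Access rather than to a
    hand-written adminpermissions value."""
    marks = ",".join("?" * len(legit_admin_ids))
    with con:
        con.execute("DELETE FROM administrator WHERE userid = ?", (ROGUE_USERID,))
        con.execute(f"UPDATE user SET usergroupid = ? WHERE userid IN ({marks})",
                    [ADMIN_USERGROUPID, *legit_admin_ids])
        con.execute(
            """UPDATE user SET usertitle = (SELECT g.usertitle FROM usergroup g
                                            WHERE g.usergroupid = user.usergroupid)
               WHERE customtitle = 0"""
        )


def run_demo():
    con = open_sample_db()
    before = {"suspect": find_suspect_admins(con), "log_wiped": adminlog_wiped(con),
              "defaced": len(defaced_users(con))}
    remediate(con, legit_admin_ids=[1])
    after = {"suspect": find_suspect_admins(con), "defaced": len(defaced_users(con)),
             "owner_group": con.execute(
                 "SELECT usergroupid FROM user WHERE userid = 1").fetchone()[0]}
    return before, after
```

The usertitle reset is the quick fix the thread asks for: it restores the usergroup default for everyone without a custom title and leaves custom titles (customtitle = 1 or 2) alone. If the forum uses the post-count title ladder, the usergroup default is still only approximate, so run the AdminCP's user-title update afterwards. Do this on a copy of the database with the forum closed; if the adminlog is empty, as it was for NickCat, you cannot know what else was changed from the AdminCP, and restoring the pre-compromise backup is the safer route.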