Please Help!! Hacked by Exploit Linux!

  • Please Help!! Hacked by Exploit Linux!

    I am REALLY hoping somebody can help me out. One of my forum members sent me an email last night mentioning that my forum (www.ausdisciples.com.au/forum) has been hacked. Sure enough, I checked today and I got the following message when attempting to go to the index page of my forum....

    *ow3nd*
    hi admin

    r
    hacked by Exploit Linux

    Nothing delete Just Edit your index no more
    greets to :u see index
    I am running vBulletin 3.8.2 and have deleted the entire /forum folder and re-uploaded from a backup to no avail. I am guessing they have gained access via the SQL database but I have no idea where to look. I do have a few addons installed on my forum so I guess it is possible that one of those had a vulnerability but I really don't know which one.



    One thing I am nervous about is logging into my admin CP while things are compromised. Would that be a potential risk?
    If one of the addons has a known vulnerability, obviously I'll be removing it but where do I start? I've been running this forum as it is now for a few years with the same addons without issue and I really have no idea how the hackers did what they have done so I really don't know where to start here.

    I contacted my web host tech support team and they said they cannot offer any assistance with this and I need to contact the vBulletin team, hence this topic.

    I have database backups from a few days ago but how do I know that restoring the database will fix things? The database seems to still be functioning and the posts and topics all appear to be intact at this point (here's a direct link to one of the forum sections... http://www.ausdisciples.com.au/forum...splay.php?f=28) so I'd really like to be able to fix this without having to restore a previous database backup. I realise that may not be possible but I am hoping!! Besides, if restoring a previous backup does restore my forum, surely the same vulnerability will still be present. I'd really appreciate any assistance anyone can offer me with this issue.

    Thank you kindly in advance,
    Dannii.
    Christian Disciple
    Psalm 23:4 Yea, though I walk through the valley of the shadow of death, I will fear no evil: for thou art with me; thy rod and thy staff they comfort me.

  • #2
    Originally posted by AusDisciple View Post
    I contacted my web host tech support team and they said they cannot offer any assistance with this and I need to contact the vBulletin team, hence this topic.
    That right there would make me start looking for another host. Have you checked to see if there is a modified index.html file in your forums directory?
    "Our greatest weakness lies in giving up. The most certain way to succeed is always to try just one more time!"
    "It's important to only think about what you desire, not what you fear to achieve your ultimate goal!!"
    "When doors close, tear down the walls. Never give up!"



    • #3
      Restoring a database might fix the current issue, but it won't stop them from doing it again. You need to find out how they did this. Looking through your access_logs (if you don't know where they are, ask your host) may give you a clue how they did this. I'm surprised your host won't help you find how you were compromised - usually they will help if you are on a managed server. Are you on a shared server? Were any other sites on the server hacked? You should definitely start by changing all your server and site passwords.

      Please don't PM or VM me for support - I only help out in the threads.
      vBulletin Manual & vBulletin 4.0 Code Documentation (API)
      Want help modifying your vbulletin forum? Head on over to vbulletin.org
      If I post CSS and you don't know where it goes, throw it into the additional.css template.

      W3Schools <- awesome site for html/css help



      • #4
        Originally posted by HMBeaty View Post
        That right there would make me start looking for another host. Have you checked to see if there is a modified index.html file in your forums directory?
        I realise I should've looked at my index files BEFORE I replaced them with the backups on my hard drive!!! The hackers probably left a clue there. In my haste to try to restore things though, I replaced everything before I thought of that. Doh!!

        My host has been very good with their tech support previously but their response to this issue has really disappointed me. I am with www.webcity.com.au
        Originally posted by Lynne View Post
        Restoring a database might fix the current issue, but it won't stop them from doing it again. You need to find out how they did this. Looking through your access_logs (if you don't know where they are, ask your host) may give you a clue how they did this. I'm surprised your host won't help you find how you were compromised - usually they will help if you are on a managed server. Are you on a shared server? Were any other sites on the server hacked? You should definitely start by changing all your server and site passwords.
        Yeah, the first thing I did was change my cPanel password. I am on a shared server and I personally have two sites on this one. Neither of the HTML sections of my sites appear to be hacked. I don't know if anyone else using this same shared server has been hacked.

        I know enough to write and edit HTML, css and javascript to create my own sites but I don't know what to look for interpreting the raw access logs. I have downloaded them though but there are MANY entries over the last two days and I have no idea where to start.
        Last edited by AusDisciple; Sun 19 Jun '11, 6:16pm. Reason: Typo
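A first pass over the raw access logs discussed above, as an added example that is not part of the original thread. It assumes Apache combined-format logs; the rule list, the upload directory names, the `example_addon.php` path and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache "combined" log format (assumed layout of the host's raw access logs).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# First-pass heuristics: each hit is a reason to read the line, not proof.
RULES = [
    ("sql-keywords-in-url", lambda m, u: re.search(
        r"union\s+select|information_schema|concat\s*\(|sleep\s*\(", u, re.I)),
    ("admincp-post", lambda m, u: m == "POST" and "/admincp/" in u),
    ("script-tag-in-url", lambda m, u: "<script" in u.lower()),
    # PHP served from directories that should hold only uploads (assumed names).
    ("php-in-upload-dir", lambda m, u: re.search(
        r"/(images|customavatars)/[^?]*\.php", u, re.I)),
]

def triage(lines):
    """Return {ip: [(timestamp, rule, status, url), ...]} for flagged requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        url = unquote_plus(m["url"])  # decode %xx and + so encoded input matches
        for name, rule in RULES:
            if rule(m["method"], url):
                hits[m["ip"]].append((m["ts"], name, int(m["status"]), url))
    return dict(hits)

# Constructed sample lines using documentation IP ranges, not real log data.
SAMPLE = [
    '203.0.113.7 - - [18/Jun/2011:02:14:09 +1000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [18/Jun/2011:02:15:41 +1000] "GET /forum/example_addon.php?id=1+union+select+1 HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.23 - - [18/Jun/2011:02:19:02 +1000] "POST /forum/admincp/index.php HTTP/1.1" 200 2048 "-" "-"',
    '203.0.113.7 - - [18/Jun/2011:02:20:30 +1000] "POST /forum/newreply.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, found in triage(SAMPLE).items():
        for ts, rule, status, url in found:
            print(f"{ip}  {ts}  {rule}  {status}  {url}")
```

The administrator's own address will also appear under `admincp-post`; an unfamiliar address that shows up under more than one rule with 200 responses is where to start reading the surrounding log lines.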


        • #5
          I downloaded the current database via MySQL and then uploaded the most recent backup I had on my hard drive and the forum is running again. I have opened the hacked database and have found the section the hackers edited. I have changed all the passwords and temporarily turned the forum off while I compare the hacked database to the previous undamaged one which is older than I thought (about a month old!!). Hopefully I'll be able to restore the posts by removing the hacked code and re-uploading it.
          I know WHAT they've done now but the most important thing though is to somehow find out HOW they did this. Perhaps it is time to remove some of the vB mods I've installed. This will obviously remove some of the customisations but if it will prevent future hacks, it is worth it.


          • #6
            Perhaps one of the following addons has a known vulnerability. If anyone is aware of such a vulnerability, that would help greatly. I'd like to keep as many of these active as possible (see attachment).

            Perhaps I should make a similar post on vBulletin.org. I realise the vBulletin staff are not responsible for third party modifications but I'm hoping somebody spots a known risk in my screen grab.
            Attached Files


            • #7
              You should go look up each of those addons on the site you got them from and see if you are running the latest version. If you aren't, then you should read the thread and see if people have posted about problems with the version you are running.



              • #8
                Do you have html enabled anywhere on site? You have an enable html by usergroup mod. HTML is an extreme vulnerability...



                • #9
                  Originally posted by Lynne View Post
                  You should go look up each of those addons on the site you got them from and see if you are running the latest version. If you aren't, then you should read the thread and see if people have posted about problems with the version you are running.
                  There were indeed a few that were out of date. I have just updated them all and checked the .org forums for any known vulnerabilities with the updated versions and found none known.
                  Originally posted by traen View Post
                  Do you have html enabled anywhere on site? You have an enable html by usergroup mod. HTML is an extreme vulnerability...
                  I only had that enabled for admin group which only consists of me. I have disabled it completely now though.


                  Thanks everyone for the suggestions. One thing I have learned from this is that I need to do more regular database backups. At least that way, if this reoccurs, I can restore things reasonably quickly with a minimum of loss. Hopefully the outdated plugins were the area of vulnerability. I guess time will tell!!