Announcement

Collapse
No announcement yet.

AdminCP Comprimised and Fixed-Need Advice

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • [Forum] AdminCP Comprimised and Fixed-Need Advice

    A comprise to my forum was discovered this morning after a non-authorized mass email was sent out. When I logged into the forum and looked at the control panel log, I found one of the admin accounts was used and referenced plugin.php and subscriptions.php. When I went to the subscription section I found !C99madShell v. 2.0 madnet edition! in its place. After a quick search here in support I found other threads with information to delete fraudulent plugins that were installed on the system. I also changed all of the admin account passwords and the database username and password. From other threads I have read, it seems this vulnerability has existed for a while as other threads mention VB 3.6.8 and 4.1.4 (I am running 4.0.8 PL1), is there more that I can do to keep this from happening again such as changing permissions on directories in the file system or change options in the CP? Upgrading to the current version of VB would be a last resort at this time of year or require weeks of testing before attempting the upgrade (last attempt, not so well). Any advice or direction would be helpful.

  • #2
    http://www.logect.com/content.php?r=...-Online-Editor

    Comment


    • #3
      Here is a thread about making your forum more secure: https://www.vbulletin.com/forum/showthread.php/172234-How-To-Make-My-Forums-More-Secure

      E
      specially helpful is adding the htaccess password to your admincp, install, and include directories.

      Remember when making passwords (for both htaccess and your forum/database) LENGTH is vastly more important than Complexity... "WhereInTheWorldIsYOUR_DOGS_NAME" is orders of magnitude harder to crack than "d#[email protected]!!zSgX"

      Comment


      • #4
        Originally posted by markpg47 View Post
        A comprise to my forum was discovered this morning after a non-authorized mass email was sent out. When I logged into the forum and looked at the control panel log, I found one of the admin accounts was used and referenced plugin.php and subscriptions.php. When I went to the subscription section I found !C99madShell v. 2.0 madnet edition! in its place. After a quick search here in support I found other threads with information to delete fraudulent plugins that were installed on the system. I also changed all of the admin account passwords and the database username and password. From other threads I have read, it seems this vulnerability has existed for a while as other threads mention VB 3.6.8 and 4.1.4 (I am running 4.0.8 PL1), is there more that I can do to keep this from happening again such as changing permissions on directories in the file system or change options in the CP? Upgrading to the current version of VB would be a last resort at this time of year or require weeks of testing before attempting the upgrade (last attempt, not so well). Any advice or direction would be helpful.
        How did you fix it? I am having the same kind of issue, though It all happened instantly after I upgrade the software to 4.1.6 I dont have a admincp and the site header has disappeared? I have already changed all the passwords. Any help would be greatly appreciated.

        Comment


        • #5
          Originally posted by Bergler View Post
          How did you fix it? I am having the same kind of issue, though It all happened instantly after I upgrade the software to 4.1.6 I dont have a admincp and the site header has disappeared? I have already changed all the passwords. Any help would be greatly appreciated.
          I wish I had more information for you, but my was fix was to delete the fraudulent plugin and change admin/sql passwords. Now I'm following the advice here by setting up htaccess. My AdminCP was accessible, so it was not as bad as your situation. Maybe you can edit the config files to disable all plugins to get your CP running or get around it by editing the DB.

          Comment


          • #6
            I fixed the issue by going into manage plugins, look at the very first plugin which will be listed as vbulletin . Just delete it then make sure you follow the advice of the other posts on here for securing your site.

            Hope this helps

            For your information I have included a screenshot of what I removed...

            Click image for larger version

Name:	problem.jpg
Views:	1
Size:	30.4 KB
ID:	3685633

            Comment


            • #7
              Bump.
              7 Years hack free and we just got done over by this script.

              Comment


              • #8
                You really need to start your own thread with your own details about the issues.

                Comment


                • #9
                  That's just the thing mate the issue is resolved. This happened to us last Thursday where all of our php files were modified. We though we had cleaned it out then I found this chestnut when I clicked on subscriptions in the control panel and we are running 4.2.0 PL2.
                  Not sure its even worth starting a new thread, this one told me about the plugin that was affected.
                  Our host sent you guys the report.

                  Comment

                  widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                  Working...
                  X