No announcement yet.

A new type hack method?

  • Filter
  • Time
  • Show
Clear All
new posts

  • rburns
    I was hacked too, but I found so much I they had added!

    Most important, As soon as you are in using the normal method, do not re-enter your password anywhere, go straight to your user page and change it.

    Before all, delete the install folder!!!!


    1, Check the admin accounts,
    2, If unusual admins the check your permissions, you need to change them all to yes again, and change the hacker(s) to no.
    3, Ban the hacker.
    4, Check Admin Logs, Look at the user list, if you see lots of spaces before the first username (which may be the hackers), they have changed things, then deleted the user, click on each one and write down what scripts they have edited. You'll probably find it's nearly all of them. (This is how they don't show up unless you select them).
    3, Check your plugins for init_startup & ajax_complete, delete them.
    4, Search your templates for the following words "Biz", "derpina" and if you don't use iframes, do a search for "iframe" too, delete all references.
    5, Check all your headers for scripts at the bottom of their code, I found a long one there.
    6, Go to Advert manager, check all adverts & coding, I found one there (it was checked to only show if not an admin, so I wouldn't see it!).
    7, Check all your custom BB Codes are all OK.
    8, Search users signatures for code.

    IP addresses that were used (add them to banned list!):

    Hope this helps, took me about 3 hours on a small (3000 member) forum!

    Leave a comment:

  • Zachery
    Please read the following two blog posts:

    Also please see these recent security announcements:

    vBulletin 4.1.x-4.2.x & All versions of vBulletin 5:
    vBulletin 5.0.x patch released, for a different security issue:

    Leave a comment:

  • Jamsoft
    Originally posted by Reignman View Post

    Yes, that was a big mistake. I don't know why CP message didn't incluse this "added admins" warning.

    By the way, are you sure that these messages were deleted by this hacker called "abdou" ?
    I dont know who "abdou" is, but this guy apparently has a script crawling the web and looking for sites with the exploit and creating accounts. Later on (a few days sometimes), someone (or another bot) comes back and tries to do more. My admincp is locked down by IP and with a password, so I escaped with only some deleted records (and i have daily backups) that I had to restore.

    Leave a comment:

  • General Lee
    My site was hacked last night. I'm running 4.2.1 and I did have the install directory in place.

    The hacker "mast3r" made an admin account and installed some plugin titled "vbulletin"

    The plugin takes over the "subscription.php" template with some type of user-interface the hacker uses to access and edit all the files and such..

    Leave a comment:

  • WildWayz
    Originally posted by djsteve007 View Post
    Looks like I got hit with a similar exploit - they did not deface my site like the OP's - not yet anyway. They did find a way to add about 10 new users, all with the same username, (Th3H4ck) and all with admin privs.

    I would not have known about this vulnerability, or the active exploit, if they had not .. maybe I should not post what triggered my knowledge of this.

    I would of like to have received an email about this exploit. Now going to 302 redirect to my buddypress install. Hope my host has backup database and files from 5 days ago. Fingers crossed.

    vbulletin 4.2.1 running, and had new member moderation turned on -

    what I wonder is how they were able to run sql insert commands from /forums/core/install/upgrade.php --- when I do not even have a /core/ or /core/install/ folder on this server.

    Will we get an email if the exploit fix is found?
    Both sites I run were hit by this 'account' - neither have done anything apart from register an Administrator called "Th3H4ck". Looks like they do a mass script to register the account, then access it later to cause problems? Either way, both accounts had the user Th3H4ck and no changes other than that, so i've removed the /install folders. This is 4.2.1.

    Leave a comment:

  • tim.liton
    If was hacked once can be hacked allways if the tunel is not closed!

    vBulletin support how can we fix this issue?

    Leave a comment:

  • Pony
    I'd been out of town, other admins hadn't done the recommendation (remove the install directory) - so I found we'd been hacked today. Went through all the steps detailed in previous posts (only one additional admin, no other users). This person tried to run a plugin, which appears to only have tried to rewrite the ajax.php file, and then deleted the plugin. Doesn't look like they touched anything else, no other modified files that I've been able to find (looking at modified dates). The ajax.php file was completely boned, I'm attaching it in case it can be of assistance. Replaced with a backup, everything seems OK. ajax.txt

    Leave a comment:

  • Astyanax
    I have deleted the install folder but it was after my site was hacked. Now what?

    Leave a comment:

  • nerbert
    From what has been said so far this hack apparently uses a plugin to do its mischief. Could vBulletin issue a patch that would add userid, username and date fields to the plugin table and modify the queries to record any new plugins created or edits to existing plugins? None of the new fields would need to show on the plugin page but you could at least go through the plugin table with phpMyAdmin and find the problem. Maybe even create a patch later that could seek out and fix the problem.

    Leave a comment:

  • Robbed
    Originally posted by Zachery View Post
    We've advised customers to remove the install folder, that is our response. Once you remove it the exploit vector is gone. In the past it wasn't required to remove the install folder based on how the install/upgrade system worked. Overtime the system changed which allowed an issue to crop back up.
    We still should of had some type of notification. This thread was created on 27th, it happened to my forum last night. Most of us receive email on our phones so if we received notification we could of fixed the issue. With the type of access they had I think we are lucky they were only editing templates, they could of deleted data, threads forums etc. I hope you will also look at securing the admin group and not just fix install source issue. New member with 0 posts should never be able to be in this group if you have some checks around that and maybe have extra approvals so this doesn't happen again.

    Leave a comment:

  • y2ksw
    Originally posted by kiss of death View Post

    Yeah but a few comments i read said that people had had their index.php and forum.php files switched and they just put the originals back i and everything was fine,

    Also it wan't vbseo itself i was suspecting, it was the vbseo sitemap generator which people can use without vbseo,, before vb4 vbulletin had no built in sitemap generator and everyone was using the vbseo one because it was free, when vb4 came out a lot of people continued to use itand i do;t beleive their is a problem with it, only the fact that some people use the same passwords and it's clearly shown in a normal field in admincp,

    yours was obviously done via style manager or it wouldn't still say vbseo at the bottom of the page, i was just curious

    i'm just really confused as to why someone with that level of access would try and cover their tracks by removing the plugin and user account but not prune the logs?
    They just moved to another site and left your's alone. Their main interest is to use a server as a spam-door and this is what they tried to do at my place. surely nobody ever should mention that they take part of the category of hackers, since I'll literally nail them into the ground.

    Leave a comment:

  • induslady

    I came to know of this exploit and looks like we too had this attack, we did the below:

    1.Deleted install folder
    2. Deleted suspicious admin user accounts
    4. Refer thread - as mentioned there I didn't have any Iframe injection , but there was a line added in the "header" template of one of our custom style that reads as "Kindly delete "install" directory of your forums. Otherwise you will keep getting hacked" and the suspicious lines were removed.

    Also we notice that few templates in the custom style has edit history that says "Edited by .." the suspicious admin accounts with time stamp in the past year 2010.

    Is there any other precautions that need to be done. Am I currently still exploited? What are the other security measures that I need to do to protect my forums.

    Leave a comment:

  • DemOnstar
    Originally posted by Birdman View Post
    how do i remove the install directory...where is it in the root folders...cant seem to locate. However, our site has not been a victim "yet". Maybe it's because the human verification registration security protocols i have in place are preventing. Running 4.2.0
    Unless you have or somebody else has removed it, it should be at your forum root. With me, it comes after the includes folder. Alphabetical order I assume.

    Leave a comment:

  • induslady
    We suspected if they changed something in the styles / templates.

    Looking at the templates (both in parent style and other styles), reviewing the 'Edit history', some of the templates show
    'Edited by Jelsoft', 'Edited by vBulletin' which are vbulletin edits
    Some show 'Edited by' our own admin accounts - probably some template customizations
    While some templates show as below:
    blog_blog_rown - Last edited December 15 2010 at 13:29 by ksours
    blog_comment_profile -
    Last edited December 21 2009 at 16:59 by freddie
    blog_cp_manage_categories -
    Last edited December 9 2010 at 16:32 bymichael.lavaveshkuli

    Are these something that we should suspect? Could it be possible they changed the edit date and time?

    Leave a comment:

  • induslady
    commented on 's reply
    Hi Ambro,
    Our site was a hacked. We just removed the 'install' directory. There were Admin accounts created. Removed and blocked IP.
    We also see via Control panel log (for the date on which these admin accounts got created) there were few more usernames (edit and killed) and plugins touched (displays plugin id).

    But when we ran your above query in plugin table in vB DB, it returned no results.

    We did not see anything weird so far in the front end or any redirect of 'index.php'. However, in one of the style we use, got a message at the top of the header:
    "Kindly delete your install directory of forums. Otherwise, you will keep getting hacked".

    Did the hacker put up this message? Wierd? However, this message was not displaying in other styles we use.
widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.