  • Forum hacked...

    Hi, my site has been hacked and I am unsure what to do.

    I logged in today and just by coincidence noticed an administrator by the name of h311-c0d3 was online. I checked admin permissions and logs and there were about 6-7 admins there who should not have been.

    I checked the logs and deleted the admins. Most had no logs, but a couple had been running scripts which seem to be to do with paid subscriptions. When I tried to access this section of the admin panel it asked for a password (something I have never set, as I have no paid subs).

    I'm at a bit of a loss. What should I do? How did they get in, etc.?

    I'd be grateful for any advice. The site is http://cccam-exchange.com and it's running Version 4.2.0.

    Thanks in advance

    Jack


  • #2
    Delete your /install folder; there has been an exploit in vB with this.



    • #3
      Thanks, Should I also upgrade to the latest version?



      • Hartmut commented:
        Would be better in order to avoid exploits from the past.

    • #4
      Mine was hacked too, but thankfully all they did was register an admin and didn't do anything with it, so I've removed that admin account. I checked the logs and that account hadn't done anything.

      That was 3 days ago he registered it, but I've also removed /install.



      • #5
        You expect better from a paid premium product tbh. I was with phpBB previously and never had this problem. I only moved to vBulletin as it looks better, but to me it seems less secure.



        • #6
          Any idea how I can access paid subscriptions on the admin panel if I do not have the password? Is there any way to reset it?



          • #7
            From what I can see, they have tried to run scripts and have done something with the paid subscription section of the admin panel. Every tab I try to access asks for a password (which I do not know, as I have never set up any paid subscriptions). Where in the files is this password located so I can change or remove it? Or is there a query I could run to remove it?

            What I have done so far is removed the rogue admins, checked config.php to see if any superadmins have been added (which they haven't), upgraded my vBulletin to the latest version and renamed the admincp. As far as I am aware they got access through the vBulletin software and not through the server.

            Is there anything else I can check for or do?



            • #8
              Here is a copy of my control panel log and what they have done:
              25618 N/A 16:06, 8th Sep 2013 subscriptions.php modify 37.130.224.22
              25617 N/A 16:06, 8th Sep 2013 subscriptions.php add 37.130.224.22
              25616 N/A 16:06, 8th Sep 2013 plugin.php modify 37.130.224.22
              25615 N/A 16:06, 8th Sep 2013 plugin.php add 37.130.224.22
              25614 N/A 16:06, 8th Sep 2013 plugin.php 37.130.224.22
              25613 N/A 16:06, 8th Sep 2013 plugin.php kill plugin id = 677 37.130.224.22
              25612 N/A 16:06, 8th Sep 2013 plugin.php delete plugin id = 677 37.130.224.22
              25611 N/A 16:06, 8th Sep 2013 plugin.php modify 37.130.224.22
              25610 N/A 16:06, 8th Sep 2013 plugin.php kill plugin id = 678 37.130.224.22
              25609 N/A 16:06, 8th Sep 2013 plugin.php delete plugin id = 678 37.130.224.22
              25608 N/A 16:06, 8th Sep 2013 plugin.php modify 37.130.224.22
              25607 N/A 16:06, 8th Sep 2013 plugin.php product 37.130.224.22
              25606 N/A 16:05, 8th Sep 2013 diagnostic.php payments 37.130.224.22
              25605 N/A 16:05, 8th Sep 2013 subscriptionpermission.php modify 37.130.224.22
              25604 N/A 16:05, 8th Sep 2013 plugin.php 37.130.224.22
              25603 N/A 16:05, 8th Sep 2013 plugin.php doimport 37.130.224.22
              25602 N/A 16:05, 8th Sep 2013 plugin.php files 37.130.224.22
              25601 N/A 16:05, 8th Sep 2013 plugin.php files 37.130.224.22
              25600 N/A 16:02, 8th Sep 2013 plugin.php modify 37.130.224.22
              25599 N/A 16:02, 8th Sep 2013 plugin.php product 37.130.224.22
              25598 N/A 16:02, 8th Sep 2013 plugin.php modify 37.130.224.22
              25597 N/A 16:02, 8th Sep 2013 plugin.php product 37.130.224.22
              25596 N/A 16:02, 8th Sep 2013 plugin.php modify 37.130.224.22
              25595 N/A 16:02, 8th Sep 2013 plugin.php add 37.130.224.22
              25594 N/A 16:02, 8th Sep 2013 plugin.php files 37.130.224.22
              25593 N/A 15:53, 8th Sep 2013 plugin.php 37.130.224.22
              25592 N/A 15:53, 8th Sep 2013 plugin.php doimport 37.130.224.22
              25591 N/A 15:52, 8th Sep 2013 plugin.php files 37.130.224.22
              25590 N/A 15:52, 8th Sep 2013 plugin.php updateactive 37.130.224.22
              25589 N/A 15:51, 8th Sep 2013 plugin.php 37.130.224.22
              25588 N/A 15:51, 8th Sep 2013 plugin.php update 37.130.224.22
              25587 N/A 15:51, 8th Sep 2013 plugin.php add 37.130.224.22
              25586 N/A 15:51, 8th Sep 2013 plugin.php add 37.130.224.22
              25585 N/A 15:50, 8th Sep 2013 plugin.php files 37.130.224.22
              25584 N/A 15:50, 8th Sep 2013 plugin.php modify 37.130.224.22
              25583 N/A 15:50, 8th Sep 2013 plugin.php product 37.130.224.22
              25582 N/A 15:50, 8th Sep 2013 subscriptions.php add 37.130.224.22
              25581 N/A 15:50, 8th Sep 2013 subscriptions.php modify 37.130.224.22

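Triage of the control-panel log quoted in #8, as an added example that is not part of the original thread and not vBulletin's own code. It parses the posted lines (a subset is embedded as constructed sample input, in the same layout), groups them by source IP and script, finds the time window, counts the actions that change executable code or subscription settings, and pulls out the plugin IDs the attacker deleted again, which is why #11 later finds no unfamiliar plugins left to remove. The action categories and the regular expressions are my choices for this triage, not lists published by vBulletin.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the control-panel log lines quoted in post #8,
# in the same layout (log id, admin user, time, date, script, action, source IP).
# "N/A" in the user column is reproduced from the post; the thread does not say
# why the user is unresolved.
SAMPLE_LOG = """\
25618 N/A 16:06, 8th Sep 2013 subscriptions.php modify 37.130.224.22
25617 N/A 16:06, 8th Sep 2013 subscriptions.php add 37.130.224.22
25616 N/A 16:06, 8th Sep 2013 plugin.php modify 37.130.224.22
25615 N/A 16:06, 8th Sep 2013 plugin.php add 37.130.224.22
25614 N/A 16:06, 8th Sep 2013 plugin.php 37.130.224.22
25613 N/A 16:06, 8th Sep 2013 plugin.php kill plugin id = 677 37.130.224.22
25612 N/A 16:06, 8th Sep 2013 plugin.php delete plugin id = 677 37.130.224.22
25610 N/A 16:06, 8th Sep 2013 plugin.php kill plugin id = 678 37.130.224.22
25609 N/A 16:06, 8th Sep 2013 plugin.php delete plugin id = 678 37.130.224.22
25606 N/A 16:05, 8th Sep 2013 diagnostic.php payments 37.130.224.22
25605 N/A 16:05, 8th Sep 2013 subscriptionpermission.php modify 37.130.224.22
25603 N/A 16:05, 8th Sep 2013 plugin.php doimport 37.130.224.22
25592 N/A 15:53, 8th Sep 2013 plugin.php doimport 37.130.224.22
25590 N/A 15:52, 8th Sep 2013 plugin.php updateactive 37.130.224.22
25587 N/A 15:51, 8th Sep 2013 plugin.php add 37.130.224.22
25581 N/A 15:50, 8th Sep 2013 subscriptions.php modify 37.130.224.22
"""

# One log line. The action field may be empty ("plugin.php 37.130.224.22"),
# so it is matched lazily and the IP is anchored at the end of the line.
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<user>\S+)\s+(?P<time>\d{1,2}:\d{2}),\s+"
    r"(?P<date>\d{1,2}(?:st|nd|rd|th)\s+[A-Za-z]{3}\s+\d{4})\s+"
    r"(?P<script>\S+\.php)\s*(?P<action>.*?)\s*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Admin-panel actions that add or change executable code (plugin.php) or
# money-handling settings (subscriptions). This categorisation is mine, chosen
# for triage; it is not a list published by vBulletin.
CODE_OR_MONEY_CHANGING = {
    "plugin.php": {"add", "modify", "update", "doimport", "updateactive"},
    "subscriptions.php": {"add", "modify"},
    "subscriptionpermission.php": {"modify"},
}

# Plugin removals recorded in the log (the attacker deleting their own plugins).
PLUGIN_REMOVAL_RE = re.compile(r"^(kill|delete) plugin id = (?P<pid>\d+)$")


def parse_log(text):
    """Parse control-panel log lines into dicts with a real datetime."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if m is None:
            raise ValueError(f"unrecognised log line: {raw!r}")
        d = m.groupdict()
        day, mon, year = d["date"].split()
        day = re.sub(r"(st|nd|rd|th)$", "", day)      # "8th" -> "8"
        ts = datetime.strptime(f"{day} {mon} {year} {d['time']}", "%d %b %Y %H:%M")
        entries.append({"id": int(d["id"]), "user": d["user"], "ts": ts,
                        "script": d["script"], "action": d["action"], "ip": d["ip"]})
    return entries


def triage(entries):
    """Summarise who did what, when, and which plugins were added then removed."""
    ordered = sorted(entries, key=lambda e: (e["ts"], e["id"]))
    changes = [e for e in ordered
               if e["action"] in CODE_OR_MONEY_CHANGING.get(e["script"], set())]
    removed = set()
    for e in ordered:
        m = PLUGIN_REMOVAL_RE.match(e["action"])
        if m:
            removed.add(int(m.group("pid")))
    return {
        "ips": dict(Counter(e["ip"] for e in ordered)),
        "scripts": dict(Counter(e["script"] for e in ordered)),
        "first": ordered[0]["ts"],
        "last": ordered[-1]["ts"],
        "code_or_money_changes": len(changes),
        "plugins_added": sum(1 for e in changes if e["script"] == "plugin.php"
                             and e["action"] in {"add", "doimport"}),
        "plugins_removed": sorted(removed),
        "all_users_unresolved": all(e["user"] == "N/A" for e in ordered),
    }


if __name__ == "__main__":
    summary = triage(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key:>24}: {value}")
```

Run on the sample, the summary shows a single source IP, a sixteen-minute window, several plugin imports followed by the deletion of plugin ids 677 and 678, and edits to the subscription settings; that is the sequence to read before deciding that "no extra plugins" in the panel means nothing was installed. The same parser runs unchanged over the full log pasted in #8.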


              • #9
                Can anyone help me or give me any advice?



                • #10
                  Delete the plugins, delete the users, delete your install folder.
                  Translations provided by Google.

                  Wayne Luke
                  The Rabid Badger - a vBulletin Cloud demonstration site.
                  vBulletin 5 API - Full / Mobile
                  Vote for your favorite feature requests and the bugs you want to see fixed.



                  • #11
                    I have deleted the users and install folders, but there are no extra plugins there that I haven't installed myself?

                    What have they tried to do?



                    • #12
                      Delete the plugins and reinstall your addons from new downloads.

                      Wayne Luke



                      • #13
                        OK, will do this. Thanks for the help, Wayne.



                        • #14
                          Sorry, one more thing: any idea as to how to reset the password on paid subscriptions?



                          • #15
                            Jaxo:

                            You are not alone, axiomatic colleague of mine. Many, many administrators who run forums powered by vBulletin have been struck by this bunch of skumbullows (i.e. cyber criminals) located in China. I wrote about my headaches in this forum. I am posting now from a different computer and don't have my original Word documents. I showed in my thread two of the IP addresses of the skumbullows. I just found one more suspicious IP address located in Germany.

                            So, look at that repeated IP in your post: 37.130.224.22.
                            2582e016.rdns.100tb.com
