Announcement

Collapse
No announcement yet.

Forum hacked...

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Wayne Luke
    replied
    Originally posted by Jaxo View Post
    Sorry, one more thing.. any idea as to how to reset the password on paid subscriptions?
    I am not sure what you mean. There are no passwords on paid subscriptions.

    Leave a comment:


  • Zachery
    replied
    I'd suggest looking over these two blog posts:
    http://www.vbulletin.com/forum/blogs...ve-been-hacked
    http://www.vbulletin.com/forum/blogs...vbulletin-site

    Leave a comment:


  • Ion Saliu
    replied
    Jaxo:

    You are not alone, axiomatic colleague of mine. Many, many administrators who run forums powered by vBulletin have been struck by these bunch of skumbullows (i.e. cyber criminals) located in China). I wrote about my headaches in this forum. I am posting now from a different computer and don't have my original Word documents. I showed in my thread two of the IP addresses of the skumbullows. I just found one more suspicious IP number located in Germany.

    So, look at that repeated IP in your post: 37.130.224.22.
    2582e016.rdns.100tb.com

    Leave a comment:


  • Jaxo
    replied
    Sorry, one more thing.. any idea as to how to reset the password on paid subscriptions?

    Leave a comment:


  • Jaxo
    replied
    Ok, will do this. Thanks for the help Wayne

    Leave a comment:


  • Wayne Luke
    replied
    Delete the plugins and reinstall your addons from new downloads.

    Leave a comment:


  • Jaxo
    replied
    I have deleted the users and install folders but there is no extra plugins there that i havent installed myself?

    What have they tried to do?

    Leave a comment:


  • Wayne Luke
    replied
    Delete the plugins, delete the users, delete your install folder.

    Leave a comment:


  • Jaxo
    replied
    Can anyone help me or give me any advice ?

    Leave a comment:


  • Jaxo
    replied
    Here is a copy of my control panel log and what they have done...
    25618 N/A 16:06, 8th Sep 2013 subscriptions.php modify 37.130.224.22
    25617 N/A 16:06, 8th Sep 2013 subscriptions.php add 37.130.224.22
    25616 N/A 16:06, 8th Sep 2013 plugin.php modify 37.130.224.22
    25615 N/A 16:06, 8th Sep 2013 plugin.php add 37.130.224.22
    25614 N/A 16:06, 8th Sep 2013 plugin.php 37.130.224.22
    25613 N/A 16:06, 8th Sep 2013 plugin.php kill plugin id = 677 37.130.224.22
    25612 N/A 16:06, 8th Sep 2013 plugin.php delete plugin id = 677 37.130.224.22
    25611 N/A 16:06, 8th Sep 2013 plugin.php modify 37.130.224.22
    25610 N/A 16:06, 8th Sep 2013 plugin.php kill plugin id = 678 37.130.224.22
    25609 N/A 16:06, 8th Sep 2013 plugin.php delete plugin id = 678 37.130.224.22
    25608 N/A 16:06, 8th Sep 2013 plugin.php modify 37.130.224.22
    25607 N/A 16:06, 8th Sep 2013 plugin.php product 37.130.224.22
    25606 N/A 16:05, 8th Sep 2013 diagnostic.php payments 37.130.224.22
    25605 N/A 16:05, 8th Sep 2013 subscriptionpermission.php modify 37.130.224.22
    25604 N/A 16:05, 8th Sep 2013 plugin.php 37.130.224.22
    25603 N/A 16:05, 8th Sep 2013 plugin.php doimport 37.130.224.22
    25602 N/A 16:05, 8th Sep 2013 plugin.php files 37.130.224.22
    25601 N/A 16:05, 8th Sep 2013 plugin.php files 37.130.224.22
    25600 N/A 16:02, 8th Sep 2013 plugin.php modify 37.130.224.22
    25599 N/A 16:02, 8th Sep 2013 plugin.php product 37.130.224.22
    25598 N/A 16:02, 8th Sep 2013 plugin.php modify 37.130.224.22
    25597 N/A 16:02, 8th Sep 2013 plugin.php product 37.130.224.22
    25596 N/A 16:02, 8th Sep 2013 plugin.php modify 37.130.224.22
    25595 N/A 16:02, 8th Sep 2013 plugin.php add 37.130.224.22
    25594 N/A 16:02, 8th Sep 2013 plugin.php files 37.130.224.22
    25593 N/A 15:53, 8th Sep 2013 plugin.php 37.130.224.22
    25592 N/A 15:53, 8th Sep 2013 plugin.php doimport 37.130.224.22
    25591 N/A 15:52, 8th Sep 2013 plugin.php files 37.130.224.22
    25590 N/A 15:52, 8th Sep 2013 plugin.php updateactive 37.130.224.22
    25589 N/A 15:51, 8th Sep 2013 plugin.php 37.130.224.22
    25588 N/A 15:51, 8th Sep 2013 plugin.php update 37.130.224.22
    25587 N/A 15:51, 8th Sep 2013 plugin.php add 37.130.224.22
    25586 N/A 15:51, 8th Sep 2013 plugin.php add 37.130.224.22
    25585 N/A 15:50, 8th Sep 2013 plugin.php files 37.130.224.22
    25584 N/A 15:50, 8th Sep 2013 plugin.php modify 37.130.224.22
    25583 N/A 15:50, 8th Sep 2013 plugin.php product 37.130.224.22
    25582 N/A 15:50, 8th Sep 2013 subscriptions.php add 37.130.224.22
    25581 N/A 15:50, 8th Sep 2013 subscriptions.php modify 37.130.224.22

    Leave a comment:


  • Jaxo
    replied
    From what i can see, they have tried to run scripts and have did something with paid subscription section of the admin panel... every tab I try to access it asks for a password (which I do not know, as I have never set up any paid subscriptions).. where in the files is this password located so I can change or remove it,.. Or is there a quiery I could run to remove it?

    What I have did so far is removed the rogue admin, checked config.php to see if any superadmin have been added (which they havent), upgraded my vbulletin to the latest version and renamed the admincp... As far as I am aware they got access through the vbulletin software and not through the server.

    Is their anything else I can check for or do ?

    Leave a comment:


  • Jaxo
    replied
    Any idea how i can access paid subscriptions on the admin panel if I do not have the password? Is there any way to reset it?

    Leave a comment:


  • Jaxo
    replied
    You expect better from a paid premium product tbh.. I was with phpbb previously and never had this problem.. Only moved to vbulletin as it looks better but to me seems less secure

    Leave a comment:


  • Hartmut
    commented on 's reply
    Would be better in order to avoid exploits from the past.

  • WildWayz
    replied
    Mine was hacked too - but thankfully all they did was register an admin and didn't do anything with it, so i've removed that admin account. I checked the logs and that account hadn't done anything.

    That was 3 days ago he registered it - but i've also removed /install

    Leave a comment:

widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Working...
X