4.1.1 Forum HACKED by Syrian Sympathizers
  • 4.1.1 Forum HACKED by Syrian Sympathizers

    When you enter my forum at: http://www.nhtourguide.com/forums/forum.php after the page loads a user is transferred to this site: http://www.cadiroig.cat/ - some sort of Syrian Sympathizer hack page called SECURITY LION H4CK3RS T34M

    I found there were some new admins added in the last week that I knew nothing about. 4 of them actually. I deleted them and I deleted the /install folder that I am now seeing is an exploit. But now I still have the forward in the forum. Anyone have any ideas how to get rid of it?
    Last edited by NHTourGuide; Mon 9 Sep '13, 9:49am.
    NHTourGuide.com

  • #2
    First you should upgrade to 4.2.1 as the supported version.

    When done upgrading delete your install directory.

    Next read this: http://www.vbulletin.com/forum/blogs...vbulletin-site
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API - Full / Mobile
    Vote for your favorite feature requests and the bugs you want to see fixed.

    • #3
      Thanks but right now I just want to remove the forwarding that was installed by the hackers. I read this section of the link you posted:

      Help, I’ve been hacked!

      If you’ve already been exploited, we’d suggest taking a look at this guide on helping to clean up your site. (coming shortly)

      But it just says "coming shortly"

      I don't mind upgrading but I just want this removed asap first.
      NHTourGuide.com

      • #4
        We're in the same boat - have uploaded all new files, upgraded, removed the /install directory, there are no additional admins that shouldn't be there, but did delete a suspicious regular user ... still have the exploit forward ... hope someone can help.

        • #5
          I'm sure there will be more of us that got hacked, just a matter of time.

          I did find this in the control panel log...

          5541 N/A 07:00, 9th Sep 2013 notice.php modify 91.144.37.48
          5540 N/A 06:59, 9th Sep 2013 notice.php update 91.144.37.48
          5539 N/A 06:59, 9th Sep 2013 notice.php add 91.144.37.48
          NHTourGuide.com

          • #6
            Look under "notices" in your Control panel... Delete the one that was added by the hacker. My problem is solved (I think)
            NHTourGuide.com

            • #7
              http://www.vbulletin.com/forum/blogs...ve-been-hacked

              Delete the install folder, delete any extra files, delete any extra admins, delete any extra plugins.
              Wayne Luke

              • #8
                This has just happened to me - it is a problem with a vulnerability in the /install directory on 4.x (or /core/install on 5.x). You need to remove the /install directory from your server, remove the additional admin accounts that have been created and remove the notice that was added.

                http://blog.sucuri.net/2013/08/poten...4-1-and-5.html

                • #9
                  Did they need to be a member to achieve this? I've had to set my board to email request for membership only because of repeated fake signups that just take too much time to deal with. I've had several recently that I've added. Would like to know, do they have to be members to use this exploit?

                  • #10
                    Originally posted by One-Take:
                        would like to know, do they have to be members to use this exploit?
                    No they do not, they just need access to your install folder. Remove that and the exploit is gone.

                    You should also protect your admin cp folder with an .htaccess user/password, so even if they create an admin account, they cannot get into the ACP.
                    Baby, I was born this way

                    • #11
                      Originally posted by Paul M:
                          No they do not, they just need access to your install folder. Remove that and the exploit is gone.
                          You should also protect your admin cp folder with an .htaccess user/password, so even if they create an admin account, they cannot get into the ACP.
                      I was hacked also yesterday and today! The hacker replaced index.php, forum.php and activity.php with his own.
                      I solved the issue by:
                      1- re-uploading the original files again, overwriting the hacker's files
                      2- I also deleted the install folder
                      3- I changed my passwords

                      Now I have some questions:
                      1- How can someone reach the install folder without knowing my FTP username and password?
                      2- If they can reach the admincp, can they reach this install folder?
                      3- If the install folder has no value, why did the vBulletin team not instruct us to delete it after installation? They instruct us to delete only install.php.

                      thank you

                      • #12
                        In my case they added 3 admins and one of the new admins posted a notice.

                        I deleted the extra admins and took down the notice and now my forum looks normal again.

                        I am now upgrading to the latest version...

                        • #13
                          I've been hacked as well, but I also run a WordPress on the main directory while the forum is at .com/forum, and it seems like the entire site (both WordPress and vBulletin) was affected. The hacker's message is showing on the home page and the forum home page. My hosting provider also said that their weekly backups for the site are also corrupted and that I'll have to pay for them to do a malware scan! - does that make any sense? If both WordPress and vBulletin are hacked, doesn't that mean the hackers got into the server?

                          • #14
                            I have followed all the steps outlined:

                            Removed added admins
                            Removed notices and plugins
                            Full file restore of the pre-hack filesystem
                            Removed the install directory
                            Changed ALL passwords: admin, FTP, MySQL, etc.

                            And still they have got back in 4 times in 2 days.

                            • #15
                              Maybe the backdoor file was placed elsewhere. If you have SSH access, use the "find" command to examine recently changed/added files.

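An added example, not from the thread or from vBulletin: a small POSIX shell triage helper that does what #15 suggests (list files under the web root changed in the last N days) and also reports whether the leftover /install or /core/install directory named in #8 is still present. The function names, the sample web root and its file names are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed triage helper (not from the thread or from vBulletin): list
# files under a web root changed within the last N days and report whether a
# leftover /install (4.x) or /core/install (5.x) directory is still present.

# recent_files ROOT DAYS: print PHP and .htaccess files modified in the last DAYS days.
recent_files() {
    find "$1" -type f -mtime "-${2:-7}" \
        \( -name '*.php' -o -name '.htaccess' \) | sort
}

# install_dirs ROOT: print any installer directory that should have been removed.
install_dirs() {
    for d in install core/install; do
        [ -d "$1/$d" ] && printf '%s\n' "$1/$d"
    done
    return 0
}

# make_sample_root: build a constructed web root in a temp dir so this runs offline.
# Two legitimate files are backdated to 2001; index.php and the leftover installer
# keep today's timestamp, mimicking files touched during the incident.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/install" "$root/admincp" "$root/includes"
    printf '<?php // legitimate\n' > "$root/includes/class_core.php"
    printf '<?php // legitimate\n' > "$root/admincp/index.php"
    printf '<?php // recently replaced\n' > "$root/index.php"
    printf '<?php // leftover installer\n' > "$root/install/install.php"
    touch -t 200101010000 "$root/includes/class_core.php" "$root/admincp/index.php"
    printf '%s\n' "$root"
}

# report ROOT DAYS: human-readable summary of both checks.
report() {
    echo "== files changed in the last ${2:-7} days under $1 =="
    recent_files "$1" "${2:-7}"
    echo "== leftover installer directories (none means clean) =="
    install_dirs "$1"
}

report "$(make_sample_root)" 7
```

On a real host, run `report /path/to/webroot 7` as the web server's owner and compare every listed file against a clean copy of the same vBulletin version before deciding what to restore.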