Announcement

Collapse
No announcement yet.

Getting error on forum.php, suspect got hacked

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • [Forum] Getting error on forum.php, suspect got hacked

    I have got someone which able to set himself as admin usergroup, and I got the following error on the forum.php

    Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/imforum/public_html/forum.php on line 413


    How can I solve this and also prevent this person from hacking into the admin system again, and I suspect he has uploaded some files onto the site but I don't know which one.
    The IM Forum - Where All Internet Marketers Come Together - http://www.theimforum.com

  • #2
    I presume that you have removed the install folder from your forum root?

    I hear that they install plugins. Check your plugins and products/plugin manager to see if there is anything you don't recognize..
    I also hear the Ranks are affected so check them too...
    You could also look at your statistics and logs...?

    It may be time for you to restore from a previous backup?


    Comment


    • #3
      Originally posted by DemOnstar View Post
      I presume that you have removed the install folder from your forum root?

      I hear that they install plugins. Check your plugins and products/plugin manager to see if there is anything you don't recognize..
      I also hear the Ranks are affected so check them too...
      You could also look at your statistics and logs...?

      It may be time for you to restore from a previous backup?
      When it happens, the install folder is still there, I have since deleted it, from mod log I see plugin is uploaded by the person but from manager I cannot see anything different.
      If I have no backup how to solve it?
      Where can I check Ranks?
      The IM Forum - Where All Internet Marketers Come Together - http://www.theimforum.com

      Comment


      • #4
        Ranks are in the AdminCP. Scroll down until you reach User Ranks..

        If you don't have a backup, maybe your host does? Not sure about that?
        Also check to see if you have any new users registered as admin, (CP panel Users) if yes, delete....

        For future reference to backups download this mod http://www.vbulletin.org/forum/showthread.php?t=231481

        Also, check this thread http://www.vbulletin.com/forum/forum...pe-hack-method


        Comment


        • #5
          Originally posted by DemOnstar View Post
          Ranks are in the AdminCP. Scroll down until you reach User Ranks..

          If you don't have a backup, maybe your host does? Not sure about that?
          Also check to see if you have any new users registered as admin, (CP panel Users) if yes, delete....

          For future reference to backups download this mod http://www.vbulletin.org/forum/showthread.php?t=231481

          Also, check this thread http://www.vbulletin.com/forum/forum...pe-hack-method
          I deleted the hacked admin, but he keep coming back, how he set himself as admin? is it through my admin login?
          The IM Forum - Where All Internet Marketers Come Together - http://www.theimforum.com

          Comment


          • #6
            Have you looked at your includes/config.php?

            Maybe also you should protect the admincp folder and the modcp folder with a password... Do it now... They are in your forum root...

            ht.access should also be considered but I don't know how to do that..

            An alternative would be to place the following within an .htaccess file in your /install/ folder:
            Code:
            order deny,allow
            deny from all


            Comment


            • #7
              Originally posted by DemOnstar View Post
              Have you looked at your includes/config.php?

              Maybe also you should protect the admincp folder and the modcp folder with a password... Do it now... They are in your forum root...

              ht.access should also be considered but I don't know how to do that..



              Code:
              order deny,allow
              deny from all
              I have these in my .htacess -

              Code:
              <Files 403.shtml>
              order allow,deny
              allow from all
              </Files>
              
              deny from 122.173.128.202
              The IM Forum - Where All Internet Marketers Come Together - http://www.theimforum.com

              Comment


              • #8
                Well regarding the ht.access announcement at the top of this page it says

                Code:
                order deny,allow
                deny from all
                Yours reads

                Code:
                order allow,deny
                allow from all
                Perhaps you might be wise to consider the advice in the announcement and set to 'deny from all'?


                Comment


                • #9
                  Originally posted by DemOnstar View Post
                  Well regarding the ht.access announcement at the top of this page it says

                  Code:
                  order deny,allow
                  deny from all
                  Yours reads

                  Code:
                  order allow,deny
                  allow from all
                  Perhaps you might be wise to consider the advice in the announcement and set to 'deny from all'?
                  OK I have changed it, I have the CP log as follows, the N/A is the hacker that I already deleted, any clue on what file he uploaded?
                  [ATTACH=CONFIG]n61918[/ATTACH]
                  The IM Forum - Where All Internet Marketers Come Together - http://www.theimforum.com

                  Comment


                  • #10
                    Check your plugin manager for something you do not recognize...

                    Did you block his IP?


                    Comment


                    • #11
                      Originally posted by DemOnstar View Post
                      Check your plugin manager for something you do not recognize...

                      Did you block his IP?
                      There is one call VBulletin product with hook location: init_startup , should I delete it or disable it, I don't know whether this is the one though.
                      The IM Forum - Where All Internet Marketers Come Together - http://www.theimforum.com

                      Comment


                      • #12
                        I have replaced the forum.php and it came back ok again, how to stop being hacked again?
                        The IM Forum - Where All Internet Marketers Come Together - http://www.theimforum.com

                        Comment


                        • #13
                          I have seen this one before....
                          Now, if you can copy it, I would copy it to a text editor and then delete from plugins...

                          If after this you are getting no problems, I would assume it is done...
                          If you do get problems, you could always put it back from your text editor...

                          You have to understand that I am not sure here...I look at my plugin manager currently I have 3 instances of init_startup, they all seem to be attached to a product.

                          Example: Product : vBulletin Blog
                          Example: Product : vBulletin CMS
                          Example: Product : Spam Hammer 1-Series

                          Hope that helps.....
                          If you have a backup of the database that may also be a boon. (Useful)

                          Perhaps make a backup now? The guy will still be in there on restore but you will be well ahead of him.

                          http://www.vbulletin.org/forum/showthread.php?t=231481


                          Comment


                          • DemOnstar
                            DemOnstar commented
                            Editing a comment
                            Have you blocked his IP?

                        • #14
                          Originally posted by DemOnstar View Post
                          I have seen this one before....
                          Now, if you can copy it, I would copy it to a text editor and then delete from plugins...

                          If after this you are getting no problems, I would assume it is done...
                          If you do get problems, you could always put it back from your text editor...

                          You have to understand that I am not sure here...I look at my plugin manager currently I have 3 instances of init_startup, they all seem to be attached to a product.

                          Example: Product : vBulletin Blog
                          Example: Product : vBulletin CMS
                          Example: Product : Spam Hammer 1-Series

                          Hope that helps.....
                          If you have a backup of the database that may also be a boon. (Useful)

                          Perhaps make a backup now? The guy will still be in there on restore but you will be well ahead of him.

                          http://www.vbulletin.org/forum/showthread.php?t=231481
                          If you have read the previous post, I said that it's back online after I replace the forum.php, now all I need is to prevent such incident to happen again.
                          The IM Forum - Where All Internet Marketers Come Together - http://www.theimforum.com

                          Comment


                          • #15
                            The previous post was being composed as I was figuring out how to help you... We posted around the same time...

                            Anyway, aside... If your (entire) install folder has been deleted, that is allegedly the end of your concern...

                            Something to consider. You may want to look at your config.php?

                            Mine looks like this..

                            Code:
                                //    ****** USERS WITH ADMIN LOG VIEWING PERMISSIONS ******
                                //    The users specified here will be allowed to view the admin log in the control panel.
                                //    Users must be specified by *ID number* here. To obtain a user's ID number,
                                //    view their profile via the control panel. If this is a new installation, leave
                                //    the first user created will have a user ID of 1. Seperate each userid with a comma.
                            $config['SpecialUsers']['canviewadminlog'] = '1';
                            
                                //    ****** USERS WITH ADMIN LOG PRUNING PERMISSIONS ******
                                //    The users specified here will be allowed to remove ("prune") entries from the admin
                                //    log. See the above entry for more information on the format.
                            $config['SpecialUsers']['canpruneadminlog'] = '1';
                            
                                //    ****** USERS WITH QUERY RUNNING PERMISSIONS ******
                                //    The users specified here will be allowed to run queries from the control panel.
                                //    See the above entries for more information on the format.
                                //    Please note that the ability to run queries is quite powerful. You may wish
                                //    to remove all user IDs from this list for security reasons.
                            $config['SpecialUsers']['canrunqueries'] = '1';
                            
                                //    ****** UNDELETABLE / UNALTERABLE USERS ******
                                //    The users specified here will not be deletable or alterable from the control panel by any users.
                                //    To specify more than one user, separate userids with commas.
                            $config['SpecialUsers']['undeletableusers'] = '1';
                            
                                //    ****** SUPER ADMINISTRATORS ******
                                //    The users specified below will have permission to access the administrator permissions
                                //    page, which controls the permissions of other administrators
                            $config['SpecialUsers']['superadministrators'] = '1';
                            Not sure if that is of any use but I have not been bothered by any hacker types so something is going my way...

                            Copy your database and copy your forum root....

                            Back it up.......................You never know..


                            Comment

                            widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                            Working...
                            X