Announcement

Collapse
No announcement yet.

Hacked, What has happened to me and questions for you!

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Hacked, What has happened to me and questions for you!

    Hi All, though i do a quick share of my experiences in the last few days as to what i've experienced. I help run a small car club forum that i've only recently taken over. On tuesday we had the site defaced and a couple of admin accounts created. After reading the thread on what to do after being hacked, (http://www.vbulletin.com/forum/blogs...ve-been-hacked)

    I followed the steps as mentioned in the thred. In our Case the hackers created 2 Admin accounts that i removed, I've check all the accounts with admin rights and i was left with what i was expecting.

    I checked the logs and found the following:

    11196 N/A 08:05, 16th Sep 2013 plugin.php edit plugin id = 201 198.7.58.98
    11195 N/A 08:04, 16th Sep 2013 plugin.php update 198.7.58.98
    11194 N/A 08:04, 16th Sep 2013 plugin.php add 198.7.58.98
    11219 N/A 10:44, 16th Sep 2013 plugin.php 180.149.0.249
    11218 N/A 10:44, 16th Sep 2013 plugin.php doimport 180.149.0.249
    11217 N/A 10:43, 16th Sep 2013 subscriptions.php modify 180.149.0.249
    11216 N/A 10:43, 16th Sep 2013 plugin.php files 180.149.0.249
    11215 N/A 10:43, 16th Sep 2013 plugin.php edit plugin id = 202 180.149.0.249
    11214 N/A 10:43, 16th Sep 2013 plugin.php update 180.149.0.249
    11213 N/A 10:42, 16th Sep 2013 plugin.php add 180.149.0.249

    I checked the plugins 201 and 202 and found 1 called Hell and another called something else. I removed these plugins. I then ran an update on the forum and deleted / install directory to stop the current know exploit.

    The next day i had found that the site was once again defaced. I checked the admin logs, no admin accounts but yet the hackers seems to still have control of my forum. I've been trailing though database to find the following: The Call seems to be ( (strpos($_SERVER['PHP_SELF'],"subscriptions.php...) It then has a baseEncoded64 script after it. I'm not a php programer, but a quick google seem to suggest that this function will output a php file (subscription.php) that can be later called upon. ( thus creating another back door once this plugin has fired Up)

    Unfortunately I don't have a really recent backup of my forum database so i can afford to revert back to one from a few months back as a result.
    Question is to you guys, Is there somewhere i can check what plugins are legitimate and what are not? Also the tables created after this one, Can i presume these have been created by the hacker or have they been created by me updating Vbulletin?

    Any help is appreciated!

    Cheers,

    Andrew
    Last edited by aag321; Wed 18 Sep '13, 12:34am.

  • #2
    I had been hacked too, and also 2 friends of mine. There is somehow a glitch somewhere in vBulletin. Some .php file were injected uploaded (I do not know how!) between vB files some like index.php, blog.php, etc. were replaced, 5 admin accounts created, 1 plugin instaled and also Arabic translation installed.
    I believe there are some bots as they are not using the admin account to mess up the forum.

    To clean up you need to delete all files from FTP (KEEP ONLY FOLDERS THAT HAVE ATTACHMENTS OR SOME FILES THAT YOU NEED) and then re-upload all files and do an upgrade.
    Make sure you DELETE /install directory after upgrade (YES, ALL FOLDER AND IT'S CONTENT)
    Cu Respect / Best Regards / Mit freundlichen Grüßen

    roStyles Design LLC
    CEO & Founder (Design and Support)
    Romanian Translator
    Teascu Dorin
    [email protected]
    https://www.rostyles.com

    Comment


    • #3
      It seems that cleaning up your filesystem isnt enough, You need to check your database for rouge code too.

      Comment


      • #4
        http://www.vbulletin.com/forum/forum...90#post3995790

        this posts is perfect. Exactly what i was after

        Comment

        widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
        Working...
        X