Admin account compromised, nothing wrong, but strange thing in log file

  • #1

    This morning, I noticed a strange thing in the "users that have visited in the last 24 hours" modification that's displayed on my forumhome: the main admin account, which really isn't used unless there are admin things going on, was listed. It showed that it was used late last night.

    I don't use that account often, and I asked the other admin on the site; he said he didn't use the account yesterday.

    Trying to figure out what happened (the site is running as usual, no issues), I looked at the admin log:

    The only things listed were for plugin.php, plugin ids 1073, 1074 and 1075, 5 entries each: add, update, modify, delete, kill. All from an unknown IP (from the Ukraine), spread out over 36 minutes.

    Taking a look through my plugin list, I don't see anything abnormal.

    Everything seems to be working perfectly; I just have no idea what happened / what has been changed.

    Of course I changed the PW for that admin acct, but I don't know what else to do. I banned the IP from cPanel and have backed up the DB.

    Do those plugin ids mean anything? Or are they like a post count, just sequential based on the individual install? Any ideas to figure out what was done?

  • #2
    Yeah, sounds like a plugin was installed, data acquired and then all traces removed. Put an .htaccess auth on your admincp directory and make sure all the passwords to admin accounts are changed (as you've mentioned already).
    anders | vbulletin team | check out the new vbulletin facebook app
    Proudly vBulletin'ing since 2001


    • #3
      The plugin ids are unique to your site. You could check your plugin table in the database to see which plugin corresponds to which ID, but it probably doesn't really matter; once they were in, they could have used any plugin and changed it back.

      You should, as was said, change ALL your administrator account passwords.

      Change your database username and password (you will need to edit these values into config.php).

      The only "useful" info they may have gotten was a copy of your users' password hashes; they may try to crack your users' passwords. You may want to tell your users to change their passwords as well.

      Finally you should secure your forum by following what it says here:

      Specifically adding an htaccess password to your admincp directory would have been another layer of security in something like this.
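A defender's way to confirm the "installed, used, then removed" pattern from #2 and the plugin-id lookup from #3: the script below (added here as an example, not code from the thread or from vBulletin) groups admin-log rows by plugin id and flags ids that were added and later deleted/killed from an IP outside an allowlist. The CSV column names, the sample rows and the IP addresses are constructed assumptions; adjust them to the real adminlog export.

```python
import csv
import io
from collections import defaultdict

# Constructed admin-log export shaped like vBulletin's adminlog table (column
# names are an assumption; adjust to the real schema). dateline is epoch
# seconds and the plugin id sits in extrainfo, as the thread describes.
SAMPLE_ADMINLOG = """adminlogid,userid,dateline,script,action,extrainfo,ipaddress
501,1,1300000000,plugin.php,add,1073,203.0.113.7
502,1,1300000300,plugin.php,update,1073,203.0.113.7
503,1,1300000400,plugin.php,modify,1073,203.0.113.7
504,1,1300000900,plugin.php,add,1074,203.0.113.7
505,1,1300001500,plugin.php,delete,1073,203.0.113.7
506,1,1300001600,plugin.php,kill,1073,203.0.113.7
507,1,1300002000,plugin.php,delete,1074,203.0.113.7
508,1,1300002100,plugin.php,kill,1074,203.0.113.7
509,1,1290000000,plugin.php,update,12,198.51.100.5
"""

# Addresses the site's own admins normally use (constructed allowlist).
KNOWN_ADMIN_IPS = {"198.51.100.5"}
REMOVAL_ACTIONS = {"delete", "kill"}

def parse_adminlog(text):
    """Yield one dict per plugin.php row, with dateline converted to int."""
    for row in csv.DictReader(io.StringIO(text)):
        if row["script"] == "plugin.php":
            row["dateline"] = int(row["dateline"])
            yield row

def transient_plugins(text, known_ips=KNOWN_ADMIN_IPS):
    """Return {pluginid: {ips, actions, minutes}} for plugins that were added
    and later deleted/killed by at least one IP outside the allowlist."""
    by_id = defaultdict(list)
    for row in parse_adminlog(text):
        by_id[row["extrainfo"]].append(row)
    findings = {}
    for pid, rows in by_id.items():
        rows.sort(key=lambda r: r["dateline"])       # chronological order
        actions = [r["action"] for r in rows]
        ips = {r["ipaddress"] for r in rows}
        added = "add" in actions
        removed = any(a in REMOVAL_ACTIONS for a in actions)
        if added and removed and not ips <= known_ips:
            span = (rows[-1]["dateline"] - rows[0]["dateline"]) / 60
            findings[pid] = {"ips": ips, "actions": actions, "minutes": span}
    return findings
```

Any id it reports is worth comparing against the plugin table and the site's backups, since a plugin that no longer exists leaves only the log entries behind.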