Forum Hacked

  • Forum Hacked

    Hi
    This morning our site was hacked. When you click on the forum link the window shrinks and moves around in circles before going full screen and it has a message saying:

    Sorry admin protection was skipped
    Nacked by Saudi injector.

    I'm using 4.2.1 and there was a new admin user created too.

    I had deleted the install directory.

    Can anyone help me with what to do please?
    Batter Late than ....... pregnant

  • #2
    Originally posted by Bone Head
    I had deleted the install directory.
    What about the new admin?



    vB5 is unequivocally the best forum software, but not yet...


    • #3
      It was a user called I so I deleted it.
      Batter Late than ....... pregnant


      • #4
        I found 3 files in the root of the attachments directory: cp.php, injector.php and php.ini
        Batter Late than ....... pregnant
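
An added example, not part of any post in this thread: a scan of an upload or attachments directory for the kind of files reported in post #4 (script files and a per-directory `php.ini`). It assumes stored attachments never legitimately carry a script extension; the extension list, the `scan_upload_dir` and `build_sample_tree` names, and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Extensions a PHP-enabled web server may execute (assumed list; match it to your handler config).
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".pht"}
# Per-directory files that change how PHP or the web server treats the directory.
CONFIG_NAMES = {"php.ini", ".user.ini", ".htaccess"}


def scan_upload_dir(root, sniff_bytes=4096):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if lower in CONFIG_NAMES:
                findings.append((rel, "config-override"))
            elif os.path.splitext(lower)[1] in SCRIPT_EXTS:
                findings.append((rel, "script-extension"))
            else:
                with open(path, "rb") as fh:  # data file: check for embedded PHP
                    head = fh.read(sniff_bytes)
                if b"<?php" in head.lower():
                    findings.append((rel, "php-tag-in-content"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: the three file names from post #4 plus two data files."""
    os.makedirs(os.path.join(root, "1", "2"))
    samples = {
        "cp.php": b"placeholder",
        "injector.php": b"placeholder",
        "php.ini": b"; placeholder",
        os.path.join("1", "2", "100.attach"): b"\x89PNG\r\n\x1a\n constructed image bytes",
        os.path.join("1", "2", "101.attach"): b"<?php /* constructed */ ?>",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_upload_dir(tmp):
            print(f"{reason:20} {rel}")
```

Any finding in a directory that should only hold uploaded data is worth preserving as evidence (with timestamps) before cleanup, since it helps date the intrusion.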


        • #5
          This had happened to our site twice within a few days.

          They gained access to admin by logging in to one of the 3 admin accounts and created a new one. Then they installed a Subscription through the add on which did a bunch of stuff. It can also be done through attachments and plugins. You need to make sure your admins are changing their passwords regularly and that they are good. My site had 5 additional Admins listed. I banned them rather than deleted. 2 of my admins are listed in the Config.php file so those no one can change. Yours will be set up the same way. Your admin url you should know so you can get in if they totally take over the site.

          The quickest fix is to ftp your root directory back up to your server. You don't have to do your database generally and if you keep backups there don't do those or it will take too long. Once it is back up ban the extra admins and change your passwords.
          Last edited by Scottt; Fri 20 Sep '13, 2:57am.


          • #6
            Please read the following two blog posts:
            http://www.vbulletin.com/forum/blogs...ve-been-hacked
            http://www.vbulletin.com/forum/blogs...vbulletin-site
            Also please see these recent security announcements:
            vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
            vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions


            • #7
              Hi
              I deleted the \install directory ages ago when I upgraded, so any idea how this has happened?
              Batter Late than ....... pregnant


              • #8
                There were only ever 2 admin accounts too, mine and the one you guys set up years ago to work on our forums in the early days (we have been using your products since day one almost).
                Batter Late than ....... pregnant


                • #9
                  I think I have fixed my forum.

                  Just to confirm, I had removed my install directory, when I upgraded which must have been a couple of months ago. There are only 2 admins on my forums (one now as I have removed the vbulletin account that they used to fix something years ago).

                  I would like to know how they managed to hack my site?
                  Batter Late than ....... pregnant


                  • #10
                    If they never got in through the install directory, it must be a completely different hack, maybe a plugin or something.


                    • #11
                      Yeah, we got hacked too, in the last 48 hours Indonesian Defacer.
                      Reinstalled the files. DB seems OK.
                      Even when the reinstallation was done I could see the forum and see the threads, but when I clicked on a thread the only thing I could see on the screen was "Choose File- No File Chosen"
                      Turned the plugin/hook system off and regained control of the site.
                      There was nothing in the manage products, but in plugin manager there was a plugin called "Indonesian Defacer". Deleted that plugin, turned the hook/plugin system back on and all seems well.
                      Not 100% certain I'm out of the woods yet but fingers Xed.
                      Was running 4.2.0 Now running 4.2.1
                      ttttt


                      • #12
                        Well, the INSTALL directory, if deleted, does NOT stop these people. I had vB staff do an upgrade (yes, I paid for one); they removed the install directory, and two days later the hackers did their trash. So I performed an upgrade (no changes other than redoing the templates) and all worked fine. And yes, I DELETED the install folder, removed the admin they added, and changed the password on every account from root up to the domain account (and all DB accounts, admin accounts, etc.). ONE day later they are back and forum.php is redirected to their paid advertising. Suggestions?


                        • #13
                          I'm wondering if you protected your admincp and modcp directories, if yes, I have something to worry about also.


                          • #14
                            I think we all have something to worry about.
                            Batter Late than ....... pregnant


                            • #15
                              Although my forum seems to be running OK I still get suspect file versions when I check them via the admin CP
                              Namely index.php and forums.php
                              I have uploaded a complete new install again and nothing has changed.
                              Any help from anyone (not least the VB team) would be greatly appreciated
                              Batter Late than ....... pregnant
