Announcement

**donald1234** · Fri 18th Oct '13, 4:27am

Have you deleted your install folder?

**xrayhead** · Fri 18th Oct '13, 4:49am

I just FTP into the site and no the install folder is still there with a shed load of files in it!!

**DemOnstar** · Fri 18th Oct '13, 4:52am

Delete install folder, all of it.

**donald1234** · Fri 18th Oct '13, 5:02am

Here is vbulletins advisary for cleaning up after this hack.

First you need to follow our advisory about deleting the install folder off your forums.
Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
Also please see these recent security announcements:
vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

**DemOnstar** · Fri 18th Oct '13, 5:10am

It is a lot to read..but useful.

Basically delete the install folder.
Check your admncp/users and delete any new admins that may have registered.
Then check your plugins to see if any have been created that you don't recognize..Delete them..

Also read the material donald1234 has been kind enough to link for you..They will help you tidy up the place.

**DemOnstar** · Fri 18th Oct '13, 5:17am

See this also..

http://www.vbulletin.com/forum/forum...80#post3995980

http://www.vbulletin.com/forum/forum...47#post3996047

**xrayhead** · Fri 18th Oct '13, 9:48am

I found this in the log files!

And this in the plugins (I have disabled them whilst I try to fix this mess)...

**stevectaylor** · Fri 18th Oct '13, 11:26am

you have this?

http://labs.sucuri.net/db/malware/ma...-mwjsiframe213

your scan here http://sitecheck.sucuri.net/results/...anoeclub.co.uk

**stevectaylor** · Fri 18th Oct '13, 11:29am

And always update your software to the latest. I noticed you are using 4.13

**xrayhead** · Fri 18th Oct '13, 12:19pm

Thanks for the site above! This looks to be more complicated than I first thought :-( I checked the register.php, content.php and forum.php with a text compare tool as I still have the files from when I built the site and there is no changes in them files :-(

Any ideas where I start looking for this peace of **** script some little tosser has inserted?

**Wayne Luke** · Fri 18th Oct '13, 1:59pm

Originally posted by xrayhead View Post

Thanks for the site above! This looks to be more complicated than I first thought :-( I checked the register.php, content.php and forum.php with a text compare tool as I still have the files from when I built the site and there is no changes in them files :-(

Any ideas where I start looking for this peace of **** script some little tosser has inserted?

It is usually in the footer template. People like this aren't very creative.

There are four steps to securing your site. If you don't do them all or you do them in the wrong order than you're still susceptible to being attacked again.

Close the hole... This has three subparts in this instance.

Delete your install folder
Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.

Fill the Hole... There are seven subparts in this instance.

Review your files for changes. You can do this under Maintenance -> Diagnostics.
Delete any Suspect Files.
Replace any files marked as "Does not contain expected contents"
Scan your plugins for malicious code (exec, base64, system, pass_thru, iframe are all suspect keywords). Delete any you find.
Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
Update your Addon Products.
Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.

Secure the Hole
Parts of this were done by closing the hole but there are still things to do here.

Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
Create a lower permission Administrator for every day use.
Review your permissions in the system.
Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
Move your attachments outside the forum root directory.
Create a complete backup of your site. Make database backups weekly.

Vigilance
You need to keep active on the security of the site.

Give out the fewest permissions necessary for anyone to do their job
Make sure your hosting provider updates the software.
Update to the latest vBulletin when it is released.
Make sure your addons are always up to date.

**xrayhead** · Sat 19th Oct '13, 12:06am

Hi Guy's

I am struggling with a couple of things here, so far I have done the following by reading this thread: http://www.vbulletin.com/forum/blogs...ve-been-hacked but have a couple of questions as well.

1. I have deleted the "Install" folder and all of it's contents
2. I changed my CPanel, FTP and Admincp passwords
3. I have removed 8 "Admin User Accounts " that where defiantly used buy the attacker
4. I have disabled and removed the plugin titled "Product : vBulletin"

Next steps I will need some help with!

At present I do not have a database backup, I have sent a support request to my hosting company and am awaiting a reply on that.

QUESTIONS?

1. Before I deleted the plugin "Product : vBulletin" I took detailed screen captures and notes of the scripts that were run. Would it help if I added this information here?

2. Can I view a log of any database changes that were added by the hacker

3. "Restoring the default vBulletin files"

If I delete all my vBulletin files Version "4.1.5" on the server and upload "the latest stable version 4.2.2", then run the upgrade (Basically following the upgrade procedure) will this error or clear any database changes the hacker has done, or am I better to just re-upload and overwrite all the 4.1.5 files I have on there at present to see if that clears it?

I plan to dump the database and back that up before I run any upgrade.

Many thanks for your help so far.

**stevectaylor** · Sat 19th Oct '13, 2:26am

Upload the latest version, should overwrite the files. Not sure if restore files you actually mean revert templates in the admincp ?

**xrayhead** · Sat 19th Oct '13, 3:25am

Originally posted by stevectaylor View Post

Upload the latest version, should overwrite the files. Not sure if restore files you actually mean revert templates in the admincp ?

I've updated my post so it makes more sense...

Also this really isn't looking very good at all :-( http://vbtechsupport.com/2355/4/

vBulletin 4 End of Life

Announcement

Please help - Malicious code inserted into my forum!!

Please help - Malicious code inserted into my forum!!

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Related Topics