Please help - Malicious code inserted into my forum!!
  • Mark.B
    replied
    This thread is almost five years old....no real benefit in bumping it now.



  • Mattwhf
    replied
    xrayhead you can try Mod_Security Rules from Malware.Expert and install it on WHM/cPanel, Plesk or Directadmin here https://forumweb.hosting/marketplace...ty-rules.1620/ to protect your forum from malware and viruses.

    Hope it helps!



  • Zachery
    replied
    1. Not really.
    2. Not unless your webhost has binary logging on, and that is very unlikely.
    3. It will update the site, but it will not explicitly remove malicious things he has done. Though you should still upgrade, you still need to do the rest of the cleanup steps.



  • xrayhead
    replied
    Originally posted by Zachery View Post
    Wayne went through in COMPLETE detail on how to fix the issue, did you not follow that? Does that not count as help? I'm confused

    http://www.vbulletin.com/forum/forum...89#post4002489
    And I'm VERY grateful for that!

    QUESTIONS?

    1. Before I deleted the plugin "Product : vBulletin" I took detailed screen captures and notes of the scripts that were run. Would it help if I added this information here?
    It may benefit other users with the same issue and also enable some investigation into what the attack was trying to do and achieve!

    2. Can I view a log of any database changes that were added by the hacker?
    Looking at the scripts, I think I was lucky, as the attack failed at some point and only my templates were changed. I'm not sure about .php edits, so I just deleted all of them and started again.

    3. "Restoring the default vBulletin files"

    If I delete all my vBulletin files Version "4.1.5" on the server and upload "the latest stable version 4.2.2", then run the upgrade (Basically following the upgrade procedure) will this error or clear any database changes the hacker has done, or am I better to just re-upload and overwrite all the 4.1.5 files I have on there at present to see if that clears it?
    I deleted ALL the vBulletin files on the server and copied back up the 4.1.5 files, removed my styles and re-installed them. I plan to upgrade to 4.2.2 this week.

    Regards

    Lee



  • Zachery
    replied
    Wayne went through in COMPLETE detail on how to fix the issue, did you not follow that? Does that not count as help? I'm confused

    http://www.vbulletin.com/forum/forum...89#post4002489



  • xrayhead
    replied
    Well I don't see any vBulletin staff helping out with this thread! I'm sure there are many other people in the same boat as me that had their site hacked.

    I managed to get a security guy to have a look at the code that was inserted. It was encrypted, but he managed to decrypt it and look more into what it was doing. After looking into it more, it would seem I was more fortunate than others and the database was not compromised, however I still can't be 100% sure of this.

    I have now removed ALL the files from the server and replaced them with fresh ones, deleted the styles I had (lost all my hard work) and added new ones! This seems to have cleared the site up and it's now scanning as clean from malware.

    PS: I noticed I'm not getting any news posts in my ACP?



  • semprot
    replied
    Originally posted by xrayhead View Post
    Still looking into this and still waiting for some advice!

    This is a list of the actions performed by the plugin listed - Product: vBulletin
    Here's a complete list of the plugins I have at present:

    http://i38.photobucket.com/albums/e1...ps3a31cc3e.png



    PS: Waiting for advice before I upgrade to 4.2.2
    1. Make sure all FTP, SSH and cPanel access has been secured (passwords changed) and the main admin password has been changed, to avoid direct file changes / file uploads to your forum.
    2. Open your includes/config.php and add this somewhere after <?php

    (for example on the 10th line)

    PHP Code:
    define('DISABLE_HOOKS', true);
    That will make sure all plugins are disabled. Make sure the hacker doesn't have file edit access, so he can't edit your config.php to delete this line.

    3. Do the rest: clean up malicious accounts, plugins and template edits.
    4. Inspect all modified PHP files in your forum: admincp > diagnostic (I think) > suspect file version.
    5. Do the first step once again.
    6. When you are sure you are safe, delete the line which was added in step 2.



  • xrayhead
    replied
    Still looking into this and still waiting for some advice!

    This is a list of the actions performed by the plugin listed - Product: vBulletin
    Here's a complete list of the plugins I have at present:

    http://i38.photobucket.com/albums/e1...ps3a31cc3e.png



    PS: Waiting for advice before I upgrade to 4.2.2



  • xrayhead
    replied
    Originally posted by stevectaylor View Post
    Upload the latest version, should overwrite the files. Not sure if restore files you actually mean revert templates in the admincp ?
    I've updated my post so it makes more sense...

    Also this really isn't looking very good at all :-( http://vbtechsupport.com/2355/4/
    Last edited by xrayhead; Sat 19th Oct '13, 3:51am.



  • stevectaylor
    replied
    Upload the latest version, should overwrite the files. Not sure if restore files you actually mean revert templates in the admincp ?



  • xrayhead
    replied
    Hi Guys

    I am struggling with a couple of things here, so far I have done the following by reading this thread: http://www.vbulletin.com/forum/blogs...ve-been-hacked but have a couple of questions as well.

    1. I have deleted the "Install" folder and all of its contents
    2. I changed my cPanel, FTP and Admincp passwords
    3. I have removed 8 "Admin User Accounts" that were definitely used by the attacker
    4. I have disabled and removed the plugin titled "Product : vBulletin"

    Next steps I will need some help with!

    At present I do not have a database backup, I have sent a support request to my hosting company and am awaiting a reply on that.

    QUESTIONS?

    1. Before I deleted the plugin "Product : vBulletin" I took detailed screen captures and notes of the scripts that were run. Would it help if I added this information here?

    2. Can I view a log of any database changes that were added by the hacker?

    3. "Restoring the default vBulletin files"

    If I delete all my vBulletin files Version "4.1.5" on the server and upload "the latest stable version 4.2.2", then run the upgrade (Basically following the upgrade procedure) will this error or clear any database changes the hacker has done, or am I better to just re-upload and overwrite all the 4.1.5 files I have on there at present to see if that clears it?

    I plan to dump the database and back that up before I run any upgrade.

    Many thanks for your help so far.
    Last edited by xrayhead; Sat 19th Oct '13, 3:25am.



  • Wayne Luke
    replied
    Originally posted by xrayhead View Post
    Thanks for the site above! This looks to be more complicated than I first thought :-( I checked the register.php, content.php and forum.php with a text compare tool as I still have the files from when I built the site and there are no changes in those files :-(

    Any ideas where I start looking for this piece of **** script some little tosser has inserted?
    It is usually in the footer template. People like this aren't very creative.

    There are four steps to securing your site. If you don't do them all or you do them in the wrong order then you're still susceptible to being attacked again.

    Close the hole... This has three subparts in this instance.
    1. Delete your install folder
    2. Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
    3. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.
    Fill the Hole... There are seven subparts in this instance.
    1. Review your files for changes. You can do this under Maintenance -> Diagnostics.
    2. Delete any Suspect Files.
    3. Replace any files marked as "Does not contain expected contents"
    4. Scan your plugins for malicious code (exec, base64, system, pass_thru, iframe are all suspect keywords). Delete any you find.
    5. Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
    6. Update your Addon Products.
    7. Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.
    Secure the Hole
    Parts of this were done by closing the hole but there are still things to do here.
    1. Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
    2. Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
    3. Create a lower permission Administrator for every day use.
    4. Review your permissions in the system.
    5. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
    6. Move your attachments outside the forum root directory.
    7. Create a complete backup of your site. Make database backups weekly.
    Vigilance
    You need to keep active on the security of the site.
    1. Give out the fewest permissions necessary for anyone to do their job
    2. Make sure your hosting provider updates the software.
    3. Update to the latest vBulletin when it is released.
    4. Make sure your addons are always up to date.

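Wayne's "Fill the Hole" step 4 (scan your plugins for suspect keywords) as an added example, not code from this thread or from vBulletin: a Python scanner run over constructed rows shaped like vBulletin's plugin table (title, hookname, phpcode). Because the inserted code in this thread was encoded, it also decodes any long base64 blob and scans the decoded layers; the extra obfuscation helpers beyond Wayne's list (eval, gzinflate, str_rot13, shell_exec) and the example.invalid URL are my assumptions.

```python
import base64
import re

# Wayne Luke's suspect keywords (exec, base64, system, pass_thru, iframe),
# plus common obfuscation helpers that are my assumption, not from the thread.
SUSPECT = ["exec", "shell_exec", "base64_decode", "system", "passthru",
           "eval", "gzinflate", "str_rot13", "iframe"]
SUSPECT_RE = re.compile(r"\b(" + "|".join(map(re.escape, SUSPECT)) + r")\b", re.I)
# Long runs of base64 alphabet, as used by the encoded payload in this thread.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_layers(code, depth=3):
    """Yield the code itself, then every base64 blob in it, decoded recursively."""
    yield code
    if depth == 0:
        return
    for blob in B64_RE.findall(code):
        try:
            inner = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:  # not real base64 (binascii.Error is a ValueError)
            continue
        yield from decode_layers(inner, depth - 1)


def scan_plugins(plugins):
    """Map plugin title -> sorted suspect keywords found in any decoded layer."""
    findings = {}
    for plugin in plugins:
        hits = set()
        for layer in decode_layers(plugin["phpcode"]):
            hits.update(m.lower() for m in SUSPECT_RE.findall(layer))
        if hits:
            findings[plugin["title"]] = sorted(hits)
    return findings


# Constructed sample rows shaped like vBulletin's plugin table; the first mimics
# the rogue "Product : vBulletin" plugin from the thread with an encoded body.
PAYLOAD = base64.b64encode(
    b'system($cmd); echo "<iframe src=\\"http://example.invalid/\\"></iframe>";'
).decode()
SAMPLE_PLUGINS = [
    {"title": "Product : vBulletin", "hookname": "global_start",
     "phpcode": 'eval(base64_decode("' + PAYLOAD + '"));'},
    {"title": "Signature tidy (legit)", "hookname": "postbit_display_complete",
     "phpcode": '$post["signature"] = trim($post["signature"]);'},
]
```

A plain keyword grep on the raw phpcode would only see eval and base64_decode; the decoded layer is what exposes the system call and the injected iframe.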


  • xrayhead
    replied
    Thanks for the site above! This looks to be more complicated than I first thought :-( I checked the register.php, content.php and forum.php with a text compare tool as I still have the files from when I built the site and there are no changes in those files :-(

    Any ideas where I start looking for this piece of **** script some little tosser has inserted?



  • stevectaylor
    replied
    And always update your software to the latest. I noticed you are using 4.13



  • stevectaylor
    replied
    You have this?

    http://labs.sucuri.net/db/malware/ma...-mwjsiframe213

    your scan here http://sitecheck.sucuri.net/results/...anoeclub.co.uk
