Site was hacked again!!

  • Zachery
    replied
    There isn't much we can do if you don't have complete backups.



  • เคอุน
    replied
    Thanks to all of you.

    I tried to restore my backup database, but all of the attachments are not shown. Any suggestion?

    I stored my attachments in the file system and they were gone after the hacker. I used recovery software and it looked like most of the files are corrupted.



  • purplesage
    replied
    Look at your AdminCP logs as well. You might see when the plugins were installed and the IP addresses of the hacker; it can give you some idea of what was installed.
    Systematically follow the guidelines. Look at your index and content.php files on your server, in all directories.



  • aag321
    replied
    I had the same problem. What Zachery said is perfect. I followed the hacked guide and have been fine since.

    http://www.vbulletin.com/forum/forum...oting/3995869-

    Watch out for code in the plugins that has self-generating PHP code. (Yes, the C99 shell is what I found too.)

    Once you have cleaned the plugins, make sure the hacker hasn't created another backdoor in another PHP file that doesn't live in the vBulletin directory.

    Cheers,

    AAG



  • เคอุน
    replied
    At least you should inform your customers that the script the hacker uses is c99madshell!! From my research this script can do more than you explain; read http://www.derekfountain.org/security_c99madshell.php.

    I have backed up the vBulletin database and restored it on my notebook. I found that this script can access every drive and every folder on my notebook. The script can also access MySQL directly!! I have 8 websites on my server. They can get everything, every password!!

    This is the worst day from vBulletin!!
    Last edited by เคอุน; Sun 8 Dec '13, 9:44pm.



  • Zachery
    replied
    First you need to follow our advisory about deleting the install folder off your forums.
    Then please read the following two blog posts:
    http://www.vbulletin.com/forum/blogs...ve-been-hacked
    http://www.vbulletin.com/forum/blogs...vbulletin-site
    Also please see these recent security announcements:
    vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
    vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions
    There are four steps to securing your site. If you don't do them all, or you do them in the wrong order, then you're still susceptible to being attacked again.
    Close the hole...
    This has three subparts in this instance.
    1. Delete your install folder
    2. Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
    3. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.
    Fill the Hole...
    There are seven subparts in this instance.
    1. Review your files for changes. You can do this under Maintenance -> Diagnostics.
    2. Delete any Suspect Files.
    3. Replace any files marked as "Does not contain expected contents"
    4. Scan your plugins for malicious code (exec, base64, system, pass_thru, iframe are all suspect keywords). Delete any you find.
    5. Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
    6. Update your Addon Products.
    7. Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.
    Secure the Hole
    Parts of this were done by closing the hole but there are still things to do here.
    1. Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
    2. Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
    3. Create a lower permission Administrator for every day use.
    4. Review your permissions in the system.
    5. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
    6. Move your attachments outside the forum root directory.
    7. Create a complete backup of your site. Make database backups weekly.
    Vigilance
    You need to keep active on the security of the site.
    1. Give out the fewest permissions necessary for anyone to do their job
    2. Make sure your hosting provider updates the software.
    3. Update to the latest vBulletin when it is released.
    4. Make sure your addons are always up to date.

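The plugin review in the "Fill the Hole" steps above is easier to do consistently with a small scanner. This is an added example, not vBulletin's own code or any tool from this thread: it flags the suspect keywords Zachery lists (exec, base64, system, pass_thru, iframe) plus eval() in PHP source, whether that source comes from files on disk or from plugin hook code exported out of the AdminCP. The two plugin snippets are constructed samples, and every hit still needs a human decision.

```python
"""Added example (not vBulletin's own code): flag suspect constructs in PHP
source so a post-compromise plugin/file review can be done systematically."""
import re
from pathlib import Path

# Keywords from the cleanup guide, plus eval(); each hit is a review item, not proof.
SUSPECT_PATTERNS = {
    "exec":     re.compile(r"\b(?:shell_)?exec\s*\(", re.I),
    "system":   re.compile(r"\bsystem\s*\(", re.I),
    "passthru": re.compile(r"\bpass_?thru\s*\(", re.I),
    "base64":   re.compile(r"\bbase64_(?:decode|encode)\s*\(", re.I),
    "eval":     re.compile(r"\beval\s*\(", re.I),
    "iframe":   re.compile(r"<iframe\b", re.I),
}

def scan_source(source, name="<memory>"):
    """Return (name, line_no, tag, stripped line) for every suspect line."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for tag, pattern in SUSPECT_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, line_no, tag, line.strip()))
    return findings

def scan_tree(root):
    """Scan every .php file below root (forum root, includes, or a plugin export dir)."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        findings.extend(scan_source(path.read_text(errors="replace"), str(path)))
    return findings

# Constructed samples: a benign hook and one shaped like a planted backdoor.
CLEAN_PLUGIN = """<?php
$vbulletin->options['myaddon_enabled'] = true;
"""
SUSPECT_PLUGIN = """<?php
$p = base64_decode($_REQUEST['c']);
eval($p);
"""

if __name__ == "__main__":
    for hit in scan_source(CLEAN_PLUGIN, "clean") + scan_source(SUSPECT_PLUGIN, "suspect"):
        print("%s:%d [%s] %s" % hit)
```

Run scan_tree() against a copy of the site and against a fresh vBulletin download of the same version; a construct that appears only in the live copy is the first thing to look at.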


  • เคอุน
    started a topic Site was hacked again!!

    I used vB 4.1.12.

    Last time they just changed index.php and inserted a user with administrator level into the database. I followed your instructions to delete the install folder and looked for suspicious files. I also deleted those suspicious users. Everything looked fine after that.


    This time they deleted all files in root directory. How could this happen?!!!
