Site Hacked
-
I do not believe this is a hack, frankly, a ridiculous thread was opened, the first ad does not put any sane hackers hack the pages. The second issue here in the form of hacking a site that has been opened and the solution is not sought.
If you are really hacking, please send me the FTP details. How to Hack if a site is the site for you, I'd saved.
Comment
-
Originally posted by Seo Engineer
I do not believe this is a hack, frankly, a ridiculous thread was opened, the first ad does not put any sane hackers hack the pages. The second issue here in the form of hacking a site that has been opened and the solution is not sought.
If you are really hacking, please send me the FTP details. How to Hack if a site is the site for you, I'd saved.
Comment
-
Originally posted by sdfontanini
I get a 404 Error in my browser when I go to www.coloradoevo.com/admincp
This is getting frustrating...
I can not find any index.html files in my root folder, not sure how this thing is working... completely baffled
Originally posted by sdfontanini
can someone post their .htaccess code, not sure what it's supposed to look like
Wayne Luke
The Rabid Badger - a vBulletin Cloud demonstration site.
vBulletin 5 API
Comment
-
Check your template spacer_open. I cleaned up a forum this morning with a similar redirect. There was base64 encoded code in that template causing every page to redirect because every forum page uses that template.
Use phpMyAdmin to check your template table manually if you have to. Look for spacer_open, and see if you have encoded text.
Comment
-
Originally posted by BirdOPrey5
Check your template spacer_open. I cleaned up a forum this morning with a similar redirect. There was base64 encoded code in that template causing every page to redirect because every forum page uses that template.
Use phpMyAdmin to check your template table manually if you have to. Look for spacer_open, and see if you have encoded text.
<!-- open content container -->
<if condition="$show['old_explorer']">
<table cellpadding="0" cellspacing="0" border="0" width="$stylevar[outertablewidth]" align="center"><tr><td class="page" style="padding:0px $stylevar[spacersize]px 0px $stylevar[spacersize]px">
<else />
<div align="center">
<div class="page" style="width:$stylevar[outerdivwidth]; text-align:$stylevar[left]">
<div style="padding:0px $stylevar[spacersize]px 0px $stylevar[spacersize]px" align="$stylevar[left]">
</if>
Comment
-
Is the problem solved!!
Cuz I was a hacker and I know what hackers do,
so I can help u [email protected]!
Comment
-
I believe they used Perl to overwrite or mask my pages forum directory.
I deleted a few directories that weren't originally in the root folder, including:
perl
perl5
Now I have the following additional folders:
.cpan - deleted
.HttpRequest
.MirrorSearch
Last edited by sdfontanini; Sat 14 Jan '12, 4:47pm.
Comment
-
Went through these steps with no luck
Originally posted by wayne luke
Here are the steps to check for hacks:
1) Run suspect file diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.
Deleted all suspected files
2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.
Updated, as I updated vBulletin again to 4.1.10
3) Search all templates for iframe tags. They should only appear in the following templates: Bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type
There's a million templates, how would someone search through all of them?
4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you.
Not sure how to do this step
5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.
Disabled all plugins
6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.
Query for step 4 and 5 -
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%';
7) Run this query:
SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%';
It checks the templates for compromising code.
Lost with this one
8) Check .htaccess to make sure there are no redirects there. This isn't a vBulletin issue but customers really don't understand that.
My .htaccess file is completely empty, nothing in the file......
After a few quick checks, it looks like a basic template replacement scheme. Step 7 should expose such a scheme.
Comment
-
When I re-ran the suspect file versions, these files were again suspect:
forum.php - File not recognized as part of vBulletin
index.php - File does not contain expected contents
/clientscript
vbulletin-read-marker.js - File not recognized as part of vBulletin
vbulletin-threadbit.js - File not recognized as part of vBulletin
vbulletin_global.js - File not recognized as part of vBulletin
/includes/cron
vbcms_dailycleanup.php - File not recognized as part of vBulletin
Please help, my forum has now been down almost a month and people are getting sorta upset..
Comment
-
Steps 3, 4, 5, 6, & 7, which involve 'looking' in the templates or plugins for things, mean you need to look at these things in the database. Run a query in your template table looking for 'iframe' or in your plugins looking for 'base64'. You may want to consider hiring someone to do this if you aren't wanting to learn (Google is a BIG help here!) how to do this yourself.
Easiest thing would have been to upload a database backup from before you were hacked (which you seem to have never made). Please do yourself a favor and spend the time right now that you would normally spend on your forum and learn how to make database backups and how to import them into a new database. It will be time well spent for the next time this may happen.
Please don't PM or VM me for support - I only help out in the threads.
vBulletin Manual & vBulletin 4.0 Code Documentation (API)
Want help modifying your vbulletin forum? Head on over to vbulletin.org
If I post CSS and you don't know where it goes, throw it into the additional.css template.
W3Schools <- awesome site for html/css help
Comment
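The template checks from steps 3 and 7 above, as an added example that is not part of any post in this thread and is not vBulletin's own tooling. It assumes the rows returned by the step 7 query (styleid, title, template) have been exported into Python tuples; the function names and the sample rows are hypothetical, and it goes slightly beyond the queries by matching function calls instead of bare words and by decoding base64-looking runs so the hidden text can be read.

```python
import base64
import re

# Templates that step 3 of the checklist allows to contain iframes.
IFRAME_ALLOWLIST = set(
    "bbcode_video editor-ie.css member.css stylegenerator.css vbcms.css vbulletin.css "
    "help_bbcodes humanverify_recaptcha search_common search_common_select_type".split())
# Match function calls only; LIKE '%system%' also hits ordinary words.
CALL_RE = re.compile(r"\b(exec|system|passthru)\s*\(", re.I)
IFRAME_RE = re.compile(r"<\s*iframe\b", re.I)
# Runs of 40+ base64-alphabet characters; shorter runs are usually plain text.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_blobs(body):
    """Return readable ASCII decodings of base64-looking runs in a template."""
    decoded = []
    for blob in B64_RE.findall(body):
        try:
            padded = blob + "=" * (-len(blob) % 4)
            text = base64.b64decode(padded, validate=True).decode("ascii")
        except ValueError:  # not valid base64, or not ASCII once decoded
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded

def scan_templates(rows):
    """rows: (styleid, title, template) tuples. Returns suspicious templates."""
    findings = []
    for styleid, title, body in rows:
        reasons = []
        if IFRAME_RE.search(body) and title.lower() not in IFRAME_ALLOWLIST:
            reasons.append("iframe outside allowlist")
        reasons += ["call to %s()" % m.group(1).lower() for m in CALL_RE.finditer(body)]
        if "base64" in body.lower():
            reasons.append("base64 reference")
        hidden = decode_blobs(body)
        if hidden:
            reasons.append("encoded text decodes to readable content")
        if reasons:
            findings.append((styleid, title, reasons, hidden))
    return findings

# Constructed sample rows (not taken from the thread's database).
_BLOB = base64.b64encode(b"constructed placeholder for hidden redirect markup").decode()
SAMPLE_ROWS = [
    (1, "bbcode_video", '<iframe src="$url"></iframe>'),
    (2, "spacer_open", "<div class=\"page\">base64_decode('%s')" % _BLOB),
    (2, "footer", "Operating system requirements <iframe src='x'></iframe>"),
]
```

Calling `scan_templates(SAMPLE_ROWS)` returns one tuple per suspicious template with the reasons and any decoded text, so a tampered spacer_open stands out without opening every template by hand.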