Announcement

Collapse
No announcement yet.

Database Corruption/Hacked FAQ

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • [Forum] Database Corruption/Hacked FAQ

    We recently came under attack where somewhere somehow our site was being reported as containing a malicious script.

    I had recently converted the entire site from straight HTML (with VB forum) to VB Publishing Suite 4.1.8 so that was the only script running. I was having an issue with some table overflow placing my navbits where they were not supposed to be after upgrading to version 4.1.10 and was politely informed by BirdOPrey5 here that he was getting an alert from Google that my site was infected with malware. He provided a link to the Google Webmaster Tools site which was most appreciated! At the same time users started contacting me due to warnings from Norton and other Anti-virus software and when I checked we were actually blacklisted.

    My first reaction was to do all the stuff that the Google Tools recommended (changing passwords, etc). I also reported it to my host (Servint), had a firewall installed, and then tried to find it it! The techs at Servint ran some searches but nothing could be found at the server level. Couldn't find a thing so the next step was to check the VB script or database.

    Since I had just upgraded I was pretty much running native except for the color scheme and whatnot....and as a last ditch effort before shutting down the site I thought I would look through the templates. Imagine my surprise when I found that the footer template was showing red (modified) when I had not modified ANY templates after the upgrade. And that's where it was....some way....some how....a URL pointing to feedyourbrain.com (don't go there) had been inserted into my footer so was then distributing malware from EVERY page on my site. I tried to revert it only to have it show up the next day and then I just deleted it outright and that cleared the site enough to have Google review it and clear it from the blacklist.

    I've been keeping an eye on that template daily and had it show up again just a few days ago. I found it before Google did and did not get blacklisted again fortunately. After reviewing the admin log, it appeared that somehow this hacker had used an email re-direct to get one of my admins password using the retrieval function and then was inserting his crap into the the template. That is at least how it appeared...now I'm not so sure....and here's why:

    To resolve my navbit issue, it was recommended that I create a brand new style with parent just to start over as it appears that my old styles were not compatible with the new 4.1.10 version. Okay....so I did that and the navbit issue did go away....this of course meant that I needed to re-skin the entire site! LOL Okay...time to re-skin the thing and with having to go through practically all of the stylevars in order to maintain our site's theme, it's really important that I go screen by screen to verify exactly what changes when I change each font, background, color, and border to my needs. This is how I found the real root cause of the issue. I had gone through the major sections (Forum, Blog, Home/News, etc) and was going through the sub sections (Private Messages, Calendar, etc) when I clicked on the FAQ and what did I get? And FAQ? No....an actual GUI interface into my entire site!

    This includes navigation into databases, user accounts, files and everything!! I've attached a screen shot so you can see it but will only give out the actual link to a VB admin if he wants to send me a PM.

    At first I thought it was just the faq.php file so I uploaded a clean version from the VB 4.1.10 zip file but that didn't work. I then re-uploaded ALL of the files excluding the Install folder and config file and that didn't work either! My only assumption now is that it is in the database somewhere and now whenever "forums/faq.PHP" is called, it pulls in that site index list instead of the actual FAQ. I mean really.....how often does somebody ever click on their own FAQ? ....smart....but still...what an a-hole!

    I know that I just wrote a book, but I wanted to make sure that this was well documented and that I was very clear on what steps were taken, etc. in case others find themselves in the same boat. I've seen a couple of other threads about malware attacks so I'm thinking that this may be spreading to other VB instances.

    I have renamed the faq.php file in order to take that crap offilne but what I need to know now is.....just how do I recover/restore/rebuild whatever...that FAQ section of the database? I'm not that technical but can follow directions. It was obviously there before the 4.1.10 upgrade so the upgrade doesn't take care of it and my back up would also be screwed. I cannot lose the existing thread and user data so I really just need to replace the one table with a clean version somehow.

    I can open a ticket if need be but like I said..I want to make sure others know about this and and solutions. Thanks much!!

    Site URL: www.warofthering.net
    Admin access: PM me if you need it.

    Click image for larger version

Name:	FAQ Screen.jpg
Views:	1
Size:	98.4 KB
ID:	3722766
    Last edited by Illuvatar; Wed 8 Feb '12, 2:46pm. Reason: spelling
    All who wander are not lost.
    - JRR Tolkien -

  • #2
    Okay....no responses yet but here's a thought....

    Using PHPMyAdmin I can completely drop that FAQ table altogether.....if I do that and run upgrade.php will it rebuild it for me?
    All who wander are not lost.
    - JRR Tolkien -

    Comment


    • #3
      Actually, the point of entrance is probably a plugin assigned to one of your FAQ hooks. The FAQ table only contains linking information and no actual code.
      Translations provided by Google.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API

      Comment


      • #4
        Thanks for getting back to me Luke....

        A friend here at work was just telling me the same....now....he said that it might be in my htaccess file (which I still have to figure out how to get to and check) but how do I check the FAQ hooks that you mentioned? Or is that the same as the htaccess thing?
        All who wander are not lost.
        - JRR Tolkien -

        Comment


        • #5
          Plugins would be in the Admin CP under Plugins / Products -> Plugin Manager.

          Need to review each one manually unfortunately.

          You would access .htaccess with your FTP client like Filezilla Client.
          Translations provided by Google.

          Wayne Luke
          The Rabid Badger - a vBulletin Cloud demonstration site.
          vBulletin 5 API

          Comment


          • #6
            Okay...sorry....didn't see your latest reply.

            I thought about what you posted at 09:55 and logged into the AdminCP>Plugin Manager and sure as **** in the very top section of the plugin System list was one called faq with a hook location of faq_complete.

            I copied out the code inside just so I have it....won't publish it here for obvious reasons and then deleted the plugin.

            Uploaded a new faq.php file and BOOM.....we now have a working FAQ and the vulnerability has been eliminated.

            My guess is that once he had an admin pass that he installed the plugin as well as inserting the malware link into the footer template. This guy was brutal!!!!

            All is well and site is now secure. Thanks Luke for pointing me in the right direction!

            *Edit....just to finalize.....

            To all who may be getting malware warnings:
            #1. Reset all Admin passwords and change email addresses if possible as well.
            #2. Check your AdminCP>Style & Template>Style Manager>Edit Templates and look for any in red (Modified) especially global templates like Header and Footer and ensure that no malware links have been insterted without your knowledge. Remove these links.
            #3. Check your AdminCP>Plugins & Products>Plugin Manager for any plugins that might look suspicious ("faq" for example) and delete them.
            #4. Using Google Webmaster Tools, have Google review your site.

            Good luck!
            Last edited by Illuvatar; Thu 9 Feb '12, 11:36am. Reason: Added stuff
            All who wander are not lost.
            - JRR Tolkien -

            Comment

            widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
            Working...
            X