
jforjustice.co.uk/banksters - Hacked


  • #46
    Originally posted by pgowder:
    I just got hit. I had vBSEO installed but not turned on.

    I've turned off plugins, but still can't get into the site?

    Any ideas?

    Even if VBSEO is turned off the php files are still on your server.

    Do you have any other admins that can change your password for you?



    • #47
      I've been following this thread after some posts in our forum were hijacked and a simple JavaScript redirect was set up to forward members attempting to view thread to the jforjustice website. We updated our forum to v3.8.7 PL2 and the latest version of VBSEO, which is the only plugin we use. I checked for any new plugins and none exist. Problem is that I couldn't find any reference to the JavaScript code anywhere so I downloaded all files to my PC and Microsoft Security Essentials picked up the following 2 suspicious files, which were identified as backdoor scripts:

      <vb root>/images/avatars/b.php
      <vb root>/images/avatars/_error.php

      I'm now going to scan all files and see if I can find the JavaScript code embedded somewhere.

      vB has been a nightmare of late, with 3 of our sites falling victim to uploaded phishing site attacks and now the justice league. Pain in the butt!

      Regards,
      Asim



      • #48
        Found the following in pagetext_html field of the postparsed table:

        <SCRIPT language="JavaScript">window.location="http://jforjustice.co.uk/banksters";</SCRIPT>

        How can I prevent this happening again?



        • #49
          Need to remove the primary point of infection. If it is the vBulletin software or one of your addons, the steps previously posted will expose it. Until you find that point of infection, you will see this over and over and over again. Removing that line just removes the result of the infection, not the infection itself.

          Going from other comments, the primary point seems to be insecure addons so you should either remove your addons or verify that they are free from exploitable issues.
          Translations provided by Google.

          Wayne Luke
          The Rabid Badger - a vBulletin Cloud customization and demonstration site.
          vBulletin 5 Documentation - Updated every Friday. Report issues here.
          vBulletin 5 API - Full / Mobile
          I am not currently available for vB Messenger Chats.



          • #50
            Thanks for the advice, but we couldn't find any primary point of infection, but believe it may have been in the outdated version of VBSEO. All files are patched now so it's a matter of wait and see.



            • #51
              See: http://www.vbseo.com/f5/faqs-rogue-p...release-52862/

              Wayne Luke


              • #52
                I have run the vBSEO check utility and it reports everything is OK. The thread highlights all the issues with vBSEO and they have also kindly provided a suspicious activity tracking plugin, which I have installed. I guess the next thing is to password protect the admincp directory using .htaccess

                Thanks again for your advice, it's been very useful...



                • #53
                  Originally posted by asimj:
                  I guess the next thing is to password protect the admincp directory using .htaccess
                  I suggest this for the first thing after a new installation. Renaming it helps a bit as well but isn't as important.

                  Wayne Luke


                  • #54
                    Informative link. Thank you!


                    • #55
                      Make sure to patch your vBulletin tonight with the new patch release. It will help secure things.

                      Wayne Luke


                      • #56
                        Our vb site fishsniffer.com was hacked as well by the same install...and redirect. It is proving to be a real cluster to try and repair all the damage done. We are now on day three of attempting to repair and restore. None of these tweaks and tricks are making headway. Suspect is the hack installed with the vBSEO upgrade. Many very unhappy campers! :-(



                        • #57
                          Turn off JavaScript in your browser, then view your site. With JavaScript off you won't be forwarded to the hacker's site.

                          Then view HTML Source of your page and find instances of jforjustice.co.uk that will give you some clue where they are. I cleaned up a site last week; the code was in the "Forum Name" setting in Admin CP -> Settings -> Options -> Site Name / URL / Contact Details AND in the setting for the mod VB Ad Management.



                          • #58
                            I was hit again, this is getting old now..



                            • #59
                              Originally posted by motoxer311:
                              I was hit again, this is getting old now..

                              Did you password protect the admincp directory?

                              Also, if any admin accounts have been compromised you need them to reset their password, and make sure their email address is correct. When you password protect the admincp directory, only give the login details to your admins via a contact method where you can be sure you are talking to them. Posting the details in a private message or usergroup specific forum is going to allow the hackers to see the login details.

                              You'll also want to password protect any phpmyadmin installations, look in your customavatar dir for any php files (there should be NONE, delete if there are any).

                              You can set usergroups up to require a password change every X amount of days, this is probably a good practice too.

                              Comment
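
The two checks that posts #47, #48, #57 and #59 describe (PHP files in avatar directories, and the script redirect in cached post HTML or page source) can be run as a sweep over a downloaded copy of the site and a database dump. This is an added example, not part of any post and not vBulletin or vBSEO tooling; the function names, the forum.example host and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: clean-up triage for the checks discussed in this thread.
# Directory names follow the posts; adjust them to your install.

# Print script-capable files under upload directories, where there should
# be none. Covers .php, numbered variants, .phtml, .phar and double
# extensions such as name.php.jpg, case-insensitively.
find_php_in_uploads() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php.*' \) -print
    done
}

# Print file:line:text for every script redirect to an absolute URL whose
# host is not own_host. Run it over saved page source or a database dump.
find_offsite_redirects() {
    own_host=$1; shift
    pat="window\.location(\.href)?[[:space:]]*=[[:space:]]*[\"']https?://"
    grep -rIinE -- "$pat" "$@" 2>/dev/null |
        grep -viF -e "//$own_host/" -e "//$own_host\"" -e "//$own_host'" || true
}

# Constructed sample: one dropped script and one injected cached post.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/images/avatars" "$root/dump"
    : > "$root/images/avatars/avatar1_1.gif"
    echo '<?php /* placeholder */ ?>' > "$root/images/avatars/b.php"
    echo '<SCRIPT language="JavaScript">window.location="http://jforjustice.co.uk/banksters";</SCRIPT>' \
        > "$root/dump/postparsed.sql"
    echo '<script>window.location="http://forum.example/index.php";</script>' \
        > "$root/dump/clean.html"
    echo "$root"
}

root=$(make_sample_tree)
find_php_in_uploads "$root/images/avatars" "$root/customavatar"
find_offsite_redirects forum.example "$root/dump"
rm -rf "$root"
```

A hit from either function shows a result of the compromise, not how the attacker got in, so the entry point still has to be found and closed as post #49 says.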


                              • #60
                                How can you pw protect a directory?

                                Comment
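
One way to do what posts #52, #53 and #59 recommend, written as an added example that is not part of any post: a helper that puts HTTP Basic authentication in front of the admincp directory. It assumes Apache with .htaccess overrides for authentication enabled; the function name, realm text and paths are illustrative.

```shell
#!/bin/sh
# Added example, assuming Apache with AllowOverride AuthConfig.
# protect_dir DIR PASSWD_FILE WEBROOT
# Writes DIR/.htaccess requiring a valid user from PASSWD_FILE. The password
# file must be an absolute path outside WEBROOT so it cannot be downloaded,
# and an existing .htaccess is never overwritten.
protect_dir() {
    dir=$1; passwd_file=$2; webroot=$3
    case $passwd_file in
        "$webroot"/*) echo "refusing: $passwd_file is inside the web root" >&2
                      return 1 ;;
        /*) ;;
        *) echo "refusing: $passwd_file is not an absolute path" >&2
           return 1 ;;
    esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if [ -e "$dir/.htaccess" ]; then
        echo "refusing: $dir/.htaccess exists, merge by hand" >&2
        return 1
    fi
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Admin area"
AuthUserFile "$passwd_file"
Require valid-user
EOF
}

# Typical use, then create the first user (-c creates the file, -B = bcrypt):
#   protect_dir /var/www/forum/admincp /home/site/htpasswd-admincp /var/www/forum
#   htpasswd -c -B /home/site/htpasswd-admincp adminname

# Demonstration against a constructed temporary tree.
demo=$(mktemp -d) && mkdir -p "$demo/www/admincp"
protect_dir "$demo/www/admincp" "$demo/htpasswd-admincp" "$demo/www" &&
    cat "$demo/www/admincp/.htaccess"
rm -rf "$demo"
```

Basic authentication sends the password with every request in an easily decoded form, so serve the protected directory over HTTPS.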
