Announcement

Collapse
No announcement yet.

Site Hacked! Need Help With Clean-Up & Ongoing Security

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • [Forum] Site Hacked! Need Help With Clean-Up & Ongoing Security

    One of my vbulletin websites was hacked and infected with the file2store.info redirection malware - and the shared VPS I was on got compromised so at least one other site was affected.

    I am well on the way towards cleaning-up the site, but the conversations related to "how to clean up a hacked vbulletin website" are scattered across here (and other sites) so much so that I found pieces of good information across maybe 75 threads in 500+ posts. I'd like to get focused in this thread if we can so people running vbulletin 4.1.x can get help in 2012 on how to clean up their hacked site.

    CLEAN UP
    So the question is - how do I go about cleaning up the site of all malware and how can I know when I'm done?
    So I've identified that I was hacked. I saw the redirection happen on the site, I saw the code added to my server and I had my web host scan the entire server to check for compromised files (and they found some).

    SCOPE: I assume this means that I will have to deal with:

    1. vBulletin website files
    2. vBulletin plug-ins
    3. database content
    4. Server files not related to vbulletin.


    PROCESS: what's the first thing to focus on? Where do I start?

    1. I removed the compromised .htaccess file and replaced it with a backup.
    2. The robots.txt file was changed so I pretty much cut that down to nothing.
    3. I got so freaked out that I moved from a VPS to a dedicated server
    4. I had my host install a new firewall and antivirus/malware software that runs nightly


    CHECKING FOR HACKS: Once the obvious stuff is fixed, how do I work through potentially compromised files?

    1. This post on "Steps to check for hacks" gives a lot of the steps, but it doesn't tell me what to do with the information that I find.
    2. I ran Maintenance > Diagnostics > Suspect File Versions and at least 200 total files that show me notes like this:

    1. README.txt - File not recognized as part of vBulletin
    2. blog_subscription.php - File does not contain expected contents
    3. blog_search.php - File version mismatch: found 4.0.8 Patch Level 2, expected 2.0.0


    How can I tell what all of these mean? There are just simply too many of them (200+?) for me to quickly go through.
    I assume most of them are remnants from old versions of vb or plug-ins that didn't get removed properly. Some could be hacks though.

    Should I just upload a new copy of vbulletin and nuke the old one?
    - Should I just start over with a new copy of the vb files (4.1.11 - the latest version as of this writing)?
    - Move over the images that are related to the site (attachments, avatars, etc - what should I look for?)
    - Put my plug-ins back one at a time
    - anything else that needs to be done if I do this? I assume I would look at the config.php file pretty hard to make sure that it's not compromised.

    What about the Database?
    - I ran the steps that include database checks, and it did come back with a few results -- but are they normal or not?
    - The SQL statement for steps 4&5 came back with 3 results.
    - The SQL statement for step 7 came back with nearly 30 results.
    - How can I know if these are clearly hacks or if they are normal? I don't really want to upload chunks of code, but I don't know for sure that they are hacks so I don't want to delete them (and I don't want to ignore them either).

    ANYTHING ELSE?
    - I'm pretty familar with all of this, but like a lot of people I'm stuck where I'm not sure if I need a server management companies to do all of this for me ($300/month - although it would have been worth it for sure) or if I can take care of it myself and be 99.5% confident that I won't get hacked again.

    Thanks! I look forward to hearing from people on how I can work through
    sigpic
    Life is just a Big Skid

  • #2
    * File not recognized as part of vBulletin
    That means it is not a default vbulletin file.

    *File does not contain expected contents
    That means it is a recognized file but it doesn't contain the expected default text.

    *File version mismatch: found 4.0.8 Patch Level 2, expected 2.0.0
    That means it sees an older version of the file that is the wrong version for the database version you have.

    It is a good idea after you get hacked to download a new copy of your version of vbulletin from the members area and reupload all new default files.

    It would also be a good idea to reupload all new modification files/plugins. This will allow you to make sure you are running the most recent version of the modifications.

    It is also a good idea if you don't know how to clean up your database, then you should start with the last known backup of your database.

    Please don't PM or VM me for support - I only help out in the threads.
    vBulletin Manual & vBulletin 4.0 Code Documentation (API)
    Want help modifying your vbulletin forum? Head on over to vbulletin.org
    If I post CSS and you don't know where it goes, throw it into the additional.css template.

    W3Schools <- awesome site for html/css help

    Comment


    • #3
      Thanks for this. I have downloaded a good copy of the files and am working to scrub the database.
      sigpic
      Life is just a Big Skid

      Comment


      • #4
        I re-installed the entire new 4.1.11 version of vb and I am still getting the *File does not contain expected contents warning on dozens (maybe hundreds) of files. What table is this checking against? I went and manually deleted a few files and now it shows those as missing.
        sigpic
        Life is just a Big Skid

        Comment


        • #5
          Make sure you only have one file called md5_sum_*.php in the /includes directory (unless it is for a modification).

          Please don't PM or VM me for support - I only help out in the threads.
          vBulletin Manual & vBulletin 4.0 Code Documentation (API)
          Want help modifying your vbulletin forum? Head on over to vbulletin.org
          If I post CSS and you don't know where it goes, throw it into the additional.css template.

          W3Schools <- awesome site for html/css help

          Comment


          • #6
            Site Hacked! Need Help With Clean-Up & Ongoing Security

            Make sure you have got a good quality anti virus software installed on your pc.
            Aussiefootyforums

            New Site New forum
            Come and talk sports all day long


            Comment


            • #7
              Originally posted by Lynne View Post
              Make sure you only have one file called md5_sum_*.php in the /includes directory (unless it is for a modification).
              Not sure I understand.

              There are 6 total files that look similar. md5_sums_crawlability_sitemap.php for example. There is no 'md5_sum_*.php'
              sigpic
              Life is just a Big Skid

              Comment


              • #8
                Also, when reuploading files to the server, I got an odd message returned from the FTP software.

                My host said:

                >>> So, in the last attempt(it means today), you got that warning due to
                >>> modification in the file picture.php.

                When I was uploading the vb 4.1.11 I got this message returned on a dozen files or more. I'm not an FTP expert, was this blocking the files from being uploaded?

                >>> # grep /home/steve//public_html/forum/picture.php
                >>> /var/log/messages*|grep upload
                >>> /var/log/messages:Mar 30 23:04:34 host pure-ftpd: ([email protected])
                >>> [NOTICE] /home/account//public_html/forum/picture.php uploaded (4053 bytes,
                >>> 29.69KB/sec)
                >>> /var/log/messages:Mar 30 23:27:29 host pure-ftpd: ([email protected])
                >>> [NOTICE] /home/account//public_html/forum/picture.php uploaded (4067 bytes,
                >>> 29.55KB/sec)
                >>> /var/log/messages:Mar 30 23:43:38 host pure-ftpd: ([email protected])
                >>> [NOTICE] /home/account//public_html/forum/picture.php uploaded (4067 bytes,
                >>> 29.26KB/sec)
                >>> /var/log/messages:Mar 31 13:10:33 host pure-ftpd: ([email protected])
                >>> [NOTICE] /home/account//public_html/forum/picture.php uploaded (4067 bytes,
                >>> 16.78KB/sec)
                sigpic
                Life is just a Big Skid

                Comment


                • #9
                  When you reuploaded your files, are you making sure you only have files that you are uploading to the site? Make sure all files on your site are ones you recognize. You need to remove all files that you did not upload yourself and that you don't recognize as vb files or modification files.

                  Please don't PM or VM me for support - I only help out in the threads.
                  vBulletin Manual & vBulletin 4.0 Code Documentation (API)
                  Want help modifying your vbulletin forum? Head on over to vbulletin.org
                  If I post CSS and you don't know where it goes, throw it into the additional.css template.

                  W3Schools <- awesome site for html/css help

                  Comment


                  • #10
                    No, there is all sorts of garbage up there. I think I need to probably make a new folder, upload to that, then swap it out quickly with the existing /forum folder and see if that helps.
                    sigpic
                    Life is just a Big Skid

                    Comment


                    • #11
                      Ok, we're getting away from my last point.

                      I uploaded all of the files and it's still showing as not being the correct version.

                      What is the system checking against on a file-by-file level to see what the correct version is? Maybe that location is corrupted and not the files. ??
                      sigpic
                      Life is just a Big Skid

                      Comment


                      • #12
                        When you download the files, an md5 checksum is created of each of them and put into the file md5_sums_vbulletin.php and that is the file that is run to check all the files to make sure they are exactly the same as when you downloaded them.

                        Please don't PM or VM me for support - I only help out in the threads.
                        vBulletin Manual & vBulletin 4.0 Code Documentation (API)
                        Want help modifying your vbulletin forum? Head on over to vbulletin.org
                        If I post CSS and you don't know where it goes, throw it into the additional.css template.

                        W3Schools <- awesome site for html/css help

                        Comment


                        • #13
                          Originally posted by Lynne View Post
                          When you download the files, an md5 checksum is created of each of them and put into the file md5_sums_vbulletin.php and that is the file that is run to check all the files to make sure they are exactly the same as when you downloaded them.
                          Ok cool, I'll try that again and see if it fixes anything.
                          sigpic
                          Life is just a Big Skid

                          Comment


                          • #14
                            I had the same hack on my site. I'm still in the process of having my host look over the server. This may help you... http://www.vbseo.com/f77/google-redi...tml#post315178

                            Comment


                            • #15
                              This hack is back on my site now running v4.1.12. This time google is flagging my site now for malicious url redirects.

                              Comment

                              Related Topics

                              Collapse

                              Working...
                              X