Yet another hacked/malware thread

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • [Forum] Yet another hacked/malware thread

    I need help. My website is www.esksfans.com

    I don't know where it is coming from, but my site is loaded with malware as of today. It seems to come into play whenever I click on any links on the website and tries to direct to opimmerialtv.ru as one example. I have run the suspicious files program but everything looks ok.

    I was going to try updating to the latest version and disabled all products. I noticed there was some kind of "links" product I had not installed so I uninstalled it. I uploaded the new files for the new version to my website but when I try to get to admincp/install/update.php it tries redirecting me to that .ru site and eventually google. I have no idea what to do...

    My site is running 4.1.9.

    Any guidance?

  • #2
    Back up the database, reupload all the vBulletin files, then log into ACP and check for any products that aren't normal, as well as plugins.
    (Delete everything before you re-upload the vBulletin files)

    Comment


    • #3
      Originally posted by loaep
      Back up the database, reupload all the vBulletin files, then log into ACP and check for any products that aren't normal, as well as plugins.
      (Delete everything before you re-upload the vBulletin files)
      This is what I did though. I deleted the one product that I did not recognize. Disabled the rest to proceed with the update of vbulletin.

      Comment


      • #4
        Originally posted by IceFanatic
        This is what I did though. I deleted the one product that I did not recognize. Disabled the rest to proceed with the update of vbulletin.
        Try installing mod_security.

        Comment


        • #5
          Try running this tool, they could have infected your templates in the database.

          Comment


          • #6
            No change. I still can't get to the update.php file to update the site. Not sure it would do much good anyway...

            Comment


            • #7
              You mean http://www.esksfans.com/forum/install/upgrade.php?

              Comment


              • #8
                Originally posted by IceFanatic
                No change. I still can't get to the update.php file to update the site. Not sure it would do much good anyway...
                It's upGRADe.php, not update.php.

                Comment


                • #9
                  Where is mod_security?
                  Is that a vb.org thing?
                  Regards
                  Trevor

                  Comment


                  • #10
                    Yes, sorry upgrade. I did spell it right when I was trying to upGRADE.

                    I was able to finally get to that point but then it just stalled on step 1 of 4. I am at a loss for what to do. I have opened a ticket and will see if that bears any fruit...

                    Comment


                    • #11
                      Originally posted by IceFanatic
                      Yes, sorry upgrade. I did spell it right when I was trying to upGRADE.

                      I was able to finally get to that point but then it just stalled on step 1 of 4. I am at a loss for what to do. I have opened a ticket and will see if that bears any fruit...
                      Did you run that tool mentioned above?

                      If I were you I would do a thorough checkup of your database and server space. It would be best to contact your host too and ask them to check their access logs and see what happened and how it did happen. That could help in identifying the point of entry and patching it up.

                      Comment


                      • #12
                        Originally posted by borbole
                        Did you run that tool mentioned above?

                        If I were you I would do a thorough checkup of your database and server space. It would be best to contact your host too and ask them to check their access logs and see what happened and how it did happen. That could help in identifying the point of entry and patching it up.
                        The tool_recompile you mean? Yeah, I ran that and it made no difference.

                        I finally got it updated to the latest version 4.1.12. I am still getting the malware warnings now from some kogrilz.ru or some **** site. So the upGRADE did not resolve the issue.

                        How do I do a thorough checkup of my database and server space? I have no idea what I am supposed to be looking for.

                        Comment


                        • #13
                          Six days later and I am still struggling with this. My host has suggested I reinstall a completely fresh copy of vBulletin. My question is, is this possible with my current database so I don't lose 10 years' worth of data?

                          Comment


                          • #14
                            Originally posted by IceFanatic
                            Six days later and I am still struggling with this. My host has suggested I reinstall a completely fresh copy of vBulletin. My question is, is this possible with my current database so I don't lose 10 years' worth of data?
                            Do you have a recent backup? You could simply fall back to that; however, if this was present in the system at the time that backup was made, you're back to square one trying to get rid of it, per se.

                            I would follow this post by Wayne Luke - https://www.vbulletin.com/forum/show...=1#post2245651. Take your time and don't become too upset or frustrated with the situation. It's upsetting, I know; however, stay level-headed, maintain a "thorough" attitude and track down the issue.

                            If you run VBSEO or any other add-ons please check those for issues - http://www.vbseo.com/f5/faqs-rogue-p...release-52862/ and https://www.vbulletin.com/forum/show...ulletin-Addons


                            Former vBulletin Support Staff
                            Hacked recently? See my blog post "Recovering a Hacked vBulletin Site".
                            Thinking outside the box? Need modification support? Visit www.vBulletin.org and have at it!
                            Need a Host? - I recommend URLJet

                            Comment


                            • #15
                              Originally posted by TheLastSuperman
                              Do you have a recent backup? You could simply fall back to that; however, if this was present in the system at the time that backup was made, you're back to square one trying to get rid of it, per se.

                              I would follow this post by Wayne Luke - https://www.vbulletin.com/forum/show...=1#post2245651. Take your time and don't become too upset or frustrated with the situation. It's upsetting, I know; however, stay level-headed, maintain a "thorough" attitude and track down the issue.

                              If you run VBSEO or any other add-ons please check those for issues - http://www.vbseo.com/f5/faqs-rogue-p...release-52862/ and https://www.vbulletin.com/forum/show...ulletin-Addons
                              I've done most of that and talked to Wayne a little as I have a ticket open but I seem to have been abandoned as he has stopped responding.

                              Here is what my host has said:

                              It looks like they used the coms.php file to change your .htaccess files to redirect users to malware sites (instead of your forums). It also looks like the commons.php file in your forums folder is similarly malicious. In addition, nearly every script in the install folder has malicious code (at least in part), along with several other scripts in the forums folder.

                              Would you be able to install a fresh, clean, up-to-date installation of vbulletin on a new account?


                              I responded that I don't want to lose all my data and they said:

                              I am not familiar with vbulletin in particular, so I can't say for sure. You'll want to confirm with whoever you were talking to with vbulletin that this is possible. But I would be surprised if it were not possible; every forum I have ever configured allowed a pre-existing database to be used with a fresh install (as long as the database is compatible with the version of vbulletin being installed).

                              Please let us know if this can work for you. We can create a new hosting account for you and put a dump of the database in your home directory. (We can also import the dump into a new database under that account if you would prefer.)


                              So I would like to try this but am unsure how to do it with my current database...can I just install a fresh copy and then point config.php to the old database? I imagine this could cause all sorts of issues...



                              Comment
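
The host's finding in post #15, that .htaccess files were changed to send visitors to other sites, can be checked for directly across the whole web root. The following is an added example, not code from any poster, the host or vBulletin: it reads every .htaccess under a directory and reports redirect-capable directives whose target host is not one of the site's own. The function names, the host allowlist and the sample .htaccess content are constructed for illustration.

```python
import os
import re
from urllib.parse import urlsplit

# Apache directives whose arguments can carry a redirect target URL.
DIRECTIVES = {"rewriterule", "redirect", "redirectmatch",
              "redirectpermanent", "redirecttemp", "errordocument"}
URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)

def external_redirects(text, own_hosts):
    """Return (line_no, host, line) for redirect targets outside own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].lower() not in DIRECTIVES:
            continue  # blank line, comment, or a directive that cannot redirect
        for url in URL_RE.findall(raw):
            host = (urlsplit(url).hostname or "").lower()
            # %{HTTP_HOST}-style server variables resolve to the site itself
            if host and not host.startswith("%{") and host not in own:
                findings.append((no, host, raw.strip()))
    return findings

def scan_tree(root, own_hosts):
    """Check every .htaccess under root; returns {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = external_redirects(fh.read(), own_hosts)
            if hits:
                report[path] = hits
    return report

# Constructed sample, not taken from the affected site.
SAMPLE = """\
RewriteEngine On
# normal same-site rules
RewriteRule ^old/(.*)$ http://www.example.org/forum/$1 [R=301,L]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
RewriteRule ^(.*)$ http://bad.example.net/in.cgi?2 [R=302,L]
ErrorDocument 404 http://bad.example.net/404
"""

if __name__ == "__main__":
    for no, host, line in external_redirects(SAMPLE, ["www.example.org"]):
        print(f"line {no}: external target {host}: {line}")
```

Run `scan_tree` against the document root with the forum's own hostnames as the allowlist; any path it reports is a file to compare against a known-good copy before reusing the account.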
