Site hacked by P0wersurge.com user(s)

    Hi,

    My forum was hacked on the 26th October, my admin account was hacked, and the ftp passwords changed.
    After eventually getting our hosts to change the password, I was finally able to start work on the repair.

    I have looked at the p0wersurge deface thread and run all the counter measures mentioned, except for the htaccess ones listed at the bottom (still to do)

    All plugins and products have been removed, and a fresh upgrade of vb4.2PL3 has been made.
    However, there are still some spurious files listed in the admincp|Statistics & Logs|Transaction Log (MySQL Tool) and under the Maintenance|Diagnostics (MadShell) (See attached pics)

    I have edited my config.php to run the 'disable hooks' code, and the above files seem now to be disabled.

    I have scanned my existing .htaccess file and the only thing in there is a redirect to my index.php - so that looks ok

    I have downloaded all the ftp files and run a virus scan on them, and they were clean.

    One member has suggested running the following: -

    Originally posted by snakes1100:
    If the files are scanned & verified as clean, w/ either a tool or because you have deleted all files & replaced them, including htaccess files, then you will need to scan the DB & verify it's clean as well. I'd start by scanning the db for ifram, exec code in your template & plugin tables.
    Trouble is I am not that clued up on running queries on the database, I can do it if I know the query format to run, but am unable to write the query myself. If the above queries mentioned are the ones listed in the p0wersurge thread, then they have already been undertaken.

    If anyone can offer any further advice on how to remove the tools, it would be very much appreciated.

    Thanks

    James
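As an added example (not from the thread or from vBulletin itself), these MySQL queries do the template/plugin scan snakes1100 describes, and the plugin table is the first place to look given that the rogue screens disappeared once hooks were disabled in config.php. They assume vBulletin 4 column names (`template_un`, `phpcode`) and an empty TABLE_PREFIX; prefix the table names with whatever config.php sets.

```sql
-- Added example: hunt for injected markup or executable PHP in the
-- vBulletin 4 template and plugin tables. Assumes an empty TABLE_PREFIX
-- from config.php (prefix the table names otherwise). A hit is a lead to
-- read by hand, not proof on its own; an empty result is not a clean bill.

-- 1. Templates: search the uncompiled source (template_un) so that any
--    hit is readable as the template author wrote it.
SELECT templateid, styleid, title, product
FROM template
WHERE template_un LIKE '%<iframe%'
   OR template_un LIKE '%eval(%'
   OR template_un LIKE '%base64_decode%'
   OR template_un LIKE '%str_rot13%';

-- 2. Plugins: every row is PHP that runs on its hook, so list anything
--    that calls code-execution or file-writing functions.
SELECT pluginid, title, hookname, product, active
FROM plugin
WHERE phpcode LIKE '%eval(%'
   OR phpcode LIKE '%base64_decode%'
   OR phpcode LIKE '%exec(%'
   OR phpcode LIKE '%system(%'
   OR phpcode LIKE '%passthru%'
   OR phpcode LIKE '%shell_exec%'
   OR phpcode LIKE '%file_put_contents%'
   OR phpcode LIKE '%fwrite(%';

-- 3. Inventory: with every product removed, only rows belonging to
--    product 'vbulletin' should remain; any other value, or a hook name
--    nobody recognises, is a leftover to review even with no pattern hit.
SELECT product, hookname, COUNT(*) AS plugin_rows
FROM plugin
GROUP BY product, hookname
ORDER BY product, hookname;
```

Run them read-only first; once a row is confirmed malicious, delete it through the AdminCP (Plugins & Products) rather than by hand so the datastore cache is rebuilt.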

  • #2
    Delete those shell files a.s.a.p. Also there is no mysql management in the default vb.

    Contact your host and ask them to check their access logs to see the point of entry and patch it up.

    In the meanwhile change all the forum/ftp/cp login infos, and db user and password as well (but don't forget to update the config.php file with the new info)

    But the point of entry should be discovered a.s.a.p and patched up otherwise no matter what you do you will always risk of getting hacked again. Hope it helped.

    • #3
      Originally posted by borbole:
      Delete those shell files a.s.a.p. Also there is no mysql management in the default vb.

      Contact your host and ask them to check their access logs to see the point of entry and patch it up.

      In the meanwhile change all the forum/ftp/cp login infos, and db user and password as well (but don't forget to update the config.php file with the new info)

      But the point of entry should be discovered a.s.a.p and patched up otherwise no matter what you do you will always risk of getting hacked again. Hope it helped.
      Would the point of entry not have been the Arcade.php script?

      • #4
        Thanks Borbole,

        How do we find those tools to delete them?
        They are not on the FTP side, and our hosts say that they are not server side, which leaves only the db.
        Without knowing what the tools are called in terms of filename, I have no idea what to look for...

        Everything else has been re-secured, ftp passwords, db passwords, admin a/c pass etc

        We used to have the IBProArcade plugin installed, which is how the hackers got in. This has long since been removed, but I'm assuming that these two tools will allow backdoor access to the forum so that they can re-hack if they feel the need?

        - - - Updated - - -

        OK, I have traced the tools back to subscriptions.php and diagnostics.php. Now going to look through them and see if I can find the redirect...

        • #5
          Did you already download vBulletin from your customer area again and re-upload it to your server in order to make sure you have original files on there?
          No private support, only PM me when I ask for it. Support in the forums only.

          • #6
            Yes I did Hartmut.
            I've opened those two php files in notepad and searched for anything untoward, but didn't find anything. I just wanted to prove to myself that the scripts are embedded in the database, somewhere...

            • #7
              Hm... And even when uploading the actual files you will still get those two screens?
              No private support, only PM me when I ask for it. Support in the forums only.

              • #8
                yes

                • #9
                  Could that be a redirect in somewhere like the header in Admincp? Kinda hard to find...
                  No private support, only PM me when I ask for it. Support in the forums only.

                  • #10
                    Not sure how it can be?
                    All the headers, styles etc are a brand new installation.

                    • #11
                      Could you provide me access to admincp via PM?
                      No private support, only PM me when I ask for it. Support in the forums only.

                      • #12
                        PM Sent Hartmut
                        Thanks

                        James

                        • #13
                          Nice one Hartmut.

                          • #14
                            Hi Hartmut,
                            did you get the PM?
                            It's not saved in my sent items, which leads me to believe it hasn't gone...

                            Please can you confirm?

                            • #15
                              Nope, nothing yet.
                              No private support, only PM me when I ask for it. Support in the forums only.
