Server compromised
  • Server compromised

    We applied the patch for the VB compromise that happened last week but our server was compromised again today. Is the patch not a 100% fix?

  • #2
    Did you follow all of the recommended steps or did you only apply the patch?

    • #3
      I only see a patch download in the members area, are there more instructions? We only applied the patch.

      • #4
        Originally posted by rjh:
        We applied the patch for the VB compromise that happened last week but our server was compromised again today. Is the patch not a 100% fix?
        I'm in the same boat. My forum, Mets Global, got hit on Friday. A friend's forum, Mets Refugees, apparently also recently got hit.
        Drew
        Running vB v5.5.4 at Mets Global

        • #5
          Hit here too. I only see notes to install the patch. What other items need to be checked afterwards, excluding making sure the forum is a clean copy with no extra files?

          • #6
            Did you do a clean install with the patch or did you apply it to your compromised files?

            If you didn't do a clean install, you must also find and remove files that the hackers added to the site. You can use the Suspect File Version command under Maintenance/Diagnostics in the AdminCP or use a diff tool to compare your site files with the files found in the patch Upload folder.

            There may be malicious files that will not be found by the comparison tools above. For example, I found backdoor files in the UserAttachments folder. Since the files here are added by your users, you must find these by comparing to a non-infected backup of this folder or by running a virus scanning tool. A malware scanning tool found these in that folder in my case.
            VB 5.5.4
            PHP 7.2
            MySQL 5.7.24
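The "diff tool against the patch Upload folder" approach from the post above, as an added example that is not vBulletin's own code or the poster's. It hashes every file in the live tree and in a clean package and reports files that were added (where dropped index.php files and webshells appear), modified (where an injected @include line appears) or missing. The IGNORE and IGNORE_DIRS lists are assumptions: config files differ from the package by design, and user-upload directories need the content-based check discussed later in the thread rather than a package diff. The demo() tree is constructed for illustration.

```python
"""Compare a live vBulletin tree against a clean patch package.

Added example, not vBulletin code. Paths in IGNORE / IGNORE_DIRS are
assumed to be legitimately local and are skipped; adjust for your site.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed local-only files: these differ from the package by design.
IGNORE = {"config.php", "core/includes/config.php", ".htaccess"}
# Assumed user-content directories: not in the package, checked separately.
IGNORE_DIRS = {"core/attachments", "core/customavatar", "core/customprofilepics"}


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _index(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    out = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel in IGNORE or any(rel.startswith(d + "/") for d in IGNORE_DIRS):
            continue
        out[rel] = _sha256(p)
    return out


def compare_trees(site_root, clean_root) -> dict:
    """Return {'added': [...], 'modified': [...], 'missing': [...]}.

    'added'    = on the live site but not in the clean package (dropped files)
    'modified' = in both, but content differs (injected code in a stock file)
    'missing'  = in the package but not on the site (broken install)
    """
    site = _index(Path(site_root))
    clean = _index(Path(clean_root))
    both = site.keys() & clean.keys()
    return {
        "added": sorted(set(site) - set(clean)),
        "modified": sorted(p for p in both if site[p] != clean[p]),
        "missing": sorted(set(clean) - set(site)),
    }


def demo() -> dict:
    """Constructed clean package and a constructed compromised copy of it."""
    tmp = Path(tempfile.mkdtemp())
    clean, site = tmp / "clean_upload", tmp / "forums"
    stock = {
        "index.php": "<?php // front controller\n",
        "core/modcp/index.php": "<?php // moderator control panel\n",
        "core/includes/config.php.new": "<?php // template config\n",
    }
    for root in (clean, site):
        for rel, body in stock.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    # Legitimate local file: ignored by the comparison.
    (site / "core/includes/config.php").write_text("<?php // local db credentials\n")
    # Constructed signs of compromise, modelled on posts #7 and #10.
    (site / "images/misc").mkdir(parents=True)
    (site / "images/misc/index.php").write_text("<?php /* constructed dropped file */\n")
    (site / "core/modcp/index.php").write_text(
        "<?php @include('../../js/favicon.ico'); // moderator control panel\n"
    )
    return compare_trees(site, clean)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Run it against the real directories as compare_trees("/path/to/forums", "/path/to/patch/upload"); anything under "added" that you did not put there yourself needs a look, and "modified" entries should be read line by line rather than trusted.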

            • #7
              I think I got hit as well. I have found several index.php files with just a few lines in them, in different folders. I am about to do a clean install but I have a couple of questions. I am a newbie on this so excuse me for maybe asking dumb questions.

              1. Can files other than PHP files be infected? If so, what file type is most likely to be infected?
              2. Will the date be a good way to determine if a file is hacked? Like, if a file has a date that is one year old, would that be a sign that it is safe, and a file that is changed or created on September 25 is a good sign of it being a bad file?

              • OrganForum commented:
                Any type of file can be infected but script file types such as .php and .js are the most common targets. File dates can be manipulated and are not a reliable way of determining whether a file has been altered.

            • #8
              Originally posted by pmquist:
              1. Can other files than php-files be infected? If so, what file type is most likely to be infected?
              Yes. In fact those index.php files most likely load other files either from a remote location or on your server.
              2. Will the date be a good way to determine if a file is hacked? Like, if a file have a date that is one year old would that be a sign that it is safe and a file that is changed or created on september 25 is a good sign for it to be a bad file?
              The best course of action is to replace all vBulletin files with new copies in a new directory. Then you can delete the old directory.
              Translations provided by Google.

              Wayne Luke
              The Rabid Badger - a vBulletin Cloud customization and demonstration site.
              vBulletin 5 Documentation - Updated every Friday. Report issues here.
              vBulletin 5 API - Full / Mobile
              I am not currently available for vB Messenger Chats.

              • #9
                Originally posted by Wayne Luke:
                Yes. In fact those index.php files most likely load other files either from a remote location or on your server.


                The best course of action is to replace all vBulletin files with new copies in a new directory. Then you can delete the old directory.
                Namecheap says I was hacked. I'm guessing this is what is happening to most of us? Anyway, Glenn used to help me with this stuff. Can you maybe suggest a vB tech I can have help me? We are going to have to shut our forum down since I can't moderate members.

                Sorry to quote you here. But I'm desperate. I can't do this...

                The best way to handle this is to:
                1. Create a new directory.
                2. Upload the files from a new patched vBulletin Package to this directory.
                3. Point the /core/includes/config.php to your database.
                4. Make sure there are no PHP or JavaScript files in the attachment or customavatar directories.
                5. Copy over your attachment and customavatar directories.
                6. Run /core/install/upgrade.php
                7. Revert any template customizations that you have not documented as creating.

                • #10
                  One more question:
                  For me they have added dozens of index files and also included in the modcp script some code that says "@include" and a path to an .ico file that is placed in the javascript directory. What I wonder is whether the code in the .ico file does something to the users or on the server? Or could it be either of the two?

                  • #11
                    I would guess that the ico file isn't really an ico file and has additional code within it.
                    Wayne Luke
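Posts #7, #8, #10 and #11 make three points that a content-based scan can act on: the extension of a file says nothing about what is in it, a PHP file that @includes a non-PHP path (an .ico under the javascript directory) is loading code from that path, and file dates can be forged. The scanner below is an added example, not vBulletin code and not any poster's tooling. It checks image-typed files against their expected leading bytes, flags PHP open tags in non-PHP files, lists include/require targets that do not end in .php, and contrasts that with the naive "changed in the last N days" filter. The MAGIC table, the directory layout and every sample file in demo() are constructed assumptions, including the backdated mtime that the date filter misses.

```python
"""Content-based triage for upload and script directories.

Added example (not vBulletin code): inspect bytes, not extensions or
mtimes. MAGIC, paths and the demo files are constructed assumptions.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Assumed expected leading bytes for image types a forum stores.
MAGIC = {
    ".ico": (b"\x00\x00\x01\x00",),
    ".png": (b"\x89PNG",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")
# include/require[_once] of a quoted literal path, with or without '@'.
INCLUDE_RE = re.compile(
    rb"(?:@\s*)?\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]"
)


def is_fake_image(path: Path) -> bool:
    """True when the extension promises an image but the bytes do not agree,
    or when a PHP open tag is embedded (a polyglot that include() will run)."""
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return False
    head = path.read_bytes()[:8192]
    return not head.startswith(expected) or PHP_TAG.search(head) is not None


def suspicious_includes(path: Path) -> list:
    """Quoted include/require targets that are not .php files."""
    data = path.read_bytes()
    return [
        m.group(1).decode("latin-1")
        for m in INCLUDE_RE.finditer(data)
        if not m.group(1).lower().endswith(b".php")
    ]


def scan(root: Path) -> dict:
    """Walk root and report fake images, PHP in non-PHP files, odd includes."""
    report = {"fake_image": [], "php_in_non_php": [], "odd_include": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        suffix = p.suffix.lower()
        if suffix in MAGIC and is_fake_image(p):
            report["fake_image"].append(rel)
        if suffix != ".php" and PHP_TAG.search(p.read_bytes()):
            report["php_in_non_php"].append(rel)
        if suffix == ".php":
            for target in suspicious_includes(p):
                report["odd_include"].append(f"{rel} -> {target}")
    return report


def changed_since(root: Path, days: int) -> list:
    """The mtime filter from post #7, kept only to show what it misses."""
    cutoff = time.time() - days * 86400
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime >= cutoff
    )


def demo() -> dict:
    """Constructed tree: a real icon, a PHP-in-.ico file with a forged old
    mtime, a PHP-in-JPEG attachment, and a modcp file that @includes the
    icon (modelled on post #10)."""
    root = Path(tempfile.mkdtemp())
    (root / "js").mkdir()
    (root / "core/attachments/1").mkdir(parents=True)
    (root / "core/modcp").mkdir(parents=True)
    (root / "js/real.ico").write_bytes(b"\x00\x00\x01\x00\x01\x00" + b"\0" * 32)
    bad_ico = root / "js/favicon.ico"
    bad_ico.write_bytes(b"<?php /* constructed backdoor stub */ ?>")
    year_ago = time.time() - 365 * 86400
    os.utime(bad_ico, (year_ago, year_ago))  # forge an "old" timestamp
    (root / "core/attachments/1/photo.jpg").write_bytes(
        b"\xff\xd8\xff\xe0" + b"<?php /* constructed stub */ ?>"
    )
    (root / "core/modcp/index.php").write_text(
        "<?php\n@include('../../js/favicon.ico');\nrequire_once('../vb/vb.php');\n"
    )
    findings = scan(root)
    findings["recent_files"] = changed_since(root, 7)
    return findings


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:15s} {paths}")
```

In the demo, js/favicon.ico shows up under fake_image and php_in_non_php and is named as the target of the @include, while recent_files does not list it at all because its mtime was set a year back with a single os.utime call; that is the gap OrganForum and Wayne Luke are pointing at. The photo.jpg case shows why a correct magic number alone is not enough either: a valid JPEG header with PHP appended is still executable once included.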

                    • #12
                      You probably still had infected files when you applied the patch. Like others said, do a fresh clean install, OR the easier option is live chatting with my host (Namecheap) for them to do a full cPanel reset to a backup they have; that way you don't have to search your database for stuff the virus might have changed. I have Namecheap and they had a cPanel backup from around September 21st that I chose for them to reset it to (which resets the hosting and database). My site was hacked around September 25th so the 21st should be fine... if you want to be safer and don't have much new content on your site you could even do an earlier backup like September 6th. Just make sure to turn your site off immediately after they restore it, and patch it ASAP to the new version.

                      Here are some quick update instructions I made:
                      1. Turn off your forums.
                      2. Create a database backup via PuTTY/SSH with this command: mysqldump --opt -Q -u databaseUser -p databaseName > backup1.sql
                      This command sends the database backup to the root directory of your hosting account with the filename backup1.sql; you will be prompted for the password. Replace databaseUser/databaseName with your details.
                      3. Upload the contents of the UPLOAD folder except favicon.ico (also check .htaccess) with an FTP client.
                      4. Run /core/install/upgrade.php in your browser.
                      5. Delete the /core/install folder
                      6. Turn on your forums.
                      Last edited by mna; Sun 29th Sep '19, 2:54pm.

                      • #13
                        My vbulletin has also been continuously hit

                        • #14
                          I rolled my whole server back to a snapshot previous to when the exploit reportedly made it into the wild, disabled Apache, applied the patch and then started Apache.
                          This seems to have been successful for me so far (I hope) I had to take a little post hit obviously but I thought it was more important to get things back up and running securely again.

                          • #15
                            The best course of action is to follow these steps:
                            1. Download vBulletin 5.5.4 Patch Level 1.
                            2. Create a new directory on your server (e.g. forums_new)
                            3. Upload 5.5.4 Patch Level 1 to this new forum.
                            4. In the new directory rename /config.php.bkp to /config.php.
                            5. Rename /core/includes/config.php.new to /core/includes/config.php
                            6. Rename /htaccess.txt to .htaccess
                            7. Turn off your forums
                            8. Create a Database Backup.
                            9. Rename the old vBulletin directory (e.g. forums_old)
                            10. Rename the new directory to replace your old vBulletin directory (e.g. forums)
                            11. Run /core/install/upgrade.php in your new forum directory.
                            12. Delete /core/install
                            13. Turn on your forums.
                            14. If you store attachments and avatars in the file system inspect your attachment and customavatar directories for any PHP or HTML files. Delete these Files. Move the attachments and customavatar directories to your new vBulletin forum directory.
                            15. Delete the old vBulletin directory off the server.
                            Outside of vBulletin, you should review any files that you have for other services as well.
                            Wayne Luke
