Thanks for all the help Wayne.
Server compromised
Wayne Luke I have done all of this and then suddenly today the site started to get populated again with new index.php and a new .ico-file. I have also changed passwords for the db-user that is used in the config.php. Is there a chance that there could be some things in the database? And in that case, how can I locate that?
Originally posted by pmquist: Wayne Luke I have done all of this and then suddenly today the site started to get populated again with new index.php and a new .ico-file. I have also changed passwords for the db-user that is used in the config.php. Is there a chance that there could be some things in the database? And in that case, how can I locate that?
Then you haven't completely checked your site. I can't provide instructions for what occurs outside the vBulletin directory. I have absolutely no information on how your sites are configured beyond what is put into your posts on this site. 99% of all topics don't even give the basic information to resolve issues.
You will need to check files outside of the vBulletin Directory as well. I figured it was implied for anyone who has run a website for any period of time to check this.
Wayne Luke
The Rabid Badger - a vBulletin Cloud demonstration site.
vBulletin 5 API
Originally posted by Wayne Luke: Then you haven't completely checked your site. I can't provide instructions for what occurs outside the vBulletin directory. I have absolutely no information on how your sites are configured beyond what is put into your posts on this site. 99% of all topics don't even give the basic information to resolve issues.
You will need to check files outside of the vBulletin Directory as well. I figured it was implied for anyone who has run a website for any period of time to check this.
I have been running my site for twelve years and am doing my best. Both solving the problem and giving you the information I think you need. I am paying for ticket support but think it is better to ask questions here since it will help other people as well, even if it makes me look stupid by asking things that are obvious for you. So please help us instead of telling us that we are stupid (as you implied).
About this issue: before the malware popped up again I have:
- examined php-files that were created by the malware and figured out where they placed the ico-file that was a Kryptiks malware.
- I renamed the .ico-file so they could not call it anymore
- I ftp-ed all files from the server to my computer where I used notepad++ to look through all files for a part of the string that I found in the first index.php that I knew they had created.
- I deleted all index.php that they created.
- I erased the code that they had injected in a couple of PHP-files
- I followed the instructions you gave in another post in this topic.
So, what more information do you need and what else do you think I should have done?
If you had uploaded a new copy of vBulletin 5.5.4 Patch Level 1 and deleted the old directory, you wouldn't have had to look through files. Did you look through every directory? My guess is there is some file 5 or 6 levels deep in the /js/ckeditor directory that was missed. Or it could be in an attachment directory deep in the system if you store your attachments in the file system and they are located within the public_html directory.
In order for us to look closer, please open a Support Ticket. Reference this topic and provide SFTP, cPanel, and vBulletin AdminCP login information.
Wayne Luke
Yes I looked through the entire system, including everything that was not vBulletin. I also removed the ico-file that the php-scripts pointed to. And still it showed up again. I am in the middle of making a complete new install together with my host so I will go through a support ticket if that does not help.
Originally posted by Wayne Luke: The best course of action is to follow these steps:
- Download vBulletin 5.5.4 Patch Level 1.
- Create a new directory on your server (i.e. forums_new)
- Upload 5.5.4 Patch Level 1 to this new forum.
- In the new directory rename /config.php.bkp to /config.php.
- Rename /core/includes/config.php.new to /core/includes/config.php
- Rename /htaccess.txt to .htaccess
- Turn off your forums
- Create a Database Backup.
- Rename the old vBulletin directory (i.e. forums_old)
- Rename the new directory to replace your old vBulletin directory (i.e. forums)
- Run /core/install/upgrade.php in your new forum directory.
- Delete /core/install
- Turn on your forums.
- If you store attachments and avatars in the file system inspect your attachment and customavatar directories for any PHP or HTML files. Delete these Files. Move the attachments and customavatar directories to your new vBulletin forum directory.
- Delete the old vBulletin directory off the server.
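The inspection step in the procedure above, and the reappearing index.php and .ico files described earlier in the thread, can be checked with a script. This is an added example, not part of any post in the thread; the function names are hypothetical and all paths are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and function names are assumptions.

# tag REASON: prefix every path read from stdin with "REASON<TAB>".
tag() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

# scan_uploads DIR...
# Prints "REASON<TAB>PATH" for each file that should not be in an upload directory:
#   script-ext  name ends in a PHP or HTML extension
#   php-tag     any other file that contains a PHP open tag (e.g. a fake .ico)
scan_uploads() {
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "skip: $dir is not a directory" >&2
            continue
        fi
        # Pass 1: by name, at any depth, case-insensitive.
        find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \
            -o -iname '*.html' -o -iname '*.htm' \) -print | tag script-ext
        # Pass 2: by content, for every file pass 1 did not match.
        find "$dir" -type f ! \( -iname '*.php' -o -iname '*.phtml' \
            -o -iname '*.html' -o -iname '*.htm' \) \
            -exec grep -l -i -F -e '<?php' {} + | tag php-tag
    done
}

# changed_since REF_FILE ROOT
# Lists index.php and *.ico files under ROOT modified after REF_FILE, the two
# file types the thread reports reappearing after clean-up.
changed_since() {
    find "$2" -type f \( -name 'index.php' -o -iname '*.ico' \) -newer "$1" -print
}

# Usage (placeholder paths):
#   scan_uploads /path/to/forums_old/attachments /path/to/forums_old/customavatars
#   touch /path/to/cleanup.stamp      # run once, right after clean-up
#   changed_since /path/to/cleanup.stamp /path/to/public_html
```

Anything `changed_since` reports after a clean install points at a writer that survived the clean-up, so check that file's owner and modification time against the web server and FTP logs for the same moment.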
Originally posted by elektro-kot:
Wayne, can I install the latest 5.5.4 version if 5.5.2 was installed during the hack? Or first I have to put 5.5.2, and then upgrade to 5.5.4?
Wayne Luke