
Server compromised


  • #16
    Thanks for all the help Wayne.

    Comment


    • #17
      Wayne Luke I have done all of this and then suddenly today the site started to get populated again with new index.php and a new .ico-file. I have also changed passwords for the db-user that is used in the config.php. Is there a chance that there could be some things in the database? And in that case, how can I locate that?

      Comment


      • #18
        Originally posted by pmquist View Post
        Wayne Luke I have done all of this and then suddenly today the site started to get populated again with new index.php and a new .ico-file. I have also changed passwords for the db-user that is used in the config.php. Is there a chance that there could be some things in the database? And in that case, how can I locate that?
        Exactly the same happened to me.

        Comment


        • #19
          Then you haven't completely checked your site. I can't provide instructions for what occurs outside the vBulletin directory. I have absolutely no information on how your sites are configured beyond what is put into your posts on this site. 99% of all topics don't even give the basic information to resolve issues.

          You will need to check files outside of the vBulletin Directory as well. I figured it was implied for anyone who has run a website for any period of time to check this.
          Translations provided by Google.

          Wayne Luke
          The Rabid Badger - a vBulletin Cloud demonstration site.
          vBulletin 5 API - Full / Mobile
          Vote for your favorite feature requests and the bugs you want to see fixed.

          Comment


          • #20
            Originally posted by Wayne Luke View Post
            Then you haven't completely checked your site. I can't provide instructions for what occurs outside the vBulletin directory. I have absolutely no information on how your sites are configured beyond what is put into your posts on this site. 99% of all topics don't even give the basic information to resolve issues.

            You will need to check files outside of the vBulletin Directory as well. I figured it was implied for anyone who has run a website for any period of time to check this.
            You have a lot of different levels on your customers. It does not help the situation to tell me what you implied. It would be much better if you spelled it out.
            I have been running my site for twelve years and am doing my best. Both solving the problem and giving you the information I think you need. I am paying for ticket support but think it is better to ask questions here since it will help other people as well, even if it makes me look stupid by asking things that are obvious for you. So please help us instead of telling us that we are stupid (as you implied).

            About this issue: before the malware popped up again I have:
            - examined php-files that were created by the malware and figured out where they placed the ico-file that was a Kryptiks malware.
            - I renamed the .ico-file so they could not call it anymore
            - I ftp-ed all files from the server to my computer where I used notepad++ to look through all files for a part of the string that I found in the first index.php that I knew they had created.
            - I deleted all index.php that they created.
            - I erased the code that they had injected in a couple of PHP-files
            - I followed the instructions you gave in another post in this topic.

            So, what more information do you need and what else do you think I should have done?

            Comment


            • #21
              If you had uploaded a new copy of vBulletin 5.5.4 Patch Level 1 and deleted the old directory, you wouldn't have had to look through files. Did you look through every directory? My guess there is some file 5 or 6 levels deep in the /js/ckeditor directory that was missed. Or it could be in an attachment directory deep in the system if you store your attachments in the file system and they are located within the public_html directory.

              In order for us to look closer, please open a Support Ticket. Reference this topic and provide SFTP, cPanel, and vBulletin AdminCP login information.

              Wayne Luke

              Comment
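The file checks discussed in this thread (script files in upload directories, the `.ico` file that is not an icon, `index.php` files that reappear at any depth), sketched as a read-only triage script. This is an added example, not part of any post and not vBulletin code; the function names, the default `attachments` path and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read-only triage of a web root.
# Usage: sh triage.sh [WEB_ROOT] [UPLOAD_DIR] [DAYS]
# Function names, default paths and the sample tree are constructed.

# PHP/HTML files inside upload directories: none belong there.
# Pass the attachment and avatar directories your installation uses.
scripts_in_uploads() {
    find "$@" -type f \( -iname '*.php*' -o -iname '*.phtml' -o -iname '*.htm*' \) -print
}

# Files named *.ico that do not start with the ICO header 00 00 01 00.
# A PNG saved as favicon.ico is listed too; inspect each hit by hand.
fake_icons() {
    find "$1" -type f -iname '*.ico' | while IFS= read -r f; do
        magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
        [ "$magic" = "00000100" ] || printf '%s\n' "$f"
    done
}

# index.php and .ico files changed in the last N days, at any depth.
# mtime can be forged, so an empty result is not proof of a clean tree.
recent_droppers() {
    find "$1" -type f \( -name 'index.php' -o -iname '*.ico' \) -mtime "-$2" -print
}

# Constructed sample tree so the script runs without touching a live site.
demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/js/ckeditor/a/b/c" "$d/attachments/1/2" "$d/images"
    printf '<?php /* constructed sample */ ?>' > "$d/js/ckeditor/a/b/c/favicon_x.ico"
    printf '<?php /* constructed sample */ ?>' > "$d/attachments/1/2/index.php"
    printf '\000\000\001\000rest' > "$d/images/favicon.ico"
    touch -t 201901010000 "$d/images/favicon.ico"   # old, genuine icon
    printf '%s\n' "$d"
}

root=${1:-$(demo_tree)}; uploads=${2:-$root/attachments}; days=${3:-7}
echo "== scripts in upload directories";      scripts_in_uploads "$uploads"
echo "== .ico files without an ICO header";   fake_icons "$root"
echo "== index.php/.ico changed in last $days days"; recent_droppers "$root" "$days"
[ -n "$1" ] || rm -rf "$root"   # remove the sample tree after a demo run
```

Run it against the whole account, not only the forum directory, since the thread's point is that leftovers outside the vBulletin directory keep regenerating the files.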


              • #22
                Yes I looked through the entire system, including everything that was not vBulletin. I also removed the ico-file that the php-scripts pointed to. And still it showed up again. I am in the middle of making a complete new install together with my host so I will go through a support ticket if that does not help.

                Comment


                • #23
                  Originally posted by Wayne Luke View Post
                  The best course of action is to follow these steps:
                  1. Download vBulletin 5.5.4 Patch Level 1.
                  2. Create a new directory on your server (i.e. forums_new)
                  3. Upload 5.5.4 Patch Level 1 to this new forum.
                  4. In the new directory rename /config.php.bkp to /config.php.
                  5. Rename /core/includes/config.php.new to /core/includes/config.php
                  6. Rename /htaccess.txt to .htaccess
                  7. Turn off your forums
                  8. Create a Database Backup.
                  9. Rename the old vBulletin directory (i.e. forums_old)
                  10. Rename the new directory to replace your old vBulletin directory (i.e. forums)
                  11. Run /core/install/upgrade.php in your new forum directory.
                  12. Delete /core/install
                  13. Turn on your forums.
                  14. If you store attachments and avatars in the file system inspect your attachment and customavatar directories for any PHP or HTML files. Delete these Files. Move the attachments and customavatar directories to your new vBulletin forum directory.
                  15. Delete the old vBulletin directory off the server.
                  Outside of vBulletin, you should review any files that you have for other services as well.
                  Wayne, can I install the latest 5.5.4 version if 5.5.2 was installed during the hack? Or first I have to put 5.5.2, and then upgrade to 5.5.4?

                  Comment


                  • #24
                    Originally posted by elektro-kot View Post

                    Wayne, can I install the latest 5.5.4 version if 5.5.2 was installed during the hack? Or first I have to put 5.5.2, and then upgrade to 5.5.4?
                    You should upload the vBulletin 5.5.4 Patch Level 1 files in a new directory and then run upgrade.php against your database. The old directory should be removed from the web root.

                    Wayne Luke

                    Comment


                    • elektro-kot
                      elektro-kot commented
                      Many thanks, Wayne!
                      Now all works fine.
