I can no longer login as "admin" - have I been hacked?

  • I can no longer login as "admin" - have I been hacked?

    I can no longer login as "admin" this morning. Sometime between Friday and Monday morning, something happened. I have not upgraded to the latest yet. What can I do if I cannot login as admin? I have requested forgot password but I am not seeing those emails arriving in my inbox.

    I do have two other test users. I know their passwords. Can I do a MySQL update user, set token and secret equal to the users I know the passwords for? Will that work?

    Thanks for any help. I have access to the code and database.

  • #2
    What do you get when you try? Blank Page?

    What version are you on?
    adktramping ~ my happy place.

    "Whoever said practice makes perfect was an idiot. Humans can't be perfect because we're not machines." ~ Sam Gardner.

    Vote for your favorite feature requests and the bugs you want to see fixed.



    • #3
      I am on version 5.6.0. Where can I see the exact version so I can tell you?

      I am looking at vb_adminlog, and I can see 6 records that occurred late Friday night. The script values are index.php, options.php, with action values of options, validate, dooptions, options. I am not sure what else I can see.

      Can I override the admin password from my known passwords of my other two accounts so I can log in again?

      Thanks.



      • #4
        Originally posted by NumNum View Post
        What do you get when you try? Blank Page?

        What version are you on?
        I don't get a blank page, I just cannot login. I get the prompt that says you have used 3 out of 5 attempts to login. I try to request forgot password and I get nothing in my inbox when I do get emails for my other account. I can see in the vb_users table that my email is what I am expecting.



        • #5
          Clear your browser cache and try again


          • #6
            Originally posted by NumNum View Post
            Clear your browser cache and try again
            Thanks, but that is not working either.

            I have done a sudo system restart apache2. I am using several different browsers, all in private browsing mode. At this point, I need to do some MySQL changes to either reset the admin password to one of the other accounts I know, or I need to promote one of the other accounts I own to be an administrator.

            Where can I see the generated text for the forgot password emails? Since I am not receiving any emails for this account (not sure why), there must be a log of this URL in the database, right? If I can find that log, I can try to click on it to reset my password.

            I am running out of ideas. Thanks for the help.



            • #7
              Any suspect files when you run a scan?


              • #8
                How do I run a scan? Do I need to be logged into the site (admin panel)? Or is this running a scan against my linux server where I am hosting the site?



                • #9
                  Let's back up. You haven't necessarily been hacked. It's entirely possible your password expired.

                  Upload the tools.php file to your /core/admincp directory.

                  Upload the /core/install folder.

                  Navigate to https://URL.com/core/tools.php

                  Enter your Customer Number

                  Create a new administrator.

                  Delete the tools.php file and the install folder.

                  Add the new administrator User ID to the config.php file as a SuperAdministrator

                  Login using the new administrator account.

                  Change the password on the original administrator account.

                  Check the permissions under the Administrator User Group to ensure passwords are not set to expire.

                  Delete the new administrator account (unless you want to keep it)

                  Remove the User ID from the config.php file.

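Added example, not part of the original thread and not vBulletin's own tooling: a shell check that the cleanup steps of the procedure above were completed (tools.php and the install folder deleted, the temporary administrator's user ID removed from config.php). The config.php location under core/includes, the `superadmins` key in the constructed demo data and user ID 42 are assumptions.

```shell
#!/bin/sh
# Usage: sh check_cleanup.sh FORUM_ROOT TEMP_ADMIN_ID
# With no arguments it runs against a constructed demo tree.

list_leftovers() {   # $1 = forum root, $2 = user ID of the temporary administrator
    # tools.php can create administrators; the post names both paths.
    for f in core/tools.php core/admincp/tools.php; do
        if [ -e "$1/$f" ]; then echo "LEFTOVER file: $f"; fi
    done
    # The install folder was uploaded only for the recovery.
    if [ -d "$1/core/install" ]; then echo "LEFTOVER dir: core/install"; fi
    # Assumption: the setting is an uncommented config.php line containing
    # "superadmin" followed by a quoted, comma-separated list of user IDs.
    find "$1" -type f -name config.php | while IFS= read -r cfg; do
        ids=$(grep -i 'superadmin' "$cfg" | grep -vE '^[[:space:]]*(//|#|\*)' |
              sed -E "s/.*=[[:space:]]*['\"]([^'\"]*)['\"].*/\1/" |
              tr -d ' ' | tr '\n' ',')
        case ",$ids" in
            *",$2,"*) echo "LEFTOVER superadmin ID $2 in $cfg" ;;
        esac
    done
}

check_recovery_cleanup() {   # prints findings; returns 1 if there are any
    report=$(list_leftovers "$1" "$2")
    if [ -n "$report" ]; then printf '%s\n' "$report"; return 1; fi
}

make_demo_tree() {   # constructed sample: recovery done, cleanup forgotten
    d=$(mktemp -d)
    mkdir -p "$d/core/install" "$d/core/includes"
    : > "$d/core/tools.php"
    printf '%s\n' "// superadmin list (constructed)" \
        "\$config['SpecialUsers']['superadmins'] = '1, 42';" \
        > "$d/core/includes/config.php"
    echo "$d"
}

if [ $# -eq 2 ]; then
    check_recovery_cleanup "$1" "$2"
else
    demo=$(make_demo_tree)
    check_recovery_cleanup "$demo" 42 || true
    rm -rf "$demo"
fi
```

A non-zero exit status means at least one recovery artifact is still in place; other user IDs in the super administrator list are not reported.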


                  • #10
                    Originally posted by In Omnibus View Post
                    Let's back up. You haven't necessarily been hacked. It's entirely possible your password expired.

                    Upload the tools.php file to your /core/admincp directory.

                    Upload the /core/install folder.

                    Navigate to https://URL.com/core/tools.php

                    Enter your Customer Number

                    Create a new administrator.

                    Delete the tools.php file and the install folder.

                    Add the new administrator User ID to the config.php file as a SuperAdministrator

                    Login using the new administrator account.

                    Change the password on the original administrator account.

                    Check the permissions under the Administrator User Group to ensure passwords are not set to expire.

                    Delete the new administrator account (unless you want to keep it)

                    Remove the User ID from the config.php file.
                    This approach worked. Thank you!

                    Why would my password change? Do passwords expire? I have now updated my user's passwords that I manage, but I was not aware they could expire. Any idea how to tell if I had been hacked versus expired password?

                    Thanks for the help!



                    • #11
                      You should upgrade to 5.6.1 patch 1 ASAP. There is a nasty bug https://nvd.nist.gov/vuln/detail/CVE-2020-12720 in that version that allows SQL injection.



                      • #12
                        Originally posted by liam821 View Post
                        You should upgrade to 5.6.1 patch 1 ASAP. There is a nasty bug https://nvd.nist.gov/vuln/detail/CVE-2020-12720 in that version that allows SQL injection.
                        I am all patched up now. Thank you.



                        • #13
                          Version 5.5.6 is currently installed
                          My profile has also been hacked. Currently I have done 2 things to prevent it: a .htaccess in my ACP and a hidden superadmin user; the superadmin can always reset my password. Next to do is upgrade to a secure vB version.



                          • #14
                            If you haven't applied the 5.5.6 security patch that we released on May 8th, then you were probably hacked. A few days ago, an exploit for earlier versions was released on the web.

                            You will need to apply the 5.5.6 Patch from your members area or upgrade to 5.6.1 PL1 (recommended). Then you can use Tools.php to regain access to the site through a regular account.
                            Translations provided by Google.

                            Wayne Luke
                            The Rabid Badger - a vBulletin Cloud demonstration site.
                            vBulletin 5 API - Full / Mobile
                            Vote for your favorite feature requests and the bugs you want to see fixed.
